[Help needed] Windows XP support


#56

Because 10% globally of XP users depends on the country … I have small sites in Romania and Serbia… when I changed a few days ago to a cheap SSL cert, my statistics grew (about 20%).
Many people use Windows XP … I want to serve only the SSL site, and insert links directly to https.
So I can't filter requests depending on operating system/browser.

Windows XP is dramatically going out of global traffic… but it is still there… I think we must wait one, maybe two years to ignore it.
But for now everyone must check statistics in their country, or (if they have them) check how many users on their site use Windows XP.

BTW… on letsencrypt.org there should be big information about this issue!


#57

Well, why not, instead of auto-upgrading to HTTPS, just serve your real site over HTTPS but create an HTTP site with a link to the HTTPS site, and instruct XP users to go to Firefox. It isn't secure anymore.


#58

1/ Google boosts rank when serving https
2/ users can send links to https to other people
3/ people share it on social networks.
and many other things.

But yeah… XP is not secure, but many people don't have the cash and experience to move to a better version of the operating system.
From my statistics it is about 20% in Romania and Serbia… in Poland it is about 5-15% (depending on the site).
My global sites have about 5%.
Where it is 5% I think we can ignore it … or if someone has a big site then 5% can be 100k users :wink:


#59

Well, I don't stop you from serving HTTPS, but the point was an additional HTTP site when calling the site without HTTPS, to instruct XP users to use FF, and all others could e.g. get a redirect.


#60

I tried my hand at redirecting WinXP users to the HTTP site at https://community.centminmod.com/threads/letsencrypt-ssl-certificates-and-windows-xp-workarounds.5272/ heh


#61

Any HTTPS->HTTP redirect cannot work, because the redirect operates on the HTTP level, on top of all the SSL/TLS stuff, and the problem with Windows XP is at this level. If you try this with curl all seems to work, but only because curl has a proper SSL/TLS implementation.
Try with a virtual machine (you can get one for free at https://dev.windows.com/en-us/microsoft-edge/tools/vms/windows/) and you will see that the redirect will not work.
The only thing that can work is NOT redirecting Windows XP users from HTTP to HTTPS, but if they follow an HTTPS link the browser will display an error for sure.


#62

Unfortunately XP not supporting Let’s Encrypt certificates is a showstopper for us. We have deployed Let’s Encrypt on a few of our client sites that originally did not have SSL and also replaced a few DV certificates.

With 10%+ of our user base (and that includes some slow moving corporates) receiving an error message when they visit the sites, we will have to roll back to non-HTTPS and continue buying DV/OV certificates where needed.

When reading the technicals about Let's Encrypt, we took on board the fact that Blackberry 10 and Android 2.3 aren't supported, but nowhere was XP mentioned; had it been, then we wouldn't have considered it a viable solution.

That said, I appreciate the work the Let’s Encrypt team has put into facilitating easy and free access to SSL certificates and will keep an eye on the project with a hope for XP support soon.


#63

The XP thing wasn't even known until recently, because it seems to be a bug with the cross cert. The "normal" Let's Encrypt cert would have no problems, but you won't get it in XP automatically.

Also, almost 2 years after end of life, XP should really be killed off…


#64

Sorry about that! I tried to update all our relevant documentation when we discovered the XP compatibility problems. If you remember which documentation you read that failed to mention XP, I’ll update it.


#65

Not an issue. The current documentation is clear that XP isn’t supported so that should help others making the same decision. I hope a resolution can be reached with ISRG about removing the name constraint and making Let’s Encrypt certificates first class members of the SSL world.


#66

The Wii is also not supported, as I’m betting many other gaming consoles and embedded systems are in the same unfortunate boat.


#67

Well, the name limit is just on the cross cert by IdenTrust. When LE gets trusted, then the cross cert isn't needed anymore, and the "real" intermediate by LE doesn't have that limit.


#68

I doubt Microsoft would release an update to the XP root certificate store to include Let’s Encrypt, given that they have EOL-ed the product. I don’t even think Microsoft Update works anymore on XP? Unfortunately it looks like it will have to be a case of working with what is there currently for most XP users.


#69

That's true enough, but the ISRG cannot do much about it, because that was IdenTrust's decision. If you have control over the XP users, as I have said more often than enough in this thread, let them use Firefox; this also gives you the benefit of being able to turn off all the old stuff and go for a very secure server.


#70

So as it seems, the only workable solution would be to get another cross-sign by another CA trusted by Windows XP, which does not have such stupid requirements like NameConstraints.
But I assume it was already difficult to find IdenTrust for this project, wasn't it?

The other solution is of course to ignore XP users, and if they notice they get errors all over the web and (hopefully) figure out it is because of an outdated OS, they may even use a newer OS or at least install Firefox. And BTW: they don't have to pay for a new OS - they could also just install Linux. There are many distros that even run on old hardware like XP does.
Obviously this solution is not a nice one for web admins. :wink:


#71

PayPal is announcing their transition from SHA-1 to SHA-256 certs, so that might prompt some WinXP folks to update or change browsers heh


#72

While that is an issue on Chrome/Opera/IE + XP SP2, you can still get by on XP SP3 - IIRC


#73

Well, that probably does cover a lot of people as a way to avoid the problem. Here is a case where that will not work: freindsplus.me is dependent on a Chrome extension (provides Google+ post scheduling capabilities) and thus a Chrome browser. I am assuming they recently started using "Let's Encrypt" signing in December 2015, as it stopped working on my XP SP3, which led me here. Their extension is only available in Chrome, so I have asked them if there is any chance they can stop using Let's Encrypt, as I think if the web pages don't work then the extension won't work either. This problem really sucks.

Another point is that having two working browsers is always a good way to troubleshoot problems. Are there any other browsers besides Firefox that can provide a second opinion reliably on XP SP3?

Would someone be able to look at that link and confirm it is the certificate issue for Win XP discussed in this thread? Thanks.
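Posts #67 and #73 above point at the name constraint on the cross-signed intermediate and ask how to confirm that a site is hitting it. As an added example that is not from this thread or from the Let's Encrypt project, a small POSIX shell script that saves a server's presented chain and flags any certificate carrying the X509v3 Name Constraints extension; it assumes the openssl CLI (1.1.1 or newer) is installed and builds its own throw-away certificates for an offline self-check (the CA names and the `.example` subtree are made up).

```shell
#!/bin/sh
# Added example, not from the thread: check whether a certificate (for
# instance the cross-signed intermediate a server presents) carries the
# X509v3 Name Constraints extension. Assumes the openssl CLI (1.1.1+,
# for -addext) is on PATH; all certificate names below are constructed.
set -eu

# has_name_constraints FILE.pem: exit 0 if the PEM cert has the extension.
has_name_constraints() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'X509v3 Name Constraints'
}

# fetch_chain HOST OUT.pem: save every cert the server presents on HOST:443
# (needs network access; the offline self-check below does not call it).
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2"
}

# make_demo_certs DIR: construct two throw-away self-signed CA certs, one with
# a critical excluded-subtree name constraint and one without, so the check
# can be exercised without touching a real site.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/constrained.key" -out "$1/constrained.pem" \
        -subj '/CN=Constructed constrained CA' \
        -addext 'nameConstraints=critical,excluded;DNS:.example' >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/plain.key" -out "$1/plain.pem" \
        -subj '/CN=Constructed plain CA' >/dev/null 2>&1
}

# report_chain CHAIN.pem: split a saved chain into single certs and report
# which ones carry name constraints (the extension XP's CryptoAPI rejects).
report_chain() {
    awk -v base="$1" '/-----BEGIN CERTIFICATE-----/{n++} {print > (base "." n ".cert")}' "$1"
    for c in "$1".*.cert; do
        subject=$(openssl x509 -in "$c" -noout -subject)
        if has_name_constraints "$c"; then
            echo "NAME CONSTRAINTS: $subject"
        else
            echo "ok:               $subject"
        fi
    done
}
```

Run `fetch_chain example.org chain.pem && report_chain chain.pem` against the site in question; a line marked NAME CONSTRAINTS on an intermediate is the condition the thread describes.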


#74

yeah true… unfortunately


#75

But you know that Chrome isn't supported on XP anymore, don't you? So you are on an old version as well, so another point of unupdated security.