[Help needed] Windows XP support

@My1 that would be fine if you knew who your users were, but a general web site can’t know that. Also, unless they start in http, you can’t even tell them anything, because all they get is a frightening message about someone trying to attack them before we have any opportunity to communicate with them, or drop back to http. It’s not even like a self-signed certificate - the browser simply won’t let the user proceed at all. So if, for example, someone follows a link in an email or another web site, or a Google search (which probably covers 90% of the cases!), as far as they are concerned it is a web site that just doesn’t work, when other similar sites do work because they got their certificate elsewhere.

In 5 years’ time maybe XP will be at such a low level that it is discountable, but as Facebook and Twitter have been demonstrating recently, they think a big enough proportion of their traffic is coming from XP that they can’t afford to drop support for it.

Having said that, my site visitor who hit this for real is in California and should know better. But maybe his PC is one that isn’t able to be upgraded for whatever reason. In this case I do actually have contact with many of the people who use that site, but that’s not the point - it’s about the ability of LE to work properly on the wider anonymous internet where XP is still at 10 or 15% of the market worldwide.

I don’t think Microsoft is going to care about (helping out with) some bugs in their software for which mainstream support ended on April 14, 2009…

No, of course they aren’t going to change anything, but someone might be prepared to help us understand the NameConstraints logic on XP. (There may also be XP documentation out there too which I haven’t found yet).

As I said, maybe when you declare what’s not permitted, you have to declare what’s permitted, so try to declare “allow all” and “forbid that TLD that for no reason I can imagine has been blocked from LE”.

As far as I have been able to discover, there isn’t an “allow all” that XP understands.

The problem seems to be that if you use NameConstraints at all, XP requires you to restrict the dirName.

Why does the letsencrypt intermediate cert need to use NameConstraints at all? To block certificates issued to .mil domains? How about just not issuing such certificates in the first place?

Why are mil domains blocked in the first place? Is that some bad country or what? North Korean domains aren’t blocked as well…

The intermediate (letsencrypt’s) certificate is issued by DST Root CA X3, so I’m guessing they did not want to allow letsencrypt to issue to .mil domains (.mil is US military) - probably because they or some other CA they certify is doing that for a lot of money already and they did not want to lose that business. Internet freedom abruptly ends when there is enough money on the line.


As @naox said, this is a requirement from IdenTrust, who cross-signed our intermediate so we could be immediately trusted in most browsers.

Why does the US military need its own TLD?
It’s just a military, if anything.

Same stupid junk that .edu is just for US universities…

Historical stuff from the early days. Obviously we should just drop all TLDs except the country-coded ones and each country can set the policy for how names under their ccTLD work.

Note that discussion about why TLDs are the way they are is probably off-topic here. Feel free to start a new topic about it if you will.

It is important to have .gov, .mil, .edu etc. domains so that users know they are reaching a confirmed organization that is part of that grouping. It raises trust and blocks possible phishing sites in that TLD.

Well then they can do something like gov.us or whatever. (Public pseudo-subdomains like co.uk have been there for half an eternity.)

The point that I have is that at least mil and edu are only for US stuff. If they were international it would be better, especially since an .edu email address is often used to verify university students, which is impossible outside the US.

@motoko’s right: discussion of alternate TLD schemes is off-topic in this thread.

I’ve tried to access https://helloworld.letsencryp.com using Chrome on a WinXP non-SP3… I use that as a test.

Why don’t you try to create an https://winxp.letsencryp.org cert with the best settings so we can try to minimize XP effects?

I have to roll back an https site due to that 0.1% of users not being allowed to purchase… I know it sounds weird… But my client wants it back like it was before…

Well, the problem is that, the way the LE certs are, you cannot make an LE-based HTTPS site for XP because XP’s cert verification is f’ed up.

It should be fixed for making “SSL Everywhere”.
From my global sites… 70% is Windows, and of this 8% is Windows XP :confused:

Are there any hot fixes for my Win XP users?

Well, a registry change can solve it, but that’s bad for security. Or just use Firefox; it ships its own security.

The intermediate certificates signed by “ISRG Root X1” don’t have the Name Constraint extension like the IdenTrust cross signed certs, so if LE itself gets accepted by all major parties, the problem would go away.
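To make concrete what the thread is arguing about (the “forbid that TLD” exclusion discussed a few posts up, and the constrained versus unconstrained intermediates mentioned in the post just above), here is an added example that is not code from this thread, from Let’s Encrypt or from IdenTrust. It is a self-contained Go program that mints a hypothetical root, an intermediate carrying a NameConstraints extension with an excludedSubtrees entry for `.mil`, and leaf certificates, then path-validates them with Go’s `crypto/x509`. All names (“Example Root”, “Example Constrained Intermediate”, the hostnames) are made up, and the verifier shows RFC 5280 semantics as Go implements them, not the behaviour of Windows XP’s CryptoAPI that the thread is trying to work around. With `excludedDNS == nil` the intermediate gets no NameConstraints extension at all, which is the shape the post above attributes to the ISRG Root X1-signed intermediates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a CA certificate with its private key (hypothetical PKI, not LE's).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustSign signs tmpl with parentKey (self-signed when parent == tmpl) and parses the result.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain creates a self-signed root and an intermediate signed by it. Each entry of
// excludedDNS becomes an excludedSubtrees dNSName in the intermediate's NameConstraints
// extension (a leading "." means "any name under this domain"); nil emits no extension.
func BuildChain(excludedDNS []string) (root, inter CA) {
	root.Key = mustKey()
	rootTmpl := caTemplate(1, "Example Root")
	root.Cert = mustSign(rootTmpl, rootTmpl, &root.Key.PublicKey, root.Key)

	inter.Key = mustKey()
	interTmpl := caTemplate(2, "Example Constrained Intermediate")
	interTmpl.ExcludedDNSDomains = excludedDNS
	interTmpl.PermittedDNSDomainsCritical = true // flags the whole NameConstraints extension critical
	inter.Cert = mustSign(interTmpl, root.Cert, &inter.Key.PublicKey, root.Key)
	return root, inter
}

// IssueLeaf issues a server certificate for host (as a SAN dNSName) from the intermediate.
func IssueLeaf(inter CA, host string) *x509.Certificate {
	key := mustKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustSign(tmpl, inter.Cert, &key.PublicKey, inter.Key)
}

// VerifyHost path-validates leaf -> inter -> root for host; name constraints on every
// CA in the chain are applied to the leaf's SANs. Returns nil when the chain is accepted.
func VerifyHost(root, inter CA, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters.AddCert(inter.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// IsNameConstraintError distinguishes a name-constraint rejection from other chain failures.
func IsNameConstraintError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	root, inter := BuildChain([]string{".mil"})
	for _, host := range []string{"www.example.org", "www.army.mil"} {
		err := VerifyHost(root, inter, IssueLeaf(inter, host), host)
		fmt.Printf("%-16s err=%v  name-constraint rejection=%v\n", host, err, IsNameConstraintError(err))
	}
}
```

Run it as-is and the `www.example.org` chain validates while the `www.army.mil` chain is rejected with a `CANotAuthorizedForThisName` error from the intermediate; call `BuildChain(nil)` instead and the same `.mil` leaf validates, because no NameConstraints extension is present to exclude it. Note that the example uses only excludedSubtrees; it does not add a dirName entry, so it is not a reproduction of whatever XP is objecting to.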