Sure, but that would require Microsoft to release a new Windows XP service pack with this CA (“ISRG Root X1”) in the trust store and then wait 4 years so everyone installs it on top of their Windows XP.
If the Let's Encrypt intermediate is not trusted by a CA that is preinstalled in the Windows XP SP3 trust store, then it does not work on Windows XP in any browser that uses it (all except Firefox).
Ah yes, very good point
It’s time to let it die IMHO.
Given that XP doesn’t support newer crypto options or SNI, the fact is its days are limited anyway…
Should start putting notices for XP on non-HTTPS sites, and not redirect them to HTTPS. Same for stagnant Android <4 … Vary by user-agent for proxies…
Well, Firefox is still an option.
Also, unlike the XP stuff where there’s very little data, for Android >4 we know from Android distribution data that they are at roughly 3,4%.
Also, XP and oldDroid can’t do EC, which will play a very important role because of better performance and stuff.
I appreciate the input on ignoring XP, but it’s off-topic for this thread.
@jsha But you should also consider the fact that the possibility exists that there’s no option to fix this bug/problem. Even if there’s a solution somewhere, it would probably need a new intermediate certificate… And I don’t think you’re going to have a complete new key signing ceremony for X3, just for XP support?
If so, might I suggest making ECC Intermediates while you’re at it?
To summarize, XP does not support certs with exclusive NameConstraints (has anyone ever tried that across XP’s entire lifetime?)
Maybe this is an opportunity for another CA to cross-sign and charge for XP compatibility
Why not create certificates without NameConstraints and limit .mil domain on server side?
Our cross-signer, IdenTrust, wanted it this way.
Well, it’s a shame it makes LE unusable for bigger sites, and even more so if there is an easy technical solution.
Does that mean IdenTrust SSL certs also don’t work with WinXP?
As far as I understood, the .mil Name Constraint was a specific condition for the cross signing of the LE intermediates. I don’t think the IdenTrust certs themselves have these Name Constraints and therefore should work in XP.
For small ones it’s also a problem… Windows XP users globally are about 10%.
Now LE should be used only for internal sites, like phpMyAdmin, Redmine, company webmail etc.
Why should LE only be used for internal?
They are not much worse than usual DV certs, and for HTTPS server certs, OV isn’t worth it because a user can’t distinguish between DV and OV easily.
for forums, blogs and stuff, LE is more than good enough.
But I think XP with IE or Chrome can be dropped, because XP has only one way of going securely onto the internet and that’s Firefox, because it can do TLS 1.2, EC, AES, SHA2 and all that stuff without problems.
Because the 10% of XP users globally depends on the country … I have small sites in Romania and Serbia… when I changed a few days ago to a cheap SSL cert, my statistics grew (about 20%).
Many people use Windows XP … I want to serve only an SSL site, and insert links directly to HTTPS.
So I can’t filter requests depending on operating system/browser.
Windows XP is dramatically going out of global traffic… but it is still there… I think we must wait one, maybe two, years to ignore it.
But now everyone must check statistics in their country, or (if they have them) check how many users on their site use Windows XP.
BTW… on letsencrypt.org there should be big information about this issue!
Well, why not, instead of auto-upgrading to HTTPS, just serve your real site over HTTPS but create an HTTP site with a link to the HTTPS site, and instruct XP users to go to Firefox? It isn’t secure anymore.
1/ Google boosts rank when serving HTTPS
2/ users can send links to HTTPS to other people
3/ people share it on social networks.
and many other things.
But yeah… XP is not secure, but many people don’t have the cash and experience to move to a better version of the operating system.
From my statistics it’s about 20% in Romania and Serbia… in Poland it’s about 5-15% (depending on the site).
My global sites have about 5%.
Where it is 5% I think we can ignore it … or if someone has a big site then 5% can be 100k users.
Well, I don’t stop you from serving HTTPS, but the point was an additional HTTP site when calling the site without HTTPS, to instruct XP users to use FF, and all others could e.g. get a redirect.
I tried my hand at redirecting WinXP users to an HTTP site at https://community.centminmod.com/threads/letsencrypt-ssl-certificates-and-windows-xp-workarounds.5272/ heh
Any HTTPS->HTTP redirect cannot work, because the redirect operates on the HTTP level, on top of all the SSL/TLS stuff, and the problem with Windows XP is at this level. If you try this with curl all seems to work, but only because curl has a proper SSL/TLS implementation.
Try with a virtual machine (you can get one for free at https://dev.windows.com/en-us/microsoft-edge/tools/vms/windows/) and you will see that the redirect will not work.
The only thing that can work is NOT redirecting Windows XP users from HTTP to HTTPS, but if they follow an HTTPS link the browser will display an error for sure.
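The approach the later posts converge on (keep serving the real site over HTTPS, but on the plain-HTTP listener redirect only clients that can validate the chain, show a notice to the rest, and send `Vary: User-Agent` so proxies do not cache one answer for everybody) can be sketched in a few dozen lines. The block below is an added illustration, not code from this thread, from Let's Encrypt or from the centminmod link above. The User-Agent strings, the host name `example.test` and the notice wording are constructed for the example; the `Windows NT 5.1`/`5.2` tokens are what XP browsers send, and `Firefox/` marks the one XP browser that carries its own trust store and TLS stack. The Android <4 branch goes beyond the thread's XP discussion and applies the same rule to the old stock Android browser mentioned earlier.

```python
import re

# Constructed User-Agent strings, one per client class the policy cares about.
# They are representative samples, not captured traffic.
SAMPLE_AGENTS = {
    "ie8-xp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "firefox-xp": "Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0",
    "android-2.3": "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus One Build/GRK39F) AppleWebKit/533.1",
    "android-4.4": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36",
    "chrome-win7": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/47.0.2526.111 Safari/537.36",
}

XP_RE = re.compile(r"Windows NT 5\.[12]\b")        # Windows XP / XP x64 (and Server 2003)
FIREFOX_RE = re.compile(r"\bFirefox/\d")            # NSS-based, own root store
ANDROID_RE = re.compile(r"\bAndroid (\d+)(?:\.\d+)*")  # major version of stock Android


def client_class(user_agent: str) -> str:
    """Classify a User-Agent as 'xp-schannel', 'legacy-android' or 'modern'.

    'modern' means the client is expected to validate the Let's Encrypt chain,
    so it is safe to redirect it to HTTPS.
    """
    if XP_RE.search(user_agent) and not FIREFOX_RE.search(user_agent):
        return "xp-schannel"
    m = ANDROID_RE.search(user_agent)
    if m and int(m.group(1)) < 4 and not FIREFOX_RE.search(user_agent):
        return "legacy-android"
    return "modern"


def plan_response(host: str, path: str, query: str, headers: dict):
    """Decide what the plain-HTTP listener answers: (status, headers, body).

    Modern clients get a 301 to the same URL over HTTPS; clients whose TLS
    stack cannot validate the chain get a 200 notice page with the HTTPS link,
    because a redirect to HTTPS would only move them to a certificate error.
    """
    target = f"https://{host}{path}" + (f"?{query}" if query else "")
    common = {"Vary": "User-Agent", "Cache-Control": "no-store"}
    if client_class(headers.get("User-Agent", "")) == "modern":
        return 301, {"Location": target, **common}, b""
    notice = (
        "<!doctype html><title>Secure version available</title>"
        f"<p>This site is served securely at <a href=\"{target}\">{target}</a>.</p>"
        "<p>Your browser relies on an operating-system certificate store that cannot "
        "validate this site's certificate. On Windows XP, Firefox is known to work.</p>"
    ).encode("utf-8")
    return 200, {"Content-Type": "text/html; charset=utf-8", **common}, notice


def wsgi_app(environ, start_response):
    """Minimal WSGI front door for port 80; hand it to any WSGI server."""
    status, hdrs, body = plan_response(
        environ.get("HTTP_HOST", "localhost"),
        environ.get("PATH_INFO", "/"),
        environ.get("QUERY_STRING", ""),
        {"User-Agent": environ.get("HTTP_USER_AGENT", "")},
    )
    reason = {200: "OK", 301: "Moved Permanently"}[status]
    start_response(f"{status} {reason}", list(hdrs.items()))
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    for name, ua in SAMPLE_AGENTS.items():
        status, hdrs, _ = plan_response("example.test", "/", "", {"User-Agent": ua})
        print(f"{name:12} -> {status} {hdrs.get('Location', '(notice page)')}")
    make_server("", 8080, wsgi_app).serve_forever()
```

This only helps on the HTTP listener. As the last post says, a client that arrives directly on the HTTPS port fails in the TLS handshake before any HTTP header is read, so no server-side rule, redirect or otherwise, can rescue it; the notice page is the only place the message can be delivered.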