"Important
The default policy of a Microsoft client validating a certificate with name constraints asserted is that all names have to be explicitly permitted. For example, if a name constraint does not specify the e-mail name as a permitted type, and a certificate request contains an e-mail name, the request will be rejected. It is possible to relax this policy and implicitly allow names not defined in the name constraint extension by configuring the CA policy in the registry."
From: https://technet.microsoft.com/en-us/library/cc737026(v=WS.10).aspx
As I see it, that is happening because the Name Constraints have the Excluded Field set but the Allow Field is None, so because how the Name Constraints have to be Explicitly permitted, this will fail. A workaround is to change that on XP Registry which I think is pretty fair as XP is like a Fossil. Or LE could have besides the Excluded â.milâ TLD have all other TLD in the world, explicitly permitted in the Allow Field, your call buddy!
Two things: You donât need to send the ISRG Root X1. When itâs included in the client, the client will obviously have it anyway, and right now itâs not trusted anyway. In both cases there is no point in sending it.
Second, there is broken software out there that will fail to connect if the first chain is not valid. Itâs better to swap these around so that the valid chain comes first and the ISRG Root X1 chain is second.
I was ironic about changing the field in the LE Root certificate. I donât think this is even possible or viable. But as I understand, because the LE Root has Name Constraints set up, all other Certificates that follow will need that the LE Root explicit Allow things. My point is that a resolution from LE side is way more difficultâŚ
Sure. But as noted, it appears that blank fields should be considered as wild card (i.e. allow all, deny .mil). It may be the case that an explicit wild card is required for XP.
I havenât dug into the link you sent in detail, nor have the ability to attempt to model an explicit wild card cert. Might be worth someone giving it a shot.
it isnt in the LE root and not in the IdenTrust root as well.
simply said it is the intermediate, which is below the root and can be changed easily enough if needed, provided IdenTrust would sign that.
Thatâs a good solution for filtering your users as long as the SSL isnât required for keeping the information secure.
Another tip is to direct Google to the http:// page as the pageâs canonical address, even for SSL URLs. This way, Google lists the non-SSL page in its results and any clicks are upgraded to SSL as required. Again, not very useful for sites using HSTS or for transmitting credit card details, etc but good enough for a brochureware site.
@bb1
I dont think IEXP does HSTS in the first place, not forgetting thatunless a site is visited via HTTPS AND trusted, HSTS wont enable.
@jackpixley you might consider also redirecting firefox even on XP since firefox does its own security and should have no problem whatsoever in LE certs.
@ both of you:
be advised that this is susceptible to MITM, because of the flash of HTTP at the start.
A bug in Windows XP causes parsing of our current cross-signature
from IdenTrust to fail. We will be correcting this by getting new
cross-signatures from IdenTrust which work on Windows XP.
