Let's Encrypt certificates do not work on XP in IE8 or Chrome

I’m on the beta test and am very pleased so far, however I have discovered that Windows XP does not successfully validate Let’s Encrypt certificates. This is the case even when using Google Chrome instead of Internet Explorer 8. IE8 I can honestly understand and would not expect it to work at all these days. However as I am aware of people still using Windows XP on netbooks with a need to use Chrome to download packs from my website before hosting a very old game (namely Vampire the Masquerade Redemption via Tunngle VPN), it looks like I am going to have to revert to my old certificate for the time being. The reason it won’t work on XP is probably because of chain validation issues and getting muddled between the ISRG signed intermediate and the cross-signed IdenTrust intermediate (what with the trust path to ISRG root x1 not being valid yet as the root is not in the MS trust store yet). Google Chrome goes as far as to block the connection entirely and not give the end user an option to override when using XP on a site using a Let’s Encrypt certificate. I know it is not just my website at www.planetvampire.com as I also tried helloworld.letsencrypt.org and got the same error. If you like, I can provide a screenshot of this.
Anyway, I am not in any way complaining, but I thought I should make this known. Firefox will work with Let’s Encrypt certificates on XP, as it comes with its own SSL stack that bypasses the limitations of the underlying OS. To be quite honest I can’t wait to fully see the back of XP! I would just add a warning to the site but as it uses SSL entirely (no plain HTTP option), this wouldn’t be possible.

run your https site through https://www.ssllabs.com/ssltest/analyze.html to see which browsers are supported based on what ssl ciphers your web server is offering up to your visitor’s client browser

it is your web server’s configured ssl cipher preferences that determine what client web browsers negotiate and support

you can see more details of this at https://wiki.mozilla.org/Security/Server_Side_TLS

2 Likes

Back in the day I really, really loved XP (still count it as one of the best OSes Microsoft ever devised). I know that it's still widely used. However, the good days of XP have come and passed I am afraid. Any XP machine caught on my controlled networks immediately has all network access severely limited. Suggested workaround for mission critical applications that have no developer and run on XP is to be sandboxed through a VM (and even then network connectivity is still limited).

Reason is, except in rare government cases, Microsoft is no longer pushing out security updates since sometime last year, and any machine running XP is already considered compromised and completely unsafe.

--..Archer

I have used SSL labs before and determined through trial and error that the last supported cipher for Windows XP Service Pack 3 that remains somewhat safe (albeit without forward secrecy) is Triple DES. Thus IE8 will let you access a website using a Let’s Encrypt certificate, but it will insist on an interstitial screen warning that there’s a problem with it. Along with the patronizing “click here to close this webpage (recommended)” link that I have always hated since IE7 came out as it means you lose the whole tab along with being able to click the back button. Hence me personally ditching IE, shame the same can’t be said for other people.
According to the SSL Labs report, helloworld.letsencrypt.org does not support “TLS_RSA_WITH_3DES_EDE_CBC_SHA” hence has “Protocol or cipher suite mismatch” next to “IE 8 / XP”.
https://www.ssllabs.com/ssltest/analyze.html?d=helloworld.letsencrypt.org
However my website does support this as I explicitly allowed this in order to support XP. Normally Windows XP IE8 and Chrome have no problem connecting to it without any prompts using my old certificate. The only thing I changed recently was the certificate itself (to beta test the Let’s Encrypt cert), not the supported ciphers in my configuration. Thus it appears that the cipher suite/protocol is not the problem.
To @Archer above: I totally get that! I used to love the fact that XP is so much easier to use with third party peripherals and virtual devices that don’t have the money to pay for MS signatures for their drivers, and just does as it’s told without having to faff around with at least two reboots just to get an unsigned driver to load. However from a web point of view, it is such a pain to support these days!

1 Like

what are your web server's ssl cipher preferences and protocols allowed?

@eva2000, I really appreciate your kindness and patience!
In my apache configuration I have the following set globally for mod_ssl (as in, at the top just after the ‘IfModule mod_ssl.c’ line and before any virtual hosts, with no other overrides in the virtualhosts)
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW +3DES 3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

I’ve decided that I will post a warning on the official Facebook page that the website will become inaccessible to XP users from December onwards. From that point on I will switch to using the Let’s Encrypt certificate completely and change the SSLCipherSuite options to drop Triple DES. Windows XP will always have a place in my heart but after reading that Google itself intends to drop support completely for it in Chrome in the near future, I have decided it’s for the best. Onwards with security! Posted here:
“To those still using Windows XP: please be aware that the forums and website will soon become inaccessible on XP due to the fact it is becoming a nightmare to continue supporting SSL for it. This will take effect from 1 December 2015. Although I understand that it is very useful to host VTMR from an old XP laptop and download skins when on the go, it really is unsafe to continue doing this! If need be, use a system with a more recent OS and download all required packs to a USB drive before hosting from an XP machine. I am aware Firefox on XP will continue to work with the website after this date but I do not know how long this will be and do not intend to actively monitor this situation after this date. -Sam”

3 Likes
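The reasoning in the posts above (the cipher settings were unchanged and 3DES is still offered, so the handshake itself should succeed and the certificate is the remaining suspect) can be modelled as a small negotiation check. This is an added example, not part of the original thread; the client and server profiles are constructed, abbreviated assumptions based on what the posters describe, not real scan output.

```python
# Added example: which failure class does a legacy client hit?
# All profiles below are constructed, abbreviated illustrations.

TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Client modelled on the thread: XP SP3 / IE8, TLS 1.0 at most, RC4 and 3DES only.
XP_IE8 = {
    "protocols": {"SSLv3", "TLSv1.0"},
    "suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
}

# Server like the poster's: "SSLProtocol all -SSLv2 -SSLv3", RC4 excluded, 3DES last.
SITE_WITH_3DES = {
    "protocols": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}

# Server without 3DES, the situation reported for helloworld.letsencrypt.org.
SITE_NO_3DES = dict(SITE_WITH_3DES, suites=SITE_WITH_3DES["suites"][:2])


def negotiate(client, server):
    """Return (status, protocol, suite), choosing as SSLHonorCipherOrder on does."""
    shared = client["protocols"] & server["protocols"]
    if not shared:
        return ("protocol mismatch", None, None)
    protocol = max(shared, key=TLS_ORDER.index)  # highest common version
    for suite in server["suites"]:  # server preference order wins
        if suite in client["suites"]:
            return ("handshake ok", protocol, suite)
    return ("cipher suite mismatch", protocol, None)


def diagnose(client, server):
    """Say whether to look at the TLS settings or at the certificate chain."""
    status, protocol, suite = negotiate(client, server)
    if status == "handshake ok":
        return f"{protocol} {suite}: negotiation succeeds, check the certificate chain"
    return f"{status}: fix server protocol/cipher settings first"


if __name__ == "__main__":
    for name, server in [("with 3DES", SITE_WITH_3DES), ("no 3DES", SITE_NO_3DES)]:
        print(name, "->", diagnose(XP_IE8, server))
```
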

most likely 2 problems

one, you disabled SSLv3, and pre WinXP SP3 OSes don’t support sha256 certificates, only sha1

better approach for folks is to understand their visitors' os/browser usage and adapt your ssl cipher preferences accordingly (see "HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS)", #4 by eva2000), i.e. if you have 80% users on winxp you don't want to disable SSLv3 and implement SSL ciphers that aren't supported.

Yes, I dropped SSLv3 as soon as I found out about the POODLE exploit. My intention was to support XP Service Pack 3 (as that was the very latest version) as long as possible, but now it really is time to move forward. I am aware people still access the site using a mobile browser as old as Android 2.3, hence using a single certificate to cover both the main site and forums since there’s no SNI support in that old version.

1 Like

yeah other one is RC4 for WinXP and IE8 https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites

I ran into the same problem. XP-Chrome not being able to access the site using a letsencrypt beta certificate. I tried allowing SSLv3 but that didn’t help. This was on an XP Professional Service Pack 3 machine.

Any ideas of what else to allow would be appreciated. SSLlabs is perfectly happy with my certificate and protocol suites (provided I don’t allow SSLv3).

I have created a new issue on Let’s Encrypt GitHub to clarify Windows XP support. I also found the likely problem why Windows XP doesn’t accept the Let’s Encrypt intermediate certificate. See https://github.com/letsencrypt/letsencrypt/issues/1660

EDIT: The Let’s Encrypt FAQ has been updated for the time being with “Most platforms that trust that root should trust Let’s Encrypt certs. One notable exception is Windows XP, which currently doesn’t accept our intermediate.”

All hope is not lost, Josh Aas was assigned to the issue and it may be possible to create a new compatible intermediate certificate.

3 Likes