SAN: domain name mismatch (Android 2 / Windows XP)

I have configured one domain (https://m.jadi.cz/?forceMobile) to use only SAN certificate to make testing easier: https://www.ssllabs.com/ssltest/analyze.html?d=m.jadi.cz

from when is that?

Here we have stats, and we have 4% of devices with <4.0...

Windows XP market share among Windows is 3 times bigger than Android 2 among Android.

But those people can and should use another browser.

Only Firefox, which uses an independent TLS library, should not be affected by this bug…

Even Chrome would show an error…

1 Like

In one of the three pictures from @gavinmerk it is interesting that the cert is marked with a red X.
This means the chain is not valid. I think this is not domain-name related.
Maybe the CA list on XP and Android 2 does not include the root used for the cross-sign.

1 Like

The problem is not with the lack of support of SNI on Windows XP but with the certificate policy.

So here is the cause but no solution!

1 Like

Another issue with Android 2 is that 2.3+ is required for SHA-256 certificates.

  • SHA-256 support matrix.

http://developer.android.com/training/articles/security-ssl.html

  • Explain how SSL work in Android
  • Show that there are different ssl providers used for http
1 Like

Following another post from the same blog http://unmitigatedrisk.com/?p=198, it was possible to make Windows XP and 2003 accept Let’s Encrypt certificates. You only need to add a DWORD value named flags with 20 in hexadecimal as content in the registry key HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots.

3 Likes

@luishgo interesting workaround!

1 Like

I thought LE has no name constraints or stuff like that.

[quote=“My1, post:31, topic:4060, full:true”]
I thought LE has no name constraints or stuff like that.
[/quote]
Intermediate under IdenTrust root prohibits issuance for .MIL domains.

Okay, now that I looked at the cert with xca it makes sense.
It didn't show in Firefox…

But why does this even matter?
If .mil is excluded (for whatever reason a TLD should be excluded) then everything ELSE (so basically almost everything) should pass through…
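To make the name-constraint point concrete, here is an added example (not code from the thread or from Let's Encrypt) that evaluates the dNSNames of a certificate against an excludedSubtrees entry the way a conforming RFC 5280 client should. The `.mil` constraint is a constructed value modelled on the thread's description of the IdenTrust-cross-signed intermediate, and the leading-dot handling follows OpenSSL's convention (a leading dot matches only proper subdomains).

```python
"""Evaluate SAN dNSNames against X.509 name constraints (RFC 5280 4.2.1.10).

Constructed example: a correct client rejects a chain only when a name in the
leaf falls inside an excluded subtree (or outside every permitted one); all
other names, e.g. m.jadi.cz, must pass.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring empty labels."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def dns_name_in_subtree(hostname: str, constraint: str) -> bool:
    """True if hostname equals the constraint or adds labels to its left.

    A constraint written with a leading dot (".mil", as some CAs encode it)
    matches only names with at least one extra label, mirroring OpenSSL.
    """
    host, cons = _labels(hostname), _labels(constraint)
    if not cons:
        return True  # an empty constraint matches every name
    if host[-len(cons):] != cons:
        return False
    strict = constraint.startswith(".")
    return len(host) > len(cons) if strict else len(host) >= len(cons)


def check_name_constraints(hostname: str, permitted=(), excluded=()):
    """Return (ok, reason). Excluded subtrees win over permitted ones."""
    for c in excluded:
        if dns_name_in_subtree(hostname, c):
            return False, f"{hostname} lies inside excluded subtree {c!r}"
    if permitted and not any(dns_name_in_subtree(hostname, c) for c in permitted):
        return False, f"{hostname} lies outside every permitted subtree"
    return True, "ok"


# Constructed constraint modelled on the thread: the intermediate excludes .mil.
EXCLUDED = (".mil",)


def evaluate_san(san_names, excluded=EXCLUDED) -> dict[str, bool]:
    """Map each SAN dNSName to whether a conforming client accepts it."""
    return {n: check_name_constraints(n, excluded=excluded)[0] for n in san_names}


if __name__ == "__main__":
    for name, ok in evaluate_san(["m.jadi.cz", "army.mil", "notmil.com"]).items():
        print(f"{name:12} {'accepted' if ok else 'REJECTED'}")
```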

It’s likely a bug in how XP handles name constraints, see:

1 Like

Yes, editing the registry may work;
we can do it ourselves,
but we can’t do it for our visitors.

1 Like

A post was split to a new topic: SAN Ordering Issue w/Outlook 2010

A post was merged into an existing topic: SAN Ordering Issue w/Outlook 2010