I have configured one domain (https://m.jadi.cz/?forceMobile) to use only SAN certificate to make testing easier: https://www.ssllabs.com/ssltest/analyze.html?d=m.jadi.cz
from when is that?
here we have stats and we have 4& of devices with <4.0...
Windows XP market share among Windows is 3 times bigger than Android 2 among Android.
But those people can and should use another browser.
Only Firefox which use a independent TLS library should not be affected by this bugâŚ
Even Chrome would shows an errorâŚ
In the 1 of the 3 pictures from @gavinmerk it is interesting that the Cert is marked with an Red X.
This mean the chain is not valid. I think this is not domain name related.
Maybe the CA-List on XP and Android 2 does not include the root used for cross sign.
The problem is not with the lack of support of SNI on Windows XP but with the certificate policy.
So here is the Cause but no Solution !
An other Issue with Android 2 is that 2.3+ is required for SHA-256 certificates.
- SHA-256 support matrix.
http://developer.android.com/training/articles/security-ssl.html
- Explain how SSL work in Android
- Show that there are different ssl providers used for http
Following another post from the same blog http://unmitigatedrisk.com/?p=198, it was possible to make Windows XP and 2003 accept letâs encrypt certificates. You only need to add a DWORD value named flags with 20 in hexadecimal as content in the registry key HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
.
I thought LE has no name constraints or stuff like that.
[quote=âMy1, post:31, topic:4060, full:trueâ]
I thought LE has no name constraints or stuff like that.
[/quote]Intermediate under IdenTrust root prohibits issuance for .MIL domains.
okay, now that I looked at the cert with xca it makes sense.
it didnt show in firefoxâŚ
but why does this even matter?
if .mil is excluded (for whatever reason a tld should be excluded) then everything ELSE (so basically almost everything) should pass throughâŚ
Itâs likely a bug in how XP handles name constraints, see:
Yes, editing registry may work,
we can do it ourselves,
but we canât do it for our visitors