SSL not working on Windows 7 running Chrome

Issue 1

Site showing A+ on SSLabs but showing unsecured certificate on client sites for Operating system Windows 7 running a Chrome version 96.0.4664xxx

Issue 2

IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure

I tried all configuration mentioned on SSL-config.mozilla.org using below BUT issue still remains

SSLEngine on

Protocols h2 http/1.1

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off

My domain is: upgrade.lensbazaar.com
I ran SSLab Test it produced this output in PDF on the link https://1drv.ms/b/s!AqYkuzhYbcqFhLgXMU47qRv-9NzFRg?e=9PKJWW

My web server is : apache
Operating system : Centos 8
Latest cerbot is installed already

1 Like

issue #1
Do any other browsers work on Win7? Like Firefox or IE
Is that system getting regular updates?

issue #2
Is that a real-world failure or only noting it from the SSL Labs report?
If real-world, can it be updated as indicated on SSL Labs?
Note: This forum site shows same error on SSL Labs (try it)

2 Likes
  1. Windows 7 does have many Chrome running - I am sure thousands and my issue is with this specific OS

  2. I ran the SSL Labs because they are trusted tool to check. Because I found Windows 7 was throwing issues. I am sure this would be real world too

1 Like

It would be helpful if you answered the questions I asked. Are you asking about possible problems or do you have a specific Win7 machine that is failing?

As to Issue #2, the warning on SSL Labs was only for the Win Phone version that was not updated. Look at the line just below that. If someone has a model that was not updated they would not connect to a very large number of websites (including this one). It would help them to update.

2 Likes

Please point to the specific "Win7 Chrome 96" issue found at SSLLabs:
[this below is from your site]

OR
Show the screenshot where it shows it as insecure.

3 Likes

For issue #2

Do you have a Win Phone 8.1 to test from?
I think it should work.
Comparing your ciphersuites to Win Phone 8.1 capabilities, I get:

ECDHE-ECDSA-AES128-GCM-SHA256 SUPPORTED	<<<<<<<
ECDHE-RSA-AES128-GCM-SHA256   UNSUPPORTED
ECDHE-ECDSA-AES256-GCM-SHA384 SUPPORTED	<<<<<<<
ECDHE-RSA-AES256-GCM-SHA384   UNSUPPORTED
ECDHE-ECDSA-CHACHA20-POLY1305 UNSUPPORTED
ECDHE-RSA-CHACHA20-POLY1305   UNSUPPORTED
DHE-RSA-AES128-GCM-SHA256     UNSUPPORTED
DHE-RSA-AES256-GCM-SHA384     UNSUPPORTED
3 Likes

The Win7 issue will be that the ISRG Root X1 certificate is not installed in the OS trust store. You can use Firefox if installing the ISRG Root X1 cert is too complicated for your users.

The Windows Phone issue will be that it's too old to successfully use the public internet.

3 Likes

Real-world failure - Yes - on Windows 7 Chrome 96.0.4664xxx
SSL Labs test was done basis to check issues which did not show issues on Windows 7 but other advance versions of Windows 8.1 IE

Note this SSLAbs test did not show Windows 7 Chrome issues

1 Like

Its a client test windows 7 system which is used as enterprise level
Not a windows phone

1 Like

Windows 8.1 ---no test available

1 Like


see the screenshot @rg305

1 Like

I do see it now.
But I don't believe my own eyes!
I can't see why Chrome would say that site is not properly secured.
Do you have similar trouble with other LE secured sites?
Have you tried clearing your cache, and rebooting?

1 Like

The "Not secure" text with a warning sign could be anything. Unsafe algorithms used, incorrect certificate, mixed content.

Please provide a screenshot of the message Chrome shows about WHY it thinks it's insecure when clicking on the warning sign logo.

3 Likes

I did check on SSL labs and WhyNoPadlock.
But the message detail will be helpful.

1 Like

Message detail ?

Please be specific on info you need ?

1 Like

Click where it shows "not secure"

2 Likes

see the attached

1 Like

I see a zoom of the same picture.
Click where it says "Not secure".

2 Likes

Other similar problems - yes --- even Safari version 6 are the same
Client system do not have control to clear cache or rebooting

1 Like

got it ?

1 Like