Support in Windows XP SP3


#1

My domain is: fluxad.com

My hosting provider is: Dreamhost

I can login to a root shell on my machine: YES

I’m using a control panel to manage my site: Dreamhost control panel.

Hi, I’m pretty new with all the Free SSL and the manual installation of certificates. I used the automatic Dreamhost SSL certificates that come with the hosting. It all went well, I was pretty happy. Until I tried the website in WinXP SP3-32bit IE8. It didn’t work. You have the “Internet Explorer cannot display the webpage”. And you can’t enter the website. Last time I checked, WinXP SP3 is supported Compatibility. Please try my website in https://www.ssllabs.com/ssltest/index.html and see for yourself. It even says “IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure”.
Any help would be greatly appreciated.
Thanks in advance.


#2

IE on XP is very obsolete. While your certificate would be compatible with it, SSL Labs shows that DreamHost’s TLS configuration is not.

  • They disabled all cipher suites IE supports. (The one that’s least bad is TLS_RSA_WITH_3DES_EDE_CBC_SHA.)
  • They require SNI. IE will receive a self-signed certificate for sni.dreamhost.com.

You may or may not be able to talk them into enabling 3DES.

You may or may not be able to pay them extra for a unique IPv4 address so that you can avoid SNI. Or convince them to change the default certificate on your shared IP address.

Another option is to run another browser like Firefox. It includes its own TLS implementation and isn’t limited to XP’s shockingly dated cryptography.


#3

No way they are going to enable 3DES. I read in ssllabs that it is weak and should be avoided.
How can I get the SNI that everyone says?
So, it seems that one has to pay the 6USD in Dreamhost for the unique IPv4.
Some of my clients still use WinXP with IE8 (which I hope they get rid of).
Thanks


#4

SNI support is on the client end. XP doesn’t support it, so the only option for these users is Firefox (and even that is dropping XP support in the next release, I think), or get the unique IPv4 address.

3DES is the same: if you can’t enable it, then IE won’t connect to it. It’s not as bad as RC4 is, but not as good as AES, so it won’t hurt to enable it if you’re not hosting content that requires the very strong protection AES offers.
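
The two failures discussed in this thread (no shared cipher suite, and no SNI in the ClientHello), shown as an added example that is not part of the original posts: a minimal ClientHello builder and parser plus a simplified model of the server's decision. The suite lists, the host name `www.example.com` and all function names are constructed for illustration; the hosting provider's real configuration is not shown in the thread.

```python
import struct

# Constructed inputs: suites an XP-era client offers vs. an assumed modern-only server list.
XP_SUITES = [0x0004, 0x0005, 0x000A]   # RC4-MD5, RC4-SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
MODERN_SUITES = [0xC02F, 0xC030]       # ECDHE-RSA with AES-128/256-GCM (assumption)
DEFAULT_CERT = "sni.dreamhost.com"     # default certificate named in the thread

def build_client_hello(suites, sni=None):
    """Build a minimal TLS 1.0 ClientHello record (constructed sample input)."""
    ext = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        data = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(data)) + data            # extension type 0
        ext = struct.pack("!H", len(ext)) + ext                  # extensions block
    body = (b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites) + b"\x01\x00" + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (offered cipher suite ids, SNI host name or None)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body, pos = record[9:], 34          # skip both headers, then version and random
    pos += 1 + body[pos]                # session id
    (n,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
    pos += 2 + n
    pos += 1 + body[pos]                # compression methods
    sni = None
    if pos + 2 <= len(body):            # an XP-style hello ends here: no extensions
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            if etype == 0:              # server_name: list len, type, name len, name
                (nlen,) = struct.unpack_from("!H", body, pos + 7)
                sni = body[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    return suites, sni

def server_outcome(record, enabled, vhosts):
    """Simplified model: shared cipher suite first, then certificate selection."""
    suites, sni = parse_client_hello(record)
    if not set(suites) & set(enabled):
        return "handshake_failure"
    return "cert:" + (sni if sni in vhosts else DEFAULT_CERT)
```

With the constructed inputs, enabling 3DES alone changes the XP-style client's result from `handshake_failure` to the default certificate, which is why both the cipher list and the SNI requirement have to be addressed.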

