The certificate generated with certbot does not work on Windows XP


#1

My domain is: gisslicence.ml

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

When I try to access my website from Windows XP, the page is unreachable, but when I go to google.com or letsencrypt.com, that works.


#2

Hi,

Usually when the website doesn’t work on XP, it means that you are using SNI (one IP has several https sites on it), however, that’s not your case here…

What browser do you use to access the site? (Chrome seems to be fine, but IE does have some issues, might be due to FS)

Thank you


#3

I’m using IE. My real problem is that the site is unreachable from my program written in C# if it is started on Windows XP.
PS: The WebClient used in the code is precisely InternetExplorer.


#4

This isn’t a problem of the certificate, it’s a problem of your webserver-configuration.

Very old (XP): One ip-address -> one domain and one certificate
Newer (Server Name Indication - SNI): One ip-address + a lot of domains + a lot of certificates -> Client sends the server name, server answers with the correct configuration.

So you need to change your configuration so that your standard (default) entry has the correct certificate.


#5

So the problem is that the certificate contains two domains, www.gisslicence.ml and gisslicence.ml? I have only one site on my server.


#6

It could be that you’re using Windows XP before SP3, which “cannot handle SHA-2 signed certificates”.


#7

No, this is not the problem. The problem is that the client calls the IP address and doesn’t send the hostname / domain name (there is no place to send the domain name without SNI).

So the server has to select the right certificate. That is impossible if there are a lot of domains.

You can test it with

https://www.ssllabs.com/ssltest/

So your domain with XP-support has to be the default domain.


#8

I’m using Windows XP Professional 2002 ServicePack 3


#9

In that case, other people’s speculations about SNI might be more relevant.


#10

So, tested with SSL Labs. There is no info that SNI is required, so this should not be the problem.

But: IE + XP had only SSL3.

IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure

But you should not activate SSL3.

XP - no longer supported.


#11

So there is no way to support it?


#12

What can happen if I enable SSLv3 only for XP clients?


#13

You need to activate it on your server


#14

How can I do it? I tried, but apparently when I restart Apache I get an error saying that OpenSSL 1.1.0g does not support SSL3.


#15

SSL3 is deprecated. So OpenSSL 1.1 may no longer support it.

XP is also deprecated. So I would ignore these clients.

PS: XP with a newer Firefox may work. But not XP + IE.


#16

By default, but wasn’t there an option to manually enable TLS 1.0? I have no idea if that option can be activated from c# though, or how.


#17

I cannot ignore customers who have Windows XP installed on their computers; unfortunately, I am forced to run my program on Windows XP.


#18

I’ve already tried to activate TLS 1.0 from code without success.


#19

There was a registry entry, but actually, I didn’t find anything. And normally, it’s not possible to do that from code.


#20

Then you may install a very old OpenSSL-Version (perhaps with security holes). But I have no idea if this may work.