Is the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA compatible only with SSL3 or is it also compatible with TLS 1.0?
if I try google.com on ssllabs it turns out that it does not have SSL3 active, why can I access google.com from Win XP and IE?
Man⌠the site is not SNI, itâs exactly one domain per IPâŚ
I think the issue might be FS (forward security) mainly because other clients use the same configturation with forward security are able to open the website (and IE provides fatal error)
I still do not understand why is possible to visit google.com without FS and without SNI
also letsencrypt.com works on Win XP with IE
Found the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
With the Enabled - RegDWord - Value ffffffff
Long time ago this was a solution to activate TLS.1.2 on older Windows-Server (2008 R2).
I use the .NET Framework 4.0 which supports up to TLS 1.0
Hi @CrazyminerMC,
I donât think the problem is SNI, your server answers with the right cert for non SNI connections. You should try a different cipher suite for your web server:
For really old versions like IE 6 on XP you could try this directives in your Apache conf:
SSLProtocol all
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
For versions like IE 8 on Windows XP you could try these directives in your Apache conf:
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
Above entries are from Mozilla SSL Configuration Generator
Remember to restart your Apache Server when doing these changes to your conf.
Good luck,
sahsanu
I tried both configurations without success
I did the tests on ssllabs respectively but the cipher that interests me that is DES-CBC3-SHA does not work
the first configuration
Hi,
Please take look at the following answers t similiar to your question.
https://community.qualys.com/thread/16818-fatal-error-handshakefailure-message-for-ie-8xp
The IE seems to use RSA 3DS instead of all ciphers you enabledâŚ
Could you please check if your server would be able to enable a cipher that was used in your IE?
Thank you
The cipher used by IE is this TLS_RSA_WITH_3DES_EDE_CBC_SHA(in the cipher list must be puth this DES-CBC3-SHA), Iâve already put it in the list of ciphers but apparently it does not seem to work
Ssllabs has also a client check.
https://www.ssllabs.com/ssltest/viewMyClient.html
What happens if you load this page with a browser that doesnât work on your site?
that site does not work on IE on Windows XP
Hi @CrazyminerMC,
Take a look to this openssl blog post:
For 1.0.2 and 1.0.1, we removed the triple-DES ciphers from the âHIGHâ keyword and put them into âMEDIUM.â Note that we did not remove them from the âDEFAULTâ keyword. For the 1.1.0 release, which we expect to release tomorrow, we will treat triple-DES just like we are treating RC4. It is not compiled by default; you have to use âenable-weak-ssl-ciphersâ as a config option. Even when those ciphers are compiled, triple-DES is only in the âMEDIUMâ keyword. In addition, because this is a new release, we also removed it from the âDEFAULTâ keyword.
As 3DES is marked as an insecure cipher, Ubuntu is not compiling openssl with 3DES support (enable-weak-ssl-ciphers) so you are out of luck, you could use another old distribution supporting and old openssl version with 3DES cipher enabled like Debian 8 (I don't use Ubuntu so don't know what LTS version could fit your needs):
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.11 (jessie)
Release: 8.11
Codename: jessie
$ openssl version
OpenSSL 1.0.1t 3 May 2016
$ openssl ciphers -v 'ALL:COMPLEMENTOFALL' | grep DES
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
Note: I've tested it using a Windows XP SP3 IE8 on a VM and it works fine against a Debian 8 machine using a LE cert.
The other option is compile your own openssl version enabling 3DES support but that is not so easy because you should recompile other programs too against this new openssl version and it could be a pain to maintain it in case you finally get it working.
Maybe it is time to move on and leave XP resting in peace 
If you MUST use Windows XP, find a distribution that at least have some security updates like Debian 8 and use it... but that is not something I would recommend, up to you ;).
Good luck,
sahsanu
1 Like
Ubuntu 16.04 LTS supports 3DES and will be supported by Canonical until 2021.
1 Like
If you have to support Windows XP what is the feasibility of implementing a TLS and HTTP stack inside your application, or does your application depend on a web view control?
PS: Perhaps you should activate RC4 Cipher Suites.
Normally, they are completely deprecated, because they are unsecure. But with older configurations, RC4 was often used as standard cipher.
All data sent by the client to the server are encrypted, but I do not want to use the http because I want to implement a system to update the program and therefore I can not pass the updates through http because it would be too insecure, at least adding the TLS 1.0 are a little more protected