XP compatibility issues


#1

Hi,

The certificate issued by Let’s Encrypt doesn’t work on Windows XP SP3 32-bit in IE8, but works on other browsers (Chrome/Firefox). Is that normal?

thanks.


Which browsers and operating systems support Let's Encrypt
#2

The certificates should be compatible with XP SP3 and IE >= 6. That said, XP doesn’t support any modern ciphers or SNI, so you would have to make sure your server supports old (and relatively insecure) ciphers, for example by using the “Old” preset on Mozilla’s SSL Configuration generator.

If you could post your domain name or post the results of SSL Labs, I could give you a more specific pointer.


#3

Thanks a lot for the answer. I’ve changed some nginx parameters and now it works for ONE domain. But doesn’t work for another: there’s some weird section “Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI”

This one is good: https://www.ssllabs.com/ssltest/analyze.html?d=dev.crystalidea.com
This not: https://www.ssllabs.com/ssltest/analyze.html?d=forums.crystalidea.com

IE8 on XP gives: The security certificate presented by this website was issued for a different website’s address.

For some reason, in "Certificate #2: RSA 2048 bits (SHA256withRSA) " is Common names dev.crystalidea.com MISMATCH (i wonder why is dev.crystalidea.com here for forums.crystalidea.com?)

I issued both certificates using the following command line:
sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d <domain>

Nginx params for both:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
ssl_ciphers “EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4”;


#4

Windows XP does not support SNI. With SNI, a TLS client such as a web browser sends the hostname as part of the TLS handshake. Without SNI, the server does not receive such a hostname, and thus does not know which certificate to use for the connection, so it falls back to your default certificate (often the first one the web server encounters when parsing its configuration). This would result in a common name mismatch on at least one of your two domains.

If you’d like to make both domains compatible with XP, you’ll either need a dedicated IP per certificate, or get a SAN certificate that covers both dev.crystalidea.com and forums.crystalidea.com. With certbot, that works by just providing two -d arguments when requesting the certificate, i.e. -d dev.crystalidea.com -d forums.crystalidea.com.


#5

Thank you again.

  • Should I pay attention that ssllabs displays name mismatch (though giving me A+)?
  • [quote=“pfg, post:4, topic:24277”]
    -d dev.crystalidea.com -d forums.crystalidea.com.
    [/quote]
    in what folder then will the certificate be saved?
  • How many domain names in can be in a SAN certificate? Can domains be totally different (like example.com and bad-example.com) ?

#6

Is this for a different domain, or the two you mentioned? I don’t see a name mismatch for either right now, except for with browsers that don’t support SNI (due to the reason explained in my previous post). A name mismatch means that your browser will show a warning page, so this should be fixed.

I’m not entirely sure in this case - I think it might create a new directory, given that you have one for both domains already. Probably something like /etc/letsencrypt/live/dev.crystalidea.com-001/. You could add --expand to make the client use one of the existing directories (though I’m not sure which of the two it would pick). Either way, the client will print the directory name after the certificate was obtained.

Up to 100 on one certificate.

Yep, you can mix subdomains, second-level domains, etc. as you wish.


#7

Currently I’m planning to host 3 .com domains and 2 subdomains for one of .com.
Seems like I got it now: if I want all of them to be supported in XP-IE8 mode, I need to issue one SAS certificate in a single request. Is there any downside of that?


#8

Nope, that’s perfectly alright.


#9

Thank you a really great deal, everything works perfectly now!


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.