From what I could find online, I'd need OpenSSL 1.1.1 and libcURL 7.73.0 (although I'm not 100% sure), which have support for TLS 1.2/1.3 and modern networking while also staying compatible with Windows XP.
My only issue with the two is that despite me having searched for multiple downloads from multiple different repositories, I've only been able to find the executables and source code for them. 

Perhaps it's a mistake and stupidity on my behalf, but is it possible to directly get the SDK files directly? (Such as the "/include" and "/lib" directories)
And if so, would I be obliged to use outdated and non-updated versions of OpenSSL and libcURL, or are there any modern-ish and stable backports?

For reference, I'm compiling the app using Code::Blocks 17.12 alongside its bundled MinGW compiler (GCC 5.1.0), targeting 32-bit (x86) Windows XP.

Any help would be appreciated. Have a nice day. 

1. Grab leaked XP SP1/W2003 RTM sources (google it)
2. Use "XPSP1/NT" directory as basedir if you want to compile acpi.sys for Windows XP x32
3. Use "Win2K3/NT" directory as basedir for Windows 2003 x32 / Windows 2003 x64 / Windows XP x64
4. Download any GNU patch package for windows (gnuwin32.sourceforge.net, cygwin, mingw, msys2, ...)
5. Open command console, change current dir to base\busdrv\acpi\
6. (Windows XP x32) Save text diff patch  https://pastebin.com/C5NXwHbS (v7 update) to file base\busdrv\acpi\sp1_to_sp3(ACP2).patch
7. (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64) Save text diff patch https://pastebin.com/8QURrM49 (v7 update) to file base\busdrv\acpi\rtm_to_sp2(ACP2).patch
8. (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64) Rename Win2K3/NT/public to Win2K3/NT/public2
9. (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64) Update compiler and headers to mix of W2003 DDK+WRK, unpack  https://anonfiles.com/J1W9H1a8y1/W2003_tools_update_7z  to basedir with overriding existing files
10. Remove "read only" flag from base\busdrv\acpi directory including sub-dirs and files
11. Apply patch to convert original SP1/RTM sources to SP3/SP2 with extended ACPi 2.0 syntax:

    Quote

    (Windows XP x32) patch.exe -Np1 -u -l -i sp1_to_sp3(ACP2).patch

    (Windows 2003 x32 / Windows 2003 x64 / Windows XP x64)  patch.exe -Np1 -u -l -i rtm_to_sp2(ACP2).patch

     

12. patching file driver/amlinew/amlipriv.h
    patching file driver/amlinew/amlitest.c
    patching file driver/amlinew/data.c
    patching file driver/amlinew/misc.c
    patching file driver/amlinew/object.c
    patching file driver/amlinew/parser.c
    patching file driver/amlinew/proto.h
    patching file driver/amlinew/type1op.c
    patching file driver/amlinew/type2op.c
    patching file driver/inc/aml.h
    patching file driver/nt/debug.c
    patching file driver/nt/debug.h
    patching file driver/nt/devpower.c
    patching file driver/nt/internal.c
    patching file driver/nt/interupt.c
    patching file driver/nt/irqarb.c
    patching file driver/nt/osnotify.c
    patching file driver/nt/pciopregion.c
    patching file driver/nt/rangesup.c
    patching file driver/nt/root.c
    patching file driver/nt/wake.c

13. Change current dir to basedir
14. (Windows XP x32 / Windows 2003 x32) Run razzle environment setup:

    Quote

    set PROCESSOR_ARCHITECTURE=x86

    tools\razzle.cmd offline No_urt no_binaries no_certcheck No_prefast

    (add option free for nondebug compiling with optimization)

     

15. (Windows 2003 x64 / Windows XP x64) Run razzle environment setup

    Quote

    set PROCESSOR_ARCHITECTURE=x86

    tools\razzle.cmd Win64 Amd64 offline No_urt no_binaries no_certcheck No_prefast

    (add option free for nondebug compiling with optimization)

     

16. Change current dir to base\busdrv\acpi\driver\
17. Complie ACPI driver: build /Dcegbw
18. Compiled acpi.sys.sys will be in (x32) base\busdrv\acpi\driver\nt\obj\i386\ or (x64) base\busdrv\acpi\driver\nt\obj\amd64\

Project contains implementation of new ACPi 2.0 syntax:

• ToInteger
• ToString
• ToHexString
• Continue
• ConcatenateResTemplate
• ToDecimalString
• Mod
• ToBuffer
• CopyObject
• MidString
• QwordConst (inside ParseIntObj)
• Timer
• CreateQWordField(fake it as CreateDWordField)

Know issues workarounds:

1. BSOD 0xA5 (0x10006, ...)  missing _DIS method for "PNP0C0F" (PCI Interrupt Link Devices)
2. BSOD 0xA5 (0x02,xxx, 0x0, ...)  ACPI vs E820 mem ranges conflict
3. IOTRAPS I/O range 0xFF00-0xFFFF vs VGA (10-bit decode!) conflict
4. BSOD 0xA5(0x03, ..., C0140008, ...) error in ValidateArgTypes() when reading 64-bit fields
5. BSOD 0x7E(c0000005, ...) error in AcpiArbCrackPRT() when referencing null pointer
6. BSOD 0xA5 (0x11, 0x08, ..., ...) error in _AMLILoadDDB() (zero lenght buffer)
7. BSOD 0xA5 (0x11, 0x08, ..., ...) error in _AMLILoadDDB() (doubled device definition)
8. BSOD 0xA5 (0x0000000D, ..., 0x4449555F, 0) absence _UID method
9. BSOD 0xA5 (0x11, 0x08, ..., ...) error in _AMLILoadDDB() (Connection() opcode)
10. CPU definition as Device with _HID=ACPI0007
11. BSOD 0xA5(0x03, ..., C0000034, ...) postponed SSDT loading on x64 platform (v8 update)
12. Assertion Fail on loaddsdt.c, line 488 for x64 builds (v8 update)

Unresolved issues:

1.  BSOD 0xA5 (0x0000000D, ..., ..., ...) duplicated/absence _HID/_UID method (AMD boards)
2.  BSOD 0xA5 (0x2001, 0x01,  0xC0000034, ...) failure to evaluate the _PIC method in NotifyHalWithMachineStates()
3. Conflicted device names in Windows device manager (Code 42)

Motherboard: ASUS M5A97 R2.0 (AM3+)
CPU: AMD Phenom II 1100T
GPU: Nvidia GTX 980
NVME: Kioxia KXG6AZMV256G (OEM) - I bought this because I didn't want to spend too much on a drive if this didn't work out

Some bios info: Fast booting is off, CSM enabled and Legacy Only selected, Secure Boot is "unloaded" and OtherOS is selected, SATA is running in IDE mode (for DOS/98 SATA drive)

I saw a video by omores and followed what he did in this video using Integral Edition:

This half works, the driver allowed part 1 of the installer to see the nvme (stornvme) drive, then partition and format it, copies the files, but after reboot, I get the usual message of "Please select proper boot device" etc.

After some searching I saw a post here by @Dietmar about using the Samsung 950 Pro Option Rom inserted into the PC Bios (I assume instead of the "NvmExpressDxe_5.ffs" that I have inserted and this would maybe allow me to legacy boot MBR?)

The only other thing would be to install XP to a GPT disk, I have read people install XP to a SATA drive and then copy the contents to the NVME, I tried this with a drive that had two partitions (7 installed on second partition and then copy XP to the first partition) however I could not get XP to boot on the disk using EasyBCD, only 7.

Does anyone have any info on getting this to hopefully work? I also have Win98 on a separate SATA SSD which I'd like to multiboot but keep the NVME for XP/7. Thanks.

in the past i once came across a installer or often used a different name like SP4 update pack - or in my case "SP4 by harkaz"
so to say SP4 by harkaz is a installer but it use microsofts engine or the so CALLED "INF"
so when i used it i had a problem - the install time was like super high like 6 hours it was on my weak computer past in time
that is because the method is rather a engine or a script (and these are not fast)

to mention now is that "INF" installer engine by microsoft can install either registry entrys or files

the next thing to mention is that registry entrys and file controls are always made via the same ("windows api functions") (so other installers that have a such entrys (or whatever we call them) - always use these functions (these are absolute ) (not like the installer script itself)

these always look like for example : 
HKEY_LOCAL_MACHINE (the main key)
then there are KEY ENTRYS like "MYNAMEIS" 
then these have a TYPE like dword, binary, string
as last thing there is the DATA like "true" , "1" or 0x0000000

thus an INF has :
HKLM,(subfolder), MYNAMEIS, TYPE, DATA
so one to make his own installer for this need to write something similiar
to devide the parameters (, is used by microsoft, but it tends to bug with ")
so i used a more safe method : 0, or in the compiler \0 (that method give a clear cut and is  a lot harder to bug)
after that it looks like this:
"HKLM\0,(subfolder)\0, MYNAMEIS\0, TYPE\0, DATA",
the quotes are just because you in a compiler and the ", or just the , is for the next entry

for the files "microsoft INF" snips together some information
it has an identifier for a certain path like %systemroot%
for this it use a subpath
and a filename
that it snips together to like C:\windows\a.exe (with a subpath could be like C:\windows\x\a.exe) C:\windows + \x + a.exe

so i wrote something similiar 
identifier, subpath, targetfilename, sourcefilename, sourcesubpath
(for source always the path for the executable name (aka installer.exe) is taken
so basicly it do the same thing as microsofts INF
this is like absolute - their nor other installer can do nothing else in the end

so i was working around and took the biggest upgrade i could find
that was "IE8-WindowsXP-x86-ENU.exe" around 17 MB 
that being said that update/installer has 9187 registry entrys
so have this faster i made a converter - the converter exspect the above described "inf style " registry entry´s

now here would be the next idea, the most installers use exactly that "inf style" installer methods
this means you can combine all the upgrades to just 1 installer - you just have to collect the registrys and file entrys
then you have your "sp4 update pack" 

for now i only made the that for the first IE8 installer, but combine all is possible

and now its time for the test 
so i made 2 versions de (german) and en_us (english)
i tested them in a virtual machine if you install DE to a us version the IE8 is bugged up so if you install the US version to a DE system
i think you need SP2 too ... (as IE8 probaly needs that)
but that is not really a question or problem because the installer just has to proof that it installs correctly (the sp2 or files what we want we can do later)
beware and use either a VM or a computer where you can try this (otherwise you overwrite a older version if IE8 (if already got a newer version)) :
(source code also included)

Blank (only IE8 without upgrades GERMAN)
https://www.file-upload.net/download-15597090/IE8_DE_part1.zip.html

Blank (only IE8 without upgrades ENGLISH)
https://www.file-upload.net/download-15597091/IE8_enUS_part1.zip.html

IE8-Blank + kb4467770 + kb4019276 + kb4493435 + kb2598845 (ENGLISH)

https://www.file-upload.net/download-15597216/IE8_combined_ENUS.zip.html

IE8-Blank + kb4467770 + kb4019276 + kb4493435 + kb2598845 (GERMAN)

https://www.file-upload.net/download-15597217/IE8_combined_german.zip.html

kb4493435 seems to have a bugged entry it contains 6.1 for windows 7 but meant is 5.1 - that was corrected

installer code (blank)

https://www.file-upload.net/download-15602013/fp.zip.html

0. Table of Contents

0.           Table of Contents
1.           Introduction
2.           Purpose of ProxHTTPSProxy and HTTPSProxy
3.           Area of application
4.           The TLS protocols and their cipher suites
5.           Certificates - CA and Root Certificates
5.1.        The CA certficate of ProxHTTPSProxy
5.2.        The Root Certificates of Windows XP
6.           The TLS 1.2 proxies ProxHTTPSProxy and HTTPSProxy
6.1.        Prerequisites
6.1.1.     Detailed information
6.2.        Installation
6.3.        Configuration
6.3.1.     Configuration of ProxHTTPSProxy
6.3.2.     Configuration of HTTPSProxy
6.3.3.     Configuration of these proxies to access the MU website successfully nowadays
6.4.        Usage
6.4.1.     Usage of ProxHTTPSProxy
6.4.2.     Usage of HTTPSProxy
6.5.        Maintenance of ProxHTTPSProxy and HTTPSProxy for future use
7.           The TLS 1.2 proxy ProxHTTPSProxy's PopMenu 3V1
7.1.        Prerequisites
7.2.        Purpose and components of ProxHTTPSProxy's PopMenu 3V1
7.3.        Features of ProxHTTPSProxy's PopMenu 3V1
7.4.        Changelog of ProxHTTPSProxy's PopMenu 3V1:
7.5.        Installation and configuration of ProxHTTPSProxy's PopMenu 3V1
7.6.        Tranferring all settings of an existing ProxHTTPSProxy's installation
7.7.        Usage of ProxHTTPSProxy's PopMenu 3V1
8.           The TLS 1.3 proxy ProxyMII
8.1.        Prerequisites
8.2.        General information about ProxyMII
8.3.        Specific information about the different ProxyMII releases
8.3.1      ProxyMII (20220717)
8.3.2      ProxyMII (20230813)
8.4.        How to set up and use the TLS 1.3 proxy ProxyMII
9.           The TLS 1.3 proxy ProxHTTPSProxy's PopMenu TLS 1.3
9.1.        Prerequisites
9.2.        General information about ProxHTTPSProxy's PopMenu TLS 1.3
9.3.        ProxHTTPSProxy's PopMenu TLS 1.3 3V3
9.3.1.     Features of ProxHTTPSProxy's PopMenu TLS 1.3 3V3
9.3.2.     Changelog of ProxHTTPSProxy's PopMenu TLS 1.3 3V3
9.3.3.     Installation and start of ProxHTTPSProxy's PopMenu TLS 1.3 3V3
10.         Versions
10.1.      Versions of the TLS 1.2 proxies ProxHTTPSProxy, HTTPSProxy, and ProxHTTPSProxy's PopMenu
10.2.      Versions of the TLS 1.3 proxies ProxyMII and ProxHTTPSProxy's PopMenu TLS 1.3
11.          Downloads
11.1.       Archived Downloads {obsolete}:
11.2.       Latest Downloads
11.2.1.    Downloads related to the TLS 1.2 proxies
11.2.1.1. Downloads related to ProxHTTPSProxy
11.2.1.2. Downloads related to HTTPSProxy
11.2.2.    Downloads related to the TLS 1.3 proxies
11.2.3.    Downloads related to cacert.pem Certificate Update
11.2.4.    Downloads related to Root Certificate Updates
12.          Update notifications
13.          Conclusion
14.          Disclaimer

1. Introduction:

The idea of this thread is to provide information and recent findings I've made relating to the TSL proxies ProxHTTPSProxy and HTTPSProxy. Due to the fact that I don't use other older NT based Operation Systems (OSs) except Windows XP Professional all my observations and explanations are referring to both proxies in Windows XP only. So, please do not comment off-topic in this thread!
I am AstroSkipper, a member of MSFN since 2010, and was involved in restoring of access to the Microsoft Update (MU) website in Windows XP (and some other OSs). This is the thread:
https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/
While restoring MU in my own Windows XP Professional system, I had to solve a lot of problems and had among other things some significant findings relating to ProxHTTPSProxy and HTTPSProxy, too. The above mentioned thread is now over 140 pages long and unfortunately very bloated. In most cases visitors or members of MSFN don't want to read that much of pages for getting information they have looked for. A lot of comments are part of conversations which no longer can be retraced or understood easily by people who weren't participated. Therefore, I wanted to make my own findings accessible to all interested people in a clear, short way. That's why I decided to make my own thread to provide some facts, tips and especially news referring to these proxies. It is an unfortunate circumstance that the creators of ProxHTTPSProxy and HTTPSProxy, @heinoganda and @Thomas S., haven't been here for a long time and no further development of these proxies has been made the last years. Of course, we thank both creators explicitly for these outstanding proxies, we are very glad to have them, but they have to be used as they are. For this reason, we have to ask ourselves whether they'll continue doing their job in the future or not. But maybe some of you don't really know what actually their job is.

2. Purpose of ProxHTTPSProxy and HTTPSProxy:

Originally, ProxHTTPSProxy was created for Proxomitron as an SSL Helper Program. Proximotron is a local HTTP web-filtering proxy. Here are two links about Proxomitron: http://www.buerschgens.de/Prox/index.html (German website, use Google Translator if necessary) and https://msfn.org/board/topic/183295-web-browser-proxomitron-reborn-ptrongui-a-how-to-guide/.
This is a quotation from a post of the developer called "whenever" who had made ProxHTTPSProxy originally:

Quote

For every https request, it returns a "307 Moved Temporarily" response with a "Location" header pointing to the http version of the request. The purpose is to switch the browser from https mode to http mode. For every http request, it fetches the content through https protocol and feeds the decrypted content to the browser. The communication between ProxHTTPSProxy and the remote server is https while the communication between ProxHTTPSProxy and the browser is still http so Proxomitron gets a chance to filter the content.

Source link: https://prxbx.com/forums/showthread.php?tid=1618. Here is an image to show how ProxHTTPSProxy works:



ProxHTTPSProxy and HTTPSProxy were created by our members mentioned above to provide modern nag-free HTTPS connections for an HTTP proxy. The main purpose in Windows XP is in adding modern ciphers to HTTPS connections of the Internet Explorer (IE) to improve either its missing TLS 1.2 functionality or its rudimentary TLS 1.2 functionality last added by Microsoft after installing some relevant POSReady updates (KB4230450, KB4316682 and KB4019276). Here is a link with further information how TLS 1.1 and TLS 1.2 can be enabled in Windows XP: https://msfn.org/board/topic/178092-enable-tls-11-and-12-in-windows-xp-correctly/?do=findComment&comment=1158544. The original ciphers of IE are outdated and therefore a lot of websites can't be accessed or they don't work properly due to SSL issues. More information about these proxies you can find in the original thread: https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/.

3. Area of application:

As already said, the main purpose of these proxies is in adding modern ciphers to HTTPS connections of IE to improve either its missing TLS 1.2 functionality or its rudimentary TLS 1.2 functionality last added by Microsoft after installing some relevant POSReady updates. Therefore, ProxHTTPSProxy or HTTPSProxy is often used in combination with IE to access websites which couldn't be called up by IE without it. Some programs use Internet Explorer's browser engine called Trident to get data from Internet, to search something or to check for updates. For example my favourite movie database program All My Movies™ checks for updates using IE engine. Without one of these proxies it will fail. Some e-mail clients like eM Client or Eudora are using IE engine too. Some browsers like 360 Extreme Explorer are able to use IE engine for surfing. Another new purpose is to access Microsoft Update  to look for updates. As I mentioned above I was involved in restoring of access to the Microsoft Update (MU) website in Windows XP (and some other OSs), and we were successful by now. If you're interested in restoring MU functionality, I've written a little guide with the title "Complete guide for restoring IE's access to WU/MU website using ProxHTTPSProxy or HTTPSProxy in Windows XP" which can be found here:
https://msfn.org/board/topic/183498-general-and-specific-solutions-for-problems-regarding-auwumu-in-windows-xp/?do=findComment&comment=1216509
This thread is about different proxies to establish secure connections to servers or, more generally, to the internet. You often read about TLS, cipher suites, and certificates here. Therefore, I disseminate here some information about these "termini technici" for those who do not know exactly what is meant by them.

4. The TLS protocols and their cipher suites

If you research the term TLS on the internet, you will get a lot of information, sometimes very simply presented, sometimes very technical, more for IT experts.  With this small article, which can be seen more as a summary, I try to provide a little more transparency in this stuff.
Transport Layer Security, abbreviated TLS, is a protocol for the authentication and encryption of Internet connections. For this purpose, TLS is inserted as its own layer between TCP and the protocols of the application layer. Here is a linked graphic to make it more clear:

The individual tasks include authentication, certification, key exchange, integrity assurance and encryption. The main tasks are to guarantee the authenticity of the contacted remote stations, in most cases a server, by means of a certificate and to encrypt the connection between the remote stations. Here is a second linked graphic to demonstrate the actions and reactions in the communication between a client and a server:



The used protocol defines the basic communication for the connection and is as crucial for a secure connection as the encryption protocol itself. Due to a series of vulnerabilities, the SSL2 and SSL3 protocols must be considered a security vulnerability and should be avoided at all costs. The successor to SSL3, TLS 1.0 should also be avoided, as the protocol offers a method to downgrade an established TLS 1.0 connection to SSL3. Thus, the connection is again vulnerable to the vulnerabilities that affect SSL3. Unfortunately, its successor TLS 1.1 is also no longer up to date and should be rather avoided nowadays. For a long time, the TLS 1.2 protocol was considered secure and therefore recommended. It offers a number of improvements that should ensure the security of connections again. In general, each new SSL or TLS version has brought additional features and options, making configuration a little more confusing, implementation more error-prone and handling more tedious. Overall, the use of TLS has become more insecure. With TLS 1.3, this should change, at best. Or, this was and is the actual goal, at least. For this reason, every single function of TLS has been tested for its security benefits and risks. In the process of development and in regard to the present knowledge, some parts were removed that no longer offer security and some of which are now also considered insecure. At the same time, security was improved with new procedures. Furthermore, measures for performance optimisation and preventive hardening measures for future attacks were taken into account. TLS 1.3 breaks backwards compatibility for the first time, which unfortunately causes some problems in practice. Connections with TLS 1.3 can be interrupted either because the connection is not accepted en route or due to a defective web server. Anyway, the protocols TLS 1.2 and, above all, TLS 1.3 are recommended as secure protocols nowadays. Here is a list of typical protocols and their cipher suites used by the TLS 1.3 proxy of my current program package ProxHTTPSProxy's PopMenu TLS 1.3 3V3 as an example. It's a screenshot taken from the website https://browserleaks.com/ssl:



In the screenshot above, you can see many so called cipher suites belonging to specific TLS protocols. A cipher suite is a standardised collection of cryptographic procedures (algorithms) for encryption. In the Transport Layer Security (TLS) protocol, the cipher suite specifies which algorithms are to be used to establish a secure data connection. A cipher suite is generally displayed as a long string of seemingly random information but each segment of that string contains essential information. Generally, this data string is made up of several key components:

1. The used protocol, in most cases TLS.
2. The key exchange algorithm dictates the manner by which symmetric keys will be exchanged such as RSA, DH, DHE, ECDH, ECDHE.
3. The authentication algorithm dictates how server authentication and (if needed) client authentication will be carried out such as RSA, DSA, ECDSA.
4. The bulk encryption algorithm dictates which symmetric key algorithm will be used to encrypt the actual data such as AES, 3DES, CAMELLIA.
5. The Message Authentication Code (MAC) algorithm dictates the method the connection will use to carry out data integrity checks such as SHA, SHA256, MD5.

In some cases, there is an Elliptic Curve Cryptography (ECC) which is an encryption technique that provides public-key encryption similar to RSA. While the security strength of RSA is based on very large prime numbers, ECC uses the mathematical theory of elliptic curves and achieves the same security level with much smaller keys. Here are three linked graphics to illustrate these strings with examples:

5. Certificates - CA and Root Certificates

Although Windows XP was abandoned and updates of root certificates were not provided anymore by Microsoft for this OS, we still found ways to update them. And, if we want to install one of our TLS proxies, we have to install a CA certificate to get them working. In both cases, certificates are needed, and this short article is intended to shed some light on this certificate jungle with regards to our TLS proxies.

5.1. The CA certficate of ProxHTTPSProxy

A certificate authority (CA) is a trusted entity that issues digital certificates. These are files that cryptographically link an entity to a public key. Certificate authorities are an important part of the Internet's Public Key Infrastructure (PKI) because they issue the Secure Sockets Layer (SSL) certificates that browsers use to authenticate content sent from web servers. All popular web browsers use web servers' SSL certificates to keep content delivered online secure. They all need to trust certificate authorities to issue certificates reliably. SSL certificates are used in conjunction with the Transport Layer Security (TLS) protocol to encrypt and authenticate data streams for the HTTPS protocol, and are therefore sometimes referred to as SSL/TLS certificates or simply TLS certificates. The first time ProxHTTPSProxy is started, it creates the keys for a certificate authority in its program directory if there is none. This file CA.crt is used for on-the-fly generation of dummy certificates for each visited website which are stored in the subfolder Certs. And, there is a second file called cacert.pem located in ProxHTTPSProxy's program directory. This file cacert.pem contains the currently valid root certificates (will be considered in more detail below) used by the proxy to verify the server connections. Since your browser won’t trust the ProxHTTPSProxy's CA certificate out of the box, you will either need to click through a TLS certificate warning on every domain, or install the CA certificate once so that it is trusted. It has to be installed in the Trusted Root Certification Authority of Windows XP and in some cases additionally in the Certificate Manager of a browser as in the cases of New Moon, Pale Moon, Firefox, and others. The Internet Explorer doesn't possess an own certificates store and uses the Trusted Root Certification Authority of Windows XP. Typically, digital certificates contain data about the entity that issued the certificate and cryptographic data to verify the identity of the entity, including the entity's public key and expiration date for the certificate, as well as the entity's name, contact information, and other information associated with the certified entity. Web servers transmit this information when a browser establishes a secure connection over HTTPS. In doing so, they send to it the certificate and the browser authenticates it using its own root certificate store. The following graphic illustrates the structure of a Certificate Authority as for example GlobalSign:



SSL/TLS certificates are based on PKI as mentioned above, and there are a few key parts that need to be in place for the SSL certificate to work:

• A digital certificate (for example, an SSL/TLS certificate) that proves the website’s identity.
• A certificate authority that verifies the website and issues the digital certificate.
• A digital signature that proves the SSL certificate was issued by the trusted certificate authority.
• A public key that your browser uses to encrypt the data sent to the website.
• A private key that the website uses to decrypt the data sent to it.

Here is another graphic to illustrate the role that a certificate authority (CA) plays in the Public Key Infrastructure (PKI):



When installing such CA certificates in Windows XP manually, then there is something else to note. It can be of crucial importance whether one installs a root certificate under the account of the Current User or Local Computer. In this article a little further down, you can find more information on that. Furthermore, exiting ProxHTTPSProxy completely, deleting the old CA.cert file in ProxHTTPSProxy's program directory, and restarting ProxHTTPSProxy will result in the generation of a new CA.crt that will be valid for another ten years. In addition, the certificate bundle cacert.pem should be updated, at best regularly. You can do that with the tool cacert Updater Fixed which can be found in the download section 11.2.3. Downloads related to cacert.pem Certificate Update. This tool is also included in my program package ProxHTTPSProxy's PopMenu. And, that is the moment to note something very important. Any change to a ProxHTTPSProxy installation regarding the CA certificate or a severe system crash while one of the proxies is running in the background always requires a reset of all dummy certificates in the Certs subfolder. The word "reset" at this point means deleting all certificates that have been created in the Certs folder, manually by the user. The next time the proxy is started correctly, all necessary certificates will be created again when the corresponding websites are accessed. Here are a few screenshots of ProxHTTPSProxy's CA certificate (German edition of Windows XP, sorry!):





5.2. The Root Certificates of Windows XP

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based PKI. Either it has matched Authority Key Identifier with Subject Key Identifier, in some cases there is no Authority Key identifier, then Issuer string should match with Subject string (RFC 5280). For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates. A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key which is used to "sign" other certificates. All certificates signed by the root certificate, with the "CA" field set to true, inherit the trustworthiness of the root certificate. A signature by a root certificate is somewhat analogous to "notarizing" identity in the physical world. Such a certificate is called an intermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates.
The following graphic illustrates the role of a root certificate in the chain of trust:



The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. Root certificates are distributed in Windows XP by Microsoft and located in special certificate stores. These certificate stores may be viewed through the Certificates snap-in Certmgr.msc in the Microsoft Management Console (MMC). You can open the Certificates console focused on the Current User on a Windows XP computer by executing Certmgr.msc in the Run dialog box. Here is a screenshot of what you see running this command (German edition of Windows XP, sorry!):



The root certificates of Windows XP can be updated by @heinoganda's Certificate Updater, @Thomas S.'s CAupdater, or by my self-created Root Certificate and Revoked Certificate Updaters, in all cases to the most recent ones provided by Microsoft. These updaters can be found in the download section under 11.2.4. Downloads related to Root Certificate Updates. There is no automatism for this updating. It must be done manually by the user and, if possible, regularly. @heinoganda's Certificate Updater is also included in my program package ProxHTTPSProxy's PopMenu.

And now, back to our proxies.

6. The TLS 1.2 proxies ProxHTTPSProxy and HTTPSProxy

6.1. Prerequisites:

A CPU with SSE2 instruction set is required to run the more recent versions of these TLS 1.2 proxies under Windows XP.

6.1.1. Detailed information:

Testing system: Windows XP Professional SP3 POSReady with an AMD Athlon XP 3200+ (Thoroughbred), an old CPU providing SSE, but lacking of SSE2 instruction set.

After testing of all proxies mentioned in this article, I can confirm that all @heinoganda's releases ProxHTTPSProxy REV3b, ProxHTTPSProxy REV3d, ProxHTTPSProxy REV3e and @Thomas S.'s release HTTPSPoxy in version HTTPSProxy_Launcher_v2_2018-11-06 require a CPU with SSE2 instruction set.
All these proxies crashed when starting 'ProxHTTPSProxy.exe' or 'HTTPSProxy.exe'. But @whenever's release ProxHTTPSProxyMII 1.3a could be started without crashing, and after testing I can confirm this proxy is fully compatible with a CPU possessing SSE instruction set only. Therefore, this proxy can be used in such old systems, but only if absolutely necessary. For safety reasons. More detailed information below in the section 10.1. Versions of the TLS 1.2 proxies ProxHTTPSProxy, HTTPSProxy, and ProxHTTPSProxy's PopMenu.

6.2. Installation:

The program packages provide documents and instructions, actually sufficient. Both proxies do not need any installation. There is no setup installer. They are fully portable with a few exceptions. The user has to edit the config file according to his needs, he should update a special certificate called 'cacert.pem' and he has to install the proxy's root certificate properly in any case. But to avoid unnecessary repetitions, I'll come back to that later in the section 6.3. Configuration. The location of their program folder can be chosen freely. For this purpose, I've created a folder "Portable" in my system partition. I have created this folder to remind me that programs inside folder Portable do not have to be uninstalled.

6.3. Configuration:

The configurations of these proxies are a bit different.

6.3.1. Configuration of ProxHTTPSProxy:

- Install ProxHTTPSProxy's root certificate 'CA.crt' under the Trusted Root Certification Authority manually or apply 'ProxHTTPS Cert Install.exe'. Alternatively you can use the more recent ProxHTTPSProxy Cert Installer which has been modified and updated by me. You can find it in the section 11.2.1.1. Downloads related to ProxHTTPSProxy.
- Edit  the config file 'config.ini' according to your needs. More detailed explanations at the end of this section.
- Update the certificate 'cacert.pem' by downloading and inserting it manually (see cacert Update.txt) or automatically by applying 'cacert_Updater.exe'. Due to the circumstance that @heinoganda's original cacert Updater doesn't work anymore, I have fixed it. This "cacert Updater Fixed" can be downloaded in the section 11.2.3. Downloads related to cacert.pem Certificate Update.

6.3.2. Configuration of HTTPSProxy:

- Generate a new HTTPSProxy's root certificate 'HTTPSProxyCA.crt' by opening 'HTTPSProxy.exe' and closing its window when the process is over.
- Install HTTPSProxy's root certificate 'HTTPSProxyCA.crt' under the Trusted Root Certification Authority manually. Alternatively you can use the brand new HTTPSProxy Cert Installer which has been created by me. You can find it in the section 11.2.1.2. Downloads related to HTTPSProxy.
- Edit  the config files 'config.ini' and 'Launcher.ini' according to your needs. More detailed explanations at the end of this section.
- Update the certificate 'cacert.pem' by downloading from url https://curl.se/ca/cacert.pem and inserting it manually (see Installation-Update_EN.txt) or automatically by clicking cacert.pem update in Launcher's menu.
- Execute the reg file 'Inet_CurUser_ProxySettings.reg'.

Both proxies have got a config file called 'config.ini'. The following parameters of the proxy can be specified there:: ProxAddr,  FrontPort,  BackPort, LogPort and LogLevel. Look into this file and you'll get short descriptions of these parameters. Furthermore there are special sections titled [SSL No-Verify], [BLACKLIST], [SSL Pass-Thru] and [BYPASS URL]. In these sections url addresses can be inserted letting the proxy know how to perform them. HTTPSProxy has a second config file called 'Launcher.ini'. Here you can set up the Launcher of HTTPSProxy. A short description can be read at the beginning of each file section.
Here you can see HTTPSProxy's config file similar to the one of ProxHTTPSProxy:



More detailed information about the parameters and sections can be found in their doc files.
Both proxies can be set as system-wide proxies using the executable proxycfg.exe. Here are proxycfg's command line parameters:

• The command proxycfg displays the current WinHTTP proxy settings.
• The command proxycfg -d specifies that all HTTP and HTTPS servers should be accessed directly. Use this command if there is no proxy server.
• The command proxycfg -p proxy-server-list optional-bypass-list specifies one or more proxy servers, and an optional list of hosts that should be accessed directly. If a proxy server is not specified for a given protocol and that server is not in the bypass list, the -p option specifies that the server cannot be accessed at all.
• The command proxycfg -d -p proxy-server-list optional-bypass-list specifies one or more proxy servers, and an optional list of hosts that should be accessed directly. If a proxy server is not specified for the given protocol, the -d option specifies that the server should be accessed directly instead.
• The command proxycfg -u imports the Internet Explorer proxy settings of the current user. WinHTTP does not support auto-discovery and configuration script-based proxy settings.

So far so good, but unfortunately that's not the whole truth.

6.3.3. Configuration of these proxies to access the MU website successfully nowadays:

The MU website can be accessed only by IE, but nowadays it needs the more recent cryptographic protocol TLS 1.2. That's the reason why MU wasn't available in the past. Therefore we have to use one of these proxies to gain access. If all steps of my Complete guide for restoring IE's access to WU/MU website using ProxHTTPSProxy or HTTPSProxy in Windows XP have been  performed properly, you would like to call up MU website. But in some cases problems could occur. One of them is to get a MU website with output of error code 0x80072f8f (hexadecimal notation). I had examined this error deeply and could solve it. But what does that have to do with our proxies? Of course a lot, otherwise I wouldn't have mentioned it. Here you can read my short post "Final fix of error code 0x80072f8f while accessing WU or MU website":
https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1213188
The steps in order:

1. Delete the old CA.cert file in ProxHTTPSProxy's program folder.
2. Delete all certificates in ProxHTTPSProxy's certs subfolder.
3. Update the certificate cacert.pem.
4. Run the executable ProxHTTPSProxy.exe. A new ProxHTTPSProxy CA certificate CA.crt valid for another ten years has been generated.
5. Import this new ProxHTTPSProxy CA certificate to Trusted Root Certification Authority but under the account local computer.

And exactly here lies the problem. You have to import this certificate in a special way to ensure it is really installed in Trusted Root Certification Authority under the account local computer. Otherwise, it can happen that this certificate is installed in Trusted Root Certification Authority under the account current user. And that is definitely the cause of error code 0x80072f8f. No one had told us where this certificate has to be installed to. No hints in the doc files of both proxies. And, how can we do that? Here are the detailed steps using the Microsoft Management Console:

1. Open console by typing mmc.
2. Add a snap-in for certificates.
3. Choose for local computer.
4. Import your recently generated ProxHTTPSProxy CA certificate to Trusted Root Certification Authority.
5. Finished.

Now, we have to modify the config file. Alternatively you can use my pre-configured config files in the section 11.2.1. Downloads related to the TLS 1.2 proxies.
Open the file config.ini in an editor of your choice. Add these urls under the section [SSL No-Verify]:
urs.microsoft.com
c.microsoft.com*
*one.microsoft.com*
download.windowsupdate.com
cc.dcsec.uni-hannover.de
fe2.ws.microsoft.com
*update.microsoft.com
ds.download.windowsupdate.com
- Save your changes.
- Finished.

Of course, same procedure for HTTPSProxy with one exception: HTTPSProxy's root certificate is named HTTPSProxyCA.crt. Fixing error code 0x80072f8f leads to fixing another problem and that is the validity of Proxy's root certificate. From now on a freshly generated root certificate of ProxHTTPSProxy or HTTPSProxy valid for another ten years will be fully functional because we finally know where it exactly has to be imported to. Maybe, you understand now how important it is to configure these proxies properly. Otherwise, they wouldn't work flawlessly. In the section 11.2.1. Downloads related to the TLS 1.2 proxies, I provide separate CA Certificate Installer and Uninstaller for both proxies. They have been created by me for the people who do not dare to generate and install certificates themselves. Due to a modification made by me, these installers and uninstallers do now their job properly, i.e. the certificate installation will be definitely performed in the Trusted Root Certification Authority under the account local computer. If you asked me which kind of certificate installation you should choose, I would recommend the manual method. For security reasons only. The installers contain a pre-generated root certificate of its proxy which will be installed properly. But as a result all users of these installers will have got the same certificate unfortunately. Normally, no good. But, do we really want to spy each other? I don't think so. On the other hand, using the manual method we all will have an unique certificate without any risks. So it's up to you!  

6.4. Usage:

The usage of these proxies is very simple but a bit different.

6.4.1. Usage of ProxHTTPSProxy:

The best way to start ProxHTTPSProxy is to execute the file ProxHTTPSProxy_PSwitch.exe. In this case, ProxHTTPSProxy will set up itself automatically and delete its settings when closing. You can check the settings of ProxHTTPSProxy in Internet Options of IE. Here is a screeshot of ProxHTTPSProxy's program window:



6.4.2. Usage of HTTPSProxy:

The way to start HTTPSProxy is a bit different. For starting it, you have to simply drag the executable HTTPSProxy.exe onto a second executable Launcher.exe by drag & drop and a new system tray icon appears. Via this icon, all available options of HTTPSProxy's Launcher are accessible. There are a lot of options: HTTPSProxy exit, HTTPSProxy restart, HTTPSProxy show, HTTPSProxy hide, HTTPSProxy launch with Windows, config.ini edit, cacert.pem update, HTTPSProxy enabled - settings - log, Update Windows root CAs, Launcher.ini edit and so on. Here are some screenshots of HTTPSProxy:

Launcher's menu:



HTTPSProxy - switched on and switched off:





HTTPSProxy's program window:



HTTPSProxy while accessing MU:



If connection errors occur, you can check the settings of HTTPSProxy in Internet Options of IE and set them manually or automatically by applying reg file 'Inet_CurUser_ProxySettings.reg'. And now one important hint. If you want to use both proxies in your system, you mustn't run them in RAM at same time! Otherwise the selected proxy won't work at all. You have to close the unused proxy to use the other. Keep that in mind!  

6.5. Maintenance of ProxHTTPSProxy and HTTPSProxy for future use:

We have to carry out a bit of maintenance to ensure that these proxies are working properly. First of all, the system's root certificates should be updated every three months. If you have not done that yet, you can use one of the root certificate updater in the section 11.2.4. Downloads related to Root Certificate Updates where different online and offline versions can be downloaded from. Then you should check following list:

• Regular update of the file 'cacert.pem'.
• Maintenance and check of the file config.ini according to your needs.
• Checking the validity of the proxy's root certificate.
• Deleting of all certificates in the folder 'Certs' if the proxy isn't working properly.
• Checking the state of the Proxy in IE or in your system.

7. The TLS 1.2 proxy ProxHTTPSProxy's PopMenu 3V1

7.1 Prerequisites:

A CPU with SSE2 instruction set is required to run this TLS 1.2 proxies under Windows XP.

7.2. Purpose and components of ProxHTTPSProxy's PopMenu 3V1:

This is the first release of ProxHTTPSProxy's PopMenu 3.0 in version 1.0.0.0 shortened 3V1. ProxHTTPSProxy's PopMenu 3V1 is a one-click menu in systray to access and control @heinoganda's ProxHTTPSProxy REV3e. ProxHTTPSProxy's PopMenu 3V1 is a synthesis of self-programmed executables, a very few commands, credits to @AstroSkipper at MSFN, and the freeware PopMenu 3.0, credits to Jochanan Agam at freeware.persoft.ch. All the information I spread about ProxHTTPSProxy in the sections above is of course also valid for ProxHTTPSProxy's PopMenu.

7.3. Features of ProxHTTPSProxy's PopMenu 3V1:

ProxHTTPSProxy's PopMenu is not a classical launcher, it is rather a systray popup menu. It can be totally customized and continuously extended according to user's needs due to its modular structure, therefore much more flexible than a classical, compiled launcher. More features can be added easily without touching existent code. Due to ProxHTTPSProxy's PopMenu's modular structure the user can change, add, delete and reorder features. Even the icons in menu can be changed easily by the user.

Here is the complete list of features implemented in ProxHTTPSPoxy's PopMenu 3v1:

1. Start ProxHTTPSPoxy
2. Stop ProxHTTPSPoxy
3. Hide ProxHTTPSPoxy
4. Show ProxHTTPSPoxy
5. Check if ProxHTTPSPoxy is running (in RAM)
6. cacert.pem Update
7. Root Certificates Update
8. Open IE Proxy settings
9. Close IE Proxy settings
10. Check system proxy status
11. Enable ProxHTTPSProxy system-wide
12. Disable ProxHTTPSProxy system-wide
13. Edit config.ini
14. Read documentation

And here is a screenshot of ProxHTTPSProxy's PopMenu 3V1:



ProxHTTPSPoxy's PopMenu is provided together with ProxHTTPSProxy REV3e. This new archive called "ProxHTTPSProxy_REV3e_PopMenu_3V1" has been additionally updated by me. These are the changes to original package of @heinoganda:

7.4. Changelog of ProxHTTPSProxy's PopMenu 3V1:

• @heinoganda's Certificate Updater 1.6 added.
• Old CA Root Certificate CA.crt replaced by new one valid until 02/19/2032.
• ProxHTTPSProxy CA Certificate Installer and Uninstaller replaced by more recent ones corresponding to pre-generated CA Root Certificate valid until 02/19/2032.
• Old cacert Updater removed, recreated cacert Updater Fixed added.
• cacert.pem updated to most recent one.
• Alternative latest cacert.pem dated of 2022-04-26 from Mozilla added with download url.
• All self-programmed executables of ProxHTTPSPoxy's PopMenu 3v1 created in two different versions, UPX and noUPX, following the spirit of ProxHTTPSPoxy's creator.

7.5. Installation and configuration of ProxHTTPSProxy's PopMenu 3V1:

1. Unpack archive and copy the complete folder ProxHTTPSProxy_REV3e_PopMenu_3V1_noUPX or ProxHTTPSProxy_REV3e_PopMenu_3V1_UPX (or its complete content) to desired location.
2. Although both, ProxHTTPSProxy REV3e and ProxHTTPSPoxy's PopMenu 3V1, are fully portable, the config file of program PopMenu has to be adjusted to new location. This can be done manually or much more comfortable automatically by a tool I created for this purpose only. Go to subfolder PopMenu and execute "Configure PopMenu.exe". This procedure will always set the menu back to default settings. If you modified the menu in the past to your needs, you have to adjust the config file "PopMenu.ini" manually, otherwise you'll lose your modifications. In any case the paths in config file "PopMenu.ini" have to be adjusted when the complete program folder (or its complete content) was copied to a new location.

7.6. Tranferring all settings of an existing ProxHTTPSProxy's installation:

Copy the files "CA.crt" and "config.ini" from old installation folder to new one. Same with complete subfolder "Certs". Doing it in that way you won't lose any old settings.

7.7. Usage of ProxHTTPSProxy's PopMenu 3V1:

To start ProxHTTPSPoxy's PopMenu, just apply "ProxyPopMenu.exe" in main program folder ProxHTTPSProxy_REV3e_PopMenu_3V1_noUPX or ProxHTTPSProxy_REV3e_PopMenu_3V1_UPX. ProxHTTPSPoxy's PopMenu can be set to "Start automatically at Windows startup" in context menu item "Settings" which is called up by right-clicking systray icon. Here the PopMenu can be configured generally. ProxHTTPSPoxy's PopMenu has been pre-configured by me. The provided functions (items) corresponding to their labels are in most cases self-programmed executables and in a very few inserted commands. All items of ProxHTTPSPoxy's PopMenu are generally self-explanatory. Feel free to click on them and test them! If you click on item "Enable ProxHTTPSProxy system-wide", my program checks whether ProxHTTPSProxy is running or not. If not, it will be started immediately. This is necessary to set ProxHTTPSProxy to mode system-wide or setting process would fail. And one recommendation: Do not change or modify files in subfolder PopMenu and keep the file or folder structure inside main folder, otherwise the ProxHTTPSProxy's PopMenu won't work properly! If you want to modify the menu, do it in PopMenu's "Settings". But you have to know what you do otherwise ProxHTTPSPoxy's PopMenu won't work as expected.

ProxHTTPSProxy's PopMenu itself has a very low usage of RAM. It's only about 2 MB.

The download link of ProxHTTPSProxy's PopMenu 3V1 can be found in the section 11.2.1.1. Downloads related to ProxHTTPSProxy.

8. The TLS 1.3 proxy ProxyMII

8.1. Prerequisites:

ProxyMII was created by Python 3.7.1 which requires Microsoft Visual C++ 2015 Redistributable or Microsoft Visual C++ 2015-2019 Redistributable (latest version 14.28.29213.0). Check if it is installed in your system!

8.2. General information about ProxyMII:

ProxyMII is a proxy based on ProxHTTPSProxy which was originally created by whenever. It was enhanced in terms of the TLS 1.3 protocol and its cipher suites by @cmalex who recently created it using Python 3.7.1. Again, a big thanks for that to @cmalex! ProxyMII provides all TLS protocols from TLS 1.0 up to TLS 1.3 and its corresponding cipher suites. It differs from @heinoganda's ProxHTTPSProxy in its file structure and does not provide a comparable program like ProxHTTPSProxy_PSwitch.exe to activate or deactivate the proxy settings automatically, when the proxy is started or closed. This has to be done manually by the user. If you want to use ProxyMII as it is without any additional comfort, then read the following instructions to get it running.

8.3. Specific information about the different ProxyMII releases:

8.3.1 ProxyMII (20220717):

Hardware requirements: A CPU with SSE2 instruction set is not required anymore, SSE only is sufficient.

ProxyMII (20220717) is now based on OpenSSL 3.0.5, dated from 2022-07-05, and Cryptography 3.4.8, dated from 2021-08-24.

8.3.2. ProxyMII (20230813):

Hardware requirements: A CPU with SSE2 instruction set is now required., SSE only is not sufficient anymore.

ProxyMII (20230813) is now based on OpenSSL 3.1.2, dated from 2023-08-01, and Cryptography 40.0.2, dated from 2023-04-14. Here are the changelogs:

Changes from OpenSSL 3.0.5 to OpenSSL 3.1.2:

Quote

Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]

Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])

Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])

Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

When building with the `enable-fips` option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret and the Hash and HMAC DRBGs will not operate with truncated digests.

Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]

Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])

Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])

Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])

Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])

Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 3.0.10 and OpenSSL 3.1.0 [14 Mar 2023]

SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.

Performance enhancements and new platform support including new assembler code algorithm implementations.

Deprecated LHASH statistics functions.

FIPS 140-3 compliance changes.

Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]

Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])

Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])

Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]

Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])

Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])

Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])

Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])

Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]

Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])

Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])

Fixed NULL dereference validating DSA public key ([CVE-2023-0217])

Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])

Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])

Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])

Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])

Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])

Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])

Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]

Added RIPEMD160 to the default provider.

Fixed regressions introduced in 3.0.6 version.

Fixed two buffer overflows in punycode decoding functions. ([CVE-2022-3786]) and ([CVE-2022-3602])

Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]

Fix for custom ciphers to prevent accidental use of NULL encryption ([CVE-2022-3358])

Changes from Cryptography 3.4.8 to Cryptography 40.0.2:

Quote

40.0.2 - 2023-04-14

Fixed compilation when using LibreSSL 3.7.2.

Added some functions to support an upcoming pyOpenSSL release.

40.0.1 - 2023-03-24

Fixed a bug where certain operations would fail if an object happened to be in the top-half of the memory-space. This only impacted 32-bit systems.

40.0.0 - 2023-03-24

BACKWARDS INCOMPATIBLE: As announced in the 39.0.0 changelog, the way cryptography links OpenSSL has changed. This only impacts users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables are no longer valid. Instead, users need to configure their builds as documented here.

Support for Python 3.6 is deprecated and will be removed in the next release.

Deprecated the current minimum supported Rust version (MSRV) of 1.48.0. In the next release we will raise MSRV to 1.56.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.

Deprecated support for OpenSSL less than 1.1.1d. The next release of cryptography will drop support for older versions.

Deprecated support for DSA keys in load_ssh_public_key() and load_ssh_private_key().

Deprecated support for OpenSSH serialization in DSAPublicKey and DSAPrivateKey.

The minimum supported version of PyPy3 is now 7.3.10.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.0.

Added support for parsing SSH certificates in addition to public keys with load_ssh_public_identity(). load_ssh_public_key() continues to support only public keys.

Added support for generating SSH certificates with SSHCertificateBuilder.

Added verify_directly_issued_by() to Certificate.

Added a check to NameConstraints to ensure that DNSName constraints do not contain any * wildcards.

Removed many unused CFFI OpenSSL bindings. This will not impact you unless you are using cryptography to directly invoke OpenSSL’s C API. Note that these have never been considered a stable, supported, public API by cryptography, this note is included as a courtesy.

The X.509 builder classes now raise UnsupportedAlgorithm instead of ValueError if an unsupported hash algorithm is passed.

Added public union type aliases for type hinting:

Asymmetric types: PublicKeyTypes, PrivateKeyTypes, CertificatePublicKeyTypes, CertificateIssuerPublicKeyTypes, CertificateIssuerPrivateKeyTypes.

SSH keys: SSHPublicKeyTypes, SSHPrivateKeyTypes, SSHCertPublicKeyTypes, SSHCertPrivateKeyTypes.

PKCS12: PKCS12PrivateKeyTypes

PKCS7: PKCS7HashTypes, PKCS7PrivateKeyTypes.

Two-factor: HOTPHashTypes

Deprecated previously undocumented but not private type aliases in the cryptography.hazmat.primitives.asymmetric.types module in favor of new ones above.

39.0.2 - 2023-03-02

Fixed a bug where the content type header was not properly encoded for PKCS7 signatures when using the Text option and SMIME encoding.

39.0.1 - 2023-02-07

SECURITY ISSUE - Fixed a bug where Cipher.update_into accepted Python buffer protocol objects, but allowed immutable buffers. CVE-2023-23931

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

39.0.0 - 2023-01-01

BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.0 has been removed. Users on older version of OpenSSL will need to upgrade.

BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support.

BACKWARDS INCOMPATIBLE: Removed the encode_point and from_encoded_point methods on EllipticCurvePublicNumbers, which had been deprecated for several years. public_bytes() and from_encoded_point() should be used instead.

BACKWARDS INCOMPATIBLE: Support for using MD5 or SHA1 in CertificateBuilder, other X.509 builders, and PKCS7 has been removed.

BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer.

ANNOUNCEMENT: The next version of cryptography (40.0) will change the way we link OpenSSL. This will only impact users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables will no longer be respected. Instead, users will need to configure their builds as documented here.

Added support for disabling the legacy provider in OpenSSL 3.0.x.

Added support for disabling RSA key validation checks when loading RSA keys via load_pem_private_key(), load_der_private_key(), and private_key(). This speeds up key loading but is unsafe if you are loading potentially attacker supplied keys.

Significantly improved performance for ChaCha20Poly1305 when repeatedly calling encrypt or decrypt with the same key.

Added support for creating OCSP requests with precomputed hashes using add_certificate_by_hash().

Added support for loading multiple PEM-encoded X.509 certificates from a single input via load_pem_x509_certificates().

38.0.4 - 2022-11-27

Fixed compilation when using LibreSSL 3.6.0.

Fixed error when using py2app to build an application with a cryptography dependency.

38.0.3 - 2022-11-01

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7, which resolves CVE-2022-3602 and CVE-2022-3786.

38.0.2 - 2022-10-11 (YANKED)

Attention

This release was subsequently yanked from PyPI due to a regression in OpenSSL.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.

38.0.1 - 2022-09-07

Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically seen in large CRLs).

38.0.0 - 2022-09-06

Final deprecation of OpenSSL 1.1.0. The next release of cryptography will drop support.

We no longer ship manylinux2010 wheels. Users should upgrade to the latest pip to ensure this doesn’t cause issues downloading wheels on their platform. We now ship manylinux_2_28 wheels for users on new enough platforms.

Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.

decrypt() and related methods now accept both str and bytes tokens.

Parsing CertificateSigningRequest restores the behavior of enforcing that the Extension critical field must be correctly encoded DER. See the issue for complete details.

Added two new OpenSSL functions to the bindings to support an upcoming pyOpenSSL release.

When parsing CertificateRevocationList and CertificateSigningRequest values, it is now enforced that the version value in the input must be valid according to the rules of RFC 2986 and RFC 5280.

Using MD5 or SHA1 in CertificateBuilder and other X.509 builders is deprecated and support will be removed in the next version.

Added additional APIs to SignedCertificateTimestamp, including signature_hash_algorithm, signature_algorithm, signature, and extension_bytes.

Added tbs_precertificate_bytes, allowing users to access the to-be-signed pre-certificate data needed for signed certificate timestamp verification.

KBKDFHMAC and KBKDFCMAC now support MiddleFixed counter location.

Fixed RFC 4514 name parsing to reverse the order of the RDNs according to the section 2.1 of the RFC, affecting method from_rfc4514_string().

It is now possible to customize some aspects of encryption when serializing private keys, using encryption_builder().

Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL versions older than 22.0 will need to upgrade.

Added AES128 and AES256 classes. These classes do not replace AES (which allows all AES key lengths), but are intended for applications where developers want to be explicit about key length.

37.0.4 - 2022-07-05

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.

37.0.3 - 2022-06-21 (YANKED)

Attention

This release was subsequently yanked from PyPI due to a regression in OpenSSL.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.

37.0.2 - 2022-05-03

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.

Added a constant needed for an upcoming pyOpenSSL release.

37.0.1 - 2022-04-27

Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error.

Restored some legacy symbols for older pyOpenSSL users. These will be removed again in the future, so pyOpenSSL users should still upgrade to the latest version of that package when they upgrade cryptography.

37.0.0 - 2022-04-26

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.

BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+.

BACKWARDS INCOMPATIBLE: Removed signer and verifier methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to sign and verify.

Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of cryptography will be the last to support compiling with OpenSSL 1.1.0.

Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future cryptography release.

Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.

Deprecated CAST5, SEED, IDEA, and Blowfish because they are legacy algorithms with extremely low usage. These will be removed in a future version of cryptography.

Added limited support for distinguished names containing a bit string.

We now ship universal2 wheels on macOS, which contain both arm64 and x86_64 architectures. Users on macOS should upgrade to the latest pip to ensure they can use this wheel, although we will continue to ship x86_64 specific wheels for now to ease the transition.

This will be the final release for which we ship manylinux2010 wheels. Going forward the minimum supported manylinux ABI for our wheels will be manylinux2014. The vast majority of users will continue to receive manylinux wheels provided they have an up to date pip. For PyPy wheels this release already requires manylinux2014 for compatibility with binaries distributed by upstream.

Added support for multiple OCSPSingleResponse in a OCSPResponse.

Restored support for signing certificates and other structures in X.509 with SHA3 hash algorithms.

TripleDES is disabled in FIPS mode.

Added support for serialization of PKCS#12 CA friendly names/aliases in serialize_key_and_certificates()

Added support for 12-15 byte (96 to 120 bit) nonces to AESOCB3. This class previously supported only 12 byte (96 bit).

Added support for AESSIV when using OpenSSL 3.0.0+.

Added support for serializing PKCS7 structures from a list of certificates with serialize_certificates.

Added support for parsing RFC 4514 strings with from_rfc4514_string().

Added AUTO to PSS. This can be used to verify a signature where the salt length is not already known.

Added DIGEST_LENGTH to PSS. This constant will set the salt length to the same length as the PSS hash algorithm.

Added support for loading RSA-PSS key types with load_pem_private_key() and load_der_private_key(). This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information.

36.0.2 - 2022-03-15

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

36.0.1 - 2021-12-14

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

36.0.0 - 2021-11-21

FINAL DEPRECATION Support for verifier and signer on our asymmetric key classes was deprecated in version 2.0. These functions had an extended deprecation due to usage, however the next version of cryptography will drop support. Users should migrate to sign and verify.

The entire X.509 layer is now written in Rust. This allows alternate asymmetric key implementations that can support cloud key management services or hardware security modules provided they implement the necessary interface (for example: EllipticCurvePrivateKey).

Deprecated the backend argument for all functions.

Added support for AESOCB3.

Added support for iterating over arbitrary request attributes.

Deprecated the get_attribute_for_oid method on CertificateSigningRequest in favor of get_attribute_for_oid() on the new Attributes object.

Fixed handling of PEM files to allow loading when certificate and key are in the same file.

Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.

Allow parsing of negative serial numbers in certificates. Negative serial numbers are prohibited by RFC 5280 so a deprecation warning will be raised whenever they are encountered. A future version of cryptography will drop support for parsing them.

Added support for parsing PKCS12 files with friendly names for all certificates with load_pkcs12(), which will return an object of type PKCS12KeyAndCertificates.

rfc4514_string() and related methods now have an optional attr_name_overrides parameter to supply custom OID to name mappings, which can be used to match vendor-specific extensions.

BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address fields as E in rfc4514_string() methods from version 35.0.

The previous behavior can be restored with: name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})

Allow X25519PublicKey and X448PublicKey to be used as public keys when parsing certificates or creating them with CertificateBuilder. These key types must be signed with a different signing algorithm as X25519 and X448 do not support signing.

Extension values can now be serialized to a DER byte string by calling public_bytes().

Added experimental support for compiling against BoringSSL. As BoringSSL does not commit to a stable API, cryptography tests against the latest commit only. Please note that several features are not available when building against BoringSSL.

Parsing CertificateSigningRequest from DER and PEM now, for a limited time period, allows the Extension critical field to be incorrectly encoded. See the issue for complete details. This will be reverted in a future cryptography release.

When OCSPNonce are parsed and generated their value is now correctly wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the original behavior specified in RFC 2560. For a temporary period for backwards compatibility, we will also parse values that are encoded as specified in RFC 2560 but this behavior will be removed in a future release.

35.0.0 - 2021-09-29

Changed the version scheme. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy.

BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser.

BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these.

BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509 parsing will raise an error on initial parse rather than when the malformed field is accessed.

Rust is now required for building cryptography, the CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.

Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance.

Added support for OpenSSL 3.0.0 as a compilation target.

Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended.

We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest pip to correctly receive wheels.

Added rfc4514_attribute_name attribute to x509.NameAttribute.

Added KBKDFCMAC.

8.4. How to set up and use the TLS 1.3 proxy ProxyMII:

• Unpack the archive and copy the folder ProxyMII to a location of your choice.
• Install the file CA.crt to Trusted Root Certification Authority under the account local computer manually. I use the certificate generated by ProxHTTPSProxy REV3e, provided in my release of ProxHTTPSProxy's PopMenu 3V1. Or use my contained ProxHTTPSProxy CA Certificate Installer and Uninstaller to do that automatically. If so, you have to overwrite the already existing CA.crt in ProxyMII's program folder by the one of my release.
• Enable the proxy settings of IE in the Internet Options -> LAN settings, i.e., check mark "Use a proxy server for your LAN", and click on Advanced. Go to the entry Secure and enter the Proxy address 127.0.0.1 and the port 8079.
• Update the file cacert.pem to have the most recent one by using my cacert Updater Fixed (Recreated).
• Start the proxy by executing the file ProxHTTPSProxy.exe.
• Ensure that your firewall doesn't block this proxy. Add it to your exclusions list or allow its connection.
• Do not forget to disable the proxy settings of IE when ProxyMII has been closed.

The download links of ProxyMII and cacert Updater Fixed can be found respectively in the sections 11.2.2. Downloads related to the TLS 1.3 proxies and 11.2.3. Downloads related to cacert.pem Certificate Update.

ProxyMII is the TLS 1.3 proxy on which my program package ProxHTTPSProxy's PopMenu TLS 1.3 is based from now on.

9. The TLS 1.3 proxy ProxHTTPSProxy's PopMenu TLS 1.3

9.1. Prerequisites:

ProxHTTPSProxy's PopMenu TLS 1.3 is based on ProxyMII, which was created by Python 3.7.1, and requires Microsoft Visual C++ 2015 Redistributable or Microsoft Visual C++ 2015-2019 Redistributable (latest version 14.28.29213.0). Furthermore, Microsoft .NET Framework 4.0 is now additionally required to run the program package ProxHTTPSProxy's PopMenu TLS 1.3 under Windows XP. Check if both are installed in your system! A CPU with SSE2 instruction set is not required anymore, SSE only is sufficient.

9.2. General information about ProxHTTPSProxy's PopMenu TLS 1.3

The main feature of my program package ProxHTTPSProxy's PopMenu TLS 1.3 is @cmalex's ProxyMII, a TLS 1.3 proxy. I replaced @heinoganda's TLS 1.2 proxy from my last release of ProxHTTPSProxy's PopMenu REV3e 3V1 by @cmalex's TLS 1.3 proxy. This sounds simple, but, unfortunately, it wasn't. A lot of problems had to be solved to implement this proxy completely, enhance functionality, and get control of it as convenient as the old one. ProxHTTPSProxy's PopMenu TLS 1.3 is a one-click menu in systray to access and control the brand new TLS 1.3 proxy ProxyMII, better known as ProxHTTPSProxy, credits to @cmalex and its original creator whenever. @cmalex's ProxyMII, dated from 2022-07-17, is now based on OpenSSL 3.0.5 and Cryptography 3.4.8. It provides all TLS protocols from TLS 1.0 up to TLS 1.3 and its corresponding ciphers.

9.3. ProxHTTPSProxy's PopMenu TLS 1.3 3V3

ProxHTTPSProxy's PopMenu TLS 1.3 3V3 is the third release of ProxHTTPSProxy's PopMenu 3.0, now in version 3.0.0.0, shortened 3V3. It is a synthesis of the excellent, brand new TLS 1.3 proxy ProxyMII, dated from 2022-07-17, credits to @cmalex at MSFN, several self-programmed executables and a very few commands, credits to @AstroSkipper at MSFN, the freeware PopMenu 3.0, credits to Jochanan Agam at freeware.persoft.ch, the open source utility Min2Tray v1.7.9, credits to Junyx at junyx.breadfan.de, and the program Certificate Updater 1.6, credits to @heinoganda at MSFN. If you wonder when the second version was released, the answer is very simple: never. This version was unofficial. ProxHTTPSProxy's PopMenu is not a classical launcher, it is rather a systray pop-up menu. It can be totally customized and continuously extended according to the user's needs due to its modular structure, therefore, much more flexible than a classical, compiled launcher. More features can be added easily without touching the existent code. Due to ProxHTTPSProxy's PopMenu's modular structure, the user can change, add, delete and reorder features. Even the icons in the menu can be changed easily by the user. Here is a screenshot:



9.3.1 Features of ProxHTTPSProxy's PopMenu TLS 1.3 3V3:

Here is the complete list of features implemented in ProxHTTPSProxy's PopMenu TLS 1.3 3V3 and a short explanation of them:

1. Start ProxHTTPSPoxy – Activates the proxy's settings in IE LAN Settings, starts the proxy, and deactivates and cleans its settings after closing, all automatically.
2. Stop ProxHTTPSPoxy – Stops the proxy and closes its status window.
3. Minimize ProxHTTPSProxy to systray – Minimizes ProxHTTPSProxy's status window to systray and shows its icon there.
4. Restore ProxHTTPSProxy from systray – Restores ProxHTTPSProxy's minimized status window from systray.
5. Hide ProxHTTPSPoxy – Hides ProxHTTPSProxy's status window completely.
6. Show ProxHTTPSPoxy – Shows ProxHTTPSProxy's hidden status window again.
7. Check if ProxHTTPSPoxy is running (in RAM) – Checks if ProxHTTPSPoxy is running in the background.
8. cacert.pem Update – Performs an update of the file cacert.pem.
9. Root Certificates Update – Performs an update of the system's Root Certificates.
10. Open IE Proxy settings – Opens the tab LAN Settings in IE's Internet Options.
11. Close IE Proxy settings – Closes the tab LAN Settings and IE's Internet Options completely.
12. Check system proxy status – Checks whether the proxy is used system-wide or the system has direct access.
13. Enable ProxHTTPSProxy system-wide – Permits the whole system to use this proxy. In this mode, services can route their traffic through the proxy, too.
14. Disable ProxHTTPSProxy system-wide – The proxy can be used only locally if it is running, generally all have direct access to their servers or the internet.
15. Edit config.ini – Opens the file config.ini with the editor Notepad to check or modify the proxy's configuration.
16. Read documentation – Opens the documentation with the editor Notepad to get quickly information.

In the screenshot above, you can see a red arrow which points to the icon of ProxHTTPSPoxy, minimized to systray. It's a new feature, and the green marked items have been added to the pop-up menu since last release.

ProxHTTPSPoxy's PopMenu is provided together with ProxyMII from 2022-07-17, created by @cmalex and branded by me as ProxHTTPSProxy 1.5.220717. This new archive called ProxHTTPSProxy TLS 1.3 1.5.220717 PopMenu 3V3 has been additionally updated by me. These are the changes to the previous version of ProxHTTPSPoxy's PopMenu:

9.3.2 Changelog of ProxHTTPSProxy's PopMenu TLS 1.3 3V3:

• @heinoganda's ProxHTTPSProxy REV3e replaced by @cmalex's ProxHTTPSProxy 1.5.220717 with a brand new TLS 1.3 support.
• New starter program StartProxy.exe created to activate the proxy settings, start the proxy, and deactivate its settings after closing, all automatically.
• cacert.pem updated to the most recent one.
• Alternative cacert.pem from Mozilla, updated to the most recent version dated 2022-07-19.
• The open source utility Min2Tray has been fully implemented by the new configuration tools Configure PopMenu.exe and Setup Min2Tray.exe, all automatically.
• After the setup procedure, the programs PopMenu and Min2Tray are started automatically.
• All self-created files are not UPX-compressed. Therefore, the version is a noUPX only.
• Two new items added to the pop-up menu: Minimize ProxHTTPSProxy to systray and Restore ProxHTTPSProxy from systray.
• All unnecessarily embedded files have been removed from my self-created executables.
• Changes in calling up other programs.
• In all my affected programs, protection against code injection has been improved. This leads to preventing of future "space bugs", too!
• Different issues, which could have been noticed only in very rare cases, have been fixed.
• All unnecessary code has been removed.
• New bugs I additionally found  have been fixed.
• Autostart entries of PopMenu and the new Min2Tray, automatically added to the registry by my configuration program, have been fixed in regard to the "space bug".
• All message windows of my programs have been resized and adjusted for a better visibility.
• All my self-created program files have been recompiled by using a different compiler.
• @cmalex's original ProxyMII wasn't modified by me, except a replacement of ProxHTTPSProxy.EXE's program icon, back to the old one and an update of the file config.ini to get access to the Microsoft Updates (MU) website with this proxy.

9.3.2 Installation and start of ProxHTTPSProxy's PopMenu TLS 1.3 3V3:

• Check if Microsoft Visual C++ 2015 Redistributable or Microsoft Visual C++ 2015-2019 Redistributable (latest version 14.28.29213.0) is installed in your system.
• Check if Microsoft .NET Framework 4.0 is installed in your system.
• Unpack the archive and copy either the complete folder ProxHTTPSProxy_TLS_1_3_1_5_220717_PopMenu_3V3 or its complete content to your desired location.
• Install the file CA.crt, located in the main program folder, to Trusted Root Certification Authority under the account local computer, or use the program ProxHTTPSProxy Cert Installer, provided in the archive.
• Go to the subfolder PopMenu and execute the program Configure PopMenu.exe.
• PopMenu and Min2Tray will be started automatically.

A more detailed documentation, titled Documentation of ProxHTTPSProxy's PopMenu 3V3, can be found in the subfolder Docs of my program package and should be read before using ProxHTTPSProxy's PopMenu in any case. All features and more are described there. 

The programs PopMenu and Min2Tray have a very low usage of RAM. It's only about 2 MB and 4 MB respectively.

The download link of ProxHTTPSProxy's PopMenu TLS 1.3 3V3 can be found in the section 11.2.2. Downloads related to the TLS 1.3 proxies.

10. Versions:

10.1. Versions of the TLS 1.2 proxies ProxHTTPSProxy, HTTPSProxy, and ProxHTTPSProxy's PopMenu:

Last known version of ProxHTTPSProxyMII, created by @whenever and released in June of 2018: ProxHTTPSProxyMII 1.5 (20180616)
ProxHTTPSProxyMII 1.3a (20150527) was released in May of 2015. Here are two links: 
https://prxbx.com/forums/showthread.php?tid=2172&pid=17686#pid17686 and https://prxbx.com/forums/showthread.php?tid=2172&pid=18454#pid18454
Due to support of SHA1 for signing certificates ProxHTTPSProxyMII 1.3a can be used in a Windows XP Professional x64 system to access MU successfully. More recent versions use SHA256 to sign certificates and fail while accessing MU. But that also means ProxHTTPSProxyMII 1.3a is not secure and should only be used if there is no other option.
Here is a link to the post with necessary instructions and a screenshot of successful access to MU using ProxHTTPSProxyMII 1.3a in Windows XP Professional x64, credits to @maile3241:
https://msfn.org/board/topic/178377-on-decommissioning-of-update-servers-for-2000-xp-and-vista-as-of-july-2019/?do=findComment&comment=1214098

Last known version of ProxHTTPSProxy released in November of 2019: ProxHTTPSProxy REV3e.
Here is a link:
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?do=findComment&comment=1173585

Last known version of HTTPSProxy released in November of 2018: HTTPSProxy_Launcher_v2_2018-11-06
Here are two links:
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?do=findComment&comment=1155858
and
https://msfn.org/board/topic/176344-problems-accessing-certain-sites-https-aka-tls/?do=findComment&comment=1156032

Last version of ProxHTTPSProxy's PopMenu released in May of 2022: ProxHTTPSProxy's PopMenu 3V1 (20220510)
Here is the link to my post of this initial release:
https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1218622

10.2. Versions of the TLS 1.3 proxies ProxyMII and ProxHTTPSProxy's PopMenu TLS 1.3:

ProxyMII released in July of 2022: ProxyMII (20220717). It was rebranded by me to ProxHTTPSProxy 1.5.220717.
Here is the link to @cmalex's original post: https://msfn.org/board/topic/183684-looking-for-a-person-with-python-programming-skills-to-implement-tls-13-functionality-in-proxhttpsproxy-rev3e/?do=findComment&comment=1222235

Latest version of ProxyMII released in August of 2023: ProxyMII (20230813). Here is the link to @cmalex's original post: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1250552

Latest version of ProxHTTPSProxy's PopMenu TLS 1.3 3V3 released in August of 2022: ProxHTTPSProxy's PopMenu TLS 1.3 3V3 (20220817).
Here is the link to the post of its official release: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1224184

11. Downloads:

11.1. Archived Downloads {obsolete}:

ProxHTTPSProxyMII 1.3a  can be downloaded here: http://www.proxfilter.net/proxhttpsproxy/ProxHTTPSProxyMII 1.3a.zip. Credits to @whenever.
ProxHTTPSProxyMII 1.5  can be downloaded here: http://jjoe.proxfilter.net/ProxHTTPSProxyMII/files/ProxHTTPSProxyMII 1.5 advanced 34cx_freeze5.0.1urllib3v1.22Win32OpenSSL_Light-1_0_2o-1_1_0h.zip. Credits to @whenever.
ProxHTTPSProxy REV3d can be downloaded here: https://www.mediafire.com/file/r23ct8jd2ypfjx5/ProxHTTPSProxyMII_REV3d_PY344.7z/file. Credits to @heinoganda.
Root Certificate and Revoked Certificate Updater of 02/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/n4ea8nbijox88o3/Roots_Certificate_Updater_24.02.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 02/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/8ler7d9z8aesz08/rootsupd.exe/file
Root Certificate and Revoked Certificate Updater of 04/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/7e6jw2mdp6bi3u0/Roots_Certificate_Updater_28.04.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 04/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/m6n7481wdq546ad/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 05/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/aob1fkpf6f3vyhd/Roots_Certificate_Updater_24.05.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 05/24/2022 created by @AstroSkipper: https://www.mediafire.com/file/vkopcjfymnei5cn/rootsupd.exe/file
Root Certificate and Revoked Certificate Updater of 06/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/2eowvtl8r56q8tx/Roots_Certificate_Updater_28.06.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 06/28/2022 created by @AstroSkipper: https://www.mediafire.com/file/h1460guuxqklkk5/rootsupd.exe/file
Root Certificate and Revoked Certificate Updater of 08/23/2022 created by @AstroSkipper: https://www.mediafire.com/file/nxt11m8m39fnc1k/Roots_Certificate_Updater_23.08.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 08/23/2022 created by @AstroSkipper: https://www.mediafire.com/file/0o2h3y16ekmtv2o/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 09/27/2022 created by @AstroSkipper: https://www.mediafire.com/file/d4mtrexun8ao81l/Roots_Certificate_Updater_27.09.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 09/27/2022 created by @AstroSkipper: https://www.mediafire.com/file/44suzv2x2fbrret/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 10/25/2022 created by @AstroSkipper: https://www.mediafire.com/file/naxyauof6fs0p88/Roots_Certificate_Updater_25.10.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 10/25/2022 created by @AstroSkipper: https://www.mediafire.com/file/nmzw6l4lzmxn8wx/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 11/29/2022 created by @AstroSkipper: https://www.mediafire.com/file/cnlbxdffjq9beva/Roots_Certificate_Updater_29.11.22.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 11/29/2022 created by @AstroSkipper: https://www.mediafire.com/file/pctxthjlcb6croc/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 02/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/6chiibdsdoh4i22/Roots_Certificate_Updater_28.02.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 02/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/rmjyq3pak60jayz/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 04/25/2023 created by @AstroSkipper: https://www.mediafire.com/file/xgmi98u15ikerrn/Roots_Certificate_Updater_25.04.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 04/25/2023 created by @AstroSkipper: https://www.mediafire.com/file/dxtxkgqdk6xlfb9/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 08/22/2023 created by @AstroSkipper: https://www.mediafire.com/file/53fv86ouqgonm7f/Roots_Certificate_Updater_22.08.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 08/22/2023 created by @AstroSkipper: https://www.mediafire.com/file/9xhsy3i2bphtf0i/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 11/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/361ux1ogvmokuhf/Roots_Certificate_Updater_28.11.23.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 11/28/2023 created by @AstroSkipper: https://www.mediafire.com/file/6o1rfz4oqnh0din/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 02/27/2024 created by @AstroSkipper: https://www.mediafire.com/file/7awvvb37in89op1/Roots_Certificate_Updater_27.02.24.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 02/27/2024 created by @AstroSkipper: https://www.mediafire.com/file/55c7c574pyem2vg/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 03/26/2024 created by @AstroSkipper: https://www.mediafire.com/file/a1oil6g5cane3bu/Roots_Certificate_Updater_26.03.24.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 03/26/2024 created by @AstroSkipper: https://www.mediafire.com/file/6hcuv2r715l8nnm/rootsupd.EXE/file
Root Certificate and Revoked Certificate Updater of 05/28/2024 created by @AstroSkipper: https://www.mediafire.com/file/qo3w3h9n2zumb2o/Roots_Certificate_Updater_28.05.24.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 05/28/2024 created by @AstroSkipper: https://www.mediafire.com/file/v3bokp223uen5ta/rootsupd.EXE/file

11.2. Latest Downloads:

11.2.1. Downloads related to the TLS 1.2 proxies:

11.2.1.1. Downloads related to ProxHTTPSProxy:

ProxHTTPSProxy REV3e can be downloaded here: https://www.mediafire.com/file/me5l9dydomgwa0h/2005536469_ProxHTTPSProxyMIIv1.5Rev3ePython3.44OriginalFiles.7z/file. Credits to @heinoganda.
ProxHTTPSProxy's PopMenu 3V1  can be downloaded here: https://www.mediafire.com/file/djg5n0n9osqco7m/ProxHTTPSProxy_REV3e_PopMenu_3V1_CheckedByAstroSkipper.7z/file. Password: CheckedByAstroSkipper. Credits to @AstroSkipper.
ProxHTTPSProxy CA Certificate Installer and Uninstaller with a freshly pre-generated root certificate valid until 02/19/2032 modified and built by @AstroSkipper:
https://www.mediafire.com/file/9tnonnlymrp98f8/ProxHTTPSProxy_Cert_Installer_%2B_Uninstaller_%2B_CA_valid_until_02-19-2032.7z/file
ProxHTTPSProxy's config file to access MU website successfully, modified by @AstroSkipper: https://www.mediafire.com/file/vr1klatuzjh6v5c/ProxHTTPSProxy_-_config.ini/file

11.2.1.2. Downloads related to HTTPSProxy:

HTTPSProxy in the version of HTTPSProxy_Launcher_v2_2018-11-06 can be downloaded here: https://www.mediafire.com/file/ku859ikt2t79cgl/HTTPSProxy_Launcher_v2_2018-11-06.7z/file. Credits to @Thomas S..
HTTPSProxy CA Certificate Installer and Uninstaller with a freshly pre-generated root certificate valid until 02/19/2032 created by @AstroSkipper:
https://www.mediafire.com/file/sx1i6w2c6f1hvwm/HTTPSProxy_Cert_Installer_%2B_Uninstaller_%2B_CA_valid_until_02-19-2032.7z/file
HTTPSProxy's config file to access MU website successfully, modified by @AstroSkipper: https://www.mediafire.com/file/6emtdvx2vmw4iz8/HTTPSProxy_-_config.ini/file

11.2.2. Downloads related to the TLS 1.3 proxies:

ProxyMII (20220717) = ProxHTTPSProxy 1.5.220717 can be downloaded here: https://www.mediafire.com/file/zbkz37dh0wjgnml/ProxyMII_220717_CheckedByAstroSkipper.7z/file. Password: CheckedByAstroSkipper. Credits to @cmalex.
ProxyMII (20230813) can be downloaded here: https://www.mediafire.com/file/8oir8zsg0ffjs6u/ProxyMII_230813_CheckedByAstroSkipper.7z/file. Password: CheckedByAstroSkipper. Credits to @cmalex.
ProxHTTPSProxy's PopMenu TLS 1.3 3V3 can be downloaded here: https://www.mediafire.com/file/4sqkixfd2waaypt/ProxHTTPSProxy_TLS_1_3_1_5_220717_PopMenu_3V3_CheckedByAstroSkipper.7z/file. Password: CheckedByAstroSkipper. Credits to @AstroSkipper.
ProxHTTPSProxy CA Certificate Installer and Uninstaller with a freshly pre-generated root certificate valid until 02/19/2032 modified and built by @AstroSkipper:
https://www.mediafire.com/file/9tnonnlymrp98f8/ProxHTTPSProxy_Cert_Installer_%2B_Uninstaller_%2B_CA_valid_until_02-19-2032.7z/file
ProxHTTPSProxy's config file to access MU website successfully, modified by @AstroSkipper: https://www.mediafire.com/file/vr1klatuzjh6v5c/ProxHTTPSProxy_-_config.ini/file

11.2.3. Downloads related to cacert.pem Certificate Update:

cacert Updater Fixed, fixed and recreated by @AstroSkipper: https://www.mediafire.com/file/y98gtqf8ewr6zz4/cacert_Updater_Fixed_Recreated.7z/file. Credits to @heinoganda. 

11.2.4. Downloads related to Root Certificate Updates:

Root Certificate and Revoked Certificate Updater of 04/29/2026 created by @AstroSkipper: https://www.mediafire.com/file/bapcerwza3fklqe/Roots_Certificate_Updater_29.04.26.7z/file
Root Certificate and Revoked Certificate Updater (AIO version!) of 04/29/2026 created by @AstroSkipper: https://www.mediafire.com/file/v9gyyuvp69yuggw/rootsupd.EXE/file
Certificate Updater 1.6: https://www.mediafire.com/file/nmoqrx8vwc8jr6l/jveWB2Qg1Lt9yT5m3CYpZ8b8N4rH.rar/file. Credits to @heinoganda. Archive password: S4QH5TIefi7m9n1XLyTIZ3V5hSv4se1XB6jJZpH5TfB6vkJ8hfRxU7DWB2p
CAupdater 1.0.0.1:
https://www.mediafire.com/file/z34fifg2a09fzxo/CAupdater.7z/file. Credits to @Thomas S..

The installers created by myself or built by me will be updated from time to time if necessary. All files in my offered archives are definitely virus-free and clean, although some AV scanners produce false positives.

I recommend adding the complete folder to the exclusion list of your security program(s), only if you trust me, of course. Apart from that, you can also check positive reported files on VirusTotal, though.

12. Update notifications: 

02/26/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 02/24/2022.
03/16/2022: The functionality of @heinoganda's cacert Updater has been restored. cacert Updater Fixed can be downloaded in the section 11.2.3. Downloads related to cacert.pem Certificate Update.
04/23/2022: cacert Updater Fixed has been completely recreated due to false alarms of some virus scanners and can be downloaded in the section 11.2.3. Downloads related to cacert.pem Certificate Update.
05/10/2022: ProxHTTPSProxy's PopMenu 3V1 has been released. Here is the link to my post of the initial release with the download link: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1218622
05/16/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 04/28/2022.
06/05/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 05/24/2022.
06/30/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 06/28/2022.
07/17/2022: ProxyMII has been released. Here is the link to the post of its official release: https://msfn.org/board/topic/183684-looking-for-a-person-with-python-programming-skills-to-implement-tls-13-functionality-in-proxhttpsproxy-rev3e/?do=findComment&comment=1222235.
08/17/2022: ProxHTTPSProxy's PopMenu TLS 1.3 3V3 has been released. Here is the link to the post of its official release: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1224184
09/05/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 08/23/2022.
10/06/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 09/27/2022.
11/06/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 10/25/2022.
12/09/2022: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 11/29/2022.
03/04/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 02/28/2023.
05/09/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 04/25/2023.
08/13/2023: ProxyMII has been updated. Here is the link to the post of its official release: https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/?do=findComment&comment=1250552.
09/01/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 08/22/2023.
12/11/2023: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 11/28/2023.
04/05/2024: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 02/27/2024.
04/05/2024: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 03/26/2024.
08/20/2024: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 05/28/2024.
01/14/2025: Four download links renewed due to false positives by MediaFire. These four files are now password-protected to stop MediaFire from spreading even more nonsense.
06/11/2026: Both versions of Root Certificate and Revoked Certificate Updater have been updated and are now of 04/29/2026.

13. Conclusion:

At the beginning of this post, I said we had to ask ourselves whether these proxies would continue doing their job in the future or not. After all these observations and explanations, the answer to this question is quite clear: Yes, of course. And especially since we have our new TLS 1.3 proxies. But we have to avoid misconfiguration of these proxies, and in addition, we know they won't work properly without updating and carrying out maintenance. Doing all these things leads to a general, positive side effect for those loving their Windows XP. If all is done correctly, we are now able to use a freshly generated 10 years valid root certificate of ProxHTTPSProxy or HTTPSProxy at any time as long as Windows XP, Internet Explorer access to WWW, TLS 1.2 or TLS 1.3 functionality, Microsoft Update for Windows XP, or the user himself still exist.

14. Disclaimer:

All information that I spread here corresponds to my level of knowledge. Most of it has been carefully researched by me. I tested all programs of the section 11. Downloads extensively, and they worked properly in my system. Nevertheless, I do not assume any guarantee either for the correctness and completeness or for the implementation of my tips. The same applies to the application of my tools in the section 11. Downloads. Therefore, all at your own risk! 

You can use the commenting zone below to tell us about your experiences, problems and questions or to provide further tips and recommendations. Any discussions about these proxies are explicitly welcome. If this article has not been able to resolve any issues related to these proxies, and you need further assistance with configuring or running them, I will try to help you as much as I can. But one thing must be clear, everything should relate to the topic of this thread. That means please stay on-topic!

If you enjoyed this article or maybe, you found it interesting and helpful, I would be pleased about any reaction by liking, upvoting, and of course, commenting. 

  

Kind regards, AstroSkipper  

Where I am currently living, there is pretty much no way for me to use a lot of the internet without a VPN, I am wondering if there is any VPN client that still works with XP, that does not require payment. XP 32 bit, browser is Mypal.

This topic will focus on anti-virus and other security programs for Windows XP, which are still useful in 2026. The programs discussed here should have a good chance of still being useful for a long time, even if their official support has ended. Postings about anti-virus and other security programs for other older operating systems (e.g. Windows 2003 or Windows Vista) are also welcome, as well as postings about auxiliary programs which improve the functioning of these security programs.

https://annas-archive.se/slow_download/cfaaf2af56fd5956bd3f875b7f235726/0/0

"Verifying you are human. This may take a few seconds.

annas-archive.se needs to review the security of your connection before proceeding."

No problem on newer OSes.

On XP I am using what I think is the latest version of "New Moon"

NM28XP build:
Win32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20250531-d849524bd-uxp-4cb39ffa48-xpmod.7z

The version number, 28.10.7a1 does not appear to have changed for quite a while.

Is there any way to get past Cloudflare, or any other browser that works on WinXP 32 that can?

Possibly related, I am now not able to log in to my account on https://imgur.com/

where I have previously written frequently about antivirus programs, has become rather bloated and confusing due to many informationless posts, is mainly focused on the topic of antivirus programs for Windows XP and has been completely unstructured from the very beginning. It is good to have such a thread full of different information for reference but there are many posts either outdated, incomplete or off-topic.  Therefore, I have decided to start a completely different thread from scratch. I deliberately chose the term antimalware in the title of this topic. In these days, most so-called antivirus programs can not only identify computer viruses, but also trojans, worms, rootkits, exploits, spyware, and so on. Generally speaking: a virus is a malware, but a malware is not always a virus. Therefore, malware is a generic term for any malicious software, including viruses. For many years now, the so-called antivirus programs have actually been antimalware programs.

In any case, this new topic here is about antimalware, firewall and other security programs for Windows XP. Under the term other security programs, I include among others security suites like internet security and total security, antivirus, antispyware, anti-rootkit, anti-exploit, online and offline scanner, ad blocker, protection layer, virtualization, security check and control programs and so on that make the use of Windows XP safer. And to avoid any misunderstanding, the main focus in this thread is on the concept of security. Those security programs that have been officially classified as insecure or not trustworthy are not the subject of consideration here, of course. Furthermore, many of these security programs can no longer be clearly classified in one of these categories due to their multifunctionality.

I therefore define the following categories and their abbreviations:

AM+ = Antimalware program with real-time protection
AM- = Antimalware program without real-time protection
SP  = Specialized program (focused on one main antimalware function)
IS  = Internet Security
TS  = Total Security
ON  = Online scanner
OF  = Offline scanner
AB  = Ad blocker
FW  = Firewall
VP  = Virtualization program
PL  = Protection layer program
SC  = Security check program
CP  = Control program
MF  = Multifunctional program

In addition, for the sake of simplicity, I define the following licence types and their abbreviations, reduced to the essentials:

C = Commercial (any payment software including shareware)
F = Free
D = Donationware
O = Open source

In the second post of this thread, I will provide and maintain an alphabetical list of working antimalware, firewall, and other security programs for Windows XP which were each presented in a corresponding post here. This list has the following columns: Name, Version, Type, Date and Link. Name means the name of the program, Version means its last/latest version, Type means its license type, Date means its last/latest date of release or creation (in some cases, there is no date of release available anymore) and Link means the link to its corresponding post here in this thread. I will only include programs in this list that receive updates in some form, be it program updates, definition updates or database updates. With the exception, of course, that there are also programs that do not necessarily need such updates.

In the third post of this thread, I will create and maintain an alphabetical list of programs that need to be tested for compatibility, features and support or whose installers have been lost and therefore could not be tested.

In the fourth post of this thread, I will create an alphabetical list of programs that have recently been abandoned or should be avoided. Some of them should only be used for a while or be avoided due to security reasons.

This project is very extensive and involves a lot of work. 
In-depth research in particular is very time-consuming, but necessary. So be patient, especially if the list of programs fills up slowly!  As always: Good things come to those who wait.  And just for clarification, I will not check all the programs myself to see if they can be installed properly and work, of course. Here, other members can make a perfect contribution with their knowledge or experiences already made. Furthermore, all the programs I have listed are not necessarily to be understood as recommendations. Basically, they are simply options that are still available for Windows XP. Because we all know that most manufacturers of security software have long since given up on Windows XP. If I personally consider a program to be good, I will express this in its relevant post. More about that here:

Any discussions, questions or suggestions about security programs for Windows XP are explicitly welcome. But one thing must be very clear, everything should relate to this topic. Just for clarification, insulting, provocative or completely off-topic posts (especially about operating systems other than Windows XP) will not be tolerated. That means, please stay on topic! This thread is intended to be a well-structured source of information where readers can get ideas on how to make their old Windows XP a bit more secure. If you like this thread, or you find it interesting and helpful, I would appreciate any contribution, be it a comment, a like or an upvote. Thanks for your interest! Windows XP forever!

Kind regards, AstroSkipper

Should I create aligned or not-aligned (=CHS-aligned) partitions on the 4TB GPT hard disk drives?

The two 4TB GPT HDDs are Toshiba HDWD240, the label on them has an "AF" symbol and Hard Disk Sentinel displays under WinXP "Bytes Per Sector: 4096 [Advanced Format]". Victoria v5.23 displays under WinXP: "Sector: Logic 512 bytes, Phys 4096". PartitionGuru v4.7.0 under WinXP displays "Sector Size: 512 Bytes, Physical sector Size: 512 Bytes".

A major criteria is backward compatibility. Which Windows XP software doesNOT work with aligned partitions? Which Windows 10 software doesNOT work with not-aligned partitions? Which hardware or driver doesNOT work with aligned/not-aligned partitions?

Does Windows XP/2003 have serious bugs when using aligned partitions? Does Windows 10 have serious bugs when using not-aligned partitions? Does boot-time/startup CHKDSK of WinXP/2003/Win10 have issues with aligned/not-aligned partitions on a 4TB GPT HDD?

Is the question about partition alignment on a 4TB GPT HDD irrelevant? Do both aligned and not-aligned partitions work OK on a 4TB GPT HDD under WinXP/2003/Win10?

Is there a worth-while increase in computer efficiency/speed, with a 5400rpm 4TB data storage HDD, when you use aligned partitions under Windows XP/2003?

If the 4TB GPT HDD should ever go bad, is it easier to recover data from aligned or not-aligned partitions?

When the onboard SATA controller (e.g. the Intel ICH5 onboard the Asus P5PE-VM motherboard of 2006) incorrectly detects under WinXP a disk geometry of 855388/121/34 (instead of 219051/255/63) for the 4TB GPT HDD connected to onboard SATA, will aligned or not-aligned partitions work OK?

In Paragon Hard Disk Manager 11, 12, 14 and 15 you have the choice of creating aligned or not-aligned partitions under WinXP, with the selection -> Tools -> Settings -> General options, section Partition Alignment Mode.

You can also create a mix of aligned and not-aligned partitions on a GPT HDD with Paragon HDM under WinXP/2003 by switching between "Legacy" and "Vista" Alignment mode in Settings -> exit PHDM -> restart PHDM -> create partition.

There are several alternatives:
1) create not-aligned partitions on both the Master and Backup 4TB GPT HDD
2) create aligned partitions on both 4TB HDDs
3) create aligned partitions on one 4TB GPT HDD, and not-aligned partitions on the other 4TB GPT HDD
4) create a mix of aligned/not-aligned partitions depending on e.g. the file system (FAT32/NTFS)

Answers to the various sub-questions above may help find an answer to the main question here: Should I create aligned or not-aligned partitions on the two 4TB GPT hard disk drives?

I discovered this today.

https://github.com/FlyGoat/csmwrap

Hopefully this means we can boot XP x86 on UEFI class 3 systems now.

The Developers behind XP's infamous Extended Kernel (OneCore API) managed to make Office 2013 (and 2016!) finally work on Windows XP. 

For me, this is actually very satisfying since I was trying to install it for years without success. Sadly, both 2013 and 2016 are officially out of support now BUT 2016 is still receiving monthly updates as of March 2026 (support.microsoft.com/de-de/topic/updates-für-märz-2026-für-microsoft-office-c8ddfa76-20b4-482a-8412-8b2bf6363fa7).

You will need the latest OneCore API Canary (v4.1+) as well as the MSI Versions for it to install. Personally, I spoofed Windows 7 to trick the installer.

Proof: imgur.com/a/dstXVfK

This is the logic of the command I would like to do:

Look at the "OWNER" field in every file/folder
If 
  the "OWNER" field contains the orphaned SID
Then
  Replace it with the Administrator account
Endif

Can this be done with SetACL?  If so could you provide the proper syntax for the command?

This is the command that Google's AI gave me but it doesn't look right:

SetACL -on "D:\Program Files" -ot file -actn setowner -ownr
"n:S-1-5-21-299502267-113007714-1177238915-1004;s:y" -rec cont_obj

.-on: The object name (your path)
.-ot: Object type (file/directory)
.-actn setowner: Targets only the owner field
.-ownr: The "n:" denotes the new owner (or you can use "n:Administrators")
.-rec cont_obj: Recursively applies this to files and subfolders.

I don't see where it's replacing the orphaned SID with the Administrator account.  It looks more like a global replace of all "OWNERS" with the orphaned SID or the administrator account.  That's not what I want since that will also replace "NT AUTHORITY/SYSTEM" on files that are rightfully owned by the system.

Heres how you might be able to use AI to help you reverse engineer.

You'll need 3 tools.

pdbripper - https://github.com/horsicq/PDBRipper/releases/tag/2.03

relyze disassembler - https://www.relyze.com/download.html

I use relyze because I've found that neither Ghidra nor IDA pro will let me just copy the assembly code of a single function into a text filr or the clipboard.

Lastly, Perplexity AI - https://www.perplexity.ai/

---

OK, lets pick a sizable function from the Netwtn04.sys file using the PDB symbols we have, lets go with oscWfdeSetPreferredOperatingChannel.

Using relyze, oscWfdeSetPreferredOperatingChannel is defined as this.

 int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid ).

We will need to get the struct definitions for MINIPORT_CONTEXT and OID_EVENT_DATA for perplexity AI to use or it'll bul***** its way through with hallucinations, so this is what pdbripper is for.

Using pdbripper we can get this for struct definitions -

struct _MINIPORT_CONTEXT
{
    void * hMiniportAdapterHandle;
    void * hWrapperConfigContext;
    void * hNdisMiniportDmaHandle;
    struct _FLOW_PROCESSOR * pHmacFlowProcessor;
    struct _FLOW_PROCESSOR * pMmacFlowProcessor;
    struct _JOB_SCHEDULER_DATA * pJobScheduler;
    long numWorkitemsRunningWithoutJobSched;
    void * pOsc;
    struct _ALON_CONTEXT * pAlonContext;
    struct _MLME_SUBSYSTEM * pMlmeSubSystem;
    struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
    struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
    void * pUmacContext;
    struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
    struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
    long version;
    long productVersion;
    enum _MINIPORT_STATE uNdisMiniportState;
    struct _SpinlockR NdisMiniportStateLock;
    struct _SpinlockR NdisMiniportSendPacketLock;
    struct _SpinlockR contextLock;
    unsigned char bIsInMPInitialize;
    long bMiniportInitiatedHandshake;
    struct _MINIPORT_RESET_CONTEXT miniportReset;
    struct _DOT11_MIB_CONTEXT dot11Mib;
    struct _MIB_TABLE * pMib;
    struct _DATA_PATH_CONTEXT * pDataPathContext;
    void * pDeviceContext;
    enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
    union _LARGE_INTEGER lastOsScanTime;
    struct _MEMORY_MANAGER memoryManager;
    class CheckForHang * pCheckForHang;
    int doesUmacRunInHost;
    struct _XVT_CONTEXT * pXvtContext;
    int bXvtProxyModeEnabled;
    struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
    int isWdi;
    int bWdiOffloadMode;
    int bRestartPending;
    int bMacAddressRandomizationEnabled;
};

struct _OID_EVENT_DATA
{
    unsigned long oid;
    void * pInfoBuffer;
    unsigned long infoBufferLen;
    unsigned long methodOutputBufferLen;
    unsigned long * pBytesUsed;
    unsigned long * pMethodBytesWritten;
    unsigned long * pBytesNeeded;
    unsigned short opCode;
    unsigned long portNumber;
    struct _NDIS_OID_REQUEST * pNdisOidRequest;
};

Then, in relyze we right click inside the oscWfdeSetPreferredOperatingChannel disassembly window and select Export -> To Clipboard (Function).

We now write a prompt for perplexity AI.

---

Using the following struct definitions -

struct _MINIPORT_CONTEXT
{
    void * hMiniportAdapterHandle;
    void * hWrapperConfigContext;
    void * hNdisMiniportDmaHandle;
    struct _FLOW_PROCESSOR * pHmacFlowProcessor;
    struct _FLOW_PROCESSOR * pMmacFlowProcessor;
    struct _JOB_SCHEDULER_DATA * pJobScheduler;
    long numWorkitemsRunningWithoutJobSched;
    void * pOsc;
    struct _ALON_CONTEXT * pAlonContext;
    struct _MLME_SUBSYSTEM * pMlmeSubSystem;
    struct _APP_EXT_SUBSYSTEM * pAppExtSubSystem;
    struct _NDIS_MINIPORT_ADAPTER_NATIVE_802_11_ATTRIBUTES * pNativeAttributes;
    void * pUmacContext;
    struct _DP_ENGINE_SUBSYSTEM * pDpEngineSubsystem;
    struct _NDIS_MINIPORT_INIT_PARAMETERS * pMiniportInitParameters;
    long version;
    long productVersion;
    enum _MINIPORT_STATE uNdisMiniportState;
    struct _SpinlockR NdisMiniportStateLock;
    struct _SpinlockR NdisMiniportSendPacketLock;
    struct _SpinlockR contextLock;
    unsigned char bIsInMPInitialize;
    long bMiniportInitiatedHandshake;
    struct _MINIPORT_RESET_CONTEXT miniportReset;
    struct _DOT11_MIB_CONTEXT dot11Mib;
    struct _MIB_TABLE * pMib;
    struct _DATA_PATH_CONTEXT * pDataPathContext;
    void * pDeviceContext;
    enum _DOT11_CIPHER_ALGORITHM currentCipherAlg;
    union _LARGE_INTEGER lastOsScanTime;
    struct _MEMORY_MANAGER memoryManager;
    class CheckForHang * pCheckForHang;
    int doesUmacRunInHost;
    struct _XVT_CONTEXT * pXvtContext;
    int bXvtProxyModeEnabled;
    struct _NDIS_EVENT NdisMiniportInitializationCompleteSyncEvent;
    int isWdi;
    int bWdiOffloadMode;
    int bRestartPending;
    int bMacAddressRandomizationEnabled;
};

struct _OID_EVENT_DATA
{
    unsigned long oid;
    void * pInfoBuffer;
    unsigned long infoBufferLen;
    unsigned long methodOutputBufferLen;
    unsigned long * pBytesUsed;
    unsigned long * pMethodBytesWritten;
    unsigned long * pBytesNeeded;
    unsigned short opCode;
    unsigned long portNumber;
    struct _NDIS_OID_REQUEST * pNdisOidRequest;
};

Convert the following x86 assembly into human readable C code -

 int32_t __stdcall oscWfdeSetPreferredOperatingChannel( struct _MINIPORT_CONTEXT * pMpContext, struct _OID_EVENT_DATA * pOid )
 {
    push ebp
    mov ebp, esp
    push edi
    mov edi, dword ptr [pMpContext]
    test edi, edi
    jnz code_0x4235
 code_0x422B:
    mov eax, 0xE0020001
    pop edi
    pop ebp
    ret 0x8
 code_0x4235:
    push ebx
    push esi
    mov esi, dword ptr [pOid]
    mov ebx, dword ptr [esi+0x4]
    test ebx, ebx
    jnz code_0x424D
 code_0x4241:
    pop esi
    pop ebx
    mov eax, 0xE0020001
    pop edi
    pop ebp
    ret 0x8
 code_0x424D:
    movzx eax, word ptr [esi+0x1C]
    mov ecx, 0x5
    cmp cx, ax
    jz code_0x4271
 code_0x425B:
    mov ecx, 0x2
    cmp cx, ax
    jz code_0x4271
 code_0x4265:
    pop esi
    pop ebx
    mov eax, 0xC0000001
    pop edi
    pop ebp
    ret 0x8
 code_0x4271:
    push 0x0
    push 0x8
    push 0xFF10060B
    push esi
    call OidEventHandlerPrologCommon; int32_t __stdcall( struct _OID_EVENT_DATA * _pOid, unsigned long _oidExpected, unsigned long _inputBuffLenExpected, unsigned long _outputBuffLenExpected )
    test eax, eax
    jnz code_0x42E3
 code_0x4284:
    push ebx
    push edi
    call vifMgrGetContext; inline struct _VIF_MGR_CONTEXT * __stdcall( struct _MINIPORT_CONTEXT * pMpCotnext )
    push eax
    call vifMgrChSelSetPreferredOperatingChannel; int32_t __stdcall( struct _VIF_MGR_CONTEXT * pVifMgrContext, struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL * pOpChannelParams )
    mov edi, eax
    test edi, edi
    jz code_0x42D6
 code_0x4297:
    mov ecx, dword ptr [WPP_GLOBAL_Control]
    cmp ecx, va_ptr WPP_GLOBAL_Control
    jz code_0x42D6
 code_0x42A5:
    test byte ptr [ecx+0x530], 0x1
    jz code_0x42D6
 code_0x42AE:
    cmp byte ptr [ecx+0x52D], 0x2
    jb code_0x42D6
 code_0x42B7:
    mov eax, dword ptr [ecx+0x524]
    push va_ptr string_oscWfdeSet; "oscWfdeSetPreferredOperatingChannel"
    push va_ptr WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids
    push 0x3B
    push eax
    mov eax, dword ptr [ecx+0x520]
    push eax
    call WPP_SF_s; void __stdcall( uint64_t Logger, uint16_t id, struct _GUID * TraceGuid, char * _a1 )
 code_0x42D6:
    push edi
    push 0x0
    push 0x8
    push esi
    call OidEventHandlerEpilog; void __stdcall( struct _OID_EVENT_DATA * pOid, unsigned long bytesRead, unsigned long bytesWritten, int32_t rc )
    mov eax, edi
 code_0x42E3:
    pop esi
    pop ebx
    pop edi
    pop ebp
    ret 0x8
 }

---

Perplexity AI gave me this answer.

int32_t __stdcall oscWfdeSetPreferredOperatingChannel(
    struct _MINIPORT_CONTEXT *pMpContext,
    struct _OID_EVENT_DATA *pOid)
{
    int32_t status;
    struct _VIF_MGR_CONTEXT *vifCtx;
    struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *params;

    // Validate inputs
    if (pMpContext == NULL)
        return 0xE0020001;

    if (pOid == NULL || pOid->pInfoBuffer == NULL)
        return 0xE0020001;

    // Validate opcode (must be 2 or 5)
    if (pOid->opCode != 2 && pOid->opCode != 5)
        return 0xC0000001;

    // Validate OID + buffer lengths
    status = OidEventHandlerPrologCommon(
        pOid,
        0xFF10060B,
        8,
        0
    );

    if (status != 0)
        return status;

    // Extract input buffer
    params = (struct _WFDE_SET_PREFERRED_OPERATING_CHANNEL *)pOid->pInfoBuffer;

    // Get VIF manager context and set preferred channel
    vifCtx = vifMgrGetContext(pMpContext);

    status = vifMgrChSelSetPreferredOperatingChannel(vifCtx, params);

    // Logging (WPP)
    if (status != 0)
    {
        if (WPP_GLOBAL_Control != NULL &&
            (WPP_GLOBAL_Control->Flags[0x530] & 0x1) &&
            WPP_GLOBAL_Control->Level >= 2)
        {
            WPP_SF_s(
                WPP_GLOBAL_Control->Logger,
                0x3B,
                &WPP_f50d96c3adb583bcc2c3f6b942324e0c_Traceguids,
                "oscWfdeSetPreferredOperatingChannel"
            );
        }
    }

    // Complete OID handling
    OidEventHandlerEpilog(
        pOid,
        0,      // bytesRead
        8,      // bytesWritten
        status
    );

    return status;
}

https://www.perplexity.ai/search/using-the-following-struct-def-iH1rN.zcSMaVPiFOgI5RlA

@Dietmar

Do you find this helpful?

with latest acpi.sys it boots XP, but no USB port is working. Disabling USB3 makes every USB devices hidden to XP.

and maybe a modded display driver can work on it?

Notes

kernelxp.dll stays in the "mypal" and "basilisk" directories after patching, or else it will NOT work.

mypal68-xpsp1-code.txt serpent-xpsp1-code.txt

Experiment: I made Windows XP unbootable, for testing Kaspersky Registry Editor.

The Windows XP operating system seems to have become unbootable by simply having set, with the regedit Windows registry editor,
the permission of SYSTEM of the registry key HKLM\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion to Deny:
- in regedit browsed to HKLM\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion
-> right-clicked on CurrentVersion -> Permissions -> selected SYSTEM -> clicked on Advanced button
-> selected SYSTEM -> clicked on Edit button
-> clicked on any checkbox in column Deny -> OK -> clicked on Apply button -> OK

WARNING: The above experiment was very dangerous. Don't repeat it, unless you know what you are doing, and only at your own risk.

When booting again into Windows XP, the following message came up:

Windows Product Activation. A problem is preventing Windows from accurately checking the license for this computer. (0x80070005)

Pressing Alt-Ctl-Del didn't help. Pressing F8 while booting, for getting into safe mode, didn't help, eventually only a black screen with a blinking cursor was displayed. I was locked out. I definitely do not want to suggest a similarity between Windows Product Activation and ransomware.
It might be interesting to see whether volume licenses of Windows, which do not require activation, have a similar locked-out problem.

How to recover from being locked out?
The easiest way was to restore the Windows XP partition from a previous partition backup image.
Another recovery method, restoring the previously backed up registry key HKLM\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion from a .reg file with Kaspersky Registry Editor, has also worked for me. Although Kaspersky Registry Editor cannot set permissions, Windows XP came up OK after importing CurrentVersion. Windows XP booted OK and worked OK just like before setting SYSTEM to Deny.

Importing with Kaspersky Registry Editor the CurrentVersion key from a 5MB .reg file was extremely slow on my 25-year-old 650MHz Inspiron 7500 laptop, about 45 minutes using the Kaspersky Rescue CD.

In my successful recovery attempt I had first deleted with Kaspersky Registry Editor the CurrentVersion key in the Windows XP registry, BEFORE importing the backup of the CurrentVersion key,
In an earlier recovery attempt I had tried to import a 108MB backup .reg of the whole registry, without having deleted the content of  HKLM\SOFTWARE\ beforehand. Importing the whole registry took 12+ hours and WinXP did NOT come up afterwards, it was stuck in a different crash loop. Deleting the registry key with Kaspersky Registry Editor BEFORE importing a .reg file with the corresponding registry key seems to be essential.

A comparison of 6 rescue disks lists three (AVG Rescue CD, Kaspersky Rescue Disk 10 and Norton Bootable Recovery Tool) which contain a registry editor: https://char.learnwebcoding.com/help/rescue_disk_comparison.html

\rescue\help\English\KRE.htm in the .iso seems to be the only documentation of Kaspersky Registry Editor.
KRE.htm incorrectly indicates "for all Windows operating systems installed on a computer":
Kaspersky Registry Editor does NOT display the Win98 registry, although it also displays the Win2003 registry on my old laptop, even if Win2003 is not listed among the system requirements of Kaspersky Rescue Disk 10:
https://web.archive.org/web/20120609034308/http://support.kaspersky.com/viruses/rescuedisk?level=3

KRE.htm (file modification date 28Feb2012 in the .iso) indicates compatibility only up to Win7. The description page of Kaspersky Rescue Disk v10.0.32.17 (captured on 29Apr2014), however, indicates compatibility up to Win8: https://web.archive.org/web/20140429131943/http://support.kaspersky.com/4162

Kaspersky Registry Editor seems to work OK also under Win2003, I have made a preliminary test.

The final build v10.0.32.17 of Kaspersky Rescue Disk 10 is of 28Feb2013, as indicated by the file modification date of \rescue\KRD.VERSION in the .iso. It contains the Kaspersky Registry Editor component and signatures of 22Feb2013. It can be downloaded from https://web.archive.org/web/20140627131637/http://rescuedisk.kaspersky-labs.com/rescuedisk/kav_rescue_10.iso

A user guide for Kaspersky Rescue Disk 10 (revision date 30Apr2010, does not mention mention Kaspersky Registry Editor which was first contained in kav_rescue.iso v10.0.31.4 (29Apr2012)) can be downloaded from https://web.archive.org/web/20111007093941/http://support.kaspersky.com/downloads/guides/kasp10.0_rescuedisk_en.pdf

Even if virus-checking is rarely done with a rescue CD, the registry editor on the CD may make the .iso interesting under WinXP,  Win2003 and up to Win8, no idea under Win10/11.

  Yes i could use also USB audio or soundcard, but switching is annoying.

Update:
Realtek HD 2.74 seems to work fine, so only LAN driver is needed.

- The updates links are grouped for each build, slightly sorted, and ordered lexicographically per update number or file name as possible

- Superseded (replaced) updates are not filtered or excluded

- The dump is available as csv files containing updates name and url, or plain text files containing updates url

- It's recommended to use CSVFileView to check the csv files
https://www.nirsoft.net/utils/csv_file_view.html

- You can filter or extract updates for certain language using findstr (Vista or 7)
e.g.
 

findstr /i \-enu NT_5.2.3790-x64-Custom.csv > NT_5.2.3790-x64-Custom-enu.csv

however, few update have different language identifier or none, so it's best to review the whole file first

- NT_5.1.2600-x86-SP2-Custom and NT_5.1.2600-x86-SP2-Custom-IE are ment for the EOS Windows XP SP2 x86 only

- NT5-ia64 is for Itanium-based Server 2003 / Windows XP

- .NET Framework packs and updates for NT 5.1/5.2 are in a separate list files, likewise Windows Media Player and some eXtra updates

# P.S. Maybe it's best not to post the links explicitly in the forum replies or text sites (pastebin, txtuploader..), and share them in the txt/csv files

# Download

https://gitlab.com/stdout12/adns/uploads/9ca06a12dd08c06edd889e65afa637fa/NT5_WU_URLs_csv.7z

https://gitlab.com/stdout12/adns/uploads/33fcfd0b0f6c1a0cb74472cb8407800d/NT5_WU_URLs_txt.7z

I know SP3 offers greater compatibility but last time that tried SP3 it completely broke my system.

My pick was FDM but all legacy versions give me an installation error and the same with portables. Assume they're for SP3 only. No browser extensions, please. I'm one of those who uses a separate download manager. Any suggestions?