MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. ×
Search the Community
Showing results for tags 'TLS1.2'.
Original January 4, 2019 post title was "Update IE8 to TLS1.2 for (nearly) Last Skype 184.108.40.206 on Windows XP". Update title changed May 1, 2019. Readers wanting Skype-specific info should page or find down to the ORIGINAL INTRODUCTION. UPDATE INTRODUCTION: This compiled procedure, Instructions To Add TLS1.2 To Windows XP OS & IE8, turns out to be useful for non-Skype purposes, and may now be obsolete for the intended purpose of running Windows XP Skype 220.127.116.11 (see posts below). For convenience of other readers, I've reorganized the original post so that the procedure steps now start near the top. I've also edited OS registry variations in steps 9A and 9B, made a change in step 11, and added a 12th procedure step, each helpfully noted by posters below. ----------------------------------------------------------------- INSTRUCTIONS TO ADD TLS1.2 TO WINDOWS XP OS & IE8 (Compiled from MSFN source posts credited) ----------------------------------------------------------------- 1) If not already updated, download and install Microsoft's updated Windows Installer 4.5 (KB942288-v3) from https://download.microsoft.com/download/2/6/1/261fca42-22c0-4f91-9451-0e0f2e08356d/WindowsXP-KB942288-v3-x86.exe 2) Set a System Restore point marked, say, "Spoof POSReady ID registry edit" 3) Put the following POSReady spoof text (omit the hyphen lines) in POSReady.txt, rename to POSReady.reg, right-click Merge, Yes. ---------- Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady] "Installed"=dword:00000001 [<-- BLANK LINE] [<-- BLANK LINE] ---------- 4) Navigate to: https://www.catalog.update.microsoft.com/search.aspx?q=kb4019276 5) Find down to POSReady, Windows XP Embedded versions of KB4019276 Click Download button for that version. Click English in the opening language window (or other language). 6) Navigate to: https://www.catalog.update.microsoft.com/search.aspx?q=KB4230450 7) Find down to POSReady, Windows XP Embedded versions of KB4230450: Click Download button for that version. Click English in the opening language window (or other language). 8) For each KB file: click, accept install, reboot. (Both create restore points just in case.) 9) Edit the following Windows XP registry entries in 9A and 9B to read as shown. If you aren't sure how, look up Regedit 5 editor instructions. For convenient automatic registry edit-merge, these lines may be pasted into Notepad text files, renamed .reg ,then just click the file after closing it (expect no response). (But to be careful, I edited them manually with Regedit 5.) 9A) After navigating the chain of registry keys, click the key TLS1.1, in the right panel, right-click "OSVersion", click Modify, enter the Value data already shown (not sure why), click OK. (I had to change "18.104.22.168.0" to "22.214.171.124.0" shown in obvious German in the source.) (EDIT: Other posters report below that if this key is absent, this step may be safely skipped.) ---------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1] "OSVersion"="126.96.36.199.0" ---------- 9B) Next click the key TLS1.2, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK. (Likewise I had to change "188.8.131.52.0" to "184.108.40.206.0") (EDIT: Likewise, if missing, skip this step.) ---------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2] "OSVersion"="220.127.116.11.0" ---------- 10) Click Start, hover Control Panel, click Internet Options, Advanced tab, pull the thumb bar all the way down. You should see new checkbox options for "Use TLS 1.1", "Use TLS 1.2". (KB4230450 will install these checkboxes, but they won't work without KB4019276.) 11) Check "Use TLS 1.2". Leave unchecked "Use TLS 1.1" (already obsoleted by TLS 1.2; and, TLS 1.3 was approved in 2018). (EDIT:) Leave checked "Use TLS 1.0". Click OK. The TLS 1.0's AES component is not insecure. TLS 1.0 may best remain checked for legacy websites needing AES or 3DES. (See explainers in posts below.) 12) (EDIT:) The following registry edits disable TLS 1.0's insecure cipher suites: DES, RC2, RC4, plus the insecure MD5 cipher hash. 3DES may be disabled optionally, but legacy websites without AES may need 3DES (Triple DES). TLS 1.0's secure cipher suite AES remains enabled, unchanged (no edit shown). Edit the following registry entries to read as shown: ---------- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5] "Enabled"=dword:00000000 ---------- You may need Triple DES (3DES) at websites which don't (yet) support AES. Here is the optional edit (not yet recommended) to disable 3DES (0's mean Not "Enabled", equals Disabled): ---------- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168] "Enabled"=dword:00000000 ---------- The above registry edits (manual for transparency) are included in a larger set of one-click automatic edits in a download .reg file posted below. Pardon any source text compiling errors. If you have problems, try reading the sources (long). Source posts credited: ● https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/ POSReady 2009 updates ported to Windows XP SP3 ENU By glnz, March 19, 2013 in Windows XP ● https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/ Upgrading IE8 to TLS 1.2 By Thomas S., June 9, 2018 in Windows XP ● https://msfn.org/board/topic/178087-update-ie8-to-tls12-for-nearly-last-skype-7360150-on-windows-xp/ Update IE8 to TLS1.2 for (nearly) Last Skype 18.104.22.168 on Windows XP By Mathwiz, January 4, 2019 in Windows XP ---------- ORIGINAL INTRODUCTION: I'm posting a step-by-step fix to add TLS1.2 to IE8, so that Skype 22.214.171.124 (for a few months did) run on Windows XP-SP3. (While 7.41.x.x may be actual "last" for WinXP, it may or not nag you to "update", requiring a separate fix or version downgrade. My version 7.36 didn't get the nag, and 7.40 was also reported to lack the nag when it mattered before April 12.) I've compiled pieces of the fix puzzle I found elsewhere on MSFN, because the complete fix isn't obvious to WinXP Skypers searching from elsewhere on the web. The fix isn't that difficult, but the usual warnings that novices should back up the registry before editing it, do apply. The download KB file installs, and each set their own restore points. I hope just setting a Restore point before starting the edit will be adequate. I haven't used my desktop PC WinXP-SP3 Skype (mostly chat) for months while the power supply was down. Yesterday I fixed it. To my surprise, Skype errored with "Sorry, we couldn't connect to Skype. Please check your Internet connection and try again." But the internet was ok. Many Skypers aren't techies, and most of the posted complaints about "Sorry, we couldn't connect to Skype", don't have a fix other than get a new OS like Win7, or use web Skype. For good reasons, we don't want to give up WinXP, at least as a backup to Win7 (or even Win8.1 for my keytablet). I've thoroughly tested Win10, but I'm not interested in that control-freak bugfest. One elsewhere-posted answer with no fix, helpfully explained that Skype had switched to using the more secure https encryption protocol TLS1.2. Skype for WinXP uses the SSL/TLS protocols built into Internet Explorer 8, which is the last Internet Explorer version for WinXP. IE8 normally has a maximum version of TLS1.0. Skype servers apparently turned off insecure TLS 1.0 sometime after I had to quit using this Skype last year (2018). So the fix is to add TLS1.2 to IE8, and it did work for me. At MSFN I found the bitter-end holdouts on WinXP, same website where I found the Win98 bitter-enders. (Btw, one poster at MSFN said the famous Windows OS bitter-ender AXCEL216 aka MDGx aka George, is still alive!). One or more MSFN gurus noticed that Microsoft is still updating Windows XP embedded OS for computerized cash registers (etc.), a WinXP variant known as "POSReady" (POS= Point Of Sale). They figured out how to spoof WinXP-SP3's identity, so that it will pose as, and accept POSReady updates, including those which to add TLS1.2 to IE8. (If still relevant to Skype readers, do the procedure above. Even if another post-April 12 Skype for XP fix is found, this procedure will likely be needed as well.) When I did this procedure (in January of 2019), the "we couldn't connect to Skype" error went away. However, a new sub-login dialog appeared that only allows a Microsoft school or business account. This dialog went away after I clicked on an existing chat account. (See new Skype 7 login obsolescence described in posts below, first reported elsewhere as of about April 12, 2019.) I hope this helps. Al