
Windows XP and TLS 1.2



Posted

More and more web sites are turning TLS 1.0 off. This is no big deal for web browsing, because Firefox handles TLS 1.2 just fine. But some other applications will be affected.

A nice example is the utilities made to send XML-based electronic government declarations. The Polish government servers will turn off TLS 1.0 in the middle of 2017. I strongly doubt the utilities used to send the declarations have their own TLS 1.2 support as Firefox does. The declarations cannot be sent through the browser, so Firefox will not do.

Is there a way to check if an application has its own TLS support?

Is there a way to add TLS 1.2 support to Windows XP?


Posted

what about writing your own schannel.dll like ReactOS did?

(You may help finishing up ReactOS schannel.dll+mbedtls.dll for use in XP/2003)

Posted
On Sunday, December 11, 2016 at 7:05 AM, Sfor said:

Is there a way to check if an application has its own TLS support?

Well, if the application is a browser, you can just browse to https://www.ssllabs.com/ssltest/viewMyClient.html and it will tell you, right at the top of the page, whether it supports TLS 1.2. I don't know of an easy way to check non-browser clients (secure email, etc.) though.
 

Posted (edited)

Unfortunately, the applications I wish to test for TLS 1.2 support are not browsers. They are mostly government tax declaration form senders and managers. The government tax service will not work with just a browser, as the protocol is not user friendly.

I did play a bit with schannel.dll. After replacing it with a file taken from Windows 7, IE 8 stopped working with https completely. There were no visible error messages; IE just did not make any connection.

-------------------------------------------------------

I did the same experiment with schannel.dll and mbedtls.dll from ReactOS. The result was almost the same as with the Windows 7 schannel.dll file. The difference is that with some sites IE 8 crashes, and with most of them it does not connect.

It seems ReactOS is using mbed TLS 2.3.0 and schannel.dll is just a wrapper for mbedtls.dll. mbed TLS 2.3.0 should support TLS 1.2.

Another question is whether Microsoft added TLS 1.2 support with updates for Windows XP Embedded. If so, it would be logical to use them instead.

Another task is testing whether a particular application is gaining TLS 1.2 support. To do so it would be necessary to redirect connections to some other server. Well, redirecting to a different IP through DNS is a simple task, but I have no experience with HTTPS servers. It would be good to have a server with an ability to switch between TLS 1.0 and 1.2.

On the other hand, perhaps it would be a better choice to use a proxy instead, keeping the original server and switching TLS 1.0 on and off with the proxy.

Yet another idea is to leave Windows TLS support as is, and to use a TLS 1.2 capable proxy to make the connection, instead.

Edited by Sfor
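One way to answer the "does this non-browser application offer TLS 1.2?" question raised above, as an added example that is not part of the original thread: the first record a TLS client sends (the ClientHello) states the highest version it supports, so parsing those bytes is enough and no certificate or HTTPS server is needed. The function names and the sample bytes are constructed for this sketch.

```python
import struct

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def max_offered_version(record: bytes) -> str:
    """Highest protocol version offered in a raw ClientHello record."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        # The record-layer version (bytes 1-2) is often 0x0301 even for
        # TLS 1.2 clients, so it is ignored; the real offer is inside.
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack("!H", hello[0:2])[0]
        pos = 2 + 32                              # skip version + random
        pos += 1 + hello[pos]                     # session id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hello[pos]                     # compression methods
        if pos + 2 <= len(hello):                 # extensions are optional
            end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= min(end, len(hello)):
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                data = hello[pos + 4:pos + 4 + elen]
                if etype == 0x002B and data:      # supported_versions (TLS 1.3)
                    offered = [int.from_bytes(data[i:i + 2], "big")
                               for i in range(1, 1 + data[0], 2)]
                    # Keep known versions only; this drops GREASE placeholders.
                    version = max([version] + [v for v in offered if v in TLS_NAMES])
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None
    return TLS_NAMES.get(version, hex(version))

def sample_hello(client_version: int, extensions: bytes = b"") -> bytes:
    """Constructed ClientHello for the demo (not a capture from a real client)."""
    hello = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"    # one cipher suite, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for v in (0x0301, 0x0303):
        print(max_offered_version(sample_hello(v)))
```

The input can be the first bytes the application sends to a plain TCP listener it has been redirected to, or the first client packet from a capture of a real session.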
  • 3 months later...
Posted (edited)

Bump, any solutions for this?

I need TLS 1.2 on XP too.

Edited by ekeda
Posted
7 minutes ago, ekeda said:

Bump, any solutions for this?

I need TLS 1.2 on XP too.

There is another related thread, here:
 

about using a proxy.

jaclaz


 

Posted
3 minutes ago, ekeda said:

Proxy is not an option since I need it for online play and proxy will create lag.

*Need* for play? :unsure:

I mean, usually gamers have the latest, newest of everything including both hardware and software (and OS), whilst to play (say) Hearts, a small lag is not that much relevant.

jaclaz
 

Posted

@ekeda

How does it look with a local HTTPS proxy? I have a small project, based on Python, in the form of a compiled program. If there is interest in it, send me a PM.

:)

Posted

I have no idea if this local proxy will cause lag. I need TLS 1.2 on XP for Starcraft HD, which will be released this summer. If you want, upload the program somewhere, but I won't be able to test it until the game releases.
