

VistaLover

Enabling TLS 1.1/1.2 support in Vista's Internet Explorer 9


 As all of you Vista users surely know, IE9 is the last version of the MS supplied browser that can be installed on that OS.
It has several prerequisites, notably KB948465 (SP2 for Vista SP1), KB971512 (Windows Graphics, Imaging, and XPS Library) and KB2117917 (Platform update supplement for Windows Vista); you can read more here.

 MS had continued patching security vulnerabilities in IE9 on Vista SP2 via "Cumulative Security Updates for Internet Explorer 9 on Windows Vista SP2" up until Vista's EOL on April 11th of this year (update KB4014661).

 MS will continue patching IE9 on Windows Server 2008 SP2 (as, again, it's the last version installable there, too) until that product reaches its (Extended Support) EOL in 2020. If you have been following our Server 2008 Updates on Windows Vista thread, then you should have already installed follow-ups KB4018271 (May 2017), KB4021558 (June 2017) and KB4025252 (July 2017). For the rest of this post I'll assume your Vista SP2 OS (ergo IE9 copy) is fully updated even with post EOL updates intended for WS2008SP2; e.g. on my setup (Vista SP2 Home Premium 32bit), "About Internet Explorer" looks like:

[Screenshot: AboutIE9.jpg]

 For those of you out there with an intention of using IE9 as your main browser on Vista, sadly, you'd have come to the conclusion it's only half-usable currently, at best; this is a result of:

1. Most modern sites have removed support for IE9 completely, via UA string sniffing:

[Screenshot: YT-IE9.jpg]

Some sites (like YouTube) offer a workaround; for others it may be necessary to spoof the actual UA string as one from a later OS+IE version (e.g. via the "Set UA String" IE addon).

2. Many sites have moved to recent web design, so they don't render correctly (if at all) in IE9, even in "Compatibility View" (well, actually, this is to be expected; CV means the site was optimised for IE8-); FWIW, even MS pages don't display correctly now in IE9 :angry:.

3. A third scenario I find quite irritating is that many sites fail to load at all in IE9 if they use the HTTPS protocol; with the recent move of many major sites to the more secure, encrypted, HTTPS, "allegedly" to increase user privacy and security, I found the list of "secure" sites not opening in IE9 growing at a high rate; of course there's always Firefox, but it's IE9 we're discussing here... 

[Screenshot: IE9-https.jpg]

Upon investigation, I discovered this is due to IE9 on Vista only supporting TLS protocol v1.0; this is considered by today's standards no longer secure enough, so many sites using HTTPS have moved to the more secure versions 1.1, 1.2, even to 1.3!

 Fortunately, a recent MS update (intended for the WS2008SP2 OS) can be applied on Vista SP2 that will implement TLS 1.1/1.2 support on Vista's IE9, too! :); I have spoken about this important update here.

1. Install KB4019276

2. Reboot the Vista machine

3. After restart, launch the Registry Editor (regedit), preferably as Administrator.

4. Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1

5. Delete the "OSVersion"="3.6.1.0.0" subkey; BTW, I don't know which WinOS that string refers to (Win6.1=Win7)

6. Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2

7. Again, delete the "OSVersion"="3.6.1.0.0" subkey. Exit Registry Editor.

8. Launch IE9; Tools -> Internet Options -> Advanced tab -> Scroll all the way down to "Security":

[Screenshot: IE9_VistaSP2_AdvancedOptions.jpg]

Prior to KB4019276 and registry manipulations, only "Use TLS 1.0" had been available on Vista; you should have already unchecked the older "Use SSL 2.0/3.0" options, to avoid being targeted by "POODLE" attacks; uncheck "Use TLS 1.0" (optionally also "Use TLS 1.1") and check "Use TLS 1.2".

9. Click Apply, OK, then exit IE9.

10. Upon restarting IE9, you'll find you can now visit all those sites that previously would not load due to unsupported TLS protocols:

[Screenshot: IE9-TLS12-Success.jpg]

11. You can verify further that indeed 1.2 is being used during server-client negotiations via specialised sites or via IE9's native GUI:

[Screenshot: IE9_TLS-1.2_VistaSP2_1.jpg]

[Screenshot: IE9_TLS-1.2_VistaSP2_2.jpg]

I honestly hope you'll find my post to be of value; enjoy your more secure (than ever before?) Vista OS! :wub:

  • Upvote 5



Omg, I'm actually really keen on trying this, thanks for once again keeping Vista alive, and IE9 as well of course :D

Also, when I use IE9, webpages don't load/render properly; do you know of any fix for this? (e.g. hltv.org)

 

Edited by burd
  • Upvote 1

16 hours ago, burd said:

Also when i use ie9 webpages dont load/render properly

I've already mentioned this issue:

20 hours ago, VistaLover said:

2. Many sites have moved to recent web design, so they don't render correctly (if at all) in IE9, even in "Compatibility View"

16 hours ago, burd said:

do you know of any fix for this?

 Original post is about implementing TLS 1.1/1.2 support to IE9; it will allow for opening HTTPS websites that were previously inaccessible to IE9, because it would go as far as TLS 1.0.

 Sadly, the recent MS update has nothing to do with IE9's rendering engine, which is what's used to properly display (render) a loaded webpage -_-. For sites that do open but don't display correctly (and/or are not fully functional) you'll have to use another, more modern, browser that supports more recent Javascript and CSS code needed to render them correctly; apologies, but I'm not an expert in HTML and web design, so my terminology might be somewhat off, but I think you still get the picture (... or lack of it, if it fails to render in IE9 ! :P ).

 Please have a read of this older forum thread ; WS 2008 SP2 is already inside Extended Support (i.e. no new features, only security updates issued for it), so I was pleasantly surprised by KB4019276 which, depending on how you look at it, could be considered as a new OS feature; OTOH, it can simply fall inside the "security" category, since it improves the "security" protocols used when accessing HTTPS web places...

 I don't think that MS will issue any future updates in the remaining 2.5 years (till WS 2008 SP2 becomes EOL) that would enable an upgrade of IE9's layout engine - security: YES, they are still catering for that; functionality: THEY SIMPLY DON'T CARE; else they would've upgraded their own browser to IE10 or IE11 (possibly after a Vista/WS 2008 SP3 and/or a second Platform Update...).

  • Upvote 2


True


Excellent post, VistaLover!

Really appreciate it, especially the Reg Edits, never would have known about them. Going to implement this in a few days time.

Page saved.

Many thanks,

Ruan.

  • Upvote 1


Page saved for posterity in the webarchive:

https://web.archive.org/web/20170810231809/http://www.msfn.org/board/topic/176902-enabling-tls-1112-support-in-vistas-internet-explorer-9/

@Ruan

Welcome to MSFN (apparently a little too late :P)

Thanks for your kind words...

  • Upvote 1


Thanks VistaLover for saving to webarchive, makes it handy for sharing with others. Bookmarked for future ref.

And thank you too, for the welcome :), I hope to make the most of what time is left here.


The website's server requires at least TLS 1.2 (managed to get it in Vista SP2) and only these cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

(which I don't have in Vista)

I have only (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\0010002):

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA

I found updates for non-Vista systems that add the needed cipher suites:

https://support.microsoft.com/en-hk/help/2929781/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities
https://support.microsoft.com/en-us/help/3161639

https://support.microsoft.com/en-us/help/3042058/microsoft-security-advisory-update-to-default-cipher-suite-priority-or

Can I use them?

After the updates recommended above, do you have any of the cipher suites required by that website in your registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\0010002)?


No, sorry hapxhapx, you cannot use the 2929781, 3161639 & 3042058 patches under Vista, as those patches require Win7 (Server 2008 R2) or higher and will fail to install, saying they're "not applicable to your computer". MS did not make any of those patches for Vista/Server 2008 R0 SP2.

Note to VistaLover (OP): the KB4019276 updates have been revised mid-November 2017 and there's also a KB4019276 patch available for POSReady 2009 users (ah, for those still using XP). Download & install the "revised" KB4019276 patches, installing them on top of the older version.

Edited by erpdude8
  • Like 1


... In addition to the forums' host cipher suites changes, as of yesterday, Sat Feb 17 2018, "sourceforge.net", a popular service hosting open-source projects (and compiled binaries), has completely switched to TLS 1.2 only, again with a set of only four strict cipher suites not supported in IE9 (and Fx < 28.0):

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) FS 128

If this trend is adopted by many more secure sites, I suspect we can forget IE9 altogether, even with TLS 1.2 enabled there... :angry:

Edited by VistaLover
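
The mismatch described in the two posts above (TLS 1.2 enabled, yet no cipher suite in common with the server), as an added example that is not part of the original thread. It strips the curve suffix (`_P256` etc.) carried by the names in the Vista registry list, intersects that list with the four server suites, and shows which Vista suites share only the key exchange; the function names and the weak-suite markers are choices made for this example.

```python
import re

# The four suites the server accepts, as quoted in the posts (IANA names).
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

# The Vista SP2 list quoted from the registry in the post, in the same order.
VISTA_SUITES = """
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA
""".split()

CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")
# Markers for suites widely treated as obsolete (example's own choice).
WEAK_MARKERS = ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_MD5", "SSL_CK_")


def normalize(schannel_name):
    """Drop the trailing curve suffix so the name matches the IANA form."""
    return CURVE_SUFFIX.sub("", schannel_name)


def common_suites(server, client):
    """Server suites the client can offer, in server-preferred order."""
    offered = {normalize(name) for name in client}
    return [suite for suite in server if suite in offered]


def same_key_exchange(server, client):
    """Per server suite, client suites that match only up to '_WITH_'."""
    result = {}
    for suite in server:
        kex = suite.split("_WITH_")[0]
        result[suite] = sorted({normalize(c) for c in client
                                if c.split("_WITH_")[0] == kex})
    return result


def weak_suites(client):
    """Client suites that use NULL, RC4, DES/3DES, MD5 or SSL 2.0 naming."""
    return [name for name in client if any(m in name for m in WEAK_MARKERS)]


if __name__ == "__main__":
    print("common:", common_suites(SERVER_SUITES, VISTA_SUITES) or "none")
    for suite, near in same_key_exchange(SERVER_SUITES, VISTA_SUITES).items():
        print(suite, "-> closest on client:", ", ".join(near))
    print("weak suites still enabled:", len(weak_suites(VISTA_SUITES)))
```

The empty intersection is why the handshake fails even with TLS 1.2 switched on: the Vista list has the ECDHE_RSA key exchange, but only paired with AES-CBC and a SHA-1 MAC, never with GCM or the SHA256/SHA384 variants the server insists on.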


I was wondering, does this add additional security for privacy and banking related stuff? Just wondering.


The KB4019276 update is no longer needed as it is superseded/replaced by the KB4056564 security update for Windows Server 2008 SP2 [released March 13, 2018].  According to the Microsoft Update Catalog site, KB4056564 replaces the KB4019276 & KB4056448 updates.

If the KB4056564 security update is installed, it will block/prevent the KB4019276 update from installing.

Doesn't matter to me as I've uninstalled the KB4019276 update & have installed the KB4056564 update on my old Vista laptop, which has newer files.

Edited by erpdude8
  • Upvote 1
