
On 28/2/2018 at 11:58 PM, Mathwiz said:

The TLS 1.1 and 1.2 boxes appear. I checked them. But in IE8, howsmyssl.com still reports I'm using TLS 1.0.

If I uncheck TLS 1.0, I get "cannot display the Web page."

I tried adding the "Enabled" DWORD value to

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.1\Client

(and same for TLS1.2\Client); no change.

Hello :) I'm sorry to learn you can't get TLS 1.1/1.2 working in IE8/XPSP3; FWIW, here's how I patched the registry after installing Vista's KB4019276 counterpart (TLS 1.2 key shown):

dV6njzv.jpg

KB4019276 states:

Quote

To benefit from the TLS 1.1 and TLS 1.2 support, you must set one or more of the registry subkeys as described in the "More Information" section.

and

Quote

Note For TLS 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0. 

By default, this entry does not exist in the registry.

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

As detailed previously in this thread, the lack of ECC + SNI support on XP makes TLS 1.2 implementation on IE8 problematic :(; but if M$ do insist they bring it to POSReady, why is it not feasible on XP?

For testing purposes, please use IE8 and https://cc.dcsec.uni-hannover.de/

then kindly share here the full set of cipher suites IE8 supports on your setup...

OTOH, a Server test on SSL Labs for howsmyssl.com reveals they support SSL3 all the way to TLS 1.2, with a different set of suites for each protocol; if there are no common suites between what IE8 on your system supports and the suites configured in the server for TLS 1.1/1.2, then, in theory, IE8 will fall back to TLS 1.0 even if TLS 1.1+ is somehow enabled; remember, KB4019276 does not introduce any stricter cipher suites with it, only the apparent promise to enable TLS 1.2 OS wide...

FTR, that test discloses the following info:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

# TLS 1.0 (server has no preference)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

FWIW, their "Handshake Simulation" suggests IE8/XP[no SP specified] is expected to connect via TLS 1.0, with TLS_RSA_WITH_RC4_128_SHA

Honestly hope you do get this somehow resolved...

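Added example (editorial, not part of any post in this thread and not Microsoft's code): a small auditor for a `.reg` export that checks the SCHANNEL client subkeys against the KB4019276 text quoted above, which spells the subkey `TLS 1.2` with a space and requires `DisabledByDefault` = 0. The function names and the sample export are constructed for illustration; treating `Enabled` = 0 as "not enabled" is this example's assumption.

```python
import re

# Parent key and subkey names exactly as spelled in the KB path quoted in the thread.
BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
        r"\SecurityProviders\SCHANNEL\Protocols")
WANTED = ("TLS 1.1", "TLS 1.2")

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys

def audit_client(text):
    """Map each wanted protocol to 'ok', 'not enabled', 'missing' or 'misnamed: <name>'."""
    keys = parse_reg(text)
    result = {}
    for proto in WANTED:
        values = keys.get(f"{BASE}\\{proto}\\Client")
        if values is not None:
            enabled = values.get("DisabledByDefault") == 0 and values.get("Enabled", 1) != 0
            result[proto] = "ok" if enabled else "not enabled"
            continue
        # No exact match: look for a differently spelled sibling such as "TLS1.2".
        siblings = {k[len(BASE) + 1:].split("\\")[0] for k in keys if k.startswith(BASE + "\\")}
        near = [s for s in siblings
                if s != proto and s.replace(" ", "").lower() == proto.replace(" ", "").lower()]
        result[proto] = f"misnamed: {near[0]}" if near else "missing"
    return result

# Constructed sample export: TLS 1.2 follows the KB text, TLS 1.1 is spelled without the space.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.1\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
"""
print(audit_client(SAMPLE))
```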

Thanks for that VistaLover! Since I've been using ie6 for a while now, I haven't been able to look into that yet. With that being said I'm planning on upgrading to 8 the next time I use my computer. But I have decided that I'm only going to be upgrading to 8 if there is a way to force YouTube to play flash instead of html5 in ie8 so that way I don't have to keep using google chrome frame to watch YouTube. Otherwise it's probably not worth upgrading. Does anyone know of anything?

33 minutes ago, apreese16 said:

if there is a way to force YouTube to play flash instead of html5 in ie8

YouTube (read Google) have abandoned Adobe Flash Player on all browsers, period! :angry:; to be able to watch YT, you'd have to use a HTML5 capable browser (MSE also needed for live streams); if the browser/OS doesn't support h264/aac decoding (the case of IE8/XP), then at least your browser should support VP8/VP9 decoding (Firefox e.a.); NB, not all live YT streams have VP8/9 flavours :(

Google Chrome Frame uses the proprietary h264/aac decoders (whose licence costs are paid to patent holders) + free WebM decoders, that normally come bundled with Chrome, to enable html5 YT playback in IE8/XP.

====================================================

Trivia (possibly OT for you XP-ers :P):

On Vista SP2, IE9 can play on-demand YT (but not live YT streams) with the h264/aac decoders, because the OS (via Windows Media Foundation framework) has native support for these; there's also another project from Google, WebM Video for MSIE, which installs VP8/VP9 (only) decoding support to IE; unfortunately for you on XP, it requires IE9+/Vista+

When YT first disabled Flash on their main site, for a few weeks after it was possible to re-enable Flash and YT MP4 playback via some userscripts on Firefox, exploiting the fact that embedded YT vids could still call Flash; if you've got time to kill, you can read the following google (the irony!) forum thread:

https://productforums.google.com/forum/?hl=en#!topic/youtube/CUaTWvKhAuE

The now defunct userscript project:

https://github.com/juneyourtech/GM_YT_Flash

https://github.com/juneyourtech/GM_YT_Flash/issues/6

On 3/2/2018 at 1:03 PM, VistaLover said:

Hello :) I'm sorry to learn you can't get TLS 1.1/1.2 working in IE8/XPSP3; FWIW, here's how I patched the registry after installing Vista's KB4019276 counterpart (TLS 1.2 key shown):

dV6njzv.jpg

If M$ do insist they bring it to POSReady, why is it not feasible on XP?

For testing purposes, please use IE8 and https://cc.dcsec.uni-hannover.de/

then kindly share here the full set of cipher suites IE8 supports on your setup...

I added the DisabledByDefault DWORDs to my registry as above. However, IE8 still does not use TLS 1.1 or 1.2.

I believe both protocols are installed and usable, but IE8 isn't using them.

Here are the cipher suites reported by the site above (result of Paste looks terrible, but it's readable):

Quote

SSL Cipher Suite Details of Your Browser

This websites gives you information on the SSL cipher suites your browser supports for securing HTTPS connections.

Cipher Suites Supported by Your Browser (ordered by preference):

Spec     Cipher Suite Name     Key Size  Description
(00,35)  RSA-AES256-SHA        256 Bit   Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,2f)  RSA-AES128-SHA        128 Bit   Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,0a)  RSA-3DES-EDE-SHA      168 Bit   Key exchange: RSA, encryption: 3DES, MAC: SHA1.
(00,13)  DHE-DSS-3DES-EDE-SHA  168 Bit   Key exchange: DH, encryption: 3DES, MAC: SHA1.

Further information:

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; .NET4.0C; .NET CLR 3.0.04506.30; Open Codecs 0.85.17777; .NET4.0E)

Preferred SSL/TLS version: TLSv1

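Added example (editorial, not part of any post in this thread): the "no common suites" question raised earlier can be checked directly from the two listings on this page, the SSL Labs server suites for howsmyssl.com and the four suites in the IE8 report above. The selection rule is an assumption of this example: server order where the listing states a preference, client order where it says the server has none.

```python
# Server suites per protocol, hex IDs copied from the SSL Labs listing in this thread.
SERVER = {
    "TLS 1.2": [0xcca8, 0xc02f, 0xc030, 0xc011, 0xc013, 0xc014, 0xc027, 0x9c, 0x9d,
                0x05, 0x2f, 0x3c, 0x35, 0xc012, 0x0a],
    "TLS 1.1": [0xc011, 0xc013, 0xc014, 0x05, 0x2f, 0x35, 0xc012, 0x0a],
    "TLS 1.0": [0x0a, 0xc012, 0x2f, 0xc013, 0x05, 0xc011, 0x35, 0xc014],
}
# "suites in server-preferred order" vs "server has no preference", as labelled in the listing.
SERVER_PREFERS = {"TLS 1.2": True, "TLS 1.1": True, "TLS 1.0": False}

# IE8 report, client preference order: (00,35) (00,2f) (00,0a) (00,13)
CLIENT = [0x35, 0x2f, 0x0a, 0x13]

NAMES = {
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def shared_and_selected(client, server, server_prefers):
    """Return (suites both sides list, in server order; the suite that would be selected)."""
    shared = [s for s in server if s in client]
    if not shared:
        return [], None
    # With server preference the first shared suite in server order wins;
    # without it, the first shared suite in the client's order wins.
    selected = shared[0] if server_prefers else next(s for s in client if s in server)
    return shared, selected

def compare_all():
    """Run the comparison for every protocol version in the server listing."""
    return {proto: shared_and_selected(CLIENT, suites, SERVER_PREFERS[proto])
            for proto, suites in SERVER.items()}

if __name__ == "__main__":
    for proto, (shared, selected) in compare_all().items():
        names = ", ".join(NAMES[s] for s in shared) or "none"
        print(f"{proto}: shared = {names}; selected = {NAMES.get(selected)}")
```

With these lists every protocol version shares three suites with the IE8 report, so on this data the suite lists alone do not rule out TLS 1.1 or 1.2; the report's "Preferred SSL/TLS version" line is the other value to compare.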

I'm a bit puzzled here.
I have KB4019276 installed, and have had for some time.
When I visit those test sites in IE8, https://www.howsmyssl.com and https://cc.dcsec.uni-hannover.de/ with no registry modifications, and just TLS 1.0 checked in the Internet Options, both tell me I'm using TLS 1.2!
Is that correct, and if so isn't it working anyway?
:dubbio:
