

Thomas S.

Upgrading IE8 to TLS 1.2


Posted (edited)

There is a new cumulative update for IE8 on POSReady: kb4316682.

"Adds the ability to use TLS 1.2 support in Internet Explorer (8)."

But it seems that there must be some settings in the registry to activate this.

I looked around, and in a Russian forum this is given:

Quote

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.6.1.0.0"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.6.1.0.0"

And this information:

Quote

Depending on the OS-Version
3.6.1.0.0 for Win7 and higher (6.1)
3.5.1.0.0 for WinXP or higher (5.1)

Here in the forum we are advised (among other things) to delete the entry:

https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/?page=149&tab=comments#comment-1150757

There are some other entries for an older update (kb4019276) to bring support for TLS 1.1 / 1.2 for XP and Server connections.

At this point all this information is not clear (for me :rolleyes: ).

Is the older update necessary for the new one?

In the KB article there is no such hint ("There are no special requirements to install this update.").

So what is right here?

And where did the information about the registry settings for the new IE8 update come from?

Any official MS site?

 

Edited by Thomas S.


You need to modify the registry settings you mentioned above to enable the TLS 1.1/1.2 checkboxes in IE settings. You may set the values to 3.5.1.0.0 or delete them - both ways work. I don't know if there is an official source for this.

12 minutes ago, Thomas S. said:

Is the older update necessary for the new one?

Yes. If kb4019276 isn't installed, you can "enable" the TLS 1.1/1.2 in IE settings, but it will not really work.
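
An added example, not part of any post in this thread: a small audit that parses a registry export of the CRYPTO key quoted above and reports whether the TLS 1.1/1.2 checkboxes would be expected on XP. It assumes the thread's reading of `OSVersion` (fields 2 and 3 are the minimum OS major.minor, and a deleted value also enables the option); the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the .reg fragment quoted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.6.1.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.6.1.0.0"
'''

CRYPTO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO"

def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def min_os(os_version):
    """Assumed reading of '3.6.1.0.0': fields 2 and 3 are the minimum OS major.minor."""
    fields = os_version.split(".")
    return int(fields[1]), int(fields[2])

def option_state(keys, proto, running_os=(5, 1)):
    """'shown' if the IE checkbox for proto is expected on running_os, else 'hidden'."""
    value = keys.get(CRYPTO_KEY + "\\" + proto, {}).get("OSVersion")
    if value is None:  # value deleted: the thread reports this also works
        return "shown"
    return "shown" if running_os >= min_os(value) else "hidden"

def audit(text, running_os=(5, 1)):
    """Evaluate both protocol entries for the given OS version (default XP, 5.1)."""
    keys = parse_reg(text)
    return {p: option_state(keys, p, running_os) for p in ("TLS1.1", "TLS1.2")}
```

A "shown" result only covers the checkbox; as the post above states, kb4019276 still has to be installed for the protocol to actually work.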


Hmmm ..., I tested now with the older update, and right, I can use TLS1.2 in IE8.

But: no registry settings for the older update necessary!

And the strange thing is that https://www.howsmyssl.com/ works (confirmed TLS1.2) but no connection is possible to https://www.ssllabs.com/

No idea :wacko:

With HTTPSProxy there is no problem to access both sites.


@Thomas S.

ssllabs.com uses elliptic curve cryptography which IE8 doesn't support (without local HTTPS proxy, of course).


@Bersaglio: please, bear with me. (i) suppose one downloads this NPAPI Flash installer <link> and renames it Bad_Flash.exe. On looking at its properties, one will see it's the installer for the NPAPI Flash v. 30.0.0.113 and will see that Win 7 SP1 x86 considers its signature valid but Win XP SP3 considers it not valid. (ii) suppose now one downloads this NPAPI Flash installer <link> and renames it Good_Flash.exe. On looking at its properties, one will see it's another installer for the NPAPI Flash v. 30.0.0.113, but this one both Win 7 SP1 x86 and Win XP SP3 consider its signature valid. (iii) suppose then one removes the signatures from both installers with delcert, and finds out the remaining installers are binarily identical, so all difference was in the signatures. Now I ask you, is this also due just to lack of ECC in XP SP3, or is there more than that behind it? TIA.

2 hours ago, Thomas S. said:

But: no registry settings for the older update necessary!

You are right: the registry settings recommended for use with kb4019276 are needed only if you use TLS 1.1/1.2 to connect your XP to a domain.

Posted (edited)

@dencorso

I have not even noticed, the only difference I've found between valid and invalid certificate.

 

[Images: fpcert1.jpg, fpcert2.jpg]

Update:
In connection with the Explorer (shell32.dll), an adjustment seems to be necessary by MS, because of the encryption.

:)

Edited by heinoganda

Posted (edited)

@dencorso and @heinoganda

Please read:

https://support.globalsign.com/customer/portal/articles/2169296-windows-code-signing-hash-algorithm-support

XP SP3 and Vista SP2 can't validate file digital signatures (code signing certificates) with SHA256 file digest (i.e. hash algorithm) :( ; Win7 SP1 upwards can!

Other useful reads:

https://blogs.technet.microsoft.com/pki/2010/09/30/sha2-and-windows/

https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility

Edited by VistaLover
Refined terminology


OK. I'm better informed now. But the question that remains is what else is needed for Vista SP2 and XP SP3 to be able to validate /fd sha256 certificates and, hence, identify correctly invalid certificates in executables. And, then, can it be fixed?

sha256.gif

Posted (edited)
21 hours ago, Thomas S. said:

Hmmm ..., I tested now with the older update, and right, I can use TLS1.2 in IE8.

But: no registry settings for the older update necessary!

And the strange thing is that https://www.howsmyssl.com/ works (confirmed TLS1.2) but no connection is possible to https://www.ssllabs.com/

No idea :wacko:

With HTTPSProxy there is no problem to access both sites.

 

Edited by Sampei.Nihira


Good news, everyone.

Before MSDN wiped out all the messages, I said that I was going back to Microsoft to ask them about ECC and I did.

I called them and I spoke with John Paul I and he said "it really is important for us to get this worked on".

In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

I'm as happy as Larry. :D

  • Upvote 1

13 hours ago, FranceBB said:

In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

For an operating system that will be supported until April 2019? I am not so optimistic, since even TLS 1.2 should be considered unsafe. Hope dies last.

13 hours ago, FranceBB said:

I'm as happy as Larry. :D

If there is no ECC support up to the end of support, you have to rename yourself Larry. :D

:)

13 hours ago, FranceBB said:

I'm as happy as Larry. :D

2 hours ago, heinoganda said:

If there is no ECC support up to the end of support, you have to rename yourself Larry. :D

:dubbio: Who's Larry? :unsure:
This one? Or, maybe, this one? Or do you mean @larryb123456?

 


lol. I know that it might sound weird if you don't live in the UK. You know, when I moved I heard on TV and radio commercials "I'm as happy as Larry" and I had no clue what they meant. One day, I was on my way to work and I was listening to the Mystery Hour on LBC and someone asked Mr. James O'Brien where it came from. Someone picked up the phone, called the LBC and said that it originates from a boxer that won many fights and got a very big prize in money. One of the papers wrote "happy as Larry" in the headline and since then it has been used by everyone to express joy. In this case, if the guy from the support didn't troll me and Microsoft is gonna add ECC in the future, installing the update that adds ECC support will eventually make me "as Happy as Larry" when he won the prize. XD

@Dave-H is British, I think he can confirm/explain it better ;)

  • Upvote 1

Posted (edited)

Did anyone get this KB4316682 over the Auto Update?

Edited by Mike86
