Thomas S. Posted June 9, 2018 (edited)

There is a new cumulative update for IE8 on PosReady, kb4316682: "Adds the ability to use TLS 1.2 support in Internet Explorer (8)." But it seems that there must be some settings in the registry to activate this. I looked around, and in a Russian forum this is given:

Quote:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.6.1.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.6.1.0.0"

And this information:

Quote:
Depending on the OS version:
3.6.1.0.0 for Win7 and higher (6.1)
3.5.1.0.0 for WinXP or higher (5.1)

Here in the forum we are advised (among other things) to delete the entry: https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/?page=149&tab=comments#comment-1150757

There are some other entries for an older update (kb4019276) to bring support for TLS 1.1 / 1.2 for XP and Server connections. At this point all this information is not clear (for me). Is the older update necessary for the new one? In the KB article there is no such hint ("There are no special requirements to install this update."). So what is right here? And where did the information about the registry settings for the new IE8 update come from? Any official MS site?

Edited June 9, 2018 by Thomas S.
Yellow Horror Posted June 9, 2018

You need to modify the registry settings you mentioned above to enable the TLS 1.1/1.2 checkboxes in IE settings. You may set the values to 3.5.1.0.0 or delete them - both ways work. I don't know if there is an official source for this.

12 minutes ago, Thomas S. said:
Is the older update necessary for the new one?

Yes. If kb4019276 isn't installed, you can "enable" TLS 1.1/1.2 in IE settings, but it will not really work.
Thomas S. Posted June 9, 2018 (Author)

Hmmm ..., I tested now with the older update, and right, I can use TLS 1.2 in IE8. But: no registry settings for the older update necessary! And strange is that https://www.howsmyssl.com/ works (confirmed TLS 1.2) but no connection is possible to https://www.ssllabs.com/ No idea. With HTTPSProxy there is no problem accessing both sites.
Bersaglio Posted June 9, 2018

@Thomas S. ssllabs.com uses elliptic curve cryptography, which IE8 doesn't support (without a local HTTPS proxy, of course).
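The situation described in the posts above (TLS 1.2 negotiates with one site, while another site that only accepts elliptic-curve suites refuses the handshake), as an added example that is not part of the original thread. The ClientHello, its RSA-only suite list and both server lists are constructed stand-ins, not captures from IE8 or from the sites named here; `build_hello` and `negotiate` are hypothetical helper names.

```python
import struct

SUITES = {  # IANA cipher suite code points
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_client_hello(record):
    """Return (client_version, [suite codes]) from one TLS handshake record."""
    ctype, _rec_version, _rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a ClientHello")
    pos = 9                          # record header (5) + handshake header (4)
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                    # client_version + random
    pos += 1 + record[pos]           # session_id length byte + session_id
    (nbytes,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from("!%dH" % (nbytes // 2), record, pos + 2))
    return version, suites

def negotiate(record, server_suites, server_max=0x0303):
    """Pick the version and first server-preferred suite the client offered."""
    version, offered = parse_client_hello(record)
    agreed = min(version, server_max)
    for code in server_suites:       # server preference order
        if code in offered:
            return agreed, SUITES[code]
    return agreed, None              # no overlap: server sends handshake_failure

def build_hello(version, suites):
    """Build a minimal ClientHello record (no extensions) for the demo."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += struct.pack("!%dH" % len(suites), *suites) + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake

# Constructed inputs: a TLS 1.2 client without ECC suites, and two servers.
CONSTRUCTED_HELLO = build_hello(0x0303, [0x002F, 0x0035, 0x000A, 0x0005])
RSA_CAPABLE_SERVER = [0xC02F, 0x002F]
ECC_ONLY_SERVER = [0xC02B, 0xC02F]

if __name__ == "__main__":
    print(negotiate(CONSTRUCTED_HELLO, RSA_CAPABLE_SERVER))
    print(negotiate(CONSTRUCTED_HELLO, ECC_ONLY_SERVER))
```

Both negotiations agree on version 0x0303 (TLS 1.2); only the suite overlap differs, which is why enabling the protocol version alone does not guarantee a connection.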
dencorso Posted June 9, 2018

@Bersaglio: please, bear with me.

(i) suppose one downloads this NPAPI Flash installer <link> and renames it Bad_Flash.exe. On looking at its properties, one will see it's the installer for the NPAPI Flash v. 30.0.0.113 and will see that Win 7 SP1 x86 considers its signature valid but Win XP SP3 considers it not valid.

(ii) suppose now one downloads this NPAPI Flash installer <link> and renames it Good_Flash.exe. On looking at its properties, one will see it's another installer for the NPAPI Flash v. 30.0.0.113, but this one both Win 7 SP1 x86 and Win XP SP3 consider its signature valid.

(iii) suppose then one removes the signatures from both installers with delcert, and finds out the remaining installers are binarily identical, so all difference was in the signatures.

Now I ask you, is this also due just to lack of ECC in XP SP3, or is there more than that behind it? TIA.
Yellow Horror Posted June 9, 2018

2 hours ago, Thomas S. said:
But: no registry settings for the older update necessary!

You are right: the registry settings recommended to use with kb4019276 are needed only if you use TLS 1.1/1.2 to connect your XP to a domain.
heinoganda Posted June 9, 2018 (edited)

@dencorso I have not even noticed, the only difference I've found between valid and invalid certificate.

Update: In connection with the Explorer (shell32.dll), an adjustment seems to be necessary by MS, because of the encryption.

Edited June 10, 2018 by heinoganda
VistaLover Posted June 10, 2018 (edited)

@dencorso and @heinoganda Please read: https://support.globalsign.com/customer/portal/articles/2169296-windows-code-signing-hash-algorithm-support

XP SP3 and Vista SP2 can't validate file digital signatures (code signing certificates) with SHA256 file digest (i.e. hash algorithm); Win7 SP1 upwards can!

Other useful reads:
https://blogs.technet.microsoft.com/pki/2010/09/30/sha2-and-windows/
https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility

Edited June 10, 2018 by VistaLover: Refined terminology
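One way to check which file digest a signature uses, as an added example that is not part of the original thread: it reads the `digestAlgorithms` set from the PKCS#7 SignedData blob of an Authenticode signature. It assumes the blob has already been extracted from the executable's certificate table; the two sample blobs are constructed, truncated SignedData structures, and `validates_on_xp_sp3` only encodes the rule stated in the post above.

```python
# DER-encoded OID bodies
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",              # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",    # 2.16.840.1.101.3.4.2.1
}

def read_tlv(buf, pos):
    """Read one DER element; return (tag, body, offset of the next element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, bytes(buf[pos:pos + length]), pos + length

def file_digest_algorithms(pkcs7):
    """List SignedData.digestAlgorithms from an Authenticode PKCS#7 blob."""
    _, content_info, _ = read_tlv(pkcs7, 0)          # ContentInfo SEQUENCE
    _, oid, pos = read_tlv(content_info, 0)          # contentType
    if oid != SIGNED_DATA:
        raise ValueError("not PKCS#7 SignedData")
    _, wrapped, _ = read_tlv(content_info, pos)      # [0] EXPLICIT
    _, signed_data, _ = read_tlv(wrapped, 0)         # SignedData SEQUENCE
    _, _version, pos = read_tlv(signed_data, 0)
    _, alg_set, _ = read_tlv(signed_data, pos)       # SET OF AlgorithmIdentifier
    names, pos = [], 0
    while pos < len(alg_set):
        _, alg_id, pos = read_tlv(alg_set, pos)
        _, oid, _ = read_tlv(alg_id, 0)
        names.append(DIGEST_OIDS.get(oid, oid.hex()))
    return names

def validates_on_xp_sp3(pkcs7):
    # Rule from the thread: XP SP3 / Vista SP2 cannot check a SHA256 file digest.
    return "sha256" not in file_digest_algorithms(pkcs7)

def der(tag, body):                    # short-form lengths only (samples are small)
    return bytes([tag, len(body)]) + body

def sample(oid_body):                  # constructed, truncated SignedData
    alg = der(0x30, der(0x06, oid_body) + b"\x05\x00")
    signed = der(0x30, b"\x02\x01\x01" + der(0x31, alg))
    return der(0x30, der(0x06, SIGNED_DATA) + der(0xA0, signed))

SHA1_SIG = sample(bytes.fromhex("2b0e03021a"))
SHA256_SIG = sample(bytes.fromhex("608648016503040201"))
```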
dencorso Posted June 10, 2018

OK. I'm better informed now. But the question that remains is what else is needed for Vista SP2 and XP SP3 to be able to validate /fd sha256 certificates and, hence, identify correctly invalid certificates in executables. And, then, can it be fixed?
Guest Posted June 10, 2018 (edited)

21 hours ago, Thomas S. said:
Hmmm ..., I tested now with the older update, and right, I can use TLS 1.2 in IE8. But: no registry settings for the older update necessary! And strange is that https://www.howsmyssl.com/ works (confirmed TLS 1.2) but no connection is possible to https://www.ssllabs.com/ No idea. With HTTPSProxy there is no problem accessing both sites.

Edited June 10, 2018 by Sampei.Nihira
FranceBB Posted June 10, 2018

Good news, everyone. Before MSDN wiped out all the messages, I said that I was going back to Microsoft to ask them about ECC and I did. I called them and I spoke with John Paul I and he said "it really is important for us to get this worked on". In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles. I'm as happy as Larry.
heinoganda Posted June 11, 2018

13 hours ago, FranceBB said:
In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

For an operating system that will be supported until April 2019? I am not so optimistic, since even TLS 1.2 should be considered unsafe. Hope dies last.

13 hours ago, FranceBB said:
I'm as happy as Larry.

If there is no ECC support up to the end of support, you have to rename yourself Larry.
dencorso Posted June 11, 2018

13 hours ago, FranceBB said:
I'm as happy as Larry.

2 hours ago, heinoganda said:
If there is no ECC support up to the end of support, you have to rename yourself Larry.

Who's Larry? This one? Or, maybe, this one? Or do you mean @larryb123456?
FranceBB Posted June 11, 2018

lol. I know that it might sound weird if you don't live in the UK. You know, when I moved I heard on TV and radio commercials "I'm as happy as Larry" and I had no clue what they meant. One day, I was on my way to work and I was listening to the Mystery Hour on LBC and someone asked Mr. James O' Bryan where did it come from. Someone picked up the phone, called the LBC and said that it originates from a boxer that won many fights and got a very big prize in money. One of the papers wrote "happy as Larry" in the headline and since then it has been used by everyone to express joy. In this case, if the guy from the support didn't troll me and Microsoft is gonna add ECC in the future, installing the update that adds ECC support will eventually make me "as Happy as Larry" when he won the prize. XD

@Dave-H is British, I think he can confirm/explain it better
Mike86 Posted June 11, 2018 (edited)

Did anyone get this KB4316682 over the Auto Update?

Edited June 11, 2018 by Mike86