
Upgrading IE8 to TLS 1.2


Thomas S.


Off Topic

On 6/10/2018 at 10:51 PM, FranceBB said:

Before MSDN wiped out all the messages, I said that I was going back to Microsoft to ask them about ECC and I did.

I called them and I spoke with John Paul I and he said "it really is important for us to get this worked on".

In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

If you have had the opportunity to speak with someone from MS, have you also addressed the issues with KB4134651 (oleaut32.dll)? Many programs are no longer working properly, like MBAM v3.

:)



On 6/13/2018 at 8:59 AM, Sampei.Nihira said:

 

https://www.wilderssecurity.com/threads/tls-1-1-and-browser-upgrades.404679/#post-2762861

The Microsoft Update is OK.

 

:)

Edited by Sampei.Nihira

21 hours ago, heinoganda said:

Purely of logic, why should MS publish a Cumulative Update for IE8 where TLS 1.2 works properly and a little later a Cumulative Security Update for IE8 where TLS 1.2 stops working?

:)

My experience was that the latter update did not stop TLS 1.2 from working, but apparently it doesn't enable TLS 1.2 either; you still must install the former update. The latter update is apparently "cumulative" only for security fixes; the former is "cumulative" for enhancements too, and MS must consider TLS 1.2 support an "enhancement." IOW, MS's use of the word "cumulative" is a bit misleading. Edit: Never mind; I either missed or misread @Dave-H's post above, where he said KB4230450 was enough to enable TLS 1.2. I installed KB4316682, and that was also enough to enable TLS 1.2. Furthermore, @antiproton reported that KB4230450 wasn't offered after installing KB4316682, so apparently there's nothing new in KB4230450 that wasn't in KB4316682 from a few days before.

So why two different updates then? I suppose it's still possible that KB4316682 included something that KB4230450 didn't; but if so, it wasn't TLS 1.2 since that was included in both.

Sometimes MS just makes no sense at all....

Edited by Mathwiz

On 6/15/2018 at 9:41 PM, Mathwiz said:

My experience was that the latter update did not stop TLS 1.2 from working, but apparently it doesn't enable TLS 1.2 either; you still must install the former update. The latter update is apparently "cumulative" only for security fixes; the former is "cumulative" for enhancements too, and MS must consider TLS 1.2 support an "enhancement." IOW, MS's use of the word "cumulative" is a bit misleading.

Definitely I can tell you, because I create my own update rollups and make monthly test installs in my VM, so that the support for TLS 1.2 works for IE8 with KB4230450 without previous updates KB4316682 and / or KB4103768. Condition is that KB4019276 is installed!
The two registry entries

HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1","OSVersion"
HKLM,"SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2","OSVersion"

should be deleted so that the possibility exists to activate TLS 1.1 and TLS 1.2 in IE8.

Update:

The version number was not changed, but the creation date. Think in a binary comparison, there are certainly some differences.

In this case, because of the same file version, the update KB4230450 can not be found when checking for updates if KB4316682 is installed.


:)

Edited by heinoganda

@heinoganda I already told them a long time ago, but they fixed only one of the two issues I reported back then. Anyway, anyone can contact Microsoft and speak with one of their operators, you just have to call their support number or contact them via the form on their site. I mean, support is there for a reason, just pretend you have Windows Embedded POSReady 2009 and you are good to go. You should report it too. The more we are reporting the same issues, the better it is, right?


Off Topic

@FranceBB

Thanks for your efforts.

@Dibya

For me MBAM 3 works just as well, it was about the statement "MBAM v3 dropped support to XP long ago" and the claim that MBAM 3 could not be installed. Following information about this from Malwarebytes.


Support for older versions of Windows operating systems

Document created by xxxxxxx in 05/19/2017

Malwarebytes is committed to continue support for Windows XP, for as long as Microsoft allows us to. In fact, we're one of the few providers still willing to do so. This stand means that we'll continue offering our core anti-malware protection to the best of our ability, given technical limitations. New features added over time will be supported as technically feasible.

If a new feature, such as our Anti-Ransomware protection, relies on newer technologies not supported on older operating systems.

Any features not supported are listed in our official system requirements by product.


Source:
https://support.malwarebytes.com/docs/DOC-1469

In addition I will not write any further comment, because off Topic!

:)

Edited by heinoganda

On 6/15/2018 at 3:21 PM, heinoganda said:

Definitely I can tell you, because I create my own update rollups and make monthly test installs in my VM, so that the support for TLS 1.2 works for IE8 with KB4230450 without previous updates KB4316682 and / or KB4103768.

Update:

The version number was not changed, but the creation date. Think in a binary comparison, there are certainly some differences.

ie8diff.jpg

In this case, because of the same file version, the update KB4230450 can not be found when checking for updates if KB4316682 is installed.


:)

I checked my own system, and the mshtml.dll file from KB4230450 is installed there. (Fearing the typical long wait from MU, I had downloaded and installed KB4230450 directly from the Microsoft Update Catalog, and didn't rely on MU to find it.) Given its later date, it probably has some security fixes beyond KB4316682, since we know TLS 1.2 support is included in both updates.

It seems KB4316682 is superseded by KB4230450. But if folks installed KB4316682 and relied on MU/WU/AU to find the latest updates, they would have missed KB4230450 due to the version number mix-up, so they should now download and install it manually from the catalog.

It will probably all shake out next month anyway, when the next Cumulative IE8 Update or Security Update is released. The version numbers probably won't stay the same next time....


I was impressed this morning when I had an e-mail from PayPal saying that they would be blocking browsers they consider insecure very soon, that when I tried their test on IE8, it now said it was fine, without HTTPSProxy enabled!
:thumbup

Edited by Dave-H
Addition

  • 4 weeks later...

So I just tried this and it seemed to work. The only thing is, right-clicking and selecting 'Properties' on an HTTPS encrypted page I've navigated to causes a couple of page errors (the same ones, each time - see attached images) to show up, and lists Connection as 'Unavailable'. Is this happening to everybody else, or...? I guess it doesn't matter that much functionality-wise (I don't really know of an alternative way to confirm which ciphers are being used for a given connection) but it's still annoying. Is anybody else experiencing this too?

ED: Is this somehow related to the validation failures documented in this comment?

 

 

 

properties_1_cropped.png

properties_2_cropped.png

Edited by bilditup1
Added speculative note; replaced screenshots with cropped versions

Yes, I'm seeing the same error, now that I've tried that (right-click and click "Properties").

A workaround might be to click the padlock icon to the right of the address bar. This also lets you view the site's certificate, but doesn't seem to run the same buggy code.


On 7/13/2018 at 5:39 PM, Mathwiz said:

Yes, I'm seeing the same error, now that I've tried that (right-click and click "Properties").

A workaround might be to click the padlock icon to the right of the address bar. This also lets you view the site's certificate, but doesn't seem to run the same buggy code. 

That doesn't show you TLS version or ciphers used though, which is what interests me. Thanks for confirming that this is an issue though.

Edited by bilditup1

  • 10 months later...
