Upgrading IE8 to TLS 1.2


Thomas S.

KB4316682 is only available through the WSUS catalog.

http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/05/ie8-windowsxp-kb4316682-x86-embedded-enu_cc345109f94dd7b763cc415385974632a058fd07.exe

To enable TLS 1.1 and 1.2 in Internet Explorer 8, run the following code for a reg file.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80

 

:)

Edited by heinoganda


To summarize, KB4019276 adds TLS 1.2 support to Windows XP Embedded. That lets you use TLS 1.2 with, e.g., Chromium, but not IE8.

The new update, KB4316682 adds TLS 1.2 support to IE8. KB4316682 isn't available via Auto Update, although as a cumulative IE8 update, it's probably just as well (WU would take forever).

The registry changes (which I had already made) are needed in order to let you configure IE8 to use TLS 1.2.

So you need all three. (Although I haven't looked inside KB4316682, so I suppose it's possible that it includes the updated files from the earlier KB4019276.)


On 6/10/2018 at 3:51 PM, FranceBB said:

Good news, everyone.

Before MSDN wiped out all the messages, I said that I was going back to Microsoft to ask them about ECC and I did.

I called them and I spoke with John Paul I and he said "it really is important for us to get this worked on".

In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

I'm as happy as Larry. :D

If true, my concern is that M$ would do a "rush job" to get the necessary updates in before April 2019, and we'd wind up with a buggy update just as support ended.

On 6/11/2018 at 3:08 AM, heinoganda said:

For an operating system that will be supported until April 2019? I am not so optimistic, since even TLS 1.2 should be considered unsafe. Hope dies last.

:)

I would not consider TLS 1.2 unsafe. It's surely the best widely-supported protocol at present. TLS 1.3 is still mostly experimental.

The ultra-paranoid can disable all cipher suites except AES 128 and AES 256. (Edit: I found I also had to leave 3DES enabled in order to get Microsoft Update to work!) Start regedit and go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers and you will find a subkey for each possible cipher. Create a DWORD value named "Enabled" under each one (except AES 128 and AES 256) and leave its value at 0.

You can also disable the MD5 hash under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes the same way.

Edited by Mathwiz
Problem with MS Update
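
An added example, not part of the thread or written by any poster: a Python audit of an exported .reg file that decodes the `SecureProtocols` bitmask from the first post and lists SCHANNEL cipher subkeys that still lack `Enabled`=0. The sample export is constructed, and the cipher subkey names in it are assumptions; use the names present on the machine being checked.

```python
import re

# Bit values of the WinINet "SecureProtocols" DWORD (0xa80 = TLS 1.0 + 1.1 + 1.2).
PROTOCOL_BITS = {0x008: "SSL 2.0", 0x020: "SSL 3.0", 0x080: "TLS 1.0",
                 0x200: "TLS 1.1", 0x800: "TLS 1.2"}
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
CIPHERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
# Kept per the thread (AES, plus 3DES for Microsoft Update); names are assumed.
KEEP = {"AES 128/128", "AES 256/256", "Triple DES 168/168"}

# Constructed sample export. Real regedit exports are UTF-16; decode them first.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80
[CIPHERS\AES 128/128]
[CIPHERS\Triple DES 168/168]
[CIPHERS\RC2 40/128]
[CIPHERS\RC4 128/128]
"Enabled"=dword:00000000
[CIPHERS\DES 56/56]
"Enabled"=dword:ffffffff
""".replace("CIPHERS", CIPHERS_KEY)

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in .reg text."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def decode_secure_protocols(value):
    return [name for bit, name in sorted(PROTOCOL_BITS.items()) if value & bit]

def audit(reg_text, keep=KEEP):
    """Return (protocols IE offers, ciphers outside `keep` lacking Enabled=0)."""
    protocols, not_disabled = [], []
    for path, values in parse_reg(reg_text).items():
        if path.lower() == INET_KEY.lower() and "SecureProtocols" in values:
            protocols = decode_secure_protocols(values["SecureProtocols"])
        elif path.lower().startswith(CIPHERS_KEY.lower() + "\\"):
            cipher = path[len(CIPHERS_KEY) + 1:]
            if cipher not in keep and values.get("Enabled") != 0:
                not_disabled.append(cipher)
    return protocols, sorted(not_disabled)
```

A subkey with no `Enabled` value is reported because the procedure above only disables a cipher once that value exists and is 0.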

I wonder if it is advisable to disable the 3 specific insecure ciphers?

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

 

Edited by Sampei.Nihira

On 6/11/2018 at 11:43 AM, FranceBB said:

lol. I know that it might sound weird if you don't live in the UK. You know, when I moved I heard on TV and radio commercials "I'm as happy as Larry" and I had no clue what they meant. One day, I was on my way to work and I was listening to the Mystery Hour on LBC and someone asked Mr. James O' Bryan where did it come from. Someone picked up the phone, called the LBC and said that it originates from a boxer that won many fights and got a very big prize in money. One of the papers wrote "happy as Larry" in the headline and since then it has been used by everyone to express joy. In this case, if the guy from the support didn't troll me and Microsoft is gonna add ECC in the future, installing the update that adds ECC support will eventually make me "as Happy as Larry" when he won the prize. XD

@Dave-H is British, I think he can confirm/explain it better ;)

While I was aware of the expression, I must say that I didn't know that the original "Larry" was a boxer.
He was actually an Australian called Larry Foley apparently, and the phrase originated there rather than in the UK. He boxed in the late 1800s, and apparently never lost a fight!
:)


6 hours ago, Sampei.Nihira said:

I've had RC4 disabled for some time and never had an issue. But disabling 3DES blocked access to Microsoft Update :(


23 hours ago, Mathwiz said:

To summarize, KB4019276 adds TLS 1.2 support to Windows XP Embedded. That lets you use TLS 1.2 with, e.g., Chromium, but not IE8.

The new update, KB4316682 adds TLS 1.2 support to IE8. KB4316682 isn't available via Auto Update, although as a cumulative IE8 update, it's probably just as well (WU would take forever).

The registry changes (which I had already made) are needed in order to let you configure IE8 to use TLS 1.2.

So you need all three. (Although I haven't looked inside KB4316682, so I suppose it's possible that it includes the updated files from the earlier KB4019276.)

I am a bit confused here!
I have KB4019276 installed (from February's updates) but not KB4316682.
Does today's update KB4230450 actually supersede it?
I have added the registry data to reveal the TLS 1.1 and 1.2 entries in the IE advanced settings options, and they were both already ticked, so presumably they were already activated, the registry keys just add them to the interface so you can turn them off if you want to.
:dubbio:


One of the few, if not the only, things MS has always been consistent with, AFAICR, are the so called "cumulative updates", which, nowadays, apply almost only to browser updates, but once applied to other components, too. Now, KB4019276 is not cumulative, but both KB4316682 and KB4230450 are so. Hence, KB4230450 ought to supersede both KB4316682 and KB4109276, because it must include updated versions of the files and registry entries from both KB4019276 and KB4316682. Of course, there's then Murphy's law, and this one might be the feather that breaks the camel's back, so to say... one never knows unless we check (and then Schrödinger even goes on to say that even after checking we cannot really know what was there before...) so, just to remain on the safe side I'll state YMMV. :P


It's weird that KB4230450 was released just a few days after KB4316682. Both are IE8 cumulative updates, so (in theory) KB4230450 should include everything that KB4316682 did; at least that's my understanding of the word "cumulative." But I never checked the contents so I don't know for sure. I just installed KB4316682, then found KB4230450 had been released and installed it too.

Nor did I check whether either/both of those also include everything KB4019276 did, but since @Dave-H already had that one installed it shouldn't matter.

Anyway, if he didn't install KB4316682, it's probably worth checking IE8 (bypassing ProxHTTPSProxy temporarily) to see if TLS 1.2 is working. Just visiting good ol' https://www.howsmyssl.com should do the trick. If it isn't, go ahead and install KB4316682 and check again. Inquiring minds want to know!


53 minutes ago, Mathwiz said:

It's weird that KB4230450 was released just a few days after KB4316682. Both are IE8 cumulative updates, so (in theory) KB4230450 should include everything that KB4316682 did; at least that's my understanding of the word "cumulative."

I can reassure you, the files of KB4230450 are a little bit newer than those of KB4316682. The only thing is that MS has forgotten to change the version number of the files.

 

@Mathwiz

In the translation, an error has crept in, actually I wanted to write, the MS only further upgrades (ECC), if TLS 1.2 is uncertain.

:)

Edited by heinoganda

I extracted the files from the installers and none of the files in KB4019276 are found in the IE8 updaters. So cumulative IE8 updates don't update KB4019276. Not a recent February update, it has been available from the Microsoft Update Catalog since at least early November 2017.

I compared KB4230450 and KB4316682 and all the files in both installers had the same version number, 8.0.6001.24078.

The thing that is different about KB4316682 is that it is described as a "Cumulative Update for Internet Explorer 8"

KB4230450 and the vast majority of previous updates for IE8 are described as a "Cumulative Security Update for Internet Explorer 8"

If we can take Microsoft at its word, KB4316682 doesn't have any security updates built into it beyond those in KB4230450, so maybe it's about TLS 1.2

I had KB4316682 installed and KB4230450 wasn't among the updates offered by automatic updates this month. The only thing I haven't tried is to compare KB4316682 to KB4230450 file by file using a hex editor to see if there are any differences.

 


So it appears you need both KB4019276 and KB4316682 for TLS 1.2 in IE8, and if you've installed those two, you probably don't need KB4230450. But you'll still need next month's cumulative security update, and you'll still need to install it manually to avoid the hours/days(/weeks?)-long wait for AU/MU/WU to offer it.

I didn't want to wait to see if KB4230450 would be offered, so I went ahead and installed it manually last Tues. (I had already installed KB4316682 and confirmed that TLS 1.2 worked.) Apparently I didn't need to do that, but it didn't hurt anything (TLS 1.2 still works).

I had installed KB4019276 back on 28 Nov. At least that's what Add/Remove Programs tells me.


OK, thanks guys, so it looks as if KB4230450 is enough.
As I said earlier, I've never installed KB4316682, but I did have KB4019276 already installed.
https://www.howsmyssl.com shows TLS 1.2 working in IE8 with HTTPSProxy switched off (albeit with the certificate errors already mentioned) so I guess it's all OK.

BTW, sorry for the late response, am I the only one not getting any e-mail notifications from the forum now?
I've checked my forum settings and they are correct, but I had no notification of these recent posts.
:dubbio:

 


Purely of logic, why should MS publish a Cumulative Update for IE8 where TLS 1.2 works properly and a little later a Cumulative Security Update for IE8 where TLS 1.2 stops working? IE8 is a no longer up-to-date web browser where many features are missing for which current web pages are needed. MS removes root certificates for each certificate update where they are classified as unsafe and therefore the IE8 (required for WU / MU) had to be retrofitted with TLS 1.2.

Ironically, perhaps MS takes pity and releases the IE11 for Windows XP.
 

@Dave-H

Not only you are affected by the e-mail notifications from the forum. There seems to be a problem with the forum software.
 

:)

Edited by heinoganda