
Upgrading IE8 to TLS 1.2


Thomas S.


There is a new cumulative update for IE8 on POSReady: kb4316682.

"Adds the ability to use TLS 1.2 support in Internet Explorer (8)."

But it seems that there must be some settings in the registry to activate this.

I looked around, and in a Russian forum this is given:

Quote

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.6.1.0.0"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.6.1.0.0"

And this information:

Quote

Depending on the OS version:
3.6.1.0.0 for Win7 and higher (6.1)
3.5.1.0.0 for WinXP or higher (5.1)

Here in the forum we are advised (among other things) to delete the entry:

https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/?page=149&tab=comments#comment-1150757

There are some other entries for an older update (kb4019276) that brings TLS 1.1/1.2 support for XP and Server connections.

At this point all this information is not clear (for me :rolleyes: ).

Is the older update necessary for the new one?

In the KB article there is no such hint ("There are no special requirements to install this update.").

So what is right here?

And where did the information about the registry settings for the new IE8 update come from?

Any official MS site?

 

Edited by Thomas S.


You need to modify the registry settings you mentioned above to enable the TLS 1.1/1.2 checkboxes in IE settings. You may set the values to 3.5.1.0.0 or delete them; both ways work. I don't know if there is an official source for this.

12 minutes ago, Thomas S. said:

Is the older update necessary for the new one?

Yes. If kb4019276 isn't installed, you can "enable" the TLS 1.1/1.2 in IE settings, but it will not really work.


Hmmm..., I tested now with the older update, and right, I can use TLS 1.2 in IE8.

But: no registry settings are necessary for the older update!

And strangely, https://www.howsmyssl.com/ works (confirmed TLS 1.2) but no connection is possible to https://www.ssllabs.com/

No idea :wacko:

With HTTPSProxy there is no problem to access both sites.


@Bersaglio: please, bear with me. (i) Suppose one downloads this NPAPI Flash installer <link> and renames it Bad_Flash.exe. On looking at its properties, one will see it's the installer for NPAPI Flash v. 30.0.0.113 and will see that Win 7 SP1 x86 considers its signature valid but Win XP SP3 considers it not valid. (ii) Suppose now one downloads this NPAPI Flash installer <link> and renames it Good_Flash.exe. On looking at its properties, one will see it's another installer for NPAPI Flash v. 30.0.0.113, but this one both Win 7 SP1 x86 and Win XP SP3 consider to have a valid signature. (iii) Suppose then one removes the signatures from both installers with delcert, and finds out the remaining installers are binarily identical, so all the difference was in the signatures. Now I ask you, is this also due just to the lack of ECC in XP SP3, or is there more than that behind it? TIA.


2 hours ago, Thomas S. said:

But: no registry settings for the older update necessary!

You are right: the registry settings recommended for use with kb4019276 are needed only if you use TLS 1.1/1.2 to connect your XP to a domain.

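The recipe from the two replies above (kb4019276 for the actual TLS 1.1/1.2 support, kb4316682 for the IE8 option, then the OSVersion values set to 3.5.1.0.0 or deleted) as one administrative cmd.exe script. This is an added example, not a script from the thread or from Microsoft; it assumes XP Professional / POSReady 2009 where systeminfo.exe lists installed hotfixes, and it uses only the registry keys and values quoted in the first post.

```batch
@echo off
rem Constructed example: enable the TLS 1.1/1.2 checkboxes of IE8 on XP SP3 / POSReady 2009.
rem Run from an administrative cmd.exe. Assumes systeminfo.exe is available (XP Pro / POSReady).
setlocal

set "CRYPTO=HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO"

rem 1. Prerequisite check: without kb4019276 the checkboxes can be ticked but TLS 1.2
rem    does not actually work; kb4316682 is the update that adds the TLS 1.2 option.
systeminfo | find /i "KB4019276" >nul
if errorlevel 1 (
    echo KB4019276 not found: install it first, otherwise TLS 1.1/1.2 will not work.
    exit /b 1
)
systeminfo | find /i "KB4316682" >nul
if errorlevel 1 (
    echo KB4316682 not found: install it first, it adds the TLS 1.2 option to IE8.
    exit /b 1
)

rem 2. Show what the update wrote (the Russian forum snippet shows OSVersion = 3.6.1.0.0,
rem    the Win7 value, which hides the options on XP = NT 5.1).
reg query "%CRYPTO%\TLS1.1" /v OSVersion
reg query "%CRYPTO%\TLS1.2" /v OSVersion

rem 3. Per the reply above either deleting the value or setting 3.5.1.0.0 works;
rem    setting it keeps the key self-documenting, so that is done here.
reg add "%CRYPTO%\TLS1.1" /v OSVersion /t REG_SZ /d 3.5.1.0.0 /f
reg add "%CRYPTO%\TLS1.2" /v OSVersion /t REG_SZ /d 3.5.1.0.0 /f

rem 4. Verify the write, then tick "Use TLS 1.1" / "Use TLS 1.2" under
rem    Internet Options > Advanced, restart IE8 and test with https://www.howsmyssl.com/.
reg query "%CRYPTO%\TLS1.1" /v OSVersion | find "3.5.1.0.0" >nul || exit /b 1
reg query "%CRYPTO%\TLS1.2" /v OSVersion | find "3.5.1.0.0" >nul || exit /b 1
echo OSVersion set to 3.5.1.0.0 for TLS1.1 and TLS1.2. Enable the options in IE8 now.
endlocal
```

The script only touches the two OSVersion values the thread discusses; the domain-related settings for kb4019276 mentioned in the reply above are not needed for browsing and are left alone.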

@dencorso

I had not even noticed; the only difference I've found is between a valid and an invalid certificate.

[Images: fpcert1.jpg, fpcert2.jpg]

Update:
In connection with Explorer (shell32.dll), an adjustment by MS seems to be necessary because of the encryption.

:)

Edited by heinoganda

@dencorso and @heinoganda

Please read:

https://support.globalsign.com/customer/portal/articles/2169296-windows-code-signing-hash-algorithm-support

XP SP3 and Vista SP2 can't validate file digital signatures (code signing certificates) with SHA256 file digest (i.e. hash algorithm) :( ; Win7 SP1 upwards can!

Other useful reads:

https://blogs.technet.microsoft.com/pki/2010/09/30/sha2-and-windows/

https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility

Edited by VistaLover
Refined terminology

OK. I'm better informed now. But the question that remains is what else is needed for Vista SP2 and XP SP3 to be able to validate /fd sha256 certificates and, hence, identify correctly invalid certificates in executables. And, then, can it be fixed?

[Image: sha256.gif]


21 hours ago, Thomas S. said:

Hmmm..., I tested now with the older update, and right, I can use TLS 1.2 in IE8.

But: no registry settings are necessary for the older update!

And strangely, https://www.howsmyssl.com/ works (confirmed TLS 1.2) but no connection is possible to https://www.ssllabs.com/

No idea :wacko:

With HTTPSProxy there is no problem to access both sites.

 

Edited by Sampei.Nihira

Good news, everyone.

Before MSDN wiped out all the messages, I said that I was going back to Microsoft to ask them about ECC and I did.

I called them and I spoke with John Paul I and he said "it really is important for us to get this worked on".

In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

I'm as happy as Larry. :D


13 hours ago, FranceBB said:

In other words, even though he didn't tell me when it's gonna be included in the next update cycles, it seems that Microsoft *will* include it in the next update cycles.

For an operating system that will be supported until April 2019? I am not so optimistic, since even TLS 1.2 should be considered unsafe. Hope dies last.

13 hours ago, FranceBB said:

I'm as happy as Larry. :D

If there is no ECC support up to the end of support, you have to rename yourself Larry. :D

:)


lol. I know that it might sound weird if you don't live in the UK. You know, when I moved I heard on TV and radio commercials "I'm as happy as Larry" and I had no clue what they meant. One day, I was on my way to work and I was listening to the Mystery Hour on LBC and someone asked Mr. James O' Bryan where it came from. Someone picked up the phone, called LBC and said that it originates from a boxer who won many fights and got a very big prize in money. One of the papers wrote "happy as Larry" in the headline and since then it has been used by everyone to express joy. In this case, if the guy from support didn't troll me and Microsoft is gonna add ECC in the future, installing the update that adds ECC support will eventually make me "as happy as Larry" when he won the prize. XD

@Dave-H is British, I think he can confirm/explain it better ;)
