skeleton11223

TLS 1.1 and 1.2


There is an update for XP POSReady 2009 that adds TLS 1.1 and 1.2 support, but I have not gotten it to work; I tried on POSReady and XP Pro. The update is here: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276

and I tried this: https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows

and then this:

I got the options showing in Internet Options, but they do not work. Has anyone gotten it to work on POSReady?


KB4019276 does add support for TLS 1.1 & 1.2 to the OS, and the registry fixes add the TLS 1.1 & 1.2 checkboxes to Advanced Internet Options. But IE8 has never been updated to use them, so it's all for naught. Other XP browsers include their own TLS 1.1 & 1.2 support and don't need the updates anyway.

3 hours ago, Mathwiz said:

KB4019276 does add support for TLS 1.1 & 1.2 to the OS, and the registry fixes add the TLS 1.1 & 1.2 checkboxes to Advanced Internet Options. But IE8 has never been updated to use them, so it's all for naught. Other XP browsers include their own TLS 1.1 & 1.2 support and don't need the updates anyway.

Then why would MS release these updates? There has to be something missing...

Edited by skeleton11223


The updates are for third-party applications (say, for e-commerce) that use POSReady's built-in SSL/TLS support, instead of providing their own - but said applications still have to be updated to specify that TLS 1.1 and/or 1.2 be used.


I created the following DWORD entries in TLS1.1 and TLS1.2:

DisabledByDefault - DWORD - Hexadecimal - value 0

Client - DWORD - Hexadecimal - value 0

Server - DWORD - Hexadecimal - value 0

Enabled - DWORD - Hexadecimal - value 1

 

Is it correct?


Well, not quite: Client and Server are subkeys of the TLS 1.1 and TLS 1.2 keys, respectively. (Expand the +'s.) You would create the DisabledByDefault and Enabled DWORD values in those subkeys, not in the TLS 1.1 and 1.2 keys. But it won't help with IE8.

There is a workaround, but it doesn't involve installing this POSReady update. Won't hurt to have it, but the workaround bypasses schannel.dll completely: PM Heinoganda for his updated copy of ProxHTTPSProxyMII.

It's a proxy server that sits between IE8 and your Internet connection, and provides all the latest security protocols via OpenSSL:

On 3/20/2018 at 5:05 PM, heinoganda said:

@Dave-H

If you run ProxHTTPSProxyMII, it would explain this phenomenon. :yes:

The following website works for me under IE8 in Windows XP only with ProxHTTPSProxyMII.

https://dev.ssllabs.com/ssltest/viewMyClient.html

:)

Heinoganda has been keeping it updated with the latest versions of OpenSSL, so it should support just about anything. However, some have reported that its root certificate database, cacerts.pem, isn't complete, so you may still have some problems....

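The key layout described in the post above, as an added example that is not part of the original thread: a Python check over the text of a regedit export that flags values created directly on the TLS 1.1 / TLS 1.2 keys instead of in their Client and Server subkeys. The full SCHANNEL\Protocols path is the Microsoft-documented location and is not quoted in the thread; the expected values (DisabledByDefault 0, Enabled 1) are the ones posted above, and both sample exports are constructed.

```python
import re

# Microsoft-documented SChannel protocol key (assumption: not quoted in the thread).
BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
        r"\SecurityProviders\SCHANNEL\Protocols")
WANTED = {"DisabledByDefault": 0, "Enabled": 1}

def parse_reg(text):
    """Parse regedit export text into {key path: {value name: int}} (DWORDs only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text, protocols=("TLS 1.1", "TLS 1.2")):
    """Return a list of findings; an empty list means the layout is as described."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}  # key names ignore case
    findings = []
    for proto in protocols:
        # The mistake from the thread: values created on the protocol key itself.
        findings += [f"{proto}: '{n}' is on the protocol key, not in Client/Server"
                     for n in keys.get(f"{BASE}\\{proto}".lower(), {})]
        for role in ("Client", "Server"):
            sub = keys.get(f"{BASE}\\{proto}\\{role}".lower())
            if sub is None:
                findings.append(f"{proto}\\{role}: subkey missing")
                continue
            findings += [f"{proto}\\{role}: {n}={sub.get(n)}, expected {w}"
                         for n, w in WANTED.items() if sub.get(n) != w]
    return findings

# Constructed sample exports (not taken from the thread's screenshots).
WRONG = f'''Windows Registry Editor Version 5.00

[{BASE}\\TLS 1.2]
"DisabledByDefault"=dword:00000000
"Client"=dword:00000000
"Server"=dword:00000000
"Enabled"=dword:00000001
'''
RIGHT = "Windows Registry Editor Version 5.00\n" + "".join(
    f'\n[{BASE}\\{p}\\{r}]\n"DisabledByDefault"=dword:00000000\n"Enabled"=dword:00000001\n'
    for p in ("TLS 1.1", "TLS 1.2") for r in ("Client", "Server"))
```

Version 5.00 exports are saved as UTF-16, so decode the file with that encoding before passing its text to `audit`.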

Oh, right, got it. I didn't see Client and Server. Deleted and created from scratch the DisabledByDefault and Enabled DWORD values. Thank you.

By the way, I already know the heinoganda Proxy and I've been using it for a while. I was wondering about third party apps.

Thank you!!

Edited by FranceBB

On Tuesday, May 15, 2018 at 5:34 PM, skeleton11223 said:

There is an update for XP POSReady 2009 that adds TLS 1.1 and 1.2 support, but I have not gotten it to work; I tried on POSReady and XP Pro. The update is here: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276

and I tried this: https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows

and then this:

I got the options showing in Internet Options, but they do not work. Has anyone gotten it to work on POSReady?

 

On Wednesday, May 16, 2018 at 3:07 PM, Mathwiz said:

KB4019276 does add support for TLS 1.1 & 1.2 to the OS, and the registry fixes add the TLS 1.1 & 1.2 checkboxes to Advanced Internet Options. But IE8 has never been updated to use them, so it's all for naught. Other XP browsers include their own TLS 1.1 & 1.2 support and don't need the updates anyway.

 

On Wednesday, May 16, 2018 at 3:50 PM, skeleton11223 said:

Then why would MS release these updates? There has to be something missing...

From what it appears, Microsoft probably tried to make an update for Windows Server 2008/Windows Vista to add or complete TLS 1.1 and TLS 1.2 support for the operating system. It then may have tried packaging an update that does the same for Windows XP with Service Pack 3 that was done on Windows Server 2008/Windows Vista. Unlike Windows Server 2008/Windows Vista, Windows XP does not support Elliptic Curve Cryptography (ECC), so an update that may do what was done for Windows Server 2008/Windows Vista would be insufficient for Windows XP. After the updates, Windows XP still does not have true support for TLS 1.1 and TLS 1.2; it is incomplete.

Microsoft appears to have been sloppy with the TLS 1.1 and TLS 1.2 updates, but they are still good to apply because they add cipher suites and do not seem to break anything that was not broken before.

 

 


It is true; ECC key exchange was never added to XP, since it would require upgrading XP's certificate database. So even if TLS 1.1 and 1.2 worked with IE8, there would still be many sites it couldn't connect to. But the TLS 1.1 and 1.2 protocols don't require ECC; they support it but can be used with traditional RSA key exchange as well. But not even that much works with IE8. TLS 1.1 and 1.2 don't work at all with IE8, whether the Web site uses ECC or not.

128- and 256-bit AES cipher suites have also been added to XP recently, along with new 256-, 384- and 512-bit SHA2 hash algorithms; but I think those preceded the TLS 1.1/TLS 1.2 update.


Today I tested a site that I used to open using Firefox 'cause Chromium didn't manage to load it, but after I added all the registry keys and rebooted, it actually worked fine on Chromium. I also loaded a TLS tester website and it worked fine on Chromium. So it seems that Microsoft really did it for client usage as well and not for IIS etc only. Check it out:


Edited by FranceBB