Update Windows XP & IE8 to TLS1.2 (Connected Last Skype 7)


alstring

Original January 4, 2019 post title was "Update IE8 to TLS1.2 for (nearly) Last Skype 7.36.0.150 on Windows XP".  Update title changed May 1, 2019.   Readers wanting Skype-specific info should page or find down to the ORIGINAL INTRODUCTION. 

UPDATE INTRODUCTION:
This compiled procedure, Instructions To Add TLS1.2 To Windows XP OS & IE8, turns out to be useful for non-Skype purposes, and may now be obsolete for the intended purpose of running Windows XP Skype 7.36.0.150 (see posts below).  For convenience of other readers, I've reorganized the original post so that the procedure steps now start near the top.  I've also edited OS registry variations in steps 9A and 9B, made a change in step 11, and added a 12th procedure step, each helpfully noted by posters below.  

-----------------------------------------------------------------
INSTRUCTIONS TO ADD TLS1.2 TO WINDOWS XP OS & IE8  
             
(Compiled from MSFN source posts credited)
-----------------------------------------------------------------

1) If not already updated, download and install Microsoft's updated Windows Installer 4.5 (KB942288-v3) from
https://download.microsoft.com/download/2/6/1/261fca42-22c0-4f91-9451-0e0f2e08356d/WindowsXP-KB942288-v3-x86.exe

2) Set a System Restore point marked, say, "Spoof POSReady ID registry edit"

3) Put the following POSReady spoof text (omit the hyphen lines) in POSReady.txt, rename to POSReady.reg, right-click Merge, Yes.
----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
                                                                                [<-- BLANK LINE]
                                                                                [<-- BLANK LINE]
----------

4) Navigate to:

https://www.catalog.update.microsoft.com/search.aspx?q=kb4019276

5) Find down to POSReady, Windows XP Embedded versions of KB4019276

Click Download button for that version. Click English in the opening language window (or other language).

6) Navigate to:

https://www.catalog.update.microsoft.com/search.aspx?q=KB4230450
 
7) Find down to POSReady, Windows XP Embedded versions of KB4230450:

Click Download button for that version. Click English in the opening language window (or other language).

8) For each KB file: click, accept install, reboot.  (Both create restore points just in case.)

9) Edit the following Windows XP registry entries in 9A and 9B to read as shown.  If you aren't sure how, look up Regedit 5 editor instructions.  For convenient automatic registry edit-merge, these lines may be pasted into Notepad text files, renamed .reg, then just click the file after closing it (expect no response).  (But to be careful, I edited them manually with Regedit 5.)

9A) After navigating the chain of registry keys, click the key TLS1.1, in the right panel, right-click "OSVersion", click Modify, enter the Value data already shown (not sure why), click OK.  (I had to change "3.6.1.0.0" to "3.5.1.0.0" shown in obvious German in the source.) (EDIT: Other posters report below that if this key is absent, this step may be safely skipped.)
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.5.1.0.0"
----------

9B) Next click the key TLS1.2, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (Likewise I had to change "3.6.1.0.0" to "3.5.1.0.0") (EDIT: Likewise, if missing, skip this step.)
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.5.1.0.0"
----------

10) Click Start, hover Control Panel, click Internet Options, Advanced tab, pull the thumb bar all the way down.  You should see new checkbox options for "Use TLS 1.1", "Use TLS 1.2". (KB4230450 will install these checkboxes, but they won't work without KB4019276.)

11) Check "Use TLS 1.2".  Leave unchecked "Use TLS 1.1" (already obsoleted by TLS 1.2; and, TLS 1.3 was approved in 2018).  (EDIT:) Leave checked "Use TLS 1.0".  Click OK.  The TLS 1.0's AES component is not insecure.  TLS 1.0 may best remain checked for legacy websites needing AES or 3DES.  (See explainers in posts below.)

12) (EDIT:) The following registry edits disable TLS 1.0's insecure cipher suites: DES, RC2, RC4, plus the insecure MD5 cipher hash.  3DES may be disabled optionally, but legacy websites without AES may need 3DES (Triple DES).  TLS 1.0's secure cipher suite AES remains enabled, unchanged (no edit shown).  Edit the following registry entries to read as shown: 
----------
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
----------

You may need Triple DES (3DES) at websites which don't (yet) support AES.  Here is the optional edit (not yet recommended) to disable 3DES (0's mean Not "Enabled", equals Disabled):
----------
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000
----------

The above registry edits (manual for transparency) are included in a larger set of one-click automatic edits in a download .reg file posted below. 

Pardon any source text compiling errors.  If you have problems, try reading the sources (long).  

Source posts credited:  
https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/
POSReady 2009 updates ported to Windows XP SP3 ENU
By glnz, March 19, 2013 in Windows XP
https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/
Upgrading IE8 to TLS 1.2
By Thomas S., June 9, 2018 in Windows XP
https://msfn.org/board/topic/178087-update-ie8-to-tls12-for-nearly-last-skype-7360150-on-windows-xp/
Update IE8 to TLS1.2 for (nearly) Last Skype 7.36.0.150 on Windows XP
By Mathwiz, January 4, 2019 in Windows XP

----------


ORIGINAL INTRODUCTION:

I'm posting a step-by-step fix to add TLS1.2 to IE8, so that Skype 7.36.0.150 (for a few months did) run on Windows XP-SP3.  (While 7.41.x.x may be actual "last" for WinXP, it may or may not nag you to "update", requiring a separate fix or version downgrade.  My version 7.36 didn't get the nag, and 7.40 was also reported to lack the nag when it mattered before April 12.)

I've compiled pieces of the fix puzzle I found elsewhere on MSFN, because the complete fix isn't obvious to WinXP Skypers searching from elsewhere on the web.  The fix isn't that difficult, but the usual warnings that novices should back up the registry before editing it, do apply.  The download KB file installs, and each set their own restore points.  I hope just setting a Restore point before starting the edit will be adequate.  


I haven't used my desktop PC WinXP-SP3 Skype (mostly chat) for months while the power supply was down.  Yesterday I fixed it.  To my surprise, Skype errored with "Sorry, we couldn't connect to Skype.  Please check your Internet connection and try again."  But the internet was ok.

Many Skypers aren't techies, and most of the posted complaints about  "Sorry, we couldn't connect to Skype", don't have a fix other than get a new OS like Win7, or use web Skype. 

For good reasons, we don't want to give up WinXP, at least as a backup to Win7 (or even Win8.1 for my keytablet).  I've thoroughly tested Win10, but I'm not interested in that control-freak bugfest.

One elsewhere-posted answer with no fix, helpfully explained that Skype had switched to using the more secure https encryption protocol TLS1.2.  Skype for WinXP uses the SSL/TLS protocols built into Internet Explorer 8, which is the last Internet Explorer version for WinXP.  IE8 normally has a maximum version of TLS1.0.  Skype servers apparently turned off insecure TLS 1.0 sometime after I had to quit using this Skype last year (2018).  So the fix is to add TLS1.2 to IE8, and it did work for me.  

At MSFN I found the bitter-end holdouts on WinXP, same website where I found the Win98 bitter-enders. (Btw, one poster at MSFN said the famous Windows OS bitter-ender AXCEL216 aka MDGx aka George, is still alive!).

One or more MSFN gurus noticed that Microsoft is still updating Windows XP embedded OS for computerized cash registers (etc.), a WinXP variant known as "POSReady" (POS= Point Of Sale).  They figured out how to spoof WinXP-SP3's identity, so that it will pose as, and accept POSReady updates, including those which add TLS1.2 to IE8.

(If still relevant to Skype readers, do the procedure above.  Even if another post-April 12 Skype for XP fix is found, this procedure will likely be needed as well.)

When I did this procedure (in January of 2019), the "we couldn't connect to Skype" error went away.  However, a new sub-login dialog appeared that only allows a Microsoft school or business account.  This dialog went away after I clicked on an existing chat account. 

(See new Skype 7 login obsolescence described in posts below, first reported elsewhere as of about April 12, 2019.)

 

I hope this helps.

Al

Edited by alstring
Adding updated information from followup posts
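
The step 12 edits can be checked afterwards against an exported copy of the SCHANNEL key. The following is an added example, not part of the original post or of the .reg file attached later in the thread; the function names and the sample export are constructed for illustration.

```python
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
# Subkeys from step 12 that should carry "Enabled"=dword:00000000.
WEAK = [r"Ciphers\DES 56/56", r"Ciphers\RC2 128/128", r"Ciphers\RC2 40/128",
        r"Ciphers\RC2 56/128", r"Ciphers\RC4 128/128", r"Ciphers\RC4 40/128",
        r"Ciphers\RC4 56/128", r"Hashes\MD5"]
OPTIONAL_3DES = r"Ciphers\Triple DES 168/168"

# Constructed sample export (not from a real machine): DES and RC2 40 disabled,
# RC4 128 explicitly enabled, every other subkey absent.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
'''

def parse_reg(text):
    """Parse Regedit 5 export text into {key_path_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip().lower()
    return keys

def audit(text, include_3des=False):
    """Map each step-12 subkey to 'disabled', 'enabled' or 'not set'."""
    keys, report = parse_reg(text), {}
    for sub in WEAK + ([OPTIONAL_3DES] if include_3des else []):
        data = keys.get((SCHANNEL + "\\" + sub).lower(), {}).get("enabled")
        # A missing key or value means the OS default applies, so report it separately.
        report[sub] = ("not set" if data is None else
                       "disabled" if data == "dword:00000000" else "enabled")
    return report

def needs_edit(report):
    """Subkeys that step 12 would still have to change."""
    return [sub for sub, status in report.items() if status != "disabled"]

if __name__ == "__main__":
    print(needs_edit(audit(SAMPLE)))
```

Regedit saves "Registration Files (*.reg)" exports as UTF-16, so read a real export with `open(path, encoding="utf-16").read()` before passing it to `audit`.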


Thank you for that excellent step-by-step guide.

One note: there are still a few web servers around that don't yet support TLS 1.2. So in the last step (11), one may opt to leave TLS 1.0 checked (particularly if they use Chrome 49 or Advanced Chrome web browsers, which also use XP's Internet settings). That way their connection will use TLS 1.2 if it's available but fall back to TLS 1.0 if not. (No real reason to enable TLS 1.1 though; I've never seen a site that supports TLS 1.1 but not 1.2.)

I wouldn't say TLS 1.0 is insecure by itself, but it does support several insecure cipher suites, so you may want to disable all cipher suites except AES (and perhaps 3DES; its security was weakened by the "Sweet 32" attack, but as with TLS 1.2, there are still a few web sites that don't yet support AES, so you may need to leave it enabled for those).  I've attached a .reg file to disable the old RC2 and RC4 cipher and MD5 hash algorithms:

Disable insecure algorithms.reg

Edited by Mathwiz

On 1/4/2019 at 9:45 AM, alstring said:

9B) After navigating the chain of registry keys, click the key TLS1.1, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (I had to change "3.6.1.0.0" to "3.5.1.0.0" shown in obvious German in the source.)
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.5.1.0.0"
----------

9C) Next click the key TLS1.2, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (Likewise I had to change "3.6.1.0.0" to "3.5.1.0.0")
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.5.1.0.0"
----------

 

I can't see OSVersion in my regedit panel. Is this change really worth it? I've never seen this before.

os_version.JPG


Those values used to be there - I've seen them - but installing the latest IE8 update may have removed them. If they aren't there (they're gone from mine now too) don't worry about it. They were intended so that IE's registry keys could be configured the same for all OSes, but TLS 1.1 / 1.2 would still show up only on Win 7 and up, so they aren't needed now that TLS 1.1 / 1.2 work on XP.


> On 1/6/2018 at 6:36 PM, roytam1 said:
> Skype seems dropping out v7 support. I hex-edited Russian's unpacked skype.exe 6.16 and changed version to 8.34 and it is able to login again.

I've read similar reports from early 2018.  Apparently Skype managers are determined to kill Skype 7, and collaterally, all use of Windows XP for Skype.  

Technically, they may urgently plan to decommission the current (more costly?) telephony server architecture.  Chat and photo files are cheap, so Skype 7 chat, photo, and better interface controls may be a collateral victim of rushed cost-cutting to telephony server upgrades.  Probably they are now using Azure distribution centers that function like telephone central offices ("there is no cloud").  

Why?  Speculatively, the business news of Microsoft having mere single digit growth with consequent technical staff layoffs, suggests they no longer have enough software engineers to support legacy product functions that would avoid another public relations disaster first seen with Windows 10. 


Reportedly on or about April 12th, my Skype 7.36.0.150 stopped being able to log in, but I didn't notice.  I was using Hibernate state (S4) suspend-to-disk, so my Skype login session lasted for about two more weeks.  

Trying to reuse the Skype login in my hiberfil.sys, that file self-deleted by an attempt to copy it, probably due to XP security.  

For further investigation, I made folder copies of:
1) C:\[D&S]\Settings\HP_Administrator\Application Data\Skype
2) C:\Program Files\Skype
, renamed the original Application Data folder to:
"Skype (archived original 7.36 data after login refused on 2019_04_26)"
, renamed the copies to "Skype" (as previously).

The most important reason for doing this was to preserve the year+ chat log for SkypeLogView, etc.  But also to be able to recover from experimentation errors.  In fact, after trying alternate reinstalls, my next attempt to execute the 7.36 program was met by an info box reading:
-----
Warning
A problem was found with the version of Skype installed on this device. [blah, download latest, blah]
Expected: 9d2996d08c13f0133168878e74cc3930
Found: -
-----
32 hex digits appears to be an MD5 checksum, to exit Skype if the installed program has been altered by malware (or bitter-end Skype 7 users?).  

 
