WinFX

Enable TLS 1.1 and 1.2 in Windows XP correctly


I installed Windows XP Pro SP3 x86 in a VM, then disabled SSL 2 and 3, to enable TLS 1.0. I was able to access Google, but many sites were still not accessible, so I installed KB3081320 to have AES-256 support and I could access more sites with that supported encryption.
But there are sites that I still cannot access. For me the problem was that my Windows XP had IE6SP3, so I updated it to IE8, but everything was the same. I drew the conclusion that the problem was that it was only compatible with TLS 1.0 and not later, so I installed KB4019276 and followed all the steps on the Microsoft page: https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows. But when checking at https://www.howsmyssl.com it still told me that only TLS 1.0 was activated; I know that some people with WinXP + IE8 managed to make these protocols work.


Maybe try this:

A while ago I had an XP VM too, and following the steps on Microsoft's websites didn't help me at all either; I only had TLS 1.0 available, but after running this, TLS 1.1 and 1.2 finally appeared in IE's settings.

Edited by Tamris


Or this (ignore the references to Skype, and you can skip step 4 & 5 since you already installed KB4019276):

On 1/4/2019 at 2:45 AM, alstring said:

Below I'm posting a step-by-step fix to add TLS1.2 to IE8, so that Skype 7.36.0.150 will continue to run on Windows XP-SP3. (While 7.38.x.x may be the actual "last" for WinXP, it may or may not nag you to "update".)

...

One or more MSFN gurus noticed that Microsoft is still updating Windows XP embedded OS for computerized cash registers (etc.), a WinXP variant known as "POSReady" (POS = Point Of Sale). They figured out how to spoof WinXP-SP3's identity, so that it will pose as POSReady and accept POSReady updates, including those which add TLS1.2 to IE8.

-----------------------------------------------------
INSTRUCTIONS TO ADD TLS1.2 TO IE8  
   for Windows XP Skype 7.36.0.150
      
(Worked for me, but YMMV)
-----------------------------------------------------

1) If not already updated, download and install Microsoft's updated Windows Installer 4.5 (KB942288-v3) from
https://download.microsoft.com/download/2/6/1/261fca42-22c0-4f91-9451-0e0f2e08356d/WindowsXP-KB942288-v3-x86.exe

2) Set a System Restore point marked, say, "Spoof POSReady ID registry edit"

3) Put the following POSReady spoof text (omit the hyphen lines) in POSReady.txt, rename to POSReady.reg, right-click Merge, Yes.
----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
[<-- BLANK LINE]
[<-- BLANK LINE]
----------

4) Navigate to:

https://www.catalog.update.microsoft.com/search.aspx?q=kb4019276

5) Find down to POSReady, Windows XP Embedded versions of KB4019276

Click Download button for that version. Click English in the opening language window (or other language).

6) Navigate to:

https://www.catalog.update.microsoft.com/search.aspx?q=KB4230450
 
7) Find down to POSReady, Windows XP Embedded versions of KB4230450:

Click Download button for that version. Click English in the opening language window (or other language).

8) For each KB file: click, accept install, reboot.  (Both create restore points just in case.)

9A) Now edit the following registry entries to read as shown:
(These may be automatic merge .reg texts, but to be careful, I entered them manually.  If you aren't sure how, look up Regedit 5 editing instructions.)

9B) After navigating the chain of registry keys, click the key TLS1.1, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (I had to change "3.6.1.0.0" to "3.5.1.0.0" shown in obvious German in the source.)
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.5.1.0.0"
----------

9C) Next click the key TLS1.2, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (Likewise I had to change "3.6.1.0.0" to "3.5.1.0.0")
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.5.1.0.0"
----------

10) Open IE8, click Tools, Internet Options, Advanced tab, pull the thumb bar all the way down.  You should see new checkbox options for "Use TLS 1.1", "Use TLS 1.2". (KB4230450 will install these checkboxes, but they won't work without KB4019276.)

11) Uncheck "Use TLS 1.0" (insecure). Leave unchecked "Use TLS 1.1" (already obsolete).  Check "Use TLS 1.2".  Click OK.  

 

Now run Skype 7.36.0.150 (similar versions should also work).  When I did this, the "we couldn't connect to Skype" error went away. However, a new sub-login dialog appeared that only allows a Microsoft school or business account.  This dialog went away after I clicked on an existing chat account.  So it may be only an occasional nuisance glitch, perhaps related to help-bot accounts?

Pardon any source text compiling errors.  If you have problems, try reading the sources (long).  

Sources:  
----------
https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/
POSReady 2009 updates ported to Windows XP SP3 ENU
By glnz, March 19, 2013 in Windows XP
----------
https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/
Upgrading IE8 to TLS 1.2
By Thomas S., June 9, 2018 in Windows XP
----------

I hope this helps.

Al

 

BTW I recommend leaving TLS 1.0 enabled in step 11 for older Web sites that still need it; but it's your choice.
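
An offline check for the registry state the procedure above is meant to leave behind, added here as an example and not part of the original posts: it parses a regedit export and reports which of the values from steps 3, 9B and 9C are missing or different, plus which protocol checkboxes from steps 10 and 11 are ticked. The SecureProtocols value and its bit meanings are standard IE behaviour that the thread does not mention; the function names and the sample export are constructed for illustration.

```python
import re

IE_CRYPTO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO"
# (key, value name, expected data) taken from steps 3, 9B and 9C of the post.
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady", "Installed", 1),
    (IE_CRYPTO + r"\TLS1.1", "OSVersion", "3.5.1.0.0"),
    (IE_CRYPTO + r"\TLS1.2", "OSVersion", "3.5.1.0.0"),
]
# Not from the thread: IE keeps the step 10/11 checkboxes as bits of SecureProtocols.
IE_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROTOCOL_BITS = {0x08: "SSL 2.0", 0x20: "SSL 3.0", 0x80: "TLS 1.0", 0x200: "TLS 1.1", 0x800: "TLS 1.2"}

def parse_reg(raw: bytes) -> dict:
    """Parse a regedit 5.00 file into {key: {value name: data}}, names lower-cased."""
    # regedit exports are UTF-16LE with a BOM; hand-typed .reg files are usually ANSI.
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"=(.+)', line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = data[1:-1].replace("\\\\", "\\")
    return keys

def audit(raw: bytes):
    """Return (values that are missing or differ from the post, protocols ticked in IE)."""
    keys = parse_reg(raw)
    got = [(k, n, keys.get(k.lower(), {}).get(n.lower()), want) for k, n, want in EXPECTED]
    wrong = [(k, n, have) for k, n, have, want in got if have != want]
    mask = keys.get(IE_SETTINGS.lower(), {}).get("secureprotocols", 0)
    return wrong, [label for bit, label in PROTOCOL_BITS.items() if mask & bit]

# Constructed sample export: TLS1.1 still has the unedited value, TLS1.2 is absent.
SAMPLE = b"\xff\xfe" + r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.6.1.0.0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80
""".encode("utf-16-le")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Export the relevant keys with regedit's File > Export and pass the file's bytes to audit(); an empty first list means the values match the post.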


They are already enabled correctly and I cannot access Wikipedia or betaarchive.

8 hours ago, VistaPAE said:

They are already enabled correctly and I cannot access Wikipedia or betaarchive.

If you're trying with IE8 then you can't (I think). I remember trying myself, too, but it doesn't display the page.


Wikipedia uses a certificate with an Elliptic Curve public key algorithm. XP still doesn't support that. I doubt we'll get a patch by April either.
