Enable TLS 1.1 and 1.2 in Windows XP correctly

[WinFX]

I in a VM install Windows XP Pro SP3 x86, then disable SSL 2 and 3, to enable TLS 1.0. I was able to access Google, but even many sites were not accessible, then I installed KB3081320 to have AES-256 support and I could access more sites with that supported encryption.
But there are sites that I can not yet access, for me the problem was that my Windows XP had the IE6SP3 so I updated it to IE8, but everything was the same. Draw the conclusion that the problem was that it was only compatible with TLS 1.0 and not later, which installed KB4019276 and followed all the steps in the microsoft page: https://support.microsoft.com/en-us/help / 4019276 / update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows. But when checking in https://www.howsmyssl.com he still told me that TLS 1.0 was only activated; I know that some in WinXP + IE8 managed to make these protocols work.

[Tamris]

Maybe try this:

A while ago I've had an XP VM too and following the steps on Microsoft's websites didn't help me at all as well, only had TLS 1.0 available, but after running this, TLS 1.1 and 1.2 finally appeared in IE's settings.

Edited January 21, 2019 by Tamris

[Mathwiz]

Or this (ignore the references to Skype, and you can skip step 4 & 5 since you already installed KB4019276):

On 1/4/2019 at 2:45 AM, alstring said:

Below I'm posting a step-by-step fix to add TLS1.2 to IE8, so that Skype 7.36.0.150 will continue to run on Windows XP-SP3.  (While 7.38.x.x may be actual "last" for WinXP, it may or not nag you to "update".)   

...

One or more MSFN gurus noticed that Microsoft is still updating Windows XP embedded OS for computerized cash registers (etc.), a WinXP variant known as "POSReady" (POS= Point Of Sale).  They figured out how to spoof WinXP-SP3's identity, so that it will pose as, and accept POSReady updates, including those which to add TLS1.2 to IE8.  

-----------------------------------------------------
INSTRUCTIONS TO ADD TLS1.2 TO IE8  
   for Windows XP Skype 7.36.0.150
       (Worked for me, but YMMV)
-----------------------------------------------------

1) If not already updated, download and install Microsoft's updated Windows Installer 4.5 (KB942288-v3) from
https://download.microsoft.com/download/2/6/1/261fca42-22c0-4f91-9451-0e0f2e08356d/WindowsXP-KB942288-v3-x86.exe

2) Set a System Restore point marked, say, "Spoof POSReady ID registry edit"

3) Put the following POSReady spoof text (omit the hyphen lines) in POSReady.txt, rename to POSReady.reg, right-click Merge, Yes.
----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
                                                                                [<-- BLANK LINE]
                                                                                [<-- BLANK LINE]
----------

4) Navigate to:

https://www.catalog.update.microsoft.com/search.aspx?q=kb4019276

5) Find down to POSReady, Windows XP Embedded versions of KB4019276

Click Download button for that version. Click English in the opening language window (or other language).

6) Navigate to:

https://www.catalog.update.microsoft.com/search.aspx?q=KB4230450
 
7) Find down to POSReady, Windows XP Embedded versions of KB4230450:

Click Download button for that version. Click English in the opening language window (or other language).

8) For each KB file: click, accept install, reboot.  (Both create restore points just in case.)

9A) Now edit the following registry entries to read as shown:
(These may be automatic merge .reg texts, but to be careful, I entered them manually.  If you aren't sure how, look up Regedit 5 editing instructions.)

9B) After navigating the chain of registry keys, click the key TLS1.1, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (I had to change "3.6.1.0.0" to "3.5.1.0.0" shown in obvious German in the source.)
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.5.1.0.0"
----------

9C) Next click the key TLS1.2, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK.  (Likewise I had to change "3.6.1.0.0" to "3.5.1.0.0")
----------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.5.1.0.0"
----------

10) Open IE8, click Tools, Internet Options, Advanced tab, pull the thumb bar all the way down.  You should see new checkbox options for "Use TLS 1.1", "Use TLS 1.2". (KB4230450 will install these checkboxes, but they won't work without KB4019276.)

11) Uncheck "Use TLS 1.0" (insecure). Leave unchecked "Use TLS 1.1" (already obsolete).  Check "Use TLS 1.2".  Click OK.  

 

Now run Skype 7.36.0.150 (similar versions should also work).  When I did this, the "we couldn't connect to Skype" error went away. However, a new sub-login dialog appeared that only allows a Microsoft school or business account.  This dialog went away after I clicked on an existing chat account.  So it may be only an occasional nuisance glitch, perhaps related to help-bot accounts?

Pardon any source text compiling errors.  If you have problems, try reading the sources (long).  

Sources:  
----------
https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/
POSReady 2009 updates ported to Windows XP SP3 ENU
By glnz, March 19, 2013 in Windows XP
----------
https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/
Upgrading IE8 to TLS 1.2
By Thomas S., June 9, 2018 in Windows XP
----------

I hope this helps.

Al

 

BTW I recommend leaving TLS 1.0 enabled in step 11 for older Web sites that still need it; but it's your choice.

[WinFX]

They are already enabled correctly and I can not access wikipedia or betaarchive

[NojusK]

8 hours ago, VistaPAE said:

They are already enabled correctly and I can not access wikipedia or betaarchive

if you're trying with IE8 then you can't (i think). I rememeber trying myself, too, but it doesnt display the page

[Mathwiz]

Wikipedia uses a certificate with an Elliptic Curve public key algorithm. XP still doesn't support that. I doubt we'll get a patch by April either.

[visionhelp]

(Hi. If displaced here, please, one word. Thanks.)

Need: TLS 1.2 for OE6 (XP Prof. (Corporate; no registration necessary) SP3). For further access to my mail-accounts, which require TLS 1.2, and are being deactivated these days: TLS 1.1 (or and 1.0).

Tries and troubles, until now: different versions - examples: 1,1 MB, 10,8 MB, english versions (on german XP) - of POSReady Update(s).

All stop installation with ´not fitting system-version´, or ´language not fitting´.

As last I recognized that the already did (...)WPA "Installed" worth is not to set to ´1´, for enabled. Before staying - by manual set to ´1´ it appears as set to ´1´ (despite error message), but click on another key and back it is back to ´0´ -  at ´1´ install can not work. (Firewall and Avast (AntiVir) deactivated.), message "Some keys from system or other processes opened". From setting this to ´1´ with .reg-file

(Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001)

Before this message I did read about ´Permissions´ for the registry, even for single key. Without knowing what doing, now all user-accounts, my personal some in XP, are now having all ´Permissions´. (Ok. So far, for now. But not for long term.)

On https://www.emailarchitect.net/forum/posts/t3232findlastpost-Enable-TLS-1-2-on-Windows-XP-for-EASendMail I could find the german version PosReady. In addition a .cab-file.

Finding TLS 1.2 installing system-wide for XP (more below the site https://www.rebex.net/tls-proxy/) is to recognize, that such install of TLS 1.2 is more elegant, than having to set, to create (at all): (...)WPA "Installed" to ´1´.  (But handling this proxy-things overhelms me. And this rebex free, I still do not know. OK. Just to mention, please.)

 

Edited June 25, 2022 by visionhelp
corrections, betterments wording and graphical appearance

[AstroSkipper]

4 hours ago, visionhelp said:

Finding TLS 1.2 installing system-wide for XP (more below the site https://www.rebex.net/tls-proxy/) is to recognize, that such install of TLS 1.2 is more elegant, than having to set, to create (at all): (...)WPA "Installed" to ´1´.  (But handling this proxy-things overhelms me. And this rebex free, I still do not know. OK. Just to mention, please.)

Hi @visionhelp, with my release ProxHTTPSProxy's PopMenu 3V1, it is totally easy to use a TLS 1.2 proxy system-widely. I integrated an extra menu item in its systray's PopMenu to activate the most recent version ProxHTTPSProxy REV3e system-widely. Here is the link to my release: 

And here is my article "ProxHTTPSProxy and HTTPSProxy in Windows XP for future use" about ProxHTTPSProxy containing all information what it is for, and how to install, configure, use, and maintain this proxy which you should read first: 

If you have further questions associated with ProxHTTPSProxy, after reading my article, you can post it in my mentioned thread. Here, in this thread, I won't reply, its about enabling TLS 1.1 and TLS 1.2 only.

Cheers, AstroSkipper 

Edited June 25, 2022 by AstroSkipper

[visionhelp]

Astroskipper, thanks the fast reaction. Thanks the links. Thanks the effort this software possibility to be able to realize for XP still working to install the now needed TLS 1.2 support, system-wide, but at least - at all - for OE6 (XP).

"Here, in this thread, I won't reply, its about enabling TLS 1.1 and TLS 1.2 only.": OK.

"totally easy to use a TLS 1.2 proxy system-widely": TLS 1.2 proxy is not equal to TLS 1.2 system-wide. But I hope I may understand it correct, thinking this is meant ..., at least: with.

To "easy": 2 OSs experienced each lasting about 5 years, to have it running, and to get, to have it, to keep it in (my) hand, instead of (Windows) having me, in its hand. To compare, this Proxy - many, many single topic packages, my impressions from reading now - things, not un-interesting a Proxy at all, but for me NOT with this effort, if from interesst: not to step-in into under less than 2 years, figuring out. Just once to say - must have / with Your permission - to "easy", please. (Reason: With every single topic from those lots of single topics NEEDS to be understood the things: what is doing what. And as best: NOT to forget.) OK. ´Easy´ to me is different:

When now installing this Proxy ´thing´, sorry, will meet my need, my expactation, just - in the main working TLS 1.2 for OE6 (XP) - I do not have to use the Proxy, but if it works this way, then, for me, installing TLS 1.2 to XP is "easy" ... Is this OK for You ?

(Sorry, sadnessly for me the POSReady Update does not work, because than this would have it done. So, sorry again. And but also: thanks again.)

If from interesst, clienttest.ssllabs.com: 8443/ssltest/viewMyClient.html (Not to forget to mention, that Proxy for TLS 1.2 still is not done the install):

First - and 3rd - call up the test-site says OK, second call up not, third call up again OK.

 Second call up:

Also second call up:

 

Off topic, but from importance, please: By the current experience by the way, please:

The entire text at "Submit Reply" is not being replied, it is gone ... Undo does not work !
Not sure, I can do the entire text again. It was a very well been done text.
From have been logged out. Logging in again did ´bring´ the "stored" text back. WOUH. What a shock. But thankful being back. Being logged out during working (without notifying) ... wouh ... this: one must know first. Note: At Log-in - at "Remember me" ´uncheck´ must be mentioned, that log-out happens after - when ? - 1 hour ? And in the text-window - after being logged out and - before or while - trying to ´Submit Reply´, the text MAY not go; but a message is needed that being logged out - the text MAY not just dis-appear ... PLEASE. Such an evil shock. Thanks the interesst.

Edited June 25, 2022 by visionhelp
continuing, more exact wording and statement, screen-shots

[visionhelp]

(Have to post the warning here.)

Sadnessly avast-popup (message: warning) with XnView (´get screen-content´) does the pop-up make disappear from the screen. So only this screen-image possible. (From  unpack: ProxHTTPSProxy_REV3e_PopMenu_3V1.7z)

 

Edited June 26, 2022 by visionhelp
betterments

[AstroSkipper]

1 hour ago, visionhelp said:

(Have to post the warning here.)

Sadnessly avast-popup (message: warning) with XnView (´get screen-content´) does the pop-up make disappear from the screen. So only this screen-image possible. (From  unpack: ProxHTTPSProxy_REV3e_PopMenu_3V1.7z)

 

Your post is off-topic! You have to post with regard to the topic. Please post your problem in my already mentioned thread: 
https://msfn.org/board/topic/183352-proxhttpsproxy-and-httpsproxy-in-windows-xp-for-future-use/

There, I'll answer your questions associated with ProxHTTPSProxy. And BTW, all my provided files are clean, of course.
Anyway, you are a newbie, therefore, you should read the forum rules first: https://msfn.org/board/guidelines/

Regards, AstroSkipper

[visionhelp]

("Peace for the world!": to me, please, too. Thank You.

I DO insinuate: it is clean.

It is just information with for others here probably reading with, also.)
And very sorry, please, "Enable TLS 1.1 and 1.2 in Windows XP correctly": isn´t it this the topic here, please ?

Edited June 26, 2022 by visionhelp
betterment

[AstroSkipper]

On 6/26/2022 at 4:32 PM, visionhelp said:

And very sorry, please, "Enable TLS 1.1 and 1.2 in Windows XP correctly": isn´t it this the topic here, please ?

Of course! Here, you can post all questions or requests relating to enabling of TLS 1.1 and 1.2 in Windows XP. Actually, you shouldn't have opened a new thread for such requests. But everything associated with ProxHTTPSProxy's PopMenu 3V1, is off-topic here, and should have been posted in my thread "ProxHTTPSProxy and HTTPSProxy in Windows XP for future use". It's not as complicated as it seems to be. 

Cheers, AstroSkipper 

[visionhelp]

To (Quote) "Actually, you shouldn't have opened a new thread for such requests":

In this new thread You could help, out of from "ProxHTTPSProxy and HTTPSProxy", which would be THERE: off-topic.

To (Quote) "But everything associated with ProxHTTPSProxy's PopMenu 3V1, is off-topic here":

Exact.