
Microsoft expiring SHA-1 updates; Will this kill XP?


Tonny52

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/microsoft-to-use-sha-2-exclusively-starting-may-9-2021/ba-p/2261924

Starting May 9, 2021, Microsoft will expire the SHA-1 Root Certificate Authority in Windows. Could this possibly kill XP? Most of the XP drivers are SHA-1 signed, as well as internal programs. Will XP "expire"?

  • Like 1


I don't know. I tried looking into what this means for XP. Over on VOGONS there was some talk about the Windows Update issue, and this was mentioned:

Quote

To get SHA2 support in XP, you have to install KB968730, which is not in Windows Update. But whether it will resolve the problem you have, I don't know.

Microsoft Technet has a blog post from 2010 saying this:
 

Quote

Windows XP Support

Prior to Windows XP Service Pack 3, there was no SHA2 functionality within Windows XP. With the release of Service Pack 3 some limited functionality was added to the crypto module rsaenh.dll. This includes the following SHA2 hashes: SHA-256, SHA-384, SHA-512. SHA-224 was not included.

Windows Server 2003 Support

Windows Server 2003 Service Pack 2 does not ship with support for SHA2. This limitation can become an important concern when processing smart card logons and for mutual TLS authentications to web servers. As unlike other technologies, smart card logon and mutual TLS both use strict revocation checking; so should either the certificate itself or the revocation information (CRL/OCSP) use SHA2, the logon would fail.

KB 938397

Though support for SHA2 is not included in Windows Server 2003 Service Pack 2, it is available for download. KB 938397 will bring Windows Server 2003 to the same level of functionality as Windows XP with Service Pack 3. KB 938397 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note, KB 938397 is also offered for Windows Server 2003 Service Pack 1.

KB 968730

With the release of Windows Server 2008 it was found that Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 with KB 938397 were unable to request certificates from a Windows Server 2008 (and 2008 R2) certificate authority (CA) whose certificate was signed with a SHA2 hash. KB 968730 was released to address this issue. Incidentally, KB 968730 completely supersedes KB 938397; so if a Windows Server 2003 Service Pack 2 system would need to both enroll from a SHA2 certificate authority and process SHA2 certificates, only KB 968730 would need to be installed. As before, KB 968730 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note, KB 968730 is not offered for Windows Server 2003 Service Pack 1.

No information is provided for XP64, and my rig doesn't appear to have either hotfix. I'm not even sure which one would apply to XP64.


10 hours ago, TrevMUN said:

No information is provided for XP64, and my rig doesn't appear to have either hotfix. I'm not even sure which one would apply to XP64.

WinXP X64 is based on the Server 2003 kernel (NT 5.2), so you need the Server 2003 version of the hotfix if you are running XP x64.
If you need any version of the KB968730 hotfix, look on Thehotfixshare site.

  • Like 3

I didn't appear to have KB968730 installed on my machine, so I downloaded it and installed it.
It appeared to install OK, and its registry entries are now there, but a system file check didn't reveal any changed files.

It should change CRYPT32.DLL.

The version in the hotfix is 5.131.2600.5779.
When I checked I found that I already have version 5.131.2600.6459, which is presumably why the hotfix didn't do anything!

Where would that later version have come from though, would it have been a POSReady update?

  • Like 1

If you're not using any networked or new Microsoft software, does it even matter?

Third party developers can still sign their applications with SHA-1 and implement their own SHA-2 support if needed, no?

Edited by NicePics13
  • Like 1

4 hours ago, Dave-H said:

It should change CRYPT32.DLL.

The version in the hotfix is 5.131.2600.5779.
When I checked I found that I already have version 5.131.2600.6459, which is presumably why the hotfix didn't do anything!

TY! I downloaded it, but after reading your posting I checked, and my version of CRYPT32.DLL is 5.131.2600.6459 (xpsp_sp3_qfe.131005-0434) as well, so I guess there is no need to install it, as that would be a downgrade as you stated.

Edited by XPerceniol

I just took a look at my rig's DLL, too: version number 5.131.3790.5235.

I wonder if that's different for XP64 though? Does XP64 have a different version of crypt32 by default, and after the hotfix?


4 hours ago, NicePics13 said:

If you're not using any networked or new Microsoft software, does it even matter?

Third party developers can still sign their applications with SHA-1 and implement their own SHA-2 support if needed, no?

This was my first thought actually.

What exactly does this mean for those of us that are just using our system 'as is' and don't plan to change or update any further?

Quote

...all major Microsoft processes and services—including TLS certificates, code signing and file hashing—will use the SHA-2 algorithm exclusively.

Quote

Manually installed enterprise or self-signed SHA-1 certificates will not be impacted; however we strongly encourage your organization to move to SHA-2 if you have not done so already.

 

Edited by XPerceniol

1 hour ago, XPerceniol said:

What exactly does this mean for those of us that are just using our system 'as is' and don't plan to change or update any further?

Nothing. It's irrelevant, except for paranoia mongering, of course!

  • Like 3

Thank you, dencorso! Phew ... now I can breathe again. I mean, last night I just curled up in the fetal position on my sofa crying with a 1/2 gallon tub of ice cream over this.


Edited by XPerceniol
  • Like 1

On 4/29/2021 at 4:43 AM, TrevMUN said:

I wonder if that's different for XP64 though? Does XP64 have a different version of crypt32 by default, and after the hotfix?

Server 2003 and Windows XP X64 shared updates, so you need to install the KB3072630 update, the CRYPT32.DLL file version will be 5.131.3790.5668.

Windows XP has a KB2868626 update with version 5.131.2600.6459 of the Crypt32.dll file. This is another normal update, not POSReady.

  • Like 1

(Edit: Please refer to the next post. I was too quick on the keyboard here... sorry!)

Hm... a new millennium bug hysteria? I just tested this on my old XP machine (Pentium 3 with XP SP2), switching the date in my computer's BIOS to 13th of May 2021 to see if it "expires"... no, it didn't.

All drivers were still in place and did their job. Networking worked fine. I recall some troubles if the BIOS battery on old computers is dead: then it sets the date back to 1980, and then plenty of HTTPS certificates were broken. Maybe you've noticed some files on your hard drive have the edit date 01.01.1980; those were probably created on a computer with a broken BIOS battery. But nothing of that happened in this case.

Edited by Gansangriff
Unfortunately I was wrong... sorry!
  • Upvote 2

Would be interested to know whether this affects trying to log into networking devices that use old TLS. The only reason why I keep an XP system around is to be able to log into "secured" routers, which is something that my modern systems cannot do since they removed the ability to recognise the certificates those devices use.


Oh no! Bad news: there are SHA-1 troubles indeed! By accident, I only tested HTTPS sites that still work here, like "msfn.org" and my search engine "swisscows.com". However "startpage.com" and "duckduckgo.com" are broken, as are probably 60% of HTTPS sites.

This machine is a non-updated Windows XP SP2 with a crypt32.dll from 2004, version 5.131.2600.2180. More investigation regarding that will follow...

@Tripredacus Good, that you've written this! I wouldn't have given it another test!

  • Like 2
  • Upvote 1
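As an added example (not code from this thread or from any of its posters): the SP2 breakage described above is what you would expect if the failing sites send certificate chains signed with a SHA-2 hash, which a 2004-era crypt32.dll cannot verify. The script below is a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and reports which hash it names, so you can triage "site X works, site Y doesn't" without a browser. It does not validate the chain. The `skeleton_cert` helper and the certificates it produces are constructed test data (structurally valid shells with no real keys or signatures) so the script runs offline; the OID table follows RFC 3279, RFC 4055 and RFC 5758.

```python
"""Report the signature hash of DER-encoded X.509 certificates (added example)."""
import sys

# Signature algorithm OIDs -> (name, hash). RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
SHA2_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """OID content octets -> dotted-decimal text (base-128 arcs, first octet = 40*a+b)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name, hash) from the outer signatureAlgorithm of a Certificate."""
    tag, start, _, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, _, after_tbs = _read_tlv(der, start)       # tbsCertificate: skipped whole
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, alg_start, _, _ = _read_tlv(der, after_tbs)   # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm missing")
    tag, oid_start, oid_end, _ = _read_tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    oid = _decode_oid(der[oid_start:oid_end])
    name, hash_name = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def needs_sha2(der):
    """True if verifying this certificate requires SHA-2 support in crypt32.dll."""
    return signature_algorithm(der)[2] in SHA2_HASHES


# --- constructed test data below: certificate shells, not real certificates ---
def _tlv(tag, content):
    """Encode one DER TLV with short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid):
    """Constructed: tbsCertificate holding only serial 1, given sig OID, 128-byte zero signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + bytes(128))                              # forces long-form length
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python sigalg.py cert1.der [cert2.der ...]; with no args, show the constructed samples.
    ders = [open(p, "rb").read() for p in sys.argv[1:]] or [
        skeleton_cert("1.2.840.113549.1.1.5"), skeleton_cert("1.2.840.113549.1.1.11")]
    for der in ders:
        oid, name, h = signature_algorithm(der)
        print(f"{name:28} ({oid}) hash={h} needs_SHA2={needs_sha2(der)}")
```

To triage a real site, save the DER certificates the server sends (from a browser's certificate viewer or `openssl s_client -showcerts`, converted with `openssl x509 -outform DER`) and pass them all: one SHA-2-signed intermediate or leaf anywhere in the chain is enough for an un-patched SP2 box to reject the connection, whereas a chain that is SHA-1 throughout (as on some old routers) still validates.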

On 4/28/2021 at 6:35 PM, Dave-H said:

I didn't appear to have KB968730 installed on my machine, so I downloaded it and installed it.
It appeared to install OK, and its registry entries are now there, but a system file check didn't reveal any changed files.

It should change CRYPT32.DLL.

The version in the hotfix is 5.131.2600.5779.
When I checked I found that I already have version 5.131.2600.6459, which is presumably why the hotfix didn't do anything!

Where would that later version have come from though, would it have been a POSReady update?

My version is 5.131.2600.6459.

Shall I still install the KB update hotfix for SHA-2?

If the KB isn't in the M$ catalog, where do I get it?

The last KB updates I did were for the ransomware emergency update.

Edited by DrWho3000

This topic is now closed to further replies.