
Microsoft expiring SHA-1 updates; Will this kill XP?


Tonny52

1 hour ago, Tonny52 said:

So to get around this, we would just be adding SHA-2 support to XP? Seems like that would fix any issues.

Who's "we"? :dubbio:



Posted (edited)
7 hours ago, erpdude8 said:

this version of rsaenh.dll is included in KB4459091 update for XP embedded (need posready reg hack to install on other XP x86 editions)
also need to update schannel.dll file (KB4459091 has 5.1.2600.7567 of that DLL file)

edit - also read the following from this MS forum thread:

so KB968730 is not really needed at all as newer updates include it

 

Wait ... huh? I read through that thread and I'm a bit confused. Are those guys saying that updates after KB968730 also discreetly provide SHA-2 functionality to XP, and updates all the DLLs that would require the upgrade for said functionality? Or ... are they perhaps saying the updates can be verified/code signed with SHA-1 and SHA-2?

EDIT: I think it's the latter. I just hunted down the relevant URL for that update. Of course, it required going to the Wayback Machine, but if you take a look you can see that the relevant installation files have both an SHA-1 and SHA-256 hash.

Edited by TrevMUN

On 5/2/2021 at 12:58 PM, i430VX said:

I am not a TLS expert, but it is my understanding that basically nothing is going to happen when this certificate expires. This cert is what Microsoft signs stuff with (for example, new updates, drivers...). There aren't any new updates being made for any SHA-1 system anyway.
The reason you cannot connect to HTTPS sites when you change the date is because you are changing the date, not any significance pertaining to what that date is.

Then there is even more reason to try connecting to a secure site that is also set for a future date. As in my previous post, my personal concern is the ability to connect to routers. A person could, say, set an old router to a future date, enable SSL and then connect to it via an XP computer with the same future date. That should eliminate any issue with the client date being wrong vs the server date. And when I am talking about old routers, pretty much any Wireless B/G router is going to be using the old certificate when SSL is enabled.

Also, this is not a task that I am fit to perform. My Win XP system is a custom build and it does not have the updates that are in common amongst users here.


I suppose. The only thing is you might still get bit by OCSP/certificate checking if both dates are in the future. But I'm sure when the future becomes the present you'll still be able to log into https routers with no change.

  • Like 1

This is the 4th of May. My previous assumption was wrong. The "SEC_ERROR_OCSP_OLD_RESPONSE" error comes up if the time is set too far from the server time. Having it set to 11th of May (two days after the expiration) gave no problems on the dictionary at leo.org. Having it set to 12th of May did make the error. Some websites seem to be more tolerant than others.

@Tonny52 All I can say is that I've just updated a Windows XP computer which had the date set to 12th of May to SP3. I downloaded the 300 MB SP3 package from catalog.update.microsoft.com manually. Installed without problems. And it didn't make any unwanted connections either.

@Tripredacus Maybe have a look at about:config in a Mozilla-based browser and search for "ssl3". There are some old cryptographic algorithms disabled. Another option could be using an old browser, like Netscape 9? It should work even on Windows 10.

  • Like 1

Posted (edited)
23 hours ago, erpdude8 said:

this version of rsaenh.dll is included in KB4459091 update for XP embedded (need posready reg hack to install on other XP x86 editions)
also need to update schannel.dll file (KB4459091 has 5.1.2600.7567 of that DLL file)

edit - also read the following from this MS forum thread:

so KB968730 is not really needed at all as newer updates include it

 

I have installed KB4459091 which has updated (both) rsaenh.dll and schannel.dll to 5.1.2600.7567 and will forgo KB968730 :)

EDIT: @Dave-H @Gansangriff And this has also updated My rsaenh.dll is version 5.1.2600.7345.

Edited by XPerceniol
  • Like 1

Now what else to test? I'm out of ideas. Are there any alternative Network Managers for Windows, like there are in the Linux world (wicd and nm-applet for example)? Maybe we have to wait and see what breaks on 9th of May. At least it's no surprise then.

  • Like 1

Posted (edited)
3 hours ago, Gansangriff said:

Now what else to test? I'm out of ideas. Are there any alternative Network Managers for Windows, like there are in the Linux world (wicd and nm-applet for example)? Maybe we have to wait and see what breaks on 9th of May. At least it's no surprise then.

I know my friend, I'm out of ideas as well - thank you for all your hard work and testing. I'll admit I've nearly pooped my skinny jeans several times thinking about this :lol: I normally turn everything off before bed so I won't know until I fire up this beast Sunday morning. We'll just keep our fingers crossed, I guess. If you don't see me again ... please, MSFN, promise me you'll put a plaque up in the halls somewhere of me (MR. Blobfish) as I feel my presence here has been 'memorable' (to say the very least) or perhaps 'unforgettable' might be a better depiction Lol :P

Edited by XPerceniol

On 5/3/2021 at 1:47 PM, XPerceniol said:

@Dixel Do you believe there is some (other) way we might obtain the certificates without having to take them from a 7/8/10 machine?

Thank you for your assistance and insight on this :)

And.. apparently I didn't ask politely enough the first time re this oh-so elusive and super secret: Server 2003 SHA-2 update (that I can not find anywhere?!?!?)

**pretty please w cherries whipped cream and mocha topping**

EDIT: after reading and reading and reading some more.. It appears this (so called) update might be a moot point anyway.

 

@XPerceniol, hi, I'm sorry for the delayed reply, I had busy days. It's the simplest way, as far as I know. Other tools suggested here didn't work for me at all. I'm not saying they are bad. They just didn't work for me, maybe because I do not use updates, I dunno. Is the second part for me too? I don't remember you asked me, maybe I missed something. BTW, tried playing with time-travel again, all is fine, I do not have any SHA-2 updates installed at all, but I'm on Vista, so it can be different from XP, though my Vista is actually older than XP SP3. If Dave will count the last sentence as OT, please delete.

  • Like 2

Thanks for the reply.

Not a problem at all, real life has been a bit hectic for me as well with a lot of medical stuff going on this last week so we have to prioritize.

I appreciate everything everyone has done, so we'll wait and see then. I have this 'gut feeling' (though it could be indigestion .. hehe) that we're gonna be just fine come Sunday. 

As I've said, this was a learning experience for me, as I (fully) admit, this was (way) over my head, but better late than never to learn; so they say. Everyone in this thread was very helpful.

I think @Gansangriff really 'took one for the team' and updated as this member (so I gather) also doesn't normally update. This doesn't prove we are (in some way) unwilling to let go, rather we are determined.

I'll say it again, MSFN rocks!!

~OT~

Well, if they have to delete anything you wrote @Dixel, then practically everything I write here would be deleted as I tend to go a tad (just a tad) off track now and again myself, so thank you for putting up with me :lol:

  • Like 1

We only delete at a user request, a thread OP request or if there is something violating the forum rules. If you look, you can even find it is not against the rules to go OT, or talk about more than just the topic at hand in your post.

:)

  • Like 2

Posted (edited)

Thank you for the clarification @Tripredacus @Dave-H and MSFN staff :)

~OT~

Hey @VistaEX how's it going? You enjoying life as best as can be given the state of the world? I try to get outside and get some fresh air, a struggle for me but I do what I can ... we all do!

~OT~

I'd bet a lot of us are so sick of thinking about this issue - I know I am. I will check out what you are offering. Thanks for your input and help re this topic.

Take good care

~XPerceniol

 

 

Edited by XPerceniol
  • Upvote 1

Someone knows why 9th of May? Why not the 8th? Or any other date? I noticed right away, just waited for someone to notice too.

  • Upvote 1

I don't know, I just found this topic today, but I have a link to my SHA-2 updates for all Windows versions archive in a topic above yours.

  • Like 2
  • Upvote 1

Posted (edited)

In 2 hours is the SHA-1 certificate expire date. This really is the end for it. R.I.P. Windows XP 2001-2021 :(

Edited by legacyfan

This topic is now closed to further replies.