Beyond TLS 1.0: what could be done?

[david.lynch]

As a lot of websites are moving to TLS 1.2 as cryptographic protocol, I'm looking for a patch or any method for Windows XP to support TLS 1.1 and 1.2.

An example: https://cointelegraph.com/

I've even tried to replace XP's schannel.dll with the most updated one from Server 2008 x86 version, which doesn't work.

Any help would be greatly apreaciated!

[5eraph]

All I can suggest at the moment is to try Firefox. Still works under XP, and displays that website without incident.

[david.lynch]

All I can suggest at the moment is to try Firefox. Still works under XP, and displays that website without incident.

Thank you, 5eraph. We all owe you a lot here.

...unfortunately many other online resources are stopping to work, as they rely on functionality provided by Windows and not by an alternative web browser...

[vioplujjnsjzfg]

SRWare Iron version 39 (specifically 39, higher versions include proprietary codecs and further ways google tracks you)

+

Disconnect.ME

+

Chameleon from Gh0stwords

+

AdBlockPlus

+

The following shortcut switch

--allow-outdated-plugins --ppapi-flash-path=X:\PepperFlashDirectory\pepflashplayer.dll --user-agent="Insert latest Windows chrome generic user agent here"


X= whatever drive letter you use

+

Turn on the "click to play" option in irons settings for plugins.


Finally, always keep a blank " " (space) copied to your clipboard when surfing that is copied from the run box and not the browser.


The above combo i've found is the best way to go and still has good compatibility with most sites and is very fast.

[vioplujjnsjzfg]

Updated my above comment with a little bit more info.

Also, one final suggestion is to have generic user account names in XP and don't upload from any specific named folder names.

For instance when checking files using virustotal.com

Use it in good health and don't visit sites you know little about.

[Zephyr]

...unfortunately many other online resources are stopping to work, as they rely on functionality provided by Windows and not by an alternative web browser...

In my experience the only problem of this nature occurs when using the last version of Chromium that supported XP which is 49.0.2623.23. Apparently Chromium depends on libraries supplied by the OS for elliptical curve cryptography which means in practice that certain https sites are not available under XP.

Incidentally, the portable Chromium available at Sourceforge does not have the white screen problem with version 49.0.2623.23.

[Zephyr]

Here are lists of the cipher suites supported by various XP compatible browsers. From these lists it should be obvious that lack of native TLS 1.2 support in XP is not a problem if you do not intend to use Internet Explorer.

SEAMONKEY
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

CHROMIUM
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)   Forward Secrecy
256OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)   Forward Secrecy
256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy
128TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy
128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy
256TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy
256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy
128TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy
128TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)-(1)

MIDORI
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc086) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc087) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Forward Secrecy 112
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) INSECURE 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc08a) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc08b) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Forward Secrecy 112
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) INSECURE 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc07a) 128
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc07b) 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xba) 128
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0xc0) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc07c) Forward Secrecy 128
TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc07d) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) Forward Secrecy 256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) Forward Secrecy 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xbe) Forward Secrecy 128
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) Forward Secrecy 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0xc4) Forward Secrecy 256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) Forward Secrecy 112
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0xa2) Forward Secrecy2 128
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0xa3) Forward Secrecy2 256
TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 (0xc080) Forward Secrecy2 128
TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 (0xc081) Forward Secrecy2 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy2 128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40) Forward Secrecy2 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy2 256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a) Forward Secrecy2 256
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x44) Forward Secrecy2 128
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 (0xbd) Forward Secrecy2 128
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x87) Forward Secrecy2 256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 (0xc3) Forward Secrecy2 256
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) Forward Secrecy2 112
TLS_DHE_DSS_WITH_RC4_128_SHA (0x66) INSECURE 128

LIGHT (FIREFOX)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

PALE MOON
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc086) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc08a) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy2 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy2 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128

You can test your own browser for TLS/SSL capabilities by going to https://www.ssllabs.com

[Zephyr]

I've even tried to replace XP's schannel.dll with the most updated one from Server 2008 x86 version, which doesn't work.

I tried replacing XP's schannel.dll with the one available for Reactos which does support TLS 1.2, but I only managed to screw up my system. It ought to be possible to use the source code for the Reactos schannel.dll and perhaps Wine libraries to make a replacement for the XP schannel.dll, but not being a programmer I do not know how realistic this would be.

[Dibya]

any one can provide me schannel.dll of srv2k8?

[Zephyr]

Microsoft have released an update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2 and Windows Embedded POSReady 2009 on 16/10/2017. The file name of the package for POSREADY 2009 is windowsxp-kb4019276-x86-embedded-enu.exe. Here is the knowledge base article that details how to make the registry changes to enable TLS 1.1 and 1.2:

https://support.microsoft.com/en-us/hel ... in-windows

I am not sure how this patch could be useful considering that only Microsoft applications use the OS cryptographic libraries, while all the third party browsers and email clients have built-in support for TLS 1.1 and TLS 1.2. I would love to have these more advanced protocols enabled in Outlook Express because it was the greatest email client ever produced, but unless someone can find a way of hacking the msimn.exe this will be an impossible dream. There is, of course. OE Classic which copies much of the GUI and functionality of OE, but it still does not support IMAP accounts.

[mockingbird]

I am not sure how this patch could be useful considering that only Microsoft applications use the OS cryptographic libraries, while all the third party browsers and email clients have built-in support for TLS 1.1 and TLS 1.2. I would love to have these more advanced protocols enabled in Outlook Express because it was the greatest email client ever produced, but unless someone can find a way of hacking the msimn.exe this will be an impossible dream. There is, of course. OE Classic which copies much of the GUI and functionality of OE, but it still does not support IMAP accounts.

Some apps force an IE browser window for logging on, so it could be very useful for that scenario.

Personally, I leave IE at 6.x on my XP x64 machine since I have no use for it. Some old apps break if anything higher than 6.x is installed.

[bphlpt]

Personally, I leave IE at 6.x on my XP x64 machine since I have no use for it. Some old apps break if anything higher than 6.x is installed.

If possible, it might be useful to some if you could post a list of apps that work correctly if IE6.x is installed and break if IE8.x+ is installed. Or, someone might be able to figure out how to make them work with IE8.x. Just a thought.

Cheers and Regards

[Zephyr]

There has been an update for POSREADY 2009 that enables TLS 1.1 and TLS 1.2 support in XP, but first you need the the POSREADY 2009 registry hack to install:

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WindowsEmbedded\ProductVersion]
"FeaturePackVersion"="SP3"

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\WEPOS]
"Installed"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\WES]
"Installed"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Copy and paste into a text editor and save with .reg file ending. Execute to add new values to registry.

To add TLS 1.1 and TLS 1.2 support to XP obtain kb4019276 from the Microsoft Update Catalogue and install and reboot. To activate make the following modifications to the registry:

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

TLS 1.1 and TLS 1.2 support to Internet Explorer 8 was introduced with the Cumulative Security Update for Internet Explorer 8 for WES09 and POSReady 2009 (KB4316682) and all subsequent cumulative security updates including KB4230450, KB4339093, KB4343205, and KB4457426. To display tick boxes for TLS 1.1 and TLS 1.2 in advanced options in IE8 make the following registry modifications:

Code: Select all

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"="3.5.1.0.0"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"="3.5.1.0.0" 

It may be necessary to uncheck uncheck both "Check for publisher's certificate revocation", and "Check for server certificate revocation" in Tools>Options>Advanced. In the unlikely event that you intend to use IE8 for browsing remember to restore these settings to their default.

[dencorso]

Warning! For the POSReady2009 hack, delete from that .reg file the following lines:

Code: Select all

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WindowsEmbedded\ProductVersion]
"FeaturePackVersion"="SP3"

They don't work anymore, and actually nowadays prevent MU/WU from working. Except for that, I second the suggestions in the post above this.

[5eraph]

Thank you, Zephyr. I have verified that the "OSVersion" registry entries work in IE8 when added at T-13 in an unattended XP install.

dencorso is correct. In fact, the only necessary entry for the POSReady2009 hack to work with MU and update package installers is the last one.