
Cloudflare SSL Cloudflare Universal SSL incompatible with WinXP Internet Explorer <=8 browsers

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 7, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    54,546
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    1:28 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Seems Cloudflare Free Universal SSL certificates will be incompatible with older browsers such as WinXP IE <=8 as the Universal SSL certificates are using ECC 256 bit SSL certificates which are using ECDHE_ECDSA key exchange mechanism with ECDSA signatures according to their blog article.

    About 2 months ago, I started testing ECC 256 bit SSL certificates and ECDSA signatures for Centmin Mod Nginx's improved Nginx vhost generator on a test site at sslspdy.com and the problem is ECDSA doesn't work with older browsers - particularly WinXP + IE <=8 - and needs a high source entropy (randomness) for the ECDSA signing process.

    Update: March 28, 2015 @Orvid King adds more info regarding CloudFlare compatibility on their free universal SSL plans.

    Windows XP & IE8 ECC SSL support

    From Free SNI SSL and affordable one-click SSL: to get WinXP <=IE8 compatibility (more specifically Windows XP SP2 and Android <3.0), you need to pay for their Pro or Business plans. The Free Universal SSL does not support older browser compatibility.

    Windows XP & Chrome ECC SSL support

    According to Symantec's ECC PDF written in May 2013, WinXP IE as well as Chrome do not support ECC 256 bit. For WinXP, only Firefox 19+ works with ECC 256 bit SSL certificates, which would explain why WinXP SP3 + Chrome 37 didn't work with Cloudflare Universal SSL with ECC 256 bit ECDSA.

    symantec_ecc_ssl_browser_support_00.png

    From Universal SSL: How It Scales
    According to CA Security Council | Benefits of Elliptic Curve Cryptography

    Cloudflare Universal SSL SSLLab's Test Report

    From a working Cloudflare Universal SSL site, showing an ECC 256 bit SSL certificate with the ECDHE_ECDSA key exchange mechanism, which will be incompatible with WinXP IE <=8 users.

    cloudflare_echde_ecdsa_used_00.png
    cloudflare_echde_ecdsa_used_01.png


    Cloudflare Universal SSL preferred SSL ciphers for ECC 256 bit SSL certificates with ECDHE_ECDSA key exchange

    cloudflare_echde_ecdsa_used_02.png

    cloudflare_echde_ecdsa_used_03.png
     
    Last edited: Mar 28, 2015
  2. eva2000

    Using Google Analytics for WinXP Browser Stats

    You can use Google Analytics to check, before implementing Cloudflare Universal SSL certificates, whether the ECDSA signing would affect your web site.

    Below are 2 examples from my sites and their relative WinXP only browser make ups.

    Example 1:

    For example, the Google Analytics stats below show 507 total WinXP Internet Explorer browser sessions for IE <=8 were recorded out of 164,995 sessions. That's just 0.3073% of browser sessions that would be negatively impacted by deploying ECC 256 bit SSL certificates with ECDSA signatures. A small number, I can personally live with :)

    Update: according to Symantec, WinXP Chrome also doesn't support ECC 256 bit SSL with ECDSA. That would raise the negative impact quite a bit, with WinXP Chrome sessions amounting to 4,025 out of 164,995 sessions = 2.439%.

    ecdsa_browser_compatibility_00.png

    Example 2:

    Another of my sites shows 253,393 total WinXP Internet Explorer browser sessions for IE <=8 were recorded out of 1,182,721 sessions. That's a much higher percentage at 21.42% of browser sessions that would be negatively impacted by deploying ECC 256 bit SSL certificates with ECDSA signatures. So for that web site, I'd probably be better off with the standard RSA 2048 bit or RSA 4096 bit SSL certificates instead of ECC 256 bit SSL certificates.

    Update: according to Symantec, WinXP Chrome also doesn't support ECC 256 bit SSL with ECDSA. That would slightly raise the negative impact quite a bit, with WinXP Chrome sessions amounting to 32,946 out of 1,182,721 sessions = 2.786%.

    ecdsa_browser_compatibility_01.png
     
    Last edited: Oct 7, 2014
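The check described in this post, as an added example that is not part of the original thread or of Centmin Mod: it takes Google Analytics style rows of (OS, browser, browser major version, sessions), applies the compatibility rules stated in the thread (WinXP IE <=8, WinXP Chrome, and WinXP Firefox below 19 per the Symantec PDF; every other client is assumed compatible) and reports the share of sessions that would break behind an ECDSA certificate. The `SAMPLE_ROWS` data and the function names are constructed for the example; the rows are built so that the totals match the figures quoted in Example 1 above.

```python
from collections import defaultdict

# Constructed sample of Google Analytics "OS / browser / version / sessions" rows.
# The numbers are chosen to reproduce Example 1 in the post (507 WinXP IE sessions,
# 4,025 WinXP Chrome sessions, 164,995 sessions in total); this is not an exported report.
SAMPLE_ROWS = [
    ("Windows XP", "Internet Explorer", 6, 120),
    ("Windows XP", "Internet Explorer", 7, 180),
    ("Windows XP", "Internet Explorer", 8, 207),
    ("Windows XP", "Chrome", 37, 4025),
    ("Windows XP", "Firefox", 32, 300),           # Firefox 19+ on XP handles ECC
    ("Windows 7", "Internet Explorer", 8, 5000),  # IE8 on Vista/7 is not affected
    ("Windows 7", "Chrome", 37, 155163),
]


def ecdsa_incompatible(os_name, browser, major):
    """Return the reason this client cannot use an ECC/ECDSA certificate, or None.

    Rules are the ones stated in the thread. Any client not matched by a rule is
    assumed compatible (an assumption of this example, not a statement by the author).
    """
    if os_name != "Windows XP":
        return None
    if browser == "Internet Explorer" and major <= 8:
        return "WinXP IE <=8"
    if browser == "Chrome":
        return "WinXP Chrome"
    if browser == "Firefox" and major < 19:
        return "WinXP Firefox <19"
    return None


def impact_report(rows):
    """Aggregate sessions that would break, overall and per rule, as percentages."""
    total = sum(r[3] for r in rows)
    by_reason = defaultdict(int)
    for os_name, browser, major, sessions in rows:
        reason = ecdsa_incompatible(os_name, browser, major)
        if reason:
            by_reason[reason] += sessions
    affected = sum(by_reason.values())
    pct = lambda n: round(100.0 * n / total, 4) if total else 0.0
    return {
        "total_sessions": total,
        "affected_sessions": affected,
        "affected_pct": pct(affected),
        "by_reason_pct": {reason: pct(n) for reason, n in by_reason.items()},
    }


if __name__ == "__main__":
    report = impact_report(SAMPLE_ROWS)
    print(f"{report['affected_sessions']} of {report['total_sessions']} sessions "
          f"({report['affected_pct']}%) would fail against an ECDSA certificate")
    for reason, share in sorted(report["by_reason_pct"].items()):
        print(f"  {reason}: {share}%")
```

Feed it the real export instead of `SAMPLE_ROWS` and compare `affected_pct` with whatever loss you are willing to accept before switching the vhost from RSA to ECC.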
  3. eva2000

    Testing your browser SSL compatibility

    You can also test your browser's SSL compatibility at Qualys SSL Labs - Projects / SSL Client Test.

    For example, this is from Win 7 64-bit with the Opera 24.0.1558.64 browser. You'd definitely want to check that you have SNI support in your browser (Server Name Indication) and ECDSA signature algorithm support in order for your web browser to be compatible with Cloudflare's Universal SSL certificate offering.

    ssllabs_opera24_0.png
     
    Last edited: Oct 7, 2014
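The two properties the first and third posts tell you to look for, SNI and ECDHE_ECDSA support, are both visible in the ClientHello a browser sends. The following added example (not from the thread, Cloudflare or SSL Labs) parses a TLS ClientHello record and reports whether the client sent a server_name extension, whether it offered any ECDHE_ECDSA cipher suites, and whether its signature_algorithms extension lists ECDSA. `build_client_hello`, `parse_client_hello` and the two sample hellos are constructed for the example: one resembles a modern TLS 1.2 browser, the other a TLS 1.0 client with no SNI and only RSA suites, which is the shape of client the thread says cannot use Universal SSL. The cipher suite and extension numbers are the registered IANA / RFC 5246 values.

```python
import struct

# Subset of IANA cipher suites whose authentication is ECDSA (the ECDHE_ECDSA
# key exchange the first post shows in the SSL Labs report).
ECDHE_ECDSA_SUITES = {
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
EXT_SERVER_NAME = 0           # RFC 6066 server_name (SNI)
EXT_SIGNATURE_ALGORITHMS = 13  # RFC 5246 signature_algorithms
SIG_ECDSA = 3                  # SignatureAlgorithm.ecdsa


def build_client_hello(version, suites, sni=None, sigalgs=()):
    """Construct a minimal ClientHello record (sample data, not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if sigalgs:
        pairs = b"".join(bytes([h, s]) for h, s in sigalgs)
        sa = struct.pack("!H", len(pairs)) + pairs
        exts += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sa)) + sa
    body = struct.pack("!H", version) + bytes(32)  # client_version + all-zero random
    body += b"\x00"                                # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                            # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello and return the compatibility facts."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # random
    pos += 1 + hello[pos]                       # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression_methods
    sni, sigalgs = None, []
    if pos < len(hello):                        # extensions are optional (TLS 1.0 clients often send none)
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                list_len = struct.unpack("!H", data[0:2])[0]
                q = 2
                while q < 2 + list_len:          # entries: name_type(1) + length(2) + name
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        sni = data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            elif etype == EXT_SIGNATURE_ALGORITHMS:
                list_len = struct.unpack("!H", data[0:2])[0]
                sigalgs = [(data[i], data[i + 1]) for i in range(2, 2 + list_len, 2)]
    ecdsa_suites = [ECDHE_ECDSA_SUITES[s] for s in suites if s in ECDHE_ECDSA_SUITES]
    return {
        "version": version,
        "sni": sni,
        "offers_ecdsa_sigalg": any(sig == SIG_ECDSA for _, sig in sigalgs),
        "ecdhe_ecdsa_suites": ecdsa_suites,
        # Both conditions the thread names: SNI present and an ECDSA-authenticated suite offered.
        "universal_ssl_compatible": sni is not None and bool(ecdsa_suites),
    }


# Constructed samples: a TLS 1.2 browser with SNI and ECDSA, and a TLS 1.0 client
# with no extensions and RSA-only suites (the WinXP IE <=8 profile from the thread).
MODERN_HELLO = build_client_hello(0x0303, [0xC02B, 0xC02F, 0x002F], sni="example.com",
                                  sigalgs=[(4, SIG_ECDSA), (4, 1), (2, 1)])
LEGACY_XP_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A])

if __name__ == "__main__":
    for label, rec in (("modern", MODERN_HELLO), ("legacy XP", LEGACY_XP_HELLO)):
        print(label, parse_client_hello(rec))
```

On a real server the same parser can be pointed at the first record of captured client connections to measure, directly rather than via Google Analytics user-agent buckets, how many clients would be locked out by an ECDSA-only certificate.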
  4. eva2000

    FYI, was checking this forum's WinXP browser stats for the past 30 days for WinXP IE and WinXP Chrome and they account for 0.228% and 0.811% of total WinXP browser sessions, respectively. Looking good for trying out ECC 256 bit SSL certificates :D