Letsencrypt Letsencrypt SSL certificates and Windows XP workarounds

As outlined, Letsencrypt SSL certificates do not support WinXP clients. So was looking at a way to deal with this if you allow both http and https versions of your site, you could try only force redirecting non-WinXP user agents to https and leave WinXP user agents (MSIE 6/7/8) to http version of your site.

Limited testing so if there's any mistakes or technical matters I overlooked, please let me know

Letsencrypt WinXP Client Workaround

Redirect for winxp and letsencrypt ssl

---

nginx.conf in http{} server context. This only identifies IE 6-8 but not Chrome WinXP. We can use platform tokens outlined at Understanding user-agent strings (Internet Explorer) to identify WinXP ?

Code:

Platform token    Description
Windows NT 6.3    Windows 8.1
Windows NT 6.2    Windows 8
Windows NT 6.1    Windows 7
Windows NT 6.0    Windows Vista
Windows NT 5.2    Windows Server 2003; Windows XP x64 Edition
Windows NT 5.1    Windows XP
Windows NT 5.01    Windows 2000, Service Pack 1 (SP1)
Windows NT 5.0    Windows 2000
Windows NT 4.0    Microsoft Windows NT 4.0
Windows 98; Win 9x 4.90    Windows Millennium Edition (Windows Me)
Windows 98    Windows 98
Windows 95    Windows 95
Windows CE    Windows CE

Code:

map $http_user_agent $no_ie {
    default 0;
    "~MSIE 6" 1;
    "~MSIE 7" 1;
    "~MSIE 8" 1;
    "~Windows NT 5.1" 1;
    "~Trident/4.0" 1;
}

in nginx non-ssl vhost conf file

Code:

server {
   server_name le12.http2ssl.xyz www.le12.http2ssl.xyz;
   if ($no_ie = 0) {
      return 302 https://$server_name$request_uri;
   }
}

in nginx ssl based vhost server{} context

Code:

if ($no_ie = 1) {
    return 302 http://$host$request_uri;
}

or

Code:

if ($no_ie = 1) {
    return 302 http://$server_name$request_uri;
}

Testing in SSH via curl with custom user agent = MSIE 8.0 specific

Code:

curl -I -A "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" https://le12.http2ssl.xyz

test run using WinXP user agent to visit https version of domain redirects to http version

Code:

curl -I -A "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" https://le12.http2ssl.xyz
HTTP/1.1 302 Moved Temporarily
Server: nginx centminmod
Date: Sat, 12 Dec 2015 05:31:18 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://le12.http2ssl.xyz/

test run using WinXP user agent to visit http version of domain stays with http version without https redirect

Code:

curl -I -A "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" http://le12.http2ssl.xyz
HTTP/1.1 200 OK
Server: nginx centminmod
Date: Sat, 12 Dec 2015 05:45:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1832
Last-Modified: Sun, 06 Dec 2015 23:40:18 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5664c762-728"
Expires: Sun, 13 Dec 2015 05:45:29 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes

test run using non-WinXP user agent to visit http version of domain redirects to https version of site

Code:

curl -I http://le12.http2ssl.xyz
HTTP/1.1 302 Moved Temporarily
Server: nginx centminmod
Date: Sat, 12 Dec 2015 05:45:45 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://le12.http2ssl.xyz/

You can find MSIE and Chrome user agent strings to test with at:

• UserAgentString.com - List of Internet Explorer User Agent Strings
• UserAgentString.com - List of Chrome User Agent Strings

Initial thoughts

• won't help if you have 3rd party remote resources being used on web pages i.e. CDNs as you'd be at the mercy of the SSL configuration used on a CDNs https web server configuration. So you may end up with broken web pages if css and/or js is served over CDNs on https protocol the CDN's https web server ssl ciphers and protocols are not supporting WinXP i.e. if you use Letsencrypt obtained SSL certificate for your CDN. Or suppose you could use Nginx sub filter to rewrite CDN requests for WinXP / IE6/7/8 user agents ? FAQ 33
  
  Code:

  location ~ /css {
      if ($no_ie = 1) {
        sub_filter 'https://cdn.domain.com/css/'  'http://domain.com/css/';
        sub_filter_last_modified on;
        sub_filter_once off;
      }
  }

Accounting for WinXP + Firefox

Just had a thought winxp firefox would still be caught in the workaround redirect from https to http

Code:

map $http_user_agent $no_ie {
    default 0;
    "~MSIE 6" 1;
    "~MSIE 7" 1;
    "~MSIE 8" 1;
    "~Windows NT 5.1" 1;
    "~Trident/4.0" 1;
}

due to the Windows NT 5.1 matching on winxp firefox session

Code:

"Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"

so maybe need a second mapping to exclude winxp + firefox

Code:

map $http_user_agent $no_ie {
    default 0;
    "~MSIE 6" 1;
    "~MSIE 7" 1;
    "~MSIE 8" 1;
    "~Windows NT 5.1" 1;
    "~Trident/4.0" 1;
}

map $http_user_agent $whitelist_browser {
    default 0;
    "~Firefox" 1;
}

map $no_ie$whitelist_browser $no_winxp {
    default 0;
    "10" 1;
}

so

• if winxp + firefox, $no_ie$whitelist_browser becomes 11 and $no_winxp = 0
• if winxp + non-firefox, $no_ie$whitelist_browser becomes 10 and $no_winxp = 1

so it becomes

in nginx non-ssl vhost conf file

Code:

server {
   server_name le12.http2ssl.xyz www.le12.http2ssl.xyz;
   if ($no_winxp = 0) {
      return 302 https://$server_name$request_uri;
   }
}

in nginx ssl based vhost server{} context

Code:

if ($no_winxp = 1) {
    return 302 http://$server_name$request_uri;
}

Testing WinXP + Firefox user agent access to https version of a site works for http to https redirect

Code:

curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" http://le12.http2ssl.xyz
HTTP/1.1 302 Moved Temporarily
Server: nginx centminmod
Date: Mon, 14 Dec 2015 13:00:24 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://le12.http2ssl.xyz/

and for https access

Code:

curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" https://le12.http2ssl.xyz
HTTP/1.1 200 OK
Server: nginx centminmod
Date: Mon, 14 Dec 2015 12:59:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1832
Last-Modified: Sun, 06 Dec 2015 23:40:18 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5664c762-728"
Expires: Tue, 15 Dec 2015 12:59:31 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes

 

Yeah unfortunately alot of Asian countries still are on WinXP for various reasons. Just look at HTTP/2 adoption rates and Asian is lowest percentage of users Can I use... Support tables for HTML5, CSS3, etc

 

yeah maybe my above workaround can be changed to redirect to a version of site with message to update their web browsers to firefox on WinXP as that has it's own internal SSL implementation so not restricted like Chrome and IE on WinXP.

 

Did you have on domain.com ssl vhost HSTS header enabled with include subdomains ? if so you are telling browsers to force HTTPS on subsequent visits to domain.com and any subdomain *.domain.com. But I believe that shouldn't cause mismatched names unless you're trying my above workaround for winxp and have something setup incorrectly ?

 

what do you get when you visit https://le12.http2ssl.xyz/

 

interesting winxp should redirect https to http version

should work for firefox on both 443 nginx and 445 caddy

Code:

tail -15 /home/nginx/domains/le12.http2ssl.xyz/log/access.log
IP - - [14/Dec/2015:10:26:44 +0000] "GET / HTTP/2.0" 302 249 "http://le12.http2ssl.xyz/" "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"
IP - - [14/Dec/2015:10:27:17 +0000] "GET / HTTP/2.0" 302 249 "https://le12.http2ssl.xyz:445/" "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"

I see firefox in my logs for a 302 redirect

 

yeah different ssl cipher preferences are used on nginx 443 and caddy 445

might try changing

from

Code:

if ($no_ie = 1) {
    return 302 http://$host$request_uri;
}

to

Code:

if ($no_ie = 1) {
    return 302 http://$server_name$request_uri;
}

 

ah yes SSLv3 is disabled in Nginx but should be in Caddy too so maybe it's chacha20 ciphers in Nginx causing problems

try the nginx 443 again as i disabled chacha20 ciphers

 

yes you will get warnings if rc4 and sslv3 are enabled given the problems they have

for firefox you can get more detailed into for the site

i.e.

 

not really worth my time.. if winxp is important, then you can test and give me feedback heh