
Letsencrypt SSL certificates and Windows XP workarounds

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Dec 12, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    28,976
    6,579
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,765
    Local Time:
    2:59 AM
    Nginx 1.13.x
    MariaDB 5.5
    As outlined, Letsencrypt SSL certificates do not support WinXP clients. So I was looking at a way to deal with this: if you allow both http and https versions of your site, you could try only force redirecting non-WinXP user agents to https and leave WinXP user agents (MSIE 6/7/8) on the http version of your site.

    Limited testing so if there's any mistakes or technical matters I overlooked, please let me know :)

    Letsencrypt WinXP Client Workaround



    Redirect for winxp and letsencrypt ssl

    nginx.conf in http{} server context. This only identifies IE 6-8 but not Chrome WinXP. We can use the platform tokens outlined at Understanding user-agent strings (Internet Explorer) to identify WinXP?
    Code:
    Platform token    Description
    Windows NT 6.3    Windows 8.1
    Windows NT 6.2    Windows 8
    Windows NT 6.1    Windows 7
    Windows NT 6.0    Windows Vista
    Windows NT 5.2    Windows Server 2003; Windows XP x64 Edition
    Windows NT 5.1    Windows XP
    Windows NT 5.01    Windows 2000, Service Pack 1 (SP1)
    Windows NT 5.0    Windows 2000
    Windows NT 4.0    Microsoft Windows NT 4.0
    Windows 98; Win 9x 4.90    Windows Millennium Edition (Windows Me)
    Windows 98    Windows 98
    Windows 95    Windows 95
    Windows CE    Windows CE
    Code:
    map $http_user_agent $no_ie {
        default 0;
        "~MSIE 6" 1;
        "~MSIE 7" 1;
        "~MSIE 8" 1;
        "~Windows NT 5.1" 1;
        "~Trident/4.0" 1;
    }
    
    in nginx non-ssl vhost conf file
    Code:
    server {
       server_name le12.http2ssl.xyz www.le12.http2ssl.xyz;
       if ($no_ie = 0) {
          return 302 https://$server_name$request_uri;
       }
    }
    
    in nginx ssl based vhost server{} context
    Code:
    if ($no_ie = 1) {
        return 302 http://$host$request_uri;
    }
    
    or
    Code:
    if ($no_ie = 1) {
        return 302 http://$server_name$request_uri;
    }
    
    Testing in SSH via curl with custom user agent = MSIE 8.0 specific
    Code:
    curl -I -A "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" https://le12.http2ssl.xyz
    
    test run using WinXP user agent to visit https version of domain redirects to http version
    Code:
    curl -I -A "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" https://le12.http2ssl.xyz
    HTTP/1.1 302 Moved Temporarily
    Server: nginx centminmod
    Date: Sat, 12 Dec 2015 05:31:18 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: http://le12.http2ssl.xyz/
    
    test run using WinXP user agent to visit http version of domain stays with http version without https redirect
    Code:
    curl -I -A "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" http://le12.http2ssl.xyz
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Sat, 12 Dec 2015 05:45:29 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1832
    Last-Modified: Sun, 06 Dec 2015 23:40:18 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5664c762-728"
    Expires: Sun, 13 Dec 2015 05:45:29 GMT
    Cache-Control: max-age=86400
    Accept-Ranges: bytes

    test run using non-WinXP user agent to visit http version of domain redirects to https version of site
    Code:
    curl -I http://le12.http2ssl.xyz
    HTTP/1.1 302 Moved Temporarily
    Server: nginx centminmod
    Date: Sat, 12 Dec 2015 05:45:45 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://le12.http2ssl.xyz/

    You can find MSIE and Chrome user agent strings to test with at:

    Initial thoughts
    • won't help if you have 3rd party remote resources being used on web pages, i.e. CDNs, as you'd be at the mercy of the SSL configuration used on the CDN's https web server. So you may end up with broken web pages if css and/or js is served over CDNs on the https protocol and the CDN's https web server ssl ciphers and protocols are not supporting WinXP, i.e. if you use a Letsencrypt obtained SSL certificate for your CDN. Or suppose you could use Nginx sub filter to rewrite CDN requests for WinXP / IE6/7/8 user agents? FAQ 33
      Code:
      # sub_filter is only allowed in http/server/location context, not inside if{},
      # so let a map (in http{}) pick the replacement string from $no_ie instead:
      map $no_ie $css_base {
          default 'https://cdn.domain.com/css/';
          1       'http://domain.com/css/';
      }

      location ~ /css {
          sub_filter 'https://cdn.domain.com/css/' $css_base;
          sub_filter_last_modified on;
          sub_filter_once off;
      }

    Accounting for WinXP + Firefox



    Just had a thought: WinXP Firefox would still be caught in the workaround redirect from https to http
    Code:
    map $http_user_agent $no_ie {
        default 0;
        "~MSIE 6" 1;
        "~MSIE 7" 1;
        "~MSIE 8" 1;
        "~Windows NT 5.1" 1;
        "~Trident/4.0" 1;
    }
    due to Windows NT 5.1 matching on the WinXP Firefox session
    Code:
    "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"
    so maybe we need a second mapping to exclude WinXP + Firefox
    Code:
    map $http_user_agent $no_ie {
        default 0;
        "~MSIE 6" 1;
        "~MSIE 7" 1;
        "~MSIE 8" 1;
        "~Windows NT 5.1" 1;
        "~Trident/4.0" 1;
    }
    
    map $http_user_agent $whitelist_browser {
        default 0;
        "~Firefox" 1;
    }
    
    map $no_ie$whitelist_browser $no_winxp {
        default 0;
        "10" 1;
    }
    
    so
    • if winxp + firefox, $no_ie$whitelist_browser becomes 11 and $no_winxp = 0
    • if winxp + non-firefox, $no_ie$whitelist_browser becomes 10 and $no_winxp = 1

    so it becomes

    in nginx non-ssl vhost conf file
    Code:
    server {
       server_name le12.http2ssl.xyz www.le12.http2ssl.xyz;
       if ($no_winxp = 0) {
          return 302 https://$server_name$request_uri;
       }
    }
    
    in nginx ssl based vhost server{} context
    Code:
    if ($no_winxp = 1) {
        return 302 http://$server_name$request_uri;
    }
    
    Testing WinXP + Firefox user agent access to https version of a site works for http to https redirect
    Code:
    curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" http://le12.http2ssl.xyz
    HTTP/1.1 302 Moved Temporarily
    Server: nginx centminmod
    Date: Mon, 14 Dec 2015 13:00:24 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://le12.http2ssl.xyz/
    and for https access
    Code:
    curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" https://le12.http2ssl.xyz
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Mon, 14 Dec 2015 12:59:31 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1832
    Last-Modified: Sun, 06 Dec 2015 23:40:18 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5664c762-728"
    Expires: Tue, 15 Dec 2015 12:59:31 GMT
    Cache-Control: max-age=86400
    Accept-Ranges: bytes
     
    Last edited: Dec 30, 2015
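To check which user agents the chained maps above actually catch before touching a live vhost, here is a small Python emulation of the three map blocks and the two vhost if{} rules (an added example, not code from the original post or from Centmin Mod; the Chrome, IE11 and curl user-agent strings are constructed samples, and `redirect_for` assumes `$server_name` resolves to le12.http2ssl.xyz).

```python
import re

# Regexes copied from the three nginx map blocks in the post. nginx "~" is a
# case-sensitive regex match, which re.search() with no flags reproduces.
NO_IE_PATTERNS = ["MSIE 6", "MSIE 7", "MSIE 8", "Windows NT 5.1", "Trident/4.0"]
WHITELIST_PATTERNS = ["Firefox"]

def nginx_map(user_agent, patterns):
    """Emulate `map $http_user_agent $var { default 0; "~pat" 1; ... }`."""
    return 1 if any(re.search(p, user_agent) for p in patterns) else 0

def classify(user_agent):
    """Return (no_ie, whitelist_browser, no_winxp) as the chained maps compute them.

    The third map keys on the concatenation "$no_ie$whitelist_browser", so only
    the string "10" (WinXP-looking UA that is not Firefox) yields no_winxp = 1.
    """
    no_ie = nginx_map(user_agent, NO_IE_PATTERNS)
    whitelist = nginx_map(user_agent, WHITELIST_PATTERNS)
    no_winxp = 1 if f"{no_ie}{whitelist}" == "10" else 0
    return no_ie, whitelist, no_winxp

def redirect_for(scheme, user_agent, host="le12.http2ssl.xyz", uri="/"):
    """Location: header the two vhosts would send, or None when served in place (200).

    http vhost:  if ($no_winxp = 0) { return 302 https://$server_name$request_uri; }
    https vhost: if ($no_winxp = 1) { return 302 http://$server_name$request_uri; }
    """
    no_winxp = classify(user_agent)[2]
    if scheme == "http" and no_winxp == 0:
        return f"https://{host}{uri}"
    if scheme == "https" and no_winxp == 1:
        return f"http://{host}{uri}"
    return None

# The first two UAs are the ones curl'ed in the post; the rest are constructed samples.
SAMPLE_UAS = {
    "IE8 on XP": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Firefox 42 on XP": "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0",
    "Chrome on XP (constructed)": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
    "IE11 on Win7 (constructed)": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "curl default (constructed)": "curl/7.47.0",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print(f"{label:28} maps={classify(ua)} http->{redirect_for('http', ua)} https->{redirect_for('https', ua)}")
```

Chrome on XP is caught by the "Windows NT 5.1" token alone, and Firefox on XP is let through to https, which is exactly the whitelist behaviour the second map was added for.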
  2. Matt Williams

    Matt Williams WordPress Fanatic

    468
    90
    28
    Nov 22, 2014
    Virginia, USA
    Ratings:
    +135
    Local Time:
    12:59 PM
    latest
    10
    If they haven't updated from Windows XP then something is wrong lol!
     
  3. eva2000

    Yeah, unfortunately a lot of Asian countries are still on WinXP for various reasons. Just look at HTTP/2 adoption rates and Asia is the lowest percentage of users: Can I use... Support tables for HTML5, CSS3, etc
     
  4. Eduardo

    Eduardo New Member

    27
    3
    3
    Feb 7, 2015
    Ratings:
    +5
    Local Time:
    1:59 PM
    1.7.9
    Same problem in Brazil. A lot of WinXP still running.
     
  5. eva2000

    yeah maybe my above workaround can be changed to redirect to a version of the site with a message to update their web browser to Firefox on WinXP, as that has its own internal SSL implementation so it is not restricted like Chrome and IE on WinXP.
     
  6. Eduardo

    I found probably a bug of IE6 on WinXP. When I open subdomain.domain.com it uses the cert from domain.com and shows a warning about the certificate not matching the domain name, or it's nginx

    my subdomain uses le cert and main domain uses comodo cert with xp support.
     
    Last edited: Dec 14, 2015
  7. eva2000

    Did you have the HSTS header enabled with include subdomains on the domain.com ssl vhost? If so you are telling browsers to force HTTPS on subsequent visits to domain.com and any subdomain *.domain.com. But I believe that shouldn't cause mismatched names unless you're trying my above workaround for WinXP and have something set up incorrectly?
     
  8. Eduardo

    Your workaround works very well, but only if the user types the address or clicks on a link without HTTPS. In Chrome/XP no way, "connection not private"
     
  9. eva2000

    what do you get when you visit https://le12.http2ssl.xyz/
     
  10. Eduardo

    on IE: page cannot be displayed
    Chrome: connection not private

    almost everything doesn't work on IE.. HOW does XP still have around 10% usage?!? unreal.
     
  11. Eduardo

    Curious finding: :445/caddy works on Firefox and :443/nginx doesn't.
     
  12. eva2000

    Interesting, WinXP should redirect https to the http version

    should work for Firefox on both 443 nginx and 445 caddy

    Code:
    tail -15 /home/nginx/domains/le12.http2ssl.xyz/log/access.log
    IP - - [14/Dec/2015:10:26:44 +0000] "GET / HTTP/2.0" 302 249 "http://le12.http2ssl.xyz/" "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"
    IP - - [14/Dec/2015:10:27:17 +0000] "GET / HTTP/2.0" 302 249 "https://le12.http2ssl.xyz:445/" "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"
    I see Firefox in my logs for a 302 redirect
     
  13. Eduardo

    Firefox on WinXP should be 0.0001%
    it opens with errors using nginx and a green lock with :445/caddy
    maybe it's related to ciphers
     
  14. eva2000

    yeah different ssl cipher preferences are used on nginx 443 and caddy 445

    might try changing

    from
    Code:
    if ($no_ie = 1) {
        return 302 http://$host$request_uri;
    }
    to
    Code:
    if ($no_ie = 1) {
        return 302 http://$server_name$request_uri;
    }
     
  15. Eduardo

    no SSLv3 and XP breaks before any nginx rule works?


    I tested your workaround with paid ssl, v3 enabled and these ciphers

    It redirects, but the setup works on IE6, so no point to redirect.
     
  16. eva2000

    ah yes, SSLv3 is disabled in Nginx but should be in Caddy too, so maybe it's the chacha20 ciphers in Nginx causing problems

    try the nginx 443 again as I disabled the chacha20 ciphers
     
  17. Eduardo

    Same thing with Firefox, it opens but no green lock.
    What do you think about the config I've posted before? SSL Labs shows warnings about RC4 and SSLv3, but no problem with POODLE/etc.
     
  18. eva2000

    yes you will get warnings if RC4 and SSLv3 are enabled given the problems they have

    for Firefox you can get more detailed info for the site

    i.e.

    [attached screenshot: upload_2015-12-14_21-44-17.png]
     
  19. Eduardo

    Did you test Firefox on WinXP? Download the VM templates from modern.ie :)
     
  20. eva2000

    not really worth my time.. if WinXP is important, then you can test and give me feedback heh