Letsencrypt Letsencrypt SSL certificates and Windows XP workarounds

just had a thought winxp firefox would still be caught in the workaround redirect from https to http

Code:

map $http_user_agent $no_ie {
    default 0;
    "~MSIE 6" 1;
    "~MSIE 7" 1;
    "~MSIE 8" 1;
    "~Windows NT 5.1" 1;
    "~Trident/4.0" 1;
}

due to the Windows NT 5.1 match on your winxp firefox session

Code:

"Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"

so maybe need a second mapping to exclude winxp + firefox

Code:

map $http_user_agent $no_ie {
    default 0;
    "~MSIE 6" 1;
    "~MSIE 7" 1;
    "~MSIE 8" 1;
    "~Windows NT 5.1" 1;
    "~Trident/4.0" 1;
}

map $http_user_agent $whitelist_browser {
    default 0;
    "~Firefox" 1;
}

map $no_ie$whitelist_browser $no_winxp {
    default 0;
    "10" 1;
}

so

• if winxp + firefox, $no_ie$whitelist_browser becomes 11 and $no_winxp = 0
• if winxp + non-firefox, $no_ie$whitelist_browser becomes 10 and $no_winxp = 1

so it becomes

in nginx non-ssl vhost conf file

Code:

server {
   server_name le12.http2ssl.xyz www.le12.http2ssl.xyz;
   if ($no_winxp = 0) {
      return 302 https://$server_name$request_uri;
   }
}

in nginx ssl based vhost server{} context

Code:

if ($no_winxp = 1) {
    return 302 http://$server_name$request_uri;
}

Testing WinXP + Firefox user agent access to https version of a site works for http to https redirect

Code:

curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" http://le12.http2ssl.xyz
HTTP/1.1 302 Moved Temporarily
Server: nginx centminmod
Date: Mon, 14 Dec 2015 13:00:24 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://le12.http2ssl.xyz/

and for https access

Code:

curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" https://le12.http2ssl.xyz  
HTTP/1.1 200 OK
Server: nginx centminmod
Date: Mon, 14 Dec 2015 12:59:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1832
Last-Modified: Sun, 06 Dec 2015 23:40:18 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5664c762-728"
Expires: Tue, 15 Dec 2015 12:59:31 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes

 

thanks for confirmation could be due to me removing chacha20 ciphers and proper redirect for winxp + firefox

LOL

 

Centmin Mod defaults to Mozilla's modern cipher list + chacha20

 

More on XP [Help needed] Windows XP support - Let's Encrypt Community Support

 

Great news indeed

 

nice