
Letsencrypt SSL certificates and Windows XP workarounds

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Dec 12, 2015.

  1. Eduardo

    Eduardo Member

    I can't ignore almost 10% of audience... :(
     
  2. eva2000

    eva2000 Administrator Staff Member

    Just had a thought: WinXP Firefox would still be caught in the workaround redirect from https to http
    Code:
    map $http_user_agent $no_ie {
        default 0;
        "~MSIE 6" 1;
        "~MSIE 7" 1;
        "~MSIE 8" 1;
        "~Windows NT 5.1" 1;
        "~Trident/4.0" 1;
    }
    due to the Windows NT 5.1 match on your winxp firefox session
    Code:
    "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0"
    so maybe need a second mapping to exclude winxp + firefox
    Code:
    map $http_user_agent $no_ie {
        default 0;
        "~MSIE 6" 1;
        "~MSIE 7" 1;
        "~MSIE 8" 1;
        "~Windows NT 5.1" 1;
        "~Trident/4.0" 1;
    }
    
    map $http_user_agent $whitelist_browser {
        default 0;
        "~Firefox" 1;
    }
    
    map $no_ie$whitelist_browser $no_winxp {
        default 0;
        "10" 1;
    }
    
    so
    • if winxp + firefox, $no_ie$whitelist_browser becomes 11 and $no_winxp = 0
    • if winxp + non-firefox, $no_ie$whitelist_browser becomes 10 and $no_winxp = 1

    so it becomes

    in nginx non-ssl vhost conf file
    Code:
    server {
       server_name le12.http2ssl.xyz www.le12.http2ssl.xyz;
       if ($no_winxp = 0) {
          return 302 https://$server_name$request_uri;
       }
    }
    
    in nginx ssl based vhost server{} context
    Code:
    if ($no_winxp = 1) {
        return 302 http://$server_name$request_uri;
    }
    
    Testing WinXP + Firefox user agent access to https version of a site works for http to https redirect
    Code:
    curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" http://le12.http2ssl.xyz
    HTTP/1.1 302 Moved Temporarily
    Server: nginx centminmod
    Date: Mon, 14 Dec 2015 13:00:24 GMT
    Content-Type: text/html
    Content-Length: 154
    Connection: keep-alive
    Location: https://le12.http2ssl.xyz/
    and for https access
    Code:
    curl -I -A "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0" https://le12.http2ssl.xyz  
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Mon, 14 Dec 2015 12:59:31 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1832
    Last-Modified: Sun, 06 Dec 2015 23:40:18 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "5664c762-728"
    Expires: Tue, 15 Dec 2015 12:59:31 GMT
    Cache-Control: max-age=86400
    Accept-Ranges: bytes
     
    Last edited: Dec 14, 2015
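
Added example (not part of the original posts and not Centmin Mod's own code): a small Python model of the three `map` blocks in the post above, run over a few user-agent strings to show which scheme each client ends up on. The map entries are copied from the post; the helper names and every sample user agent except the WinXP Firefox one are constructed for illustration.

```python
import re

# Map entries copied from the nginx config in the post above
# ("~" prefix = case-sensitive regex, as in nginx).
NO_IE = [("~MSIE 6", "1"), ("~MSIE 7", "1"), ("~MSIE 8", "1"),
         ("~Windows NT 5.1", "1"), ("~Trident/4.0", "1")]
WHITELIST_BROWSER = [("~Firefox", "1")]
NO_WINXP = [("10", "1")]


def nginx_map(value, entries, default="0"):
    """Simplified model of an nginx map: exact strings first, then regexes in order."""
    for pattern, result in entries:
        if not pattern.startswith("~") and pattern == value:
            return result
    for pattern, result in entries:
        if pattern.startswith("~") and re.search(pattern[1:], value):
            return result
    return default


def decide(user_agent):
    """Return ($no_ie$whitelist_browser, $no_winxp, scheme the client ends up on)."""
    combined = nginx_map(user_agent, NO_IE) + nginx_map(user_agent, WHITELIST_BROWSER)
    no_winxp = nginx_map(combined, NO_WINXP)
    # The http vhost redirects to https when $no_winxp = 0;
    # the https vhost redirects to http when $no_winxp = 1.
    return combined, no_winxp, "http" if no_winxp == "1" else "https"


# Constructed sample user agents (only the first one appears in the thread).
SAMPLES = {
    "WinXP Firefox": "Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 Firefox/42.0",
    "WinXP IE8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "WinXP Chrome": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
    "Win7 IE8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Win7 Firefox": "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        combined, no_winxp, scheme = decide(ua)
        print(f"{name:14} combined={combined} $no_winxp={no_winxp} -> {scheme}")
```

In this model the WinXP Chrome and Windows 7 IE8 samples also land on plain http, because `$no_ie` matches on `Windows NT 5.1` or `MSIE 8` alone and only Firefox is whitelisted.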
  3. Eduardo

    Eduardo Member

  4. eva2000

    eva2000 Administrator Staff Member

  5. Eduardo

    Eduardo Member

    Do you have any good cipher? I've tested with Mozilla "old profile" and it's vulnerable to POODLE.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod defaults to Mozilla's modern cipher list + chacha20
     
  7. rdan

    rdan Well-Known Member

  8. eva2000

    eva2000 Administrator Staff Member

  9. Revenge

    Revenge Active Member

    Upcoming Features - Let's Encrypt - Free SSL/TLS Certificates
     
  10. eva2000

    eva2000 Administrator Staff Member

  11. ModeltogTossen

    ModeltogTossen I wish I could??

    Thank you @Revenge for bringing this to my attention. It's clearly a needed fix.
     
  12. Revenge

    Revenge Active Member

  13. eva2000

    eva2000 Administrator Staff Member

    nice (y)