
I hate Windows XP!

Discussion in 'Server Configuration and Hosting' started by Tracy Perry, Dec 24, 2014.

  1. Tracy Perry

    Tracy Perry Well-Known Member

    After spending most of the night and this morning trying to troubleshoot a style with a user that was having problems, we went through disabling his add-ons in his browser, using a different browser, etc.

    Turns out he's using Windows XP and Chrome... pay special attention to the Windows XP aspect. I run SSL on my site(s) and use the "best practice" recommended SSL ciphers. Turns out, they don't play well with Windows XP. :mad:


    What are the recommended SSL ciphers to use with nginx 1.7.9 to fully support Windows XP (which I'm only going to do for about another 6 months or so)?
     
  2. rainmotorsports

    rainmotorsports Well-Known Member

    Oh dear. I'm surprised Chrome is the one throwing the fit. I know with current best practice IE8 on XP isn't compatible. If I was home I'd throw you my cipher list to see. I have a few written down somewhere because I went through each one to do a minimal backwards compatible list. Ended up using someone else's recommendations in the end.
     
  3. Tracy Perry

    Tracy Perry Well-Known Member

    Yeah, it surprised me too. IE actually gave him an error message. All Chrome was doing was screwing up his display of the visitor tabs and sometimes the post/upload/more options buttons.

    What I'm using now (until I totally drop support for anything Windows XP related) is this
    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    It won't support IE6, but if they are on IE6 they have no business on the internet.
     
  4. rainmotorsports

    rainmotorsports Well-Known Member

    I'm using this right now, which is a simplified but broadly compatible set. It doesn't support IE6 or IE8 on XP nor Java 6 but still scores beautifully on Qualys.
    Code:
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; 
    https://www.ssllabs.com/ssltest/analyze.html?d=raindd.com

    However, I'd look at this, which was my personal balance of security and compatibility. If I was on a desktop I'd try testing it but I also don't have any XP VM up right now.
    Code:
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
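
Added example (not part of any post in this thread): a Python sketch that splits an OpenSSL cipher string like the ones posted above into explicit suites, group aliases and exclusions, then labels each explicit suite by its weakest property so the entries kept only for legacy clients are easy to spot. The helper names and class labels are assumptions of this example, and telling aliases from suite names by the presence of a hyphen is a heuristic.

```python
import ssl
from collections import Counter

# Cipher strings copied from the thread (the compact list and the longer list).
COMPACT = "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5"
LONG = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)

def classify(name):
    """Label one OpenSSL suite name by its weakest property (labels are this example's)."""
    if name.startswith("TLS_"):           # OpenSSL's TLS 1.3 suite names
        return "tls1.3"
    if "DES-CBC3" in name:                # triple DES, whatever the key exchange
        return "3des"
    if not name.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "no-forward-secrecy"       # e.g. AES128-SHA uses RSA key exchange
    aead = any(mode in name for mode in ("GCM", "CHACHA20", "CCM"))
    return "fs-aead" if aead else "fs-cbc"

def split_tokens(cipher_string):
    """Separate operators (!, -, +), group aliases and explicit suite names."""
    out = {"operator": [], "alias": [], "suite": []}
    for tok in filter(None, cipher_string.split(":")):
        if tok.startswith(("!", "-", "+")):
            kind = "operator"
        else:  # heuristic: explicit suite names contain '-' and no '+'
            kind = "alias" if "+" in tok or "-" not in tok else "suite"
        out[kind].append(tok)
    return out

def audit(cipher_string):
    """Count explicit suites per class; return aliases that still need expanding."""
    parts = split_tokens(cipher_string)
    return Counter(classify(s) for s in parts["suite"]), parts["alias"]

def expand(cipher_string):
    """Suite names the local OpenSSL build enables for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    print(audit(LONG))
    print(Counter(classify(n) for n in expand(COMPACT)))
```

`expand()` reports what the local OpenSSL build enables, so its output varies by version; `openssl ciphers -v '<string>'` gives the same expansion from the command line.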
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

  6. Sheratan

    Sheratan Well-Known Member

  7. Tracy Perry

    Tracy Perry Well-Known Member

    I guess you are asking what it is?
    http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf
     
  8. RoldanLT

    RoldanLT Well-Known Member

  9. rafass

    rafass Well-Known Member

    Last edited: Dec 29, 2014
