I hate Windows XP!

TPerry · Dec 24, 2014

After spending most of the night and this morning trying to trouble shoot a style with a user that was having problems, we went through disabling his add-ons in his browser, using a different browser, etc.

Turns out he's using Windows XP and Chrome... pay special attention to the Windows XP aspect. I run SSL on my site(s) and use the "best practice" recommended SSL ciphers. Turns out, they don't play well with Windows XP.

What is the recommended ssl ciphers to use with nginx 1.7.9 to fully support Windows XP (which I'm only going to do for about another 6 months or so).

rainmotorsports · Dec 24, 2014

Oh dear. I'm surprised chrome is the one throwing the fit. I know with current best practice ie8 on xp isn't compatible. If I was home I'd throw you my cipher list to see. I have a few written down somewhere because I went through each one to do a minimal backwards compatible list. Ended up using someone else's recommendations in the end.

TPerry · Dec 24, 2014

rainmotorsports said:
Oh dear. I'm surprised chrome is the one throwing the fit. I know with current best practice ie8 on xp isn't compatible. If I was home I'd throw you my cipher list to see. I have a few written down somewhere because I went through each one to do a minimal backwards compatible list. Ended up using someone else's recommendations in the end.

Yeah, it surprised me to. IE actually gave him an error message. All Chrome was doing was screwing up his display of the visitor tabs and sometimes the post/upload/more options buttons.

What I'm using now (until I totally drop support for anything Windows XP related) is this

Code:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

It won't support IE6, but if they are on IE6 they have no business on the internet.

rainmotorsports · Dec 24, 2014

I'm using this right now which is a simplified but broadly compatible set. It doesn't support ie6 or ie8 on xp nor java6 but still scores beautifully on Qualys.

Code:

ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

https://www.ssllabs.com/ssltest/analyze.html?d=raindd.com

However I'd look at this. Which was my personal balance of security and compatibility. If I was on a desktop I'd try testing it but I also don't have any xp VM up right now.

Code:

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

TPerry · Dec 24, 2014

The one that I am using results in an A+ for me, and also supports Windows XP on IE8. That's as low as I'm willing to go.
https://www.ssllabs.com/ssltest/analyze.html?d=twowheeldemon.com

Sheratan · Dec 25, 2014

Tracy Perry said:
The one that I am using results in an A+ for me, and also supports Windows XP on IE8. That's as low as I'm willing to go.
https://www.ssllabs.com/ssltest/analyze.html?d=twowheeldemon.com

SHA384?

TPerry · Dec 25, 2014

Sheratan said:
SHA384?

I guess you are asking what it is?
http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf

4. SHA-384
SHA-384 is dened in the exact same manner as SHA-512 with the following two
exceptions:
(1) the initial hash value H(0) is based on the fractional parts of the square
roots of the ninth through sixteenth primes:
(2) The nal 384-bit hash is obtained by truncating the SHA-512-based hash
output to its left-most 384 bits.

rdn · Dec 26, 2014

I'm using this: https://support.cloudflare.com/hc/e...at-cipher-suites-does-CloudFlare-use-for-SSL-
With this patch applied also: https://github.com/cloudflare/sslconfig

rafass · Dec 29, 2014

My score is B: https://www.ssllabs.com/ssltest/analyze.html?d=foro.io
And this is the recommendation of my hosting provider:

We can improve this score by removing the RC4 cipher but I do not recommend this as it may make you vulnerable to other attacks. Please see: http://security.stackexchange.com/questions/32497/tls-rc4-or-not-rc4 for more information.

this forum also have B score:

I hate Windows XP!

TPerry

Well-known member

rainmotorsports

Well-known member

TPerry

Well-known member

rainmotorsports

Well-known member

TPerry

Well-known member

Sheratan

Well-known member

TPerry

Well-known member

rdn

Well-known member

rafass

Well-known member

Similar threads

We value your privacy