
I hate Windows XP!

Tracy Perry

Well-known member
#1
After spending most of the night and this morning trying to troubleshoot a style with a user that was having problems, we went through disabling his add-ons in his browser, using a different browser, etc.

Turns out he's using Windows XP and Chrome... pay special attention to the Windows XP aspect. I run SSL on my site(s) and use the "best practice" recommended SSL ciphers. Turns out, they don't play well with Windows XP. :mad:


What are the recommended SSL ciphers to use with nginx 1.7.9 to fully support Windows XP (which I'm only going to do for about another 6 months or so)?
 

rainmotorsports

Well-known member
#2
Oh dear. I'm surprised Chrome is the one throwing the fit. I know with current best practice IE8 on XP isn't compatible. If I was home I'd throw you my cipher list to see. I have a few written down somewhere because I went through each one to do a minimal backwards compatible list. Ended up using someone else's recommendations in the end.
 

Tracy Perry

Well-known member
#3
Yeah, it surprised me too. IE actually gave him an error message. All Chrome was doing was screwing up his display of the visitor tabs and sometimes the post/upload/more options buttons.

What I'm using now (until I totally drop support for anything Windows XP related) is this
Code:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
It won't support IE6, but if they are on IE6 they have no business on the internet.
 

rainmotorsports

Well-known member
#4
I'm using this right now, which is a simplified but broadly compatible set. It doesn't support IE6 or IE8 on XP, nor Java 6, but still scores beautifully on Qualys.
Code:
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
https://www.ssllabs.com/ssltest/analyze.html?d=raindd.com

However, I'd look at this, which was my personal balance of security and compatibility. If I was on a desktop I'd try testing it, but I also don't have any XP VM up right now.
Code:
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
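
The cipher strings posted above can be checked offline against what IE8 on Windows XP offers. This is an added example, not part of the original posts and not nginx or OpenSSL code: a small Python model of OpenSSL cipher-string matching (only the `:`, `+`, `!` and `-` operators). The XP Schannel suite list, its keyword tags, the RSA-certificate default and all function and constant names are assumptions.

```python
import re

# ASSUMPTION: non-export suites offered by XP's Schannel (no AES, no ECDHE),
# tagged with the OpenSSL keywords that select them. HIGH covers 3DES here, as
# in the OpenSSL 1.0.x releases contemporary with nginx 1.7.9.
XP_SCHANNEL = {
    "RC4-MD5": {"RSA", "kRSA", "aRSA", "RC4", "MD5", "MEDIUM"},
    "RC4-SHA": {"RSA", "kRSA", "aRSA", "RC4", "SHA", "SHA1", "MEDIUM"},
    "DES-CBC3-SHA": {"RSA", "kRSA", "aRSA", "3DES", "SHA", "SHA1", "HIGH"},
    "EDH-DSS-DES-CBC3-SHA": {"DH", "EDH", "kEDH", "DSS", "aDSS", "3DES", "SHA", "SHA1", "HIGH"},
    "DES-CBC-SHA": {"RSA", "kRSA", "aRSA", "DES", "SHA", "SHA1", "LOW"},
}

# The three values posted in this thread, copied verbatim.
POST3 = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
POST4_SIMPLE = "ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;"
POST4_COMPAT = 'ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";'

def matches(token, name, tags):
    """Every '+'-joined part must be the suite's name or one of its keywords."""
    return all(part == name or part in tags for part in token.split("+"))

def xp_negotiable(ssl_ciphers, cert_auth="aRSA"):
    """XP Schannel suites the server string still allows, in server order."""
    spec = ssl_ciphers.strip().rstrip(";").strip()
    if spec.startswith("ssl_ciphers"):        # accept a full nginx directive
        spec = spec[len("ssl_ciphers"):].strip()
    selected, killed = [], set()
    for token in filter(None, re.split(r"[:, ]+", spec.strip("\"'"))):
        if token[0] in "@+":                  # strength sort / reorder only
            continue
        for name, tags in XP_SCHANNEL.items():
            if token[0] == "!" and matches(token[1:], name, tags):
                killed.add(name)              # '!' removes permanently
            elif token[0] == "-" and matches(token[1:], name, tags):
                if name in selected:
                    selected.remove(name)     # '-' removes, may be re-added
            elif matches(token, name, tags) and name not in selected:
                selected.append(name)
    # The server can only use suites whose authentication fits its certificate.
    return [n for n in selected if n not in killed and cert_auth in XP_SCHANNEL[n]]

if __name__ == "__main__":
    for label, value in [("#3", POST3), ("#4 simplified", POST4_SIMPLE), ("#4 compat", POST4_COMPAT)]:
        print(label, xp_negotiable(value) or "no common suite")
```

Under these assumptions, the `DH+3DES` entry in the simplified list selects only a DSS-authenticated suite, which a server with an RSA certificate cannot use.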
 

Tracy Perry

Well-known member
#7
I guess you are asking what it is?
http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf
4. SHA-384
SHA-384 is defined in the exact same manner as SHA-512 with the following two
exceptions:
(1) the initial hash value H(0) is based on the fractional parts of the square
roots of the ninth through sixteenth primes:
(2) The final 384-bit hash is obtained by truncating the SHA-512-based hash
output to its left-most 384 bits.
 

rafass

Well-known member
#9