Why can't Windows XP handle newer SSL certificate versions?

As I understand, as Windows XP support was officially dropped, the newest versions of SSL certificates used in certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility. However, Firefox apparently still does support Windows XP and can access those websites freely.

I don't quite understand how SSL certificate compatibility works: how is it possible that on Chrome and IE it requires you to switch to a new OS altogether, but that's not needed when just using a different browser? Why can't a simple community developer just create a "patch" for Chrome and IE if Firefox can support them? What's the connection between the browser and the OS? Where do I draw the line?

Answers


OK, so looking at the example of mpql.net, we start with the SSL Labs analysis.

The problem appears to be that the server only supports elliptic curve cryptography (the various TLS_ECDHE_xxx suites) and, according to the MSDN articles Secure Sockets Layer Protocol and TLS Cipher Suites, Windows XP doesn't include any of the elliptic curve protocols. This is not related to the certificates per se, but to the way the web server is configured.

Firefox still works because it uses its own cryptographic library rather than using the SSL support built into Windows. Of course, if you were using a version of Firefox as old as Windows XP is, it probably wouldn't work either. :-)
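The cipher-suite mismatch described in the answer above, as an added Python sketch that is not part of the original answer. The three suite lists are constructed samples (an ECDHE-only server, a client without elliptic curve suites, and a client with its own library that has them), not values captured from mpql.net or from a real Windows XP machine.

```python
# Added illustration: how a TLS server picks a cipher suite from the client's offer.
# All suite lists are constructed samples, not captured from a real host.

def key_exchange(suite):
    """Return the key-exchange part of an IANA suite name, e.g. 'ECDHE_RSA'."""
    body = suite[len("TLS_"):] if suite.startswith("TLS_") else suite
    return body.split("_WITH_")[0]

def uses_elliptic_curve(suite):
    """True for ECDHE_* and ECDH_* key exchanges."""
    return key_exchange(suite).startswith(("ECDHE", "ECDH"))

def negotiate(client_offer, server_supported):
    """Pick the first server-preferred suite the client also offered, else None."""
    offered = set(client_offer)
    for suite in server_supported:
        if suite in offered:
            return suite
    return None

def explain(client_offer, server_supported):
    """Describe the outcome, naming the elliptic curve gap when that is the cause."""
    chosen = negotiate(client_offer, server_supported)
    if chosen:
        return "ok: " + chosen
    if (all(uses_elliptic_curve(s) for s in server_supported)
            and not any(uses_elliptic_curve(s) for s in client_offer)):
        return "handshake_failure: server is ECDHE-only, client offers no EC suites"
    return "handshake_failure: no common cipher suite"

# Constructed: server configured with TLS_ECDHE_xxx suites only (assumption)
SERVER_ECDHE_ONLY = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed: a client using an OS TLS stack that has no elliptic curve suites
OS_STACK_CLIENT = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]
# Constructed: a browser that ships its own cryptographic library with ECDHE
OWN_LIBRARY_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    print("OS stack client:   ", explain(OS_STACK_CLIENT, SERVER_ECDHE_ONLY))
    print("own-library client:", explain(OWN_LIBRARY_CLIENT, SERVER_ECDHE_ONLY))
```

The certificate never enters the comparison: the handshake fails before the client would evaluate it, which is why the same site works in a browser that brings its own TLS library.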


certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility. However, Firefox apparently still does support Windows XP and can access those websites freely.

Chrome and IE use the CA store of Windows while Firefox uses its own independent store.

Why can't a simple community developer just create a "patch" for Chrome and IE if Firefox can support them?

It might be that some developer can do it, but why should somebody invest their time to support an OS which is dead and insecure just to support browsers which are no longer supported (Chrome will drop support at the end of 2015)? If you feel this needs to be done anyway, just do it. Otherwise, drop XP or at least use Firefox with it.


The solution for this problem in XP is installing KB3055973-v3, which adds support for TLS 128-bit & 256-bit Advanced Encryption Standard (AES) cipher suites. Google for this solution, and beware that it is natively for the English OS version; otherwise you need to modify the installation files.


Although I can't say I'm 100% correct, I believe SSL has everything to do with the browser and not much to do with the actual operating system. I ran into an issue that was the very opposite of what you are asking. A client was on a Windows 7 machine and needed to access Time Warner business email through Chrome but couldn't because of an SSL issue. The problem was that Chrome dropped support for the older version of SSL, and so her options were to use IE or Firefox, or downgrade and hope Chrome doesn't force itself to update. Microsoft is wanting users to upgrade, so of course they are not going to keep IE up to date, and Google isn't going to support an outdated operating system. Firefox is open source, so it makes sense that people would keep the browser compatible with as many devices as possible. Hope this helps.

