9/12/2020 google chrome - Why can't Windows XP handle newer SSL certificate versions? - Stack Overflow

Why can't Windows XP handle newer SSL certificate versions?
Asked 5 years ago Active 1 year, 10 months ago Viewed 26k times

8

As I understand, as Windows XP support was officially dropped, the newest versions of SSL
certificates used in certain websites cannot be accessed by Chrome and IE on WinXP due to
incompatibility. However, Firefox apparently still does support Windows XP and can access those
websites freely.

I don't quite understand how the SSL certificates compatibility works, how is it possible that on
Chrome and IE it requires you to switch to a new OS altogether but that's not needed when just
using a different browser? Why can't a simple community developer just create a "patch" for
Chrome and IE if Firefox can support them? What's the connection between the browser and the
OS? Where do I draw the line?

google-chrome internet-explorer firefox ssl windows-xp

asked Nov 25 '15 at 16:56


Banderi
575 1 6 24

More information please. What is an example of a web site that doesn't work? – Harry Johnston Nov 25
'15 at 21:03

This website doesn't work on XP but works on Seven. mpql.net/tools/dark-souls – Banderi Nov 25 '15 at
22:34

4 Answers Active Oldest Votes

10

OK, so looking at the example of mpql.net, we start with the SSL Labs analysis.

The problem appears to be that the server only supports elliptic curve cryptography (the various
TLS_ECDHE_xxx suites) and, according to the MSDN articles Secure Sockets Layer
Protocol and TLS Cipher Suites, Windows XP doesn't include any of the elliptic curve protocols.
This is not related to the certificates per se, but to the way the web server is configured.

Firefox still works because it uses its own cryptographic library rather than using the SSL support
built into Windows. Of course, if you were using a version of Firefox as old as Windows XP is, it
probably wouldn't work either. :-)

answered Nov 25 '15 at 22:37


Harry Johnston

32.9k 6 53 137

https://stackoverflow.com/questions/33922231/why-cant-windows-xp-handle-newer-ssl-certificate-versions

So.... Basically, the reason Firefox works is because it's handling cryptography on its own rather than
letting XP do it like Chrome and IE? That makes sense. So to "solve" it you would need to either make the
browser use their own implementation or patch Windows XP, neither of which is doable... that explains why
nobody ever bothered trying. This clears up pretty much everything, thanks! – Banderi Nov 25 '15 at
22:54

Theoretically you could write a shim - a library that you inject into the program and which intercepts and
replaces the API calls. But it would be challenging, and probably not very reliable. – Harry Johnston Nov
25 '15 at 23:04

Hmm, sounds cool. But yeah, probably more convenient to upgrade the OS at this point. – Banderi Nov
25 '15 at 23:06
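
The cipher-suite mismatch described in the answer above, as an added example that is not part of the original thread: it models how a server picks a suite from the client's offer and why a browser using the OS TLS stack fails where one shipping its own library succeeds. All three suite lists are constructed for illustration (the XP-style list simply contains no ECDHE suites, as the answer states); the function names are hypothetical.

```python
# Added example: models TLS cipher-suite selection. Suite lists are constructed.

# Illustrative offer from a client using XP's built-in TLS stack (no ECDHE).
XP_SCHANNEL = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]
# Illustrative offer from a browser that ships its own TLS library.
OWN_LIBRARY = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed server configuration: elliptic-curve key exchange only.
ECDHE_ONLY_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

def key_exchange(suite):
    """Return the key-exchange part of an IANA suite name, e.g. 'ECDHE_RSA'."""
    return suite[len("TLS_"):].split("_WITH_")[0]

def negotiate(client_offer, server_pref):
    """Pick the first server-preferred suite the client also offered, else None."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def diagnose(client_offer, server_pref):
    """Explain a handshake result in terms of key-exchange families."""
    chosen = negotiate(client_offer, server_pref)
    if chosen:
        return f"ok: {chosen}"
    missing = sorted({key_exchange(s) for s in server_pref}
                     - {key_exchange(s) for s in client_offer})
    if missing:
        return "no shared cipher suite; client lacks key exchange: " + ", ".join(missing)
    return "no shared cipher suite; key exchange matches but cipher/MAC do not"

if __name__ == "__main__":
    print("OS TLS stack:", diagnose(XP_SCHANNEL, ECDHE_ONLY_SERVER))
    print("own library :", diagnose(OWN_LIBRARY, ECDHE_ONLY_SERVER))
```

An empty intersection is the condition Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH; the certificate is never evaluated in that case.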

2

certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility.
However, Firefox apparently still does support Windows XP and can access those
websites freely.

Chrome and IE use the CA store of Windows while Firefox uses its own independent store.

Why can't a simple community developer just create a "patch" for Chrome and IE if
Firefox can support them?

It might be that some developer can do it, but why should somebody invest their time to support an
OS which is dead and insecure just to support browsers which are no longer supported (Chrome
will drop support end of 2015)? If you feel this needs to be done anyway just do it. Otherwise, drop
XP or at least use Firefox with it.

answered Nov 25 '15 at 17:09


Steffen Ullrich
85.1k 6 92 135

What's a "CA store"? What does it have to do with Windows XP incompatibility? – Banderi Nov 25 '15 at
17:49

@Banderi: That's the place where the root certificates are stored which are needed for the validation of the
certificates. Which certificates are stored there depends on the OS. Important is also the ability to deal with
the new certificates signed with SHA-256. Support for these was added with XP SP3. – Steffen Ullrich Nov
25 '15 at 18:24

Hmm... so, the fact that I'm running WinXP changes the certificates the website uses to secure the
connection I'm requesting? This would mean that Chrome and IE simply stopped supporting the
certificates specifically requested by XP while Firefox still support them, and to theoretically patch this it
would require to heavily change the way XP handles/requests certificates, correct? – Banderi Nov 25 '15
at 19:09

I suspect it's that XP can't understand the certificate the site is providing. Chrome and IE delegate the task
of validating the certificate to Windows. Firefox does it itself. But without an example of a site that is failing,
it's hard to be sure. (It might also not be the certificate at all, but the cipher suite.) – Harry Johnston Nov 25
'15 at 21:05


This website, for example, doesn't work on XP but works on Seven: mpql.net/tools/dark-souls The error, at
least on Chrome, is always the same for these
websites, ERR_SSL_VERSION_OR_CIPHER_MISMATCH – Banderi Nov 25 '15 at 21:35

1

Solution for this problem in XP is installing KB3055973-v3 that adds support for TLS 128-bit &
256-bit Advanced Encryption Standard (AES) cipher suites. Google for this solution and beware it
is natively for English OS version, otherwise you need to modify the installation files.

answered Sep 29 '18 at 5:29


ZioBill
11 2

0

Although I can't say I'm 100% correct I believe SSL has everything to do with the browser and not
much to do with the actual operating system. So I ran into an issue where the very opposite from
what you are asking. A client was on a Windows 7 machine and needed to access Time Warner
business email through Chrome but couldn't because of an SSL issue. The problem was that
Chrome dropped support for the older version of SSL and so her options were use IE or Firefox
or downgrade and hope Chrome doesn't force itself to update. Microsoft is wanting users to
upgrade so of course they are not going to keep IE up to date and Google isn't going to support
an outdated operating system. Firefox is open source so it makes sense that people would keep
the browser compatible with as many devices as possible. Hope this helps.

answered Nov 25 '15 at 17:08


Dallas
36 7

Hmm, it makes sense... But what exactly is it that makes Windows XP itself incompatible? Aren't SSL
certificates handled by the browsers? What do they have to do with the OS? – Banderi Nov 25 '15 at
17:51

Because of the way it stores certificates. The computer stores certs so it knows that the site "person" it's
talking to is trusted or not trusted and if that site is who that site says they are, make sense? Can I ask a
question: why are you asking this question? – Dallas Nov 25 '15 at 18:24

But if certificates are tied to the way the OS stores them, why do Chrome and IE not work and Firefox does?
I'm asking this just out of personal curiosity. I have an old XP laptop that suddenly stopped working with
some sites and was wondering where in the line between opening regedit and being a Microsoft developer
would one be needing to stand to solve it. – Banderi Nov 25 '15 at 18:58
