Re: Problems with security certificates on web sites


JJ

Jul 18, 2022, 9:43:12 AM
On Mon, 18 Jul 2022 07:20:58 +0200, Steve Hayes wrote:
> Some web browsers seem to have problems with security certificates on
> web sites.
>
> Has anyone tried this?
>
> <https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-secure-protocols-in-winhttp-on-windows-embedded-posready-2009-and-windows-embedded-standard-2009-f51ec93b-9988-7ac6-98a1-b8968c40ab7f>
>
> or
>
> https://t.co/AFpRBNTlej
>
> The bits about changing the registry entries look scary.

I don't think that would help much.

The problem with Windows XP is that its built-in cryptography functions
don't support newer ciphers which are used by most current HTTPS websites.
There is no hotfix/update which replaces the cryptography DLL with one
that supports newer ciphers.

That update merely changes the Windows setting to enable TLS 1.1 and 1.2.
TLS is the protocol part of the communication. The cipher is the algorithm part
of the data encryption. Enabling TLS 1.1 and 1.2 will only allow accessing
websites which require them. The cipher part is a separate matter.

The solution is to use network-related software which uses its own
cryptography functions instead of using Windows'. Some (but not all)
cross-platform software uses its own. Non-cross-platform software (i.e.
Windows-only software) is likely to use Windows' own cryptography
functions.

If one wants to keep using their favorite network-related software, the
solution is to use a local proxy server that uses its own cryptography
functions. If a piece of software doesn't support a proxy, a proxifier would
need to be used.

Though, finding the correct software can be quite difficult.

MikeS

Jul 18, 2022, 12:40:02 PM
On 18/07/2022 06:20, Steve Hayes wrote:
> Some web browsers seem to have problems with security certificates on
> web sites.
>
> Has anyone tried this?
>
> <https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-secure-protocols-in-winhttp-on-windows-embedded-posready-2009-and-windows-embedded-standard-2009-f51ec93b-9988-7ac6-98a1-b8968c40ab7f>
>
> or
>
> https://t.co/AFpRBNTlej
>
> The bits about changing the registry entries look scary.
>
>
Not clear exactly what you need but if it is to update XP certificates
have a look here:
https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/

Grant Taylor

Jul 18, 2022, 3:19:56 PM
On 7/18/22 12:17 PM, DK wrote:
> "en.wikipedia.org uses an invalid security certificate. The certificate
> is not trusted because the issuer certificate has expired. Error code:
> SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE"

My take on that is the (copy of) the signer's certificate is expired.

I'm not getting any errors when accessing the page so I doubt it's an
actual certificate issue at Wikipedia's end.

> Is it fixable at all in FF 47? Isn't this what the certificate
> update is supposed to be fixing?

I don't think so. At least not as such.

The link that I saw was for a /Microsoft/ update. Remember that Firefox
uses the Netscape Security Suite (NSS). And that the NSS and
Microsoft's counterpart are two different things. So an update to the
latter quite likely won't have any influence on the former, or vice versa.



--
Grant. . . .
unix || die

Mayayana

Jul 18, 2022, 4:51:19 PM
"Steve Hayes" <haye...@telkomsa.net> wrote
I had to figure this out for a program I wrote using winhttp. Not
a big deal. The posready entry is just to tell the updater that
it's an embedded system. It won't install on OEM XP. The rest
is just to enable TLS 1.2:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001


Next, download the KB4019276 patch and install it:

http://download.windowsupdate.com/c/msdownload/update/software/updt/2017/10/windowsxp-kb4019276-x86-embedded-enu_3822fc1692076429a7dc051b00213d5e1240ce3d.exe

However, a browser like Firefox will have its own code for this.
It's only necessary if you're using the Win32 API and want to enable
TLS 1.1/1.2. If you're getting cert problems then look at the
sites. Some are a false alarm because 1) everyone has been pushed to
use https and 2) smaller websites usually don't have their own cert.
So you might get an error that acme.com is not providing its own cert.
Assuming you're not planning to give them a credit card, it's fine. It's
probably the cert of their webhost.


Paul

Jul 18, 2022, 7:35:49 PM
On 7/18/2022 2:17 PM, DK wrote:
> In article <tb42ct$f2s6$1...@dont-email.me>, MikeS <Mi...@fred.com> wrote:
>
>>>
>> Not clear exactly what you need but if it is to update XP certificates
>> have a look here:
>> https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-
>> for-windows-xp/
>
> Could someone please explain what's going on here:
>
> 1. Used the certificate updater. All went fine.
> 2. Have TLS enabled in WinXP
> 3. Still, in Firefox 47 (but not in FF 52 or Mypal 29), there is an error:
>
> "en.wikipedia.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate
> has expired. Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE"
>
> Is it fixable at all in FF 47? Isn't this what the certificate update is supposed to be fixing?
>
> Thanks,
>
> DK

Firefox has its own certificate store.

Windows has certificates too. Might be used by Internet Explorer or so.

The Firefox plan might be stated as:

"You get our latest Certificate Store and CHACHA20 algo for TLS 1.x,
by updating your Firefox version"

Sucks to be a Windows XP user, who through no fault of their
own, cannot do that.

WinXP is "plenty modern enough" to run software. It has
preemptive multitasking. Same as BSD, Linux, Unix, MacOSX (or later).

Manually editing the Firefox Certificate Store is a sign of something :-)

Some browsers that might run on WinXP, rely on the OS certificate store,
and they might be worse off than Firefox.

No matter what you do as a user, somebody has to do the work. It can
never be (entirely) a free lunch. Maybe the MyPal developer fixed it.

There is no reason that any of this had to work the way it does.
The certificate store and the schannel internal to Firefox could
have been made modular, such that a version of "certificate server"
minted yesterday, could have been used by an ancient Firefox (with
no engine of its own internally). They could have come up with
better architectures than this. It smacks of the usual "software handcuffs"
approach to design -- make it so the user is perpetually upgrading stuff.
If you modularize components, such that the volatile parts are in a
separate module/solution, then the main part need not change.

Consider for example, a certain USENET newsreader, which has no TLS
of its own, and is used with the application "STUNNEL". That's an
example of a modular approach to transport, where only "STUNNEL"
need be updated to work with LetsEncrypt on the USENET server.
Sure, it's a nuisance, but... it's modular.

Paul

VanguardLH

Jul 19, 2022, 11:19:31 AM
Wikipedia.org is using a site cert from LetsEncrypt. I remember a while
ago when there was a problem with LE certs, because the root (CA) cert
on the client had expired. Some web clients use the global cert store
in Windows (run certmgr.msc), but Mozilla decided to use a private cert
store in Firefox. You might get a newer cert in the global store, but
Firefox would still fail to validate a site cert because the root cert
in its private store had expired. As I recall, LE provided a .cer file
you could use to add to Firefox's private cert store.

https://letsencrypt.org/certificates/

That has some example sites with expired or revoked site certs that you
can click on to load to see the error you get in your web client.

I believe you can get Firefox to interrogate the global cert store in
Windows by changing the following setting to True:

security.enterprise_roots.enabled

I enabled that setting long ago, probably when it first showed up,
because there were CA/trusted certs in the Windows global cert store
that were newer than what Mozilla pushed in Firefox in its private cert
store.

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
Section "Using built-in Windows and MacOS support".

The article notes "This setting only imports certificates from the
Windows Trusted Root Certification Authorities store, not corresponding
Intermediate Certification Authorities store." I opened certmgr.msc,
but didn't find LE under the Trusted Root Certification node in the tree
list. I thought I saw it before, but the article shows the hierarchy of
cert issuers of which one of them is ISRG, and that one is listed under
the Trusted Root Certificates node in the global cert store. For me
under Windows 10 Home, details of the ISRG Root X1 cert are:

Valid: 6/4/2015 to 6/4/2035

The OP could look in certmgr.msc to see if there is an LE cert listed
under the Trusted Root Cert group, or if the ISRG Root X1 cert is
listed, and what are the expiration dates for them. If expired, he
could try to use the LE web page to get the CA cert for LE, and install
it into Firefox's private cert store.

about:preferences#privacy
Scroll down to "Certificates", and click "View Certificates ...".
Click "Import ...".
You can import the .pem or .der file you download from the LE site.

I haven't had to do this, but I'm guessing this is how you get LE's root
cert (actually ISRG Root X1) imported into Firefox's private certificate
store. Of course, if you use the about:config setting then Firefox
should be auto-importing the Trusted certs from the Windows global cert
store. If the setting alone doesn't work (because the LE/ISRG cert is
expired in Windows global cert store) then you have to see if importing
the .der or .pem file from LE's site into Firefox's private cert store
will get it working again to visit Wikipedia.

There was a big brouhaha many years ago for sites using LE's free site
certs, and the actual root cert not getting updated in the Windows
global cert store.

If you want to add the LE/ISRG root certificate into Windows' global cert
store, you run certmgr.msc, right-click on the Personal -> Certificate
node, and use All Tasks -> Import on the downloaded .der or .pem file.
However, the description of the about:config setting in Firefox says it
auto-imports only certs in the Trusted Root group, not from the Personal
group, so you could end up importing into the Windows global cert store
to get all other web clients to use the new cert, and still have to add
the new LE cert to Firefox's private cert store.

I have never found an official declaration from Mozilla why they feel
compelled to wrest control away from the global cert store (in Windows
and Linux) to use their own private cert store. I've seen inference
that Mozilla thinks it knows better which root certs to support across
various platforms for consistency, but that's not an official statement
from Mozilla.

The OP said "some web browsers". That does not say WHICH web browsers,
or versions. Hard to supply focused responses on vague details. For
Firefox (and variants), and because Firefox uses its own private cert
store, looks like the security.enterprise_roots.enabled setting became
available in Firefox 49 as per:

https://mike.kaply.com/2016/09/01/upcoming-changes-to-root-certificates-in-firefox-on-windows/

The Edge and Chrome web browsers use the Windows global cert store, so,
for them, you have to update the global cert store in Windows.
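As an added illustration (not code from the thread, from Mozilla or from Let's Encrypt), a small Python model of the diagnosis above: the chain the server sends is fine, but the only copy of the root in the client's private store has expired, so validation fails with an expired-issuer result until the client also consults a store holding a current copy, as security.enterprise_roots.enabled does. Apart from the ISRG Root X1 validity dates quoted above, every certificate name and date in it is constructed.

```python
from datetime import date
# Constructed sample certificates (not real ones): only the fields that path
# validation needs. A trust store maps a subject name to the copies held of it.
def cert(subject, issuer, not_before, not_after):
    return {"subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after}

def in_validity(c, today):
    return c["not_before"] <= today <= c["not_after"]

def validate_chain(chain, store, today):
    """Leaf-first chain -> "ok", "EXPIRED_LEAF", "EXPIRED_ISSUER" or "UNKNOWN_ISSUER"."""
    for c in chain:
        if not in_validity(c, today):
            return "EXPIRED_LEAF" if c is chain[0] else "EXPIRED_ISSUER"
    roots = store.get(chain[-1]["issuer"], [])
    if not roots:
        return "UNKNOWN_ISSUER"
    # The server's chain is fine, but every copy of the anchor the client holds
    # is stale: what NSS reports as SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE.
    if not any(in_validity(r, today) for r in roots):
        return "EXPIRED_ISSUER"
    return "ok"

def effective_store(private_store, windows_store, enterprise_roots):
    """Firefox's private store, plus the Windows Trusted Root store when
    security.enterprise_roots.enabled is True."""
    if not enterprise_roots:
        return private_store
    merged = {k: list(v) for k, v in private_store.items()}
    for k, v in windows_store.items():
        merged.setdefault(k, []).extend(v)
    return merged

# Constructed scenario. ISRG Root X1's dates are those quoted in the thread
# (6/4/2015 to 6/4/2035); every other name and date here is made up.
TODAY = date(2022, 7, 18)
INTERMEDIATE = "LE intermediate (constructed)"
CHAIN = [
    cert("en.wikipedia.org", INTERMEDIATE, date(2022, 6, 1), date(2022, 8, 30)),
    cert(INTERMEDIATE, "ISRG Root X1", date(2020, 9, 4), date(2025, 9, 15)),
]
STALE_FIREFOX_STORE = {"ISRG Root X1": [cert("ISRG Root X1", "ISRG Root X1",
                                             date(2012, 1, 1), date(2021, 12, 31))]}
WINDOWS_STORE = {"ISRG Root X1": [cert("ISRG Root X1", "ISRG Root X1",
                                       date(2015, 6, 4), date(2035, 6, 4))]}

def diagnose(enterprise_roots):
    store = effective_store(STALE_FIREFOX_STORE, WINDOWS_STORE, enterprise_roots)
    return validate_chain(CHAIN, store, TODAY)
```

Importing a current copy of the root into the private store (the .pem/.der route above) has the same effect as the merge: the stale copy stays but no longer matters, because one valid copy of the anchor is enough.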

Mayayana

Jul 20, 2022, 8:42:11 AM
"Steve Hayes" <haye...@telkomsa.net> wrote

| But sometimes it will not let me override it, and the site itself
| blocked me. I informed the owner of the site, who suggested that I
| try this Windows patch, so I asked if anyone else had tried it.

I think that's a red herring. Your Firefox supports TLS 1.2.
If you're getting an https connection then it's working. I'm
surprised that you do as well as you do. I use Firefox and
Pale Moon, but I also generally disable script and have other
privacy controls in place. A growing number of sites won't
work for me, even if I enable script. The only thing close to
social media that I use is Reddit. That works for me, but only
the old version that they've been nice enough to leave up.
My own doctor's website is completely broken no matter
what I do. I have to use Win7 or 10. It's using some kind
of script or JSON code that older browsers don't recognize.

Most of the problem seems to be "cutting edge" pages,
composed almost entirely of script, created by automated
software. There's no one minding the store. They just get
software to write their webpages and if it malfunctions they'll
often tell people to "update your Chrome". That's the other
big problem. Chrome is becoming the default, and I suspect
Google tries to make it unique, just as MS did with IE, 20
years ago. So much of geekdom are now servants of Google,
living in the Googleverse, and very few actually know how to
write webpage code. Take a look at the source code. It's a
bloated mess, spat out by server-side software on-call.

I often can't go to Home Depot or Lowes at all. But the
symptom is interesting. If I try in Pale Moon, which has better
privacy and a Secret Agent extension, I get a denial
webpage. "You don't have permission..." If I try in Firefox
it works, though the page is mostly useless.

Increasingly, there's privacy evasion designed into pages.
Many pages now are designed to break if you're not loading their
ads and allowing spying. Many are actually putting the entire
HTML into script variables, so there's no page until you run the
script! Or they use CSS to hide the page and then script is needed
to unhide it... The commercial aspect has taken over.

I've got a Win7 box and a Win10 laptop, with less privacy and
security, that I use now if I have to access the newer webpages.

| That
| registry patch thing looks scary to me.
|

Nothing scary. It just tells updaters that you're running embedded
XP, so that you can get the patches. And it officially records the
supported level of TLS to allow TLS 1.1 and 1.2. But that only applies
to Windows itself and MS software.

As I mentioned, I updated my XP and Win7 computers
to support TLS 1.2, but that's only because I'm using winhttp.dll in
my own software. Winhttp.dll is a Windows library for simplified
downloading of files. If you make the change it might make some
MS software more secure, but it won't help with your browsers.
Though Maxthon is partly IE, right? It could possibly improve
IE security, but I'm not sure about that.

| if it hits sites with
| security certificate problems, it tells me that Avast has blocked
| access to those sites, and there's no override for that, as there is
| for Firefox and Opera.
|

That's a whole other can of worms. I haven't used AV software
for 20+ years, but I know it's gotten increasingly intrusive. That's
always something to consider when you have problems.


Mayayana

Jul 21, 2022, 8:21:05 AM
"Steve Hayes" <haye...@telkomsa.net> wrote

| Yes, I have a Win 7 laptop with the latest Firefox, but if someone
| posts a link with one of the now-fashionable long URLs, getting it
| across to the laptop to look at it is a schlep. And long URLs are fine
| for the software that writes and reads long scripts, but are a pain for
| human readers.
|

Yes. I also hate to boot up other machines. I keep Win10 in
the closet for special cases. I keep Win7 in another room. I
mostly use them by keeping a list of URLs in a TXT file. Then
when I get enough, I boot up 7 or 10 and deal with them.

Maybe you know this, but many URLs are actually just spyware.
Typically only the part before ? is the link. The rest is tracking
IDs. In some cases those IDs may contain your personal info,
unencrypted but base64-encoded.

