Why can't Windows XP handle newer SSL certificate versions?

Question

As I understand, as Windows XP support was officially dropped, the newest versions of SSL certificates used in certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility. However, Firefox apparently still does support Windows XP and can access those websites freely.

I don't quite understand how the SSL certificates compatibility works, how is it possible that on Chrome and IE it requires you to switch to a new OS altogether but that's not needed when just using a different browser? Why can't a simple community developer just create a "patch" for Chrome and IE if Firefox can support them? What's the connection between the browser and the OS? Where do I draw the line?

Answer 1

Solution for this problem in XP is installing KB3055973-v3 that adds support for TLS 128-bit & 256-bit Advanced Encryption Standard (AES) cipher suites. Google for this solution and beware it is natively for English OS version, otherwise you need to modify the installation files.

Note that I installed "Windows Embedded POSReady 2009" before.

Answer 2

OK, so looking at the example of mpql.net, we start with the SSL Labs analysis.

The problem appears to be that the server only supports elliptic curve cryptography (the various TLS_ECDHE_xxx suites) and, according to the MSDN articles Secure Sockets Layer Protocol and TLS Cipher Suites, Windows XP doesn't include any of the elliptic curve protocols. This is not related to the certificates per se, but to the way the web server is configured.

Firefox still works because it uses its own cryptographic library rather than using the SSL support built into Windows. Of course, if you were using a version of Firefox as old as Windows XP is, it probably wouldn't work either. :-)

Answer 3

certain websites cannot be accessed by Chrome and IE on WinXP due to incompatibility. However, Firefox apparently still does support Windows XP and can access those websites freely.

Chrome and IE use the CA store of windows while Firefox uses it's own independent store.

Why can't a simple community developer just create a "patch" for Chrome and IE if Firefox can support them?

It might be that some developer can do it, but why should somebody invest its time to support an OS which is dead and insecure just to support browsers which are no longer supported (Chrome will drop support end of 2015). If you feel this needs to be done anyway just do it. Otherwise, drop XP or at least use Firefox with it.

Answer 4

Although I cant say im 100% correct I believe ssl has everything to do with the browser and not much to do with the actual operating system. So I ran into an issue where the very opposite from what you are asking. A client was on a windows 7 machine and needed to access time warner business email through chrome but couldn't because of a SSL issue. The problem was that Chrome dropped support for the older version of SSL and so her options where use IE or Firefox or downgrade and hope chrome doesn't force its self to update. Microsoft is wanting users to upgrade so of course they are not going to keep IE up to date and google isn't going to support an outdated operating system. Firefox is open source so it makes sense that people would keep the browser compatible with as many devices as possible. Hope this helps.