PCbanter

PCbanter (http://www.pcbanter.net/index.php)
-   General XP issues or comments (http://www.pcbanter.net/forumdisplay.php?f=18)
-   -   Windows XP Update (http://www.pcbanter.net/showthread.php?t=1109599)

Bert[_4_] January 3rd 20 09:04 PM

Windows XP Update
 
Has anyone successfully updated their Win XP PCs with the latest MS update?
This update was made available but not part of the standard update process.

MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.

KB4316682

Someone provide steps to do updates please !

😉 Good Guy 😉 January 3rd 20 09:34 PM

Windows XP Update
 
On 03/01/2020 20:04, Bert wrote:
Has anyone successfully updated their Win XP PCs with the latest MS
update?
This update was made available but not part of the standard update
process.

MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.

KB4316682

Someone provide steps to do updates please !

Why do you need updates for your already unsecured crap? Just move on
without the updates and keep using it until 2032, after which there is no
guarantee that XP will boot up, or you might be dead.

If you want updates then you'll need that junk called Linux with its
various alternatives. They give you updates every week because that
junk is in perpetual beta version. Ask your question on their newsgroup
as they would like to help people like you. Windows XP, Windows Vista
and Windows 7 are now considered dead. Even the people who were using
them are dead. Haven't you noticed that the newsgroups for XP, Vista
and 7 are completely dead because nobody is using those legacy operating
systems? Get hold of a brand new DELL machine on which you'll get a
working copy of Windows 10 that still does everything an XP, Vista or 7
used to do.

--
With over 1.2 billion devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.


MikeS[_3_] January 3rd 20 09:43 PM

Windows XP Update
 

"Bert" wrote in message
...
Has anyone successfully updated their Win XP PCs with the latest MS
update?
This update was made available but not part of the standard update
process.

MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.

KB4316682

Someone provide steps to do updates please !


Google the KB number and download the .exe file from Update Catalog.
But I just tried it on WinXP SP3 and it will not run.

Are you aware that IE8 no longer works properly on Win XP?
Most websites now use https and XP no longer meets current minimum SSL/TLS
levels.



Mayayana January 3rd 20 11:50 PM

Windows XP Update
 
"Bert" wrote

| Has anyone successfully updated their Win XP PCs with the latest MS
update?
| This update was made available but not part of the standard update
process.
|
| MS still supports the Point Of Sale and kiosks etc with security updates.
| So I believe that this update can be used on any Win XP PC.
|
| KB4316682
|

How did you find out about that? I just discovered it
a few days ago.

If you have IE8 you can run this update. It's simple.
No special steps. I installed it but then removed it
after I remembered why I don't use IE8: It makes OE6
crash. But other than that it seemed fine. Once done
you'll get options for TLS 1.1 and 1.2 in Advanced
settings. There were some Registry settings specced
but as far as I could see the update took care of all that.

Presumably you're not actually using IE8 online. But
this update may still be worth it if you don't use OE.
It's a 2018 version of IE8, with security updates so that
POS machines can be stable despite not being eligible
for IE9-11.
Why would you update if you don't use IE? Because
many of the Windows networking APIs are actually just
IE functions. A lot of software uses those functions,
which come from urlmon.dll or wininet.dll.

But there's also another issue: You can get the update
but XP doesn't have the certs. I also just found out how
to update the certs:

https://msfn.org/board/topic/175170-...or-windows-xp/

Arcane, but not too involved. You download the two
updates and unpack them. I used my own SFX CAB
extractor but the page says WinRAR might work. Once
you have them unpacked to 2 folders, use the other
links to download updated versions of the SST files.
Having done that, run the two INF files to complete
the update of certs to the latest version.

Another update you might want is winhttp.
KB4019276. Winhttp is used by a lot of programmers.
Wininet has historically been used by people who
didn't really know what they were doing but wanted
to do something like download a webpage through their
software. The methods are just IE wrapper functions.
People who did know what they were doing would use
winsock. But that's complicated. At some point MS
saw the problem and came out with a 3rd option:
winhttp.dll. Winhttp mimics the wininet functions but
does them cleanly, with no IE dependency.

To update winhttp you'll want these Registry
settings on XP:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Also run the update:

http://download.windowsupdate.com/c/...5e1240ce3d.exe

Win7 can also get this update. (WinXP/Vista/7 do
not have native TLS1.2 support.) Win7 can get it in
wininet by installing IE11. This is the fix for winhttp:

Win7-64-bit:

http://www.download.windowsupdate.co...8e52a0dec0.msu

Win7-32-bit:

http://www.download.windowsupdate.co...74a0654f18.msu

I'm providing the direct links because MS have become obnoxious
about their updates, trying to force people to enable script so they
can snoop on you.

This is a lot of info. Feel free to post back if you don't
figure it all out. The gist of it is that TLS1.2 has become
standard. Each version of online encryption (SSL, TLS1,
TLS1.1) has gradually been cracked and a more secure
version needed. So it's not a critical issue, but it's nice to
get it updated.

Anyone who cares about such security won't be using
IE, anyway, but as I explained above, any software that's
going online may be using the wininet or winhttp functions
and if they want to use secure https they'll need these
updates.



Lu Wei January 4th 20 01:43 PM

Windows XP Update
 
On 2020-1-4 4:04, Bert wrote:
Has anyone successfully updated their Win XP PCs with the latest MS update?
This update was made available but not part of the standard update process.

MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.

KB4316682

Someone provide steps to do updates please !


You don't need that one; this is a cumulative update, which means you only
need to install the last one:
2019-04 Cumulative Security Update for Internet Explorer 8 for POSReady
2009 for x86-based systems (KB4493435)
The enu version download link:
http://download.windowsupdate.com/d/...6f1a2ae37f.exe

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA

Lu Wei January 4th 20 02:10 PM

Windows XP Update
 
On 2020-1-4 6:50, Mayayana wrote:
"Bert" wrote
...

To enable WindowsXP TLS 1.1 & 1.2 support, I have edited a reg file,
feel free to use it (prerequisite KBs are in comment):
-----------------------------------------------------------------
Windows Registry Editor Version 5.00
;Enable TLS1.1|1.2 support in WindowsXP. Install KB4019276 (which needs
POSReady registry hack to install) first, then import this reg file.
;Insecure ciphers|hashes|protocols are disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

;Enabled TLS1.0 for better windows update compatibility and connecting
to remote desktop of a Win7 host
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001

;Enable TLS1.1|1.2 options of IE8 in WindowsXP. Need to install
KB4019276 and the latest IE8 cumulative patch to function.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80

;Enable TLS 1.1 and TLS 1.2 as secure protocols in WinHTTP, need KB4467770
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a80
-------------------------------------------------------------------------------------------

But some TLS 1.1|1.2 sites will still not function in IE8, because the
ciphers they use are still not supported by it, and never will be. So
regard KB4019276 and this only as a system patch; use other browsers
instead.

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA
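An added example, not code from any poster in this thread: a small Python script that parses a .reg file like the ones posted above, applies the SCHANNEL rules the files rely on ("Enabled"=0 turns an item off, "DisabledByDefault"=1 keeps a protocol off unless an application asks for it), decodes the SecureProtocols/DefaultSecureProtocols bitmask, and lists any weak protocol, cipher or hash the file would leave enabled, so a file can be checked before it is imported. The .reg text inside it is a constructed sample, not one of the posted files.

```python
"""Audit a Windows .reg export of SCHANNEL settings before importing it.

Constructed example, not from the thread. SCHANNEL rules: "Enabled"=0 turns a
protocol, cipher or hash off; "DisabledByDefault"=1 keeps a protocol off unless
an application opts in. SecureProtocols (WinINet) and DefaultSecureProtocols
(WinHTTP) are bitmasks: 0xa80 = TLS 1.0 + TLS 1.1 + TLS 1.2.
"""
import re

SECURE_PROTOCOL_BITS = {0x008: "SSL 2.0", 0x020: "SSL 3.0", 0x080: "TLS 1.0",
                        0x200: "TLS 1.1", 0x800: "TLS 1.2"}

# Items a client should no longer offer; the audit flags any of these left enabled.
WEAK = {
    "Protocols": {"Multi-Protocol Unified Hello", "PCT 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0"},
    "Ciphers": {"NULL", "DES 56/56", "RC2 40/128", "RC2 56/128", "RC2 128/128",
                "RC4 40/128", "RC4 56/128", "RC4 128/128", "Triple DES 168/168"},
    "Hashes": {"MD5"},
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SCHANNEL_RE = re.compile(r"\\SCHANNEL\\(Protocols|Ciphers|Hashes)\\(.+)$", re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: value}}; dwords become ints, '-' (delete) becomes None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.group(1), m.group(2).strip()
            if val.startswith("dword:"):
                val = int(val[6:], 16)
            elif val == "-":
                val = None
            sections[current][name] = val
    return sections

def decode_secure_protocols(mask):
    """Names of the protocols whose bits are set in a SecureProtocols-style dword."""
    return [name for bit, name in sorted(SECURE_PROTOCOL_BITS.items()) if mask & bit]

def schannel_state(sections):
    """Map (kind, item, side) -> 'enabled' | 'disabled' | 'disabled-by-default'."""
    state = {}
    for path, values in sections.items():
        m = SCHANNEL_RE.search(path)
        if not m:
            continue
        kind, parts = m.group(1).capitalize(), m.group(2).split("\\")
        side = parts[1] if kind == "Protocols" and len(parts) > 1 else None
        if values.get("Enabled") == 0:
            state[(kind, parts[0], side)] = "disabled"
        elif values.get("DisabledByDefault") == 1:
            state[(kind, parts[0], side)] = "disabled-by-default"
        else:  # Enabled non-zero, DisabledByDefault=0, or neither value given
            state[(kind, parts[0], side)] = "enabled"
    return state

def audit(text):
    """Sorted findings: weak items left enabled, plus decoded SecureProtocols masks."""
    sections = parse_reg(text)
    findings = []
    for (kind, item, side), s in schannel_state(sections).items():
        if s == "enabled" and item in WEAK[kind]:
            findings.append(f"WEAK {kind}\\{item}" + (f" ({side})" if side else "") + " is enabled")
    for values in sections.values():
        for name in ("SecureProtocols", "DefaultSecureProtocols"):
            if isinstance(values.get(name), int):
                findings.append(f"{name}=0x{values[name]:x} -> "
                                + ", ".join(decode_secure_protocols(values[name])))
    return sorted(findings)

# Constructed sample in the style of the thread's .reg files (not a copy of them);
# TLS 1.0 is left on, as the thread's file does for Windows Update compatibility.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Run it against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel.reg`) to see what a machine actually offers; a protocol key that exists with neither value is reported as enabled, which is SCHANNEL's default.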

Mark Lloyd[_2_] January 4th 20 07:08 PM

Windows XP Update
 
On 1/3/20 2:43 PM, MikeS wrote:

[snip]

Are you aware that IE8 no longer works properly on Win XP?
Most websites now use https and XP no longer meets current minimum SSL/TLS
levels.


Yes, IE8 is definitely NOT a modern version. There are a lot of things it
doesn't support. On XP, Firefox or Chrome would be a much better choice.

--
Mark Lloyd
http://notstupid.us/

"Few people can be happy unless they hate some other person, nation or
creed." [Bertrand Russell]

Paul[_32_] January 5th 20 06:56 AM

Windows XP Update
 
Bert wrote:
Has anyone successfully updated their Win XP PCs with the latest MS update?
This update was made available but not part of the standard update process.

MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.

KB4316682

Someone provide steps to do updates please !


Lu Wei seems to have found the magic ingredient.

1) IE8 Cumulative of some sort (there have been a bunch).

The PosReady one won't install until the OS is "branded".

HKLM\SYSTEM\WPA\PosReady === New key
Installed DWORD 1 === New DWORD value

Now, try and remove that later. I'll have to find
another Kaspersky registry editor to get rid of that.
The KAV disc wouldn't boot in the VM, so I could do surgery.

2) SChannel update. SChannel provides encryption entries
and uses named pipes. Savvy software developers keep their
own "cryptlib", so they can never be held hostage by SChannel
missing features.

3) Slight registry adjustments to enable it.

So what did I learn? Did IE8 suddenly become as
flexible as Chrome or Firefox? No.

a) Sure, it supports TLS 1.2 or TLS 1.3. Great.
It would be nice to verify this, but the "ssllabs"
site refused to work with the adulterated browser.

b) A crypto algorithm has to go with the overall protocol.
Microsoft liked their 40 bit and 128 bit methods a bit
too much. 3DES is no longer recommended. You need stronger stuff.
The SChannel update, it's Microsoft policy to "not improve things".
They can't be adding CHACHA20 or the elliptic curve
exxxxx item to the Schannel. Leaving the crusty old RSA
entries and the like, is more their speed.

I've tested one web site, which insisted on a high value of
TLS and only allowed the two named items in the previous paragraph.
That virtually guarantees a bad experience for the vast majority
of web browser users.

Things that could be missing (in no particular order)

"https everywhere": Just because the browser got TLS 1.2 or TLS 1.3,
doesn't mean the browser is going to connect to anything.
Only https to www.mozilla.org worked. I couldn't
connect to ssllabs and verify this stuff.

https://www.ssllabs.com/ssltest/viewMyClient.html FAIL

Normally, a site like that would "allow" weak
crypto, so it can "yell at you" to fix it :-)

Schannel weak crypto: At least on WinXP, they're not going to "give away"
this stuff. Browsers like Firefox, might be keeping
their cross-platform crypto inside the executable,
so there can't be any "Schannel hostage dramas".
WinXP is never going to get a patch for CHACHA20.

javascript: No idea what level of Javascript development IE8 is
stuck with. panopticlick.eff.org didn't work with IE8
when I tried, and that might have been a script problem.

HTML5: IE11 might have that, but did IE8 get any? Since the
browser test results were so poor, I can't really say.

So, yeah, I tried to patch up a Windows XP Mode virtual machine
for the test, and the results were "weak to non-existent". It
still can't display an MSN page or the like. Nothing is worse
off than before I started, so there is that. I got to discover
some of the holes on Windows XP Mode along the way (*don't*
merge the differencing disk and make a single dynamic VHD of it, it
doesn't like that). The Microsoft Windows XP Mode was so poor,
the software threw a hissy fit and *erased* the control file.
I discovered how to do (limited) backups to stop that.

The surgery was a success but the patient died.

Paul

MikeS[_5_] January 5th 20 12:49 PM

Windows XP Update
 
On 05/01/2020 05:56, Paul wrote:
Bert wrote:
Has anyone successfully updated their Win XP PCs with the latest MS
update?
This update was made available but not part of the standard update
process.

MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.

KB4316682

Someone provide steps to do updates please !


Lu Wei seems to have found the magic ingredient.

1) IE8 Cumulative of some sort (there have been a bunch).

The PosReady one won't install until the OS is "branded".

HKLM\SYSTEM\WPA\PosReady === New key
Installed DWORD 1 === New DWORD value

Now, try and remove that later. I'll have to find
another Kaspersky registry editor to get rid of that.
The KAV disc wouldn't boot in the VM, so I could do surgery.

2) SChannel update. SChannel provides encryption entries
and uses named pipes. Savvy software developers keep their
own "cryptlib", so they can never be held hostage by SChannel
missing features.

3) Slight registry adjustments to enable it.

So what did I learn? Did IE8 suddenly become as
flexible as Chrome or Firefox? No.

a) Sure, it supports TLS 1.2 or TLS 1.3. Great.
It would be nice to verify this, but the "ssllabs"
site refused to work with the adulterated browser.

b) A crypto algorithm has to go with the overall protocol.
Microsoft liked their 40 bit and 128 bit methods a bit
too much. 3DES is no longer recommended. You need stronger stuff.
The SChannel update, it's Microsoft policy to "not improve things".
They can't be adding CHACHA20 or the elliptic curve
exxxxx item to the Schannel. Leaving the crusty old RSA
entries and the like, is more their speed.

I've tested one web site, which insisted on a high value of
TLS and only allowed the two named items in the previous paragraph.
That virtually guarantees a bad experience for the vast majority
of web browser users.

Things that could be missing (in no particular order)

"https everywhere": Just because the browser got TLS 1.2 or TLS 1.3,
doesn't mean the browser is going to connect to anything.
Only https to www.mozilla.org worked. I couldn't
connect to ssllabs and verify this stuff.

https://www.ssllabs.com/ssltest/viewMyClient.html FAIL

Normally, a site like that would "allow" weak
crypto, so it can "yell at you" to fix it :-)

Schannel weak crypto: At least on WinXP, they're not going to "give away"
this stuff. Browsers like Firefox, might be keeping
their cross-platform crypto inside the executable,
so there can't be any "Schannel hostage dramas".
WinXP is never going to get a patch for CHACHA20.

javascript: No idea what level of Javascript development IE8 is
stuck with. panopticlick.eff.org didn't work with IE8
when I tried, and that might have been a script problem.

HTML5: IE11 might have that, but did IE8 get any? Since the
browser test results were so poor, I can't really say.

So, yeah, I tried to patch up a Windows XP Mode virtual machine
for the test, and the results were "weak to non-existent". It
still can't display an MSN page or the like. Nothing is worse
off than before I started, so there is that. I got to discover
some of the holes on Windows XP Mode along the way (*don't*
merge the differencing disk and make a single dynamic VHD of it, it
doesn't like that). The Microsoft Windows XP Mode was so poor,
the software threw a hissy fit and *erased* the control file.
I discovered how to do (limited) backups to stop that.

The surgery was a success but the patient died.

Paul


I tried this on a VM and tested IE8 with a bunch of my regular websites.
As expected results ranged from normal to will not open, with various
displays in between. Will continue to use Palemoon which opens all of
them correctly.

Guess the main benefit of this thread for those not already aware of the
POSReady fix is the extended security updates. My VM installed 173! As
far as I can see it is booting and running as before so the patient is
alive and well.


MikeS[_3_] January 5th 20 01:50 PM

Windows XP Update
 
"Paul" wrote in message
...

The PosReady one won't install until the OS is "branded".

HKLM\SYSTEM\WPA\PosReady === New key
Installed DWORD 1 === New DWORD value

Now, try and remove that later. I'll have to find
another Kaspersky registry editor to get rid of that.
The KAV disc wouldn't boot in the VM, so I could do surgery.

Is there a particular need to remove the key?
Also is there a reason why you cannot use regedit to remove it or change the
value of the DWORD?



Mayayana January 5th 20 03:06 PM

Windows XP Update
 
"Paul" wrote

| a) Sure, it supports TLS 1.2 or TLS 1.3. Great.
| It would be nice to verify this, but the "ssllabs"
| site refused to work with the adulterated browser.
|
| b) A crypto algorithm has to go with the overall protocol.
| Microsoft liked their 40 bit and 128 bit methods a bit
| too much. 3DES is no longer recommended. You need stronger stuff.
| The SChannel update, it's Microsoft policy to "not improve things".
| They can't be adding CHACHA20 or the elliptic curve
| exxxxx item to the Schannel. Leaving the crusty old RSA
| entries and the like, is more their speed.
|

I don't know which is which with these, but are the
things you're talking about really necessary? The patch
is for support for TLS 1.1 and 1.2 on XP embedded. Why
would they offer that to businesses but not make it worth
having?

My own software that uses winhttp.dll couldn't use
TLS1.2 but does seem to use it fine with the patch
and Registry settings. (I haven't added the settings
Lu Wei is using. As far as I can tell those are designed
to allow one to disable a protocol.)
As far as I can tell, only these are needed, and actually
the server settings shouldn't be:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Interestingly, with my own software it was working fine to call
the Bing maps server but then I started getting certificate errors.
Assuming MS, like so many people, had let their cert lapse, I disabled
cert checks by default. Then it worked fine. But in my explorations
related to Unbound I came across a way to update certs. That
seems to work. I no longer have cert errors calling Bing maps
server over https, using TLS 1.2, through winhttp.dll.

I can't speak for IE8. I don't see any reason to do any of
this except to support better security in software (that wants
to use it) that depends on wininet.dll or winhttp.dll. What
kind of nut would use IE8 online when they can have FF,
New Moon, Pale Moon, etc?
I did try Acrylic with DoH after jumping through all the IE8
hoops because Acrylic is using wininet.dll. It didn't work. But
I can't tell why it didn't work. Acrylic? The update? My Acrylic
config? I gave up on that for now.

Certs update:
https://msfn.org/board/topic/175170-...or-windows-xp/

(The rundll business shouldn't be necessary. Just download
the two packages, update the SST files, and then run the
INF files.)



Paul[_32_] January 5th 20 05:09 PM

Windows XP Update
 
Mayayana wrote:
"Paul" wrote

| a) Sure, it supports TLS 1.2 or TLS 1.3. Great.
| It would be nice to verify this, but the "ssllabs"
| site refused to work with the adulterated browser.
|
| b) A crypto algorithm has to go with the overall protocol.
| Microsoft liked their 40 bit and 128 bit methods a bit
| too much. 3DES is no longer recommended. You need stronger stuff.
| The SChannel update, it's Microsoft policy to "not improve things".
| They can't be adding CHACHA20 or the elliptic curve
| exxxxx item to the Schannel. Leaving the crusty old RSA
| entries and the like, is more their speed.
|

I don't know which is which with these, but are the
things you're talking about really necessary? The patch
is for support for TLS 1.1 and 1.2 on XP embedded. Why
would they offer that to businesses but not make it worth
having?

My own software that uses winhttp.dll couldn't use
TLS1.2 but does seem to use it fine with the patch
and Registry settings. (I haven't added the settings
Lu Wei is using. As far as I can tell those are designed
to allow one to disable a protocol.)
As far as I can tell, only these are needed, and actually
the server settings shouldn't be:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Interestingly, with my own software it was working fine to call
the Bing maps server but then I started getting certificate errors.
Assuming MS, like so many people, had let their cert lapse, I disabled
cert checks by default. Then it worked fine. But in my explorations
related to Unbound I came across a way to update certs. That
seems to work. I no longer have cert errors calling Bing maps
server over https, using TLS 1.2, through winhttp.dll.

I can't speak for IE8. I don't see any reason to do any of
this except to support better security in software (that wants
to use it) that depends on wininet.dll or winhttp.dll. What
kind of nut would use IE8 online when they can have FF,
New Moon, Pale Moon, etc?
I did try Acrylic with DoH after jumping through all the IE8
hoops because Acrylic is using wininet.dll. It didn't work. But
I can't tell why it didn't work. Acrylic? The update? My Acrylic
config? I gave up on that for now.

Certs update:
https://msfn.org/board/topic/175170-...or-windows-xp/

(The rundll business shouldn't be necessary. Just download
the two packages, update the SST files, and then run the
INF files.)


This is what I used, merging this in after the rest
of the updating was done.

IE8_TLS.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a80
"ShowPunycode"=dword:00000000
"EnablePunycode"=dword:00000001
"DisableIDNPrompt"=dword:00000000
"CertificateRevocation"=dword:00000000
"WarnOnPostRedirect"=dword:00000001
"WarnonBadCertRecving"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto]
"UTF8Encoding"=dword:00000000

I would have blended in more crap, except without
feedback as to how much this improves things, I lack
the motivation to try yet more random things.

If the project felt like it was going places,
I'd have given it more of a chance.

*******

I put this in, to make the particular catalog.update.microsoft.com
download execute and install. Without this, the particular IE8 cumulative
wouldn't run (blocked by "OS check").

HKLM\SYSTEM\WPA\PosReady === New key
Installed DWORD 1 === New DWORD value

Putting that in, as far as I know, I was part of the
administrator group. But when I tried to remove it,
the XPMUser account could not remove it, I elevated
to SYSTEM using psexec and that didn't work either.
The only level left in my collection is TrustedInstaller,
and I wasn't going to bother with testing that.

Using the Kaspersky rescue CD (offline AV scanner),
it has a registry editor written for Linux that
edits some but not all registry files. But that
wasn't booting within Windows Virtual PC for some
reason. All I could see is the checksum error when
the SB16 virtual soundcard is probed, and there
were no further messages before it reset. While Kaspersky
claims that registry editor is open source, I haven't
located source for it elsewhere (to put it on some
other Linux disk or environment).

The Registry is a file system, and the entries have
permissions, and doing it from Linux, the expectation
is the permissions will be ignored.

If you leave the PosReady key, it just means that
Windows Update lists a lot of stuff that may or may
not be appropriate as a patch. Just as some newer
OS versions list patches intended for the Server
version, but matching on the consumer OS.

Paul

Mayayana January 5th 20 06:05 PM

Windows XP Update
 
"Paul" wrote


| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
| "OSVersion"=-
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
| "OSVersion"=-
|

I think those actually need to be the version, though I'm
not certain. Something like 3.5.0.0.1. There are websites
that provide the exact number. (5 for XP. 6 for Vista/7.)

I decided to back out all of that stuff after it didn't help
with wininet.dll. But I do have the schannel update, for
use with winhttp.dll. I don't see any reason for people
who are just browsing with FF to care about this stuff.
At this point it's only relevant for some 3rd-party software.

| If you leave the PosReady key, it just means that
| Windows Update lists a lot of stuff that may or may
| not be appropriate as a patch.

Yes. But I never enable Windows Update on any
machine. So I don't care. Though it's not clear to
me that people with IE8 haven't got the SCHANNEL
update. It's all very confusing and I just don't
understand enough of encryption and protocols to
understand exactly what the implications of the different
updates are.
MS says KB4019276 provides TLS1.2 support. That
seems to work for me on XP, through winhttp, having
added the POS and DisabledByDefault settings. That's
all I know for sure.
(I also had to adjust winhttp calls in my software. In
other words, getting an update to TLS1.2 for winhttp.dll
and/or wininet.dll won't make software use TLS1.2 if
that software is not expecting support and is specifically
targeting SSL or TLS1.0.)



Apd January 5th 20 07:09 PM

Windows XP Update
 
"Paul" wrote:
HKLM\SYSTEM\WPA\PosReady === New key
Installed DWORD 1 === New DWORD value

Putting that in, as far as I know, I was part of the
administrator group. But when I tried to remove it,
the XPMUser account could not remove it, I elevated
to SYSTEM using psexec and that didn't work either.


I think the reason is that the system process has a handle open on
that key (as it does for all others under WPA). You could try closing
the handle first but then the OS might panic.

The only level left in my collection is TrustedInstaller,
and I wasn't going to bother with testing that.


AFAIK, XP doesn't have TrustedInstaller.

The Registry is a file system, and the entries have
permissions, and doing it from Linux, the expectation
is the permissions will be ignored.


It's not a permissions issue. I own the PosReady key as an admin and
have full control. I also have full control of the parent.

If you leave the PosReady key, it just means that
Windows Update lists a lot of stuff that may or may
not be appropriate as a patch.


I've not noticed any unsuitable patches or updates and no new ones are
being offered. There have been a couple of problems so they may be
exceptions. One update was repeatedly offered despite failing to
install. It was a multi-processor kernel update not relevant to my
system. I had to block it in the end. The other was something that
changed ownership and/or permissions on the registry hives for the
local system and network service accounts which prevented them being
used. The OS still booted but had to create temporary directories and
files for those accounts with a bunch of errors in the event log. Of
course, being originally an XP Home edition, I didn't have access to a
file permissions dialog in explorer to correct things. I had to mess
about with PowerShell to sort it out.



MikeS[_5_] January 5th 20 08:12 PM

Windows XP Update
 
On 05/01/2020 14:06, Mayayana wrote:

Certs update:
https://msfn.org/board/topic/175170-...or-windows-xp/

(The rundll business shouldn't be necessary. Just download
the two packages, update the SST files, and then run the
INF files.)

For anyone interested in the certs update, I noticed in the extensive
comments that the originator subsequently produced a small program to
automate the process:

https://msfn.org/board/topic/175170-...omment-1110568

It avoids confusion over entering versions for the inf files and seems
to work OK although tbh I did not actually check what it did!


