#1
Windows XP Update
Has anyone successfully updated their Win XP PCs with the latest MS update?
This update was made available but not part of the standard update process. MS still supports Point Of Sale and kiosks etc. with security updates, so I believe that this update can be used on any Win XP PC. KB4316682

Could someone provide steps to do the updates, please!
#2
Windows XP Update
On 03/01/2020 20:04, Bert wrote:
> Has anyone successfully updated their Win XP PCs with the latest MS update? This update was made available but not part of the standard update process. MS still supports the Point Of Sale and kiosks etc with security updates. So I believe that this update can be used on any Win XP PC. KB4316682 Someone provide steps to do updates please !

Why do you need updates for your already unsecured crap? Just move on without the updates and keep using it until 2032, after which there is no guarantee that XP will boot up, or you might be dead.

If you want updates then you'll need that junk called Linux with its various alternatives. They give you updates every week because that junk is in perpetual beta version. Ask your question on their newsgroup as they would like to help people like you.

Windows XP, Windows Vista and Windows 7 are now considered dead. Even the people who were using them are dead. Haven't you noticed that the newsgroups for XP, Vista and 7 are completely dead because nobody is using those legacy operating systems?

Get hold of a brand new DELL machine on which you'll get a working copy of Windows 10 that still does everything an XP, Vista or 7 used to do.

--
With over 1.2 billion devices now running Windows 10, customer satisfaction is higher than any previous version of Windows.
#3
Windows XP Update
"Bert" wrote in message ... Has anyone successfully updated their Win XP PCs with the latest MS update? This update was made available but not part of the standard update process. MS still supports the Point Of Sale and kiosks etc with security updates. So I believe that this update can be used on any Win XP PC. KB4316682 Someone provide steps to do updates please ! Google the KB number and download the .exe file from Update Catalog. But I just tried it on WinXP SP3 and it will not run. Are you aware that IE8 no longer works properly on Win XP? Most websites now use https and XP no longer meets current minimum SSL/TLS levels. |
#4
Windows XP Update
"Bert" wrote
| Has anyone successfully updated their Win XP PCs with the latest MS update?
| This update was made available but not part of the standard update process.
|
| MS still supports the Point Of Sale and kiosks etc with security updates.
| So I believe that this update can be used on any Win XP PC.
|
| KB4316682
|

How did you find out about that? I just discovered it a few days ago. If you have IE8 you can run this update. It's simple. No special steps. I installed it but then removed it after I remembered why I don't use IE8: it makes OE6 crash. But other than that it seemed fine. Once done you'll get options for TLS 1.1 and 1.2 in Advanced settings. There were some Registry settings specced, but as far as I could see the update took care of all that.

Presumably you're not actually using IE8 online. But this update may still be worth it if you don't use OE. It's a 2018 version of IE8, with security updates so that POS machines can be stable despite not being eligible for IE9-11.

Why would you update if you don't use IE? Because many of the Windows networking APIs are actually just IE functions. A lot of software uses those functions, which come from urlmon.dll or wininet.dll.

But there's also another issue: you can get the update but XP doesn't have the certs. I also just found out how to update the certs:
https://msfn.org/board/topic/175170-...or-windows-xp/

Arcane, but not too involved. You download the two updates and unpack them. I used my own SFX CAB extractor but the page says WinRAR might work. Once you have them unpacked to 2 folders, use the other links to download updated versions of the SST files. Having done that, run the two INF files to complete the update of certs to the latest version.

Another update you might want is winhttp: KB4019276. Winhttp is used by a lot of programmers. Wininet has historically been used by people who didn't really know what they were doing but wanted to do something like download a webpage through their software. The methods are just IE wrapper functions. People who did know what they were doing would use winsock. But that's complicated. At some point MS saw the problem and came out with a 3rd option: winhttp.dll. Winhttp mimics the wininet functions but does them cleanly, with no IE dependency.

To update winhttp you'll want these Registry settings on XP:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Also run the update:
http://download.windowsupdate.com/c/...5e1240ce3d.exe

Win7 can also get this update. (WinXP/Vista/7 do not have native TLS1.2 support.) Win7 can get it in wininet by installing IE11. This is the fix for winhttp:

Win7-64-bit: http://www.download.windowsupdate.co...8e52a0dec0.msu
Win7-32-bit: http://www.download.windowsupdate.co...74a0654f18.msu

I'm providing the direct links because MS have become obnoxious about their updates, trying to force people to enable script so they can snoop on you.

This is a lot of info. Feel free to post back if you don't figure it all out. The gist of it is that TLS1.2 has become standard. Each version of online encryption (SSL, TLS1, TLS1.1) has gradually been cracked and a more secure version needed. So it's not a critical issue, but it's nice to get it updated. Anyone who cares about such security won't be using IE, anyway, but as I explained above, any software that's going online may be using the wininet or winhttp functions, and if they want to use secure https they'll need these updates.
#5
Windows XP Update
On 2020-1-4 4:04, Bert wrote:
> Has anyone successfully updated their Win XP PCs with the latest MS update? This update was made available but not part of the standard update process. MS still supports the Point Of Sale and kiosks etc with security updates. So I believe that this update can be used on any Win XP PC. KB4316682 Someone provide steps to do updates please !

You don't need that one; this is a cumulative update, which means you only need to install the last one:

2019-04 Cumulative Security Update for Internet Explorer 8 for POSReady 2009 for x86-based systems (KB4493435)

The enu version download link:
http://download.windowsupdate.com/d/...6f1a2ae37f.exe

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA
#6
Windows XP Update
On 2020-1-4 6:50, Mayayana wrote:
"Bert" wrote ... To enable WindowsXP TLS 1.1 & 1.2 support, I have edited a reg file, feel free to use it (prerequisite KBs are in comment): ----------------------------------------------------------------- Windows Registry Editor Version 5.00 ;Enable TLS1.1|1.2 support in WindowsXP. Install KB4019276 (which needs POSReady registry hack to install) first, then import this reg file. ;Insecure ciphers|hashes|protocols are disabled. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL] "EventLogging"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\NULL] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Hashes\MD5] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client] "Enabled"=dword:00000000 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000 ;Enabled TLS1.0 for better windows update compatibility and connecting to remote desktop of a Win7 host [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001 ;Enable TLS1.1|1.2 options of IE8 in WindowsXP. Need to install KB4019276 and the latest IE8 cumulative patch to function. 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2] "OSVersion"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1] "OSVersion"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings] "SecureProtocols"=dword:00000a80 ;Enable TLS 1.1 and TLS 1.2 as secure protocols in WinHTTP, need KB4467770 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\WinHttp] "DefaultSecureProtocols"=dword:00000a80 ------------------------------------------------------------------------------------------- But some TLS 1.1|1.2 sites will still not function in IE8, because the ciphers they use is still not supported by it, and never will. So regard KB4019276 and this only as a system patch, use other browsers instead. -- Regards, Lu Wei IM: PGP: 0xA12FEF7592CCE1EA |
#7
Windows XP Update
On 1/3/20 2:43 PM, MikeS wrote:
[snip]
> Are you aware that IE8 no longer works properly on Win XP? Most websites now use https and XP no longer meets current minimum SSL/TLS levels.

Yes, IE8 is definitely NOT a modern version. There are a lot of things it doesn't support. On XP, Firefox or Chrome would be a much better choice.

--
Mark Lloyd
http://notstupid.us/

"Few people can be happy unless they hate some other person, nation or creed." [Bertrand Russell]
#8
Windows XP Update
Bert wrote:
> Has anyone successfully updated their Win XP PCs with the latest MS update? This update was made available but not part of the standard update process. MS still supports the Point Of Sale and kiosks etc with security updates. So I believe that this update can be used on any Win XP PC. KB4316682 Someone provide steps to do updates please !

Lu Wei seems to have found the magic ingredient.

1) IE8 Cumulative of some sort (there have been a bunch).
   The PosReady one won't install until the OS is "branded".

   HKLM\SYSTEM\WPA\PosReady      === New key
       Installed  DWORD  1       === New DWORD value

   Now, try and remove that later. I'll have to find another Kaspersky registry editor to get rid of that. The KAV disc wouldn't boot in the VM, so I could do surgery.

2) SChannel update. SChannel provides encryption entries and uses named pipes. Savvy software developers keep their own "cryptlib", so they can never be held hostage by SChannel missing features.

3) Slight registry adjustments to enable it.

So what did I learn? Did IE8 suddenly become as flexible as Chrome or Firefox? No.

a) Sure, it supports TLS 1.2 or TLS 1.3. Great. It would be nice to verify this, but the "ssllabs" site refused to work with the adulterated browser.

b) A crypto algorithm has to go with the overall protocol. Microsoft liked their 40 bit and 128 bit methods a bit too much. 3DES is no longer recommended. You need stronger stuff. The SChannel update, it's Microsoft policy to "not improve things". They can't be adding CHACHA20 or the elliptic curve exxxxx item to the Schannel. Leaving the crusty old RSA entries and the like is more their speed. I've tested one web site, which insisted on a high value of TLS and only allowed the two named items in the previous paragraph. That virtually guarantees a bad experience for the vast majority of web browser users.

Things that could be missing (in no particular order):

"https everywhere": Just because the browser got TLS 1.2 or TLS 1.3 doesn't mean the browser is going to connect to anything. Only https to www.mozilla.org worked. I couldn't connect to ssllabs and verify this stuff. https://www.ssllabs.com/ssltest/viewMyClient.html FAIL. Normally, a site like that would "allow" weak crypto, so it can "yell at you" to fix it :-)

Schannel weak crypto: At least on WinXP, they're not going to "give away" this stuff. Browsers like Firefox might be keeping their cross-platform crypto inside the executable, so there can't be any "Schannel hostage dramas". WinXP is never going to get a patch for CHACHA20.

javascript: No idea what level of Javascript development IE8 is stuck with. panopticlick.eff.org didn't work with IE8 when I tried, and that might have been a script problem.

HTML5: IE11 might have that, but did IE8 get any? Since the browser test results were so poor, I can't really say.

So, yeah, I tried to patch up a Windows XP Mode virtual machine for the test, and the results were "weak to non-existent". It still can't display an MSN page or the like. Nothing is worse off than before I started, so there is that. I got to discover some of the holes in Windows XP Mode along the way (*don't* merge the differencing disk and make a single dynamic VHD of it, it doesn't like that). The Microsoft Windows XP Mode was so poor, the software threw a hissy fit and *erased* the control file. I discovered how to do (limited) backups to stop that.

The surgery was a success but the patient died.

   Paul
#9
Windows XP Update
On 05/01/2020 05:56, Paul wrote:
> Bert wrote:
>> Has anyone successfully updated their Win XP PCs with the latest MS update? This update was made available but not part of the standard update process. MS still supports the Point Of Sale and kiosks etc with security updates. So I believe that this update can be used on any Win XP PC. KB4316682 Someone provide steps to do updates please !
>
> Lu Wei seems to have found the magic ingredient.
>
> 1) IE8 Cumulative of some sort (there have been a bunch). The PosReady one won't install until the OS is "branded".
>
>    HKLM\SYSTEM\WPA\PosReady === New key
>        Installed DWORD 1 === New DWORD value
>
>    Now, try and remove that later. I'll have to find another Kaspersky registry editor to get rid of that. The KAV disc wouldn't boot in the VM, so I could do surgery.
>
> 2) SChannel update. SChannel provides encryption entries and uses named pipes. Savvy software developers keep their own "cryptlib", so they can never be held hostage by SChannel missing features.
>
> 3) Slight registry adjustments to enable it.
>
> So what did I learn? Did IE8 suddenly become as flexible as Chrome or Firefox? No.
>
> a) Sure, it supports TLS 1.2 or TLS 1.3. Great. It would be nice to verify this, but the "ssllabs" site refused to work with the adulterated browser.
>
> b) A crypto algorithm has to go with the overall protocol. Microsoft liked their 40 bit and 128 bit methods a bit too much. 3DES is no longer recommended. You need stronger stuff. The SChannel update, it's Microsoft policy to "not improve things". They can't be adding CHACHA20 or the elliptic curve exxxxx item to the Schannel. Leaving the crusty old RSA entries and the like is more their speed. I've tested one web site, which insisted on a high value of TLS and only allowed the two named items in the previous paragraph. That virtually guarantees a bad experience for the vast majority of web browser users.
>
> Things that could be missing (in no particular order):
>
> "https everywhere": Just because the browser got TLS 1.2 or TLS 1.3 doesn't mean the browser is going to connect to anything. Only https to www.mozilla.org worked. I couldn't connect to ssllabs and verify this stuff. https://www.ssllabs.com/ssltest/viewMyClient.html FAIL. Normally, a site like that would "allow" weak crypto, so it can "yell at you" to fix it :-)
>
> Schannel weak crypto: At least on WinXP, they're not going to "give away" this stuff. Browsers like Firefox might be keeping their cross-platform crypto inside the executable, so there can't be any "Schannel hostage dramas". WinXP is never going to get a patch for CHACHA20.
>
> javascript: No idea what level of Javascript development IE8 is stuck with. panopticlick.eff.org didn't work with IE8 when I tried, and that might have been a script problem.
>
> HTML5: IE11 might have that, but did IE8 get any? Since the browser test results were so poor, I can't really say.
>
> So, yeah, I tried to patch up a Windows XP Mode virtual machine for the test, and the results were "weak to non-existent". It still can't display an MSN page or the like. Nothing is worse off than before I started, so there is that. I got to discover some of the holes in Windows XP Mode along the way (*don't* merge the differencing disk and make a single dynamic VHD of it, it doesn't like that). The Microsoft Windows XP Mode was so poor, the software threw a hissy fit and *erased* the control file. I discovered how to do (limited) backups to stop that.
>
> The surgery was a success but the patient died.
>
>    Paul

I tried this on a VM and tested IE8 with a bunch of my regular websites. As expected, results ranged from normal to will not open, with various displays in between. Will continue to use Palemoon, which opens all of them correctly.

Guess the main benefit of this thread for those not already aware of the POSReady fix is the extended security updates. My VM installed 173! As far as I can see it is booting and running as before, so the patient is alive and well.
#10
Windows XP Update
"Paul" wrote in message
...
> The PosReady one won't install until the OS is "branded".
>
>    HKLM\SYSTEM\WPA\PosReady === New key
>        Installed DWORD 1 === New DWORD value
>
> Now, try and remove that later. I'll have to find another Kaspersky registry editor to get rid of that. The KAV disc wouldn't boot in the VM, so I could do surgery.

Is there a particular need to remove the key? Also, is there a reason why you cannot use regedit to remove it or change the value of the DWORD?
#11
Windows XP Update
"Paul" wrote
| a) Sure, it supports TLS 1.2 or TLS 1.3. Great.
| It would be nice to verify this, but the "ssllabs"
| site refused to work with the adulterated browser.
|
| b) A crypto algorithm has to go with the overall protocol.
| Microsoft liked their 40 bit and 128 bit methods a bit
| too much. 3DES is no longer recommended. You need stronger stuff.
| The SChannel update, it's Microsoft policy to "not improve things".
| They can't be adding CHACHA20 or the elliptic curve
| exxxxx item to the Schannel. Leaving the crusty old RSA
| entries and the like, is more their speed.
|

I don't know which is which with these, but are the things you're talking about really necessary? The patch is for support for TLS 1.1 and 1.2 on XP embedded. Why would they offer that to businesses but not make it worth having?

My own software that uses winhttp.dll couldn't use TLS1.2 but does seem to use it fine with the patch and Registry settings. (I haven't added the settings LuWei is using. As far as I can tell those are designed to allow one to disable a protocol.) As far as I can tell, only these are needed, and actually the server settings shouldn't be:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Interestingly, with my own software it was working fine to call the Bing maps server but then I started getting certificate errors. Assuming MS, like so many people, had let their cert lapse, I disabled cert checks by default. Then it worked fine. But in my explorations related to Unbound I came across a way to update certs. That seems to work. I no longer have cert errors calling the Bing maps server over https, using TLS 1.2, through winhttp.dll. I can't speak for IE8.

I don't see any reason to do any of this except to support better security in software (that wants to use it) that depends on wininet.dll or winhttp.dll. What kind of nut would use IE8 online when they can have FF, New Moon, Pale Moon, etc?

I did try Acrylic with DoH after jumping through all the IE8 hoops because Acrylic is using wininet.dll. It didn't work. But I can't tell why it didn't work. Acrylic? The update? My Acrylic config? I gave up on that for now.

Certs update:
https://msfn.org/board/topic/175170-...or-windows-xp/
(The rundll business shouldn't be necessary. Just download the two packages, update the SST files, and then run the INF files.)
#12
Windows XP Update
Mayayana wrote:
"Paul" wrote | a) Sure, it supports TLS 1.2 or TLS 1.3. Great. | It would be nice to verify this, but the "ssllabs" | site refused to work with the adulterated browser. | | b) A crypto algorithm has to go with the overall protocol. | Microsoft liked their 40 bit and 128 bit methods a bit | too much. 3DES is no longer recommended. You need stronger stuff. | The SChannel update, it's Microsoft policy to "not improve things". | They can't be adding CHACHA20 or the elliptic curve | exxxxx item to the Schannel. Leaving the crusty old RSA | entries and the like, is more their speed. | I don't know which is which with these, but are the things you're talking about really necessary? The patch is for support for TLS 1.1 and 1.2 on XP embedded. Why would they offer that to businesses but not make it worth having? My own software that uses winhttp.dll couldn't use TLS1.2 but does seem to use it fine with the patch and Registry settings. (I haven't added the settings LuWei is using. As far as I can tell those are designed to allow one to disable a protocol. As far as I can tell, only these are needed, and actually the server settings shouldn't be: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady] "Installed"=dword:00000001 Interestingly, with my own software it was working fine to call the Bing maps server but then I started getting certificate errors. 
Assuming MS, like so many people, had let their cert lapse, I disabled cert checks by default. Then it worked fine. But in my explorations related to Unbound I came across a way to update certs. That seems to work. I no longer have cert errors calling Bing maps server over https, using TLS 1.2, through winhttp.dll. I can't speak for IE8. I don't see any reason to do any of this except to support better security in software (that wants to use it) that depends on wininet.dll or winhttp.dll. What kind of nut would use IE8 online when they can have FF, New Moon, Pale Moon, etc? I did try Acrylic with DoH after jumping through all the IE8 hoops because Acrylic is using wininet.dll. It didn't work. But I can't tell why it didn't work. Acrylic? The update? My Acrylic config? I gave up on that for now. Certs update: https://msfn.org/board/topic/175170-...or-windows-xp/ (The rundll business shouldn't be necessary. Just download the two packages, update the SST files, and then run the INF files.) This is what I used, merging this in after the rest of the updating was done. IE8_TLS.reg Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2] "OSVersion"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1] "OSVersion"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings] "SecureProtocols"=dword:00000a80 "ShowPunycode"=dword:00000000 "EnablePunycode"=dword:00000001 "DisableIDNPrompt"=dword:00000000 "CertificateRevocation"=dword:00000000 "WarnOnPostRedirect"=dword:00000001 "WarnonBadCertRecving"=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings\Protocols\Mailto] "UTF8Encoding"=dword:00000000 I would have blended in more crap, except without feedback as to how much this improves things, I lack the motivation to try yet more random things. 
If the project felt like it was going places, I'd have given it more of a chance. ******* I put this in, to make the particular catalog.update.microsoft.com download execute and install. Without this, the particular IE8 cumulative wouldn't run (blocked by "OS check"). HKLM\SYSTEM\WPA\PosReady === New key Installed DWORD 1 === New DWORD value Putting that in, as far as I know, I was part of the administrator group. But when I tried to remove it, the XPMUser account could not remove it, I elevated to SYSTEM using psexec and that didn't work either. The only level left in my collection is TrustedInstaller, and I wasn't going to bother with testing that. Using the Kaspersky rescue CD (offline AV scanner), it has a registry editor written for Linux that edits some but not all registry files. But that wasn't booting within Windows Virtual PC for some reason. All I could see is the checksum error when the SB16 virtual soundcard is probed, and there were no further messages before it reset. While Kaspersky claims that registry editor is open source, I haven't located source for it elsewhere (to put it on some other Linux disk or environment). The Registry is a file system, and the entries have permissions, and doing it from Linux, the expectation is the permissions will be ignored. If you leave the PosReady key, it just means that Windows Update lists a lot of stuff that may or may not be appropriate as a patch. Just as some newer OS versions list patches intended for the Server version, but matching on the consumer OS. Paul |
#13
Windows XP Update
"Paul" wrote
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
| "OSVersion"=-
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
| "OSVersion"=-
|

I think those actually need to be the version, though I'm not certain. Something like 3.5.0.0.1. There are websites that provide the exact number. (5 for XP. 6 for Vista/7.)

I decided to back out all of that stuff after it didn't help with wininet.dll. But I do have the schannel update, for use with winhttp.dll. I don't see any reason for people who are just browsing with FF to care about this stuff. At this point it's only relevant for some 3rd-party software.

| If you leave the PosReady key, it just means that
| Windows Update lists a lot of stuff that may or may
| not be appropriate as a patch.

Yes. But I never enable Windows Update on any machine. So I don't care. Though it's not clear to me that people with IE8 haven't got the SCHANNEL update. It's all very confusing and I just don't understand enough of encryption and protocols to understand exactly what the implications of the different updates are. MS says KB4019276 provides TLS1.2 support. That seems to work for me on XP, through winhttp, having added the POS and DisabledByDefault settings. That's all I know for sure.

(I also had to adjust winhttp calls in my software. In other words, getting an update to TLS1.2 for winhttp.dll and/or wininet.dll won't make software use TLS1.2 if that software is not expecting support and is specifically targeting SSL or TLS1.0.)
#14
Windows XP Update
"Paul" wrote:
>    HKLM\SYSTEM\WPA\PosReady === New key
>        Installed DWORD 1 === New DWORD value
>
> Putting that in, as far as I know, I was part of the administrator group. But when I tried to remove it, the XPMUser account could not remove it. I elevated to SYSTEM using psexec and that didn't work either.

I think the reason is that the system process has a handle open on that key (as it does for all others under WPA). You could try closing the handle first, but then the OS might panic.

> The only level left in my collection is TrustedInstaller, and I wasn't going to bother with testing that.

AFAIK, XP doesn't have TrustedInstaller.

> The Registry is a file system, and the entries have permissions, and doing it from Linux, the expectation is the permissions will be ignored.

It's not a permissions issue. I own the PosReady key as an admin and have full control. I also have full control of the parent.

> If you leave the PosReady key, it just means that Windows Update lists a lot of stuff that may or may not be appropriate as a patch.

I've not noticed any unsuitable patches or updates and no new ones are being offered. There have been a couple of problems so they may be exceptions. One update was repeatedly offered despite failing to install. It was a multi-processor kernel update not relevant to my system. I had to block it in the end. The other was something that changed ownership and/or permissions on the registry hives for the local system and network service accounts, which prevented them being used. The OS still booted but had to create temporary directories and files for those accounts, with a bunch of errors in the event log. Of course, being originally an XP Home edition, I didn't have access to a file permissions dialog in Explorer to correct things. I had to mess about with Powershell to sort it out.
#15
Windows XP Update
On 05/01/2020 14:06, Mayayana wrote:
> Certs update:
> https://msfn.org/board/topic/175170-...or-windows-xp/
> (The rundll business shouldn't be necessary. Just download the two packages, update the SST files, and then run the INF files.)

For anyone interested in the certs update, I noticed in the extensive comments that the originator subsequently produced a small program to automate the process:
https://msfn.org/board/topic/175170-...omment-1110568

It avoids confusion over entering versions for the inf files and seems to work OK, although tbh I did not actually check what it did!