Official bug reporting thread

Status
This old topic is closed. If you want to reopen this topic, contact a moderator using the "Report Post" button.
Administrator
Joined 2007
Paid Member

Switches things on and off again
Joined 2000
Paid Member
Ok... have spent an hour researching this now.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH is the key error.

The problem is that Windows XP doesn't support any modern ciphers or SNI. I just looked at our stats, and 1.6% of visits to diyAudio are from WindowsXP.

Windows XP End of Support

After 12 years, support for Windows XP ended April 8, 2014. Microsoft will no longer provide security updates or technical support for the Windows XP operating system.

PCs running Windows XP after April 8, 2014, are not considered secure.

It's possible for us to downgrade and open up insecure Ciphers, but this then appears to break many more modern browsers due to some SSL/Cipher incompatibilities. I've been unable to activate SSLv3 with XP compatible Ciphers, while not breaking other things.

I may ask for an SSL expert to assist and see if there is a workaround, but I've tried a half dozen recommended ssl_protocols / ssl_ciphers combinations now (then testing with SSLLabs). So, we have a choice between breaking the security of the site for 1.6% of visitors, and having a buggy and insecure end-of-life Microsoft OS work for those computers. It's a tough one, but I think I'm going to pull the plug on WindowsXP. The workarounds to support it are to the detriment of modern browsers.

Average time to infection: 4 minutes - TechBlog

It takes an average of 4 minutes for a fresh WindowsXP computer connected to the internet to become infected by Malware, which is less time than it takes to download the latest security patches. That article was from 2008, I assume it's much quicker now. It's a mess, I suggest we draw a line in the sand. If you can give me any good reason why anyone in 2018 should be using WindowsXP, let me know. The internet has changed, it's much more dangerous than it was a decade ago. Running Windows XP you are literally asking for malware and cryptolockers to ruin your day. If I can find a workaround, I'll implement it though, no problem.

I'm confused about why you can access the site at all, but it's possible that once we switch to true SSL only (next week), diyaudio.com will be completely inaccessible from an incompatible browser.

More information about why we need to block SSLv3: Disable SSLv3
 

PRR

Member
Joined 2003
Paid Member
...It takes an average of 4 minutes for a fresh WindowsXP computer connected to the internet to become infected by Malware, which is less time than it takes to download the latest security patches. That article was from 2008, I assume it's much quicker now. ....

No. I DO recall those days. Even behind firewalls it was brutal setting-up a machine.

But by the end of XP's life that particular (XP-specific) malware was nearly extinct as 90++% of its hosts got protection or became Vista and Win7 (or linux...).

I am very trailing-edge. But I took all my XP machines off-line 2 years ago.

WinXP browsing seems to have fallen below 2% globally last year. Your 1.6% observation is right along that trend. XP still has large share in a few parts of the world. I could see supporting it if the fix is easy. But if the core is no longer secure against modern malware, and XP's end-time is past, I can't see doing a lot of shoveling to keep it going.
 
Switches things on and off again
Joined 2000
Paid Member
I have done some Googling, and can't seem to find a definitive answer, but it points towards both FireFox and Chrome having a working TLS1.2 version before they ended support for XP. So if the fix is "Use Chrome or Firefox instead of IE on XP", and it means you can still use XP, then I think that's a suitable work around.

FireFox: Important - Firefox has ended support for Windows XP and Vista | Firefox Help, with mention of last version being 52.9.0esr, which is available here: Directory Listing: /pub/firefox/releases/52.9.0esr/
 
Switches things on and off again
Joined 2000
Paid Member
Good find Donny. That's a great service I didn't know about. We do use Cloudflare for DNS, but don't currently use Cloudflare for our dynamic content. Moving to a paid Cloudflare plan just for this would be no problem (it's not offered on their free plan), but configuring cloudflare to correctly cache (and not cache) our dynamic content is not on the cards currently due to the (perceived, expected) complexities involved in creating rulesets. Might not be that hard, I just haven't had any reason to pursue that to date and we're fine with caching all static content. I'll add investigating this to my todo list. Thanks for the tip.
 
Switches things on and off again
Joined 2000
Paid Member
I've just had a look and the setup process appears to be non-trivial, with some mods required and will probably increase latency for dynamic pages to the 98.4% of people who don't need this. I'll investigate further as time allows.

In the meantime, the recommended fix for XP is to use FireFox: Directory Listing: /pub/firefox/releases/52.9.0esr/
 
Switches things on and off again
Joined 2000
Paid Member
Hello.
The last two-three days, when I enter the site through a Win XP computer

Can you try this? I've now enabled TLS1.0 but I can't tell if that's going to work with <IE9+XP.

https://warwick.ac.uk/services/its/servicessupport/web/sign-on/help/enable-tls/

  1. In Internet Explorer 6, go to Tools > Internet Options.
  2. Select the Advanced tab.
  3. Scroll down to the Security section. (It's at the bottom of the list of settings.)
  4. Select the checkbox Use TLS 1.0
  5. Click apply, then OK

Again, strongly suggest you switch to Firefox, if nothing else but for your own safety.
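The version, cipher and SNI problems discussed in the posts above can be modelled in a few lines. This is an added example, not part of the original thread and not diyAudio's configuration: the client and server profiles, host names and the `negotiate` helper are constructed, simplified assumptions.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

# Constructed, simplified client profiles (assumptions, not captured handshakes).
LEGACY = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
MODERN = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
CLIENTS = {
    "ie6_xp_default": {"versions": {"SSLv3"}, "ciphers": LEGACY, "sni": False},
    "ie6_xp_tls10_on": {"versions": {"SSLv3", "TLSv1.0"}, "ciphers": LEGACY,
                        "sni": False},
    "firefox_52esr_xp": {"versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
                         "ciphers": MODERN + LEGACY[1:], "sni": True},
}

# Constructed server policies (assumptions, not the site's real settings).
SERVERS = {
    "modern_only": {"versions": {"TLSv1.2"}, "ciphers": MODERN},
    "tls10_enabled": {"versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
                      "ciphers": MODERN + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
}


def negotiate(client, server, host, default_cert_host):
    """Return (outcome, version, cipher) for one simulated handshake.

    Simplification: per-version cipher restrictions are not modelled.
    """
    shared_versions = client["versions"] & server["versions"]
    # Server preference order picks the cipher among those the client offered.
    cipher = next((c for c in server["ciphers"] if c in client["ciphers"]), None)
    if not shared_versions or cipher is None:
        return ("version_or_cipher_mismatch", None, None)
    version = max(shared_versions, key=VERSIONS.index)
    # Without SNI the server cannot tell which virtual host is wanted and
    # presents its default certificate, which may be for another name.
    cert_host = host if client["sni"] else default_cert_host
    if cert_host != host:
        return ("certificate_name_mismatch", version, cipher)
    return ("ok", version, cipher)


def matrix(host="forum.example", default_cert_host="www.example"):
    """Run every constructed client against every constructed server policy."""
    return {(c, s): negotiate(CLIENTS[c], SERVERS[s], host, default_cert_host)
            for c in CLIENTS for s in SERVERS}


if __name__ == "__main__":
    for (c, s), result in matrix().items():
        print(f"{c:18} vs {s:14} -> {result}")
```

In this model, ticking "Use TLS 1.0" gets the IE6 profile past version negotiation against the TLS 1.0 policy, but the missing SNI still leaves it with a certificate for the wrong name.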
 

Just another Moderator
Joined 2003
Paid Member
The wonderful world of Windows XP ssl ;) Good to see it is down to 1.6% That means that finally it will be possible to do ssl virtual hosts without wildcard certs!! I ran into that problem about 8 years ago. Worked fine on Windows 7, but not XP (and it was an OS level thing). At that time there was still a staggeringly high percentage of windows XP browsers out there.

Even TLS1.0 is now regarded as unsafe. It won't be long before the recommendation is to turn off all but TLS1.2. The last few years have been a nightmare at work with request after request from the risk team to turn off SSL versions, TLS versions, old cyphers, etc. We had some funny situations where we were told we had to turn off pretty much ALL of the things on the webserver and we said, but if we do that we might as well just shut down the site completely! I think we were running apache 2.0 and it didn't support the only version that risk said we were allowed to run.

The funny thing is, some of the vulnerabilities do not put the server at risk at all. It is really only the client that is at risk, but the recommendation is to disable the stuff to protect those who don't know how (or want to) protect themselves.

So I guess the balance point is if there is no risk to the site enabling something, and only the end user is at risk, do you take the stance of well I won't let them view it because it might force them to fix their end, or do you take the stance, Well I'm not at risk, if they choose to put themselves at risk then that is their business.

It's a brave new world out there!!

Tony.
 
Firefox and Avira were the last resort for WXP. Still work! A couple of months ago I moved to W7 though. I don't feel much safer to be honest... WXP would "show" me if something was running in the background. I mean, not much could stay hidden, I think. Revisiting Ubuntu after almost a decade it was a big disappointment to find that it is nowhere close to what I was remembering. But I have to admit that most probably I am the least qualified internet user in this forum
 

Member
Joined 2002
Paid Member
Kostas, most probably you are above me in the qualification scale:D
Now I have to apologise to Jason for making him spend his time chasing the problem I posted.
I am using Win XP SP3 and the browsers that cause problems with the site are Chrome 49.02623.112 and IE6. The IE8 does not open the site at all.
The Firefox 52.90esr and the K-Meleon 1.54 work fine.
I slowly build up on a Win 7 PC which will be the PC for communication.
The XP engine will move down to the lab where it will work off-line.
I use the XP due to compatibility with drivers of various aged hardware I use (soundcards, data acquisition units, digitisers, scanners, printer etc.).

George
 
George, my first impression is that Win XP runs offline applications at least equally fast and stable as Win 7. The problem is that it gradually gets disabled on the internet. For example, I already cannot watch HTML5 videos. As for safety, I can't tell. It's a fact though that I got away using Win XP to access my bank account as well as EOPYY system (national health care system) until the end of July 2018.
 
Member
Joined 2002
Paid Member
XP is very robust as was the last version of NT
One thing I certainly hate is building brick by brick the software of a computer.
I do it again now due to the “banning” of XP on the internet.
One thing that was advantageous though with the disabling of XP on the internet was that I was not allowed to view Stereophile.com site :no:

George
 
Switches things on and off again
Joined 2000
Paid Member
I have now implemented a detection page for WindowsXP users that will throw them to http://noxp.diyaudio.com which gives them a direct download link for the FireFox version that they can use to browse diyAudio and other websites that do not support SSLv3 and require SNI.

It's hard for me to test (I've faked the user agent and it works for me) but if anyone with XP can tell me that is working for them (successfully redirecting to http://noxp.diyaudio.com) that would be good to know.
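A sketch of the kind of User-Agent check such a detection page could use. This is an added example, not the site's actual code: the routing policy (letting XP clients through if they already run Firefox 52 or later) and the sample User-Agent strings are assumptions constructed for illustration.

```python
import re

NOXP_URL = "http://noxp.diyaudio.com"   # landing page named in the thread
MIN_FIREFOX = 52                        # 52.9.0esr is the build the thread recommends

# "Windows NT 5.1" is 32-bit XP; "Windows NT 5.2" covers XP x64 (and Server 2003).
XP_TOKEN = re.compile(r"Windows NT 5\.[12]\b")
FIREFOX = re.compile(r"\bFirefox/(\d+)")


def route(user_agent):
    """Return ("redirect", url) or ("serve", None) for one request.

    Assumed policy: XP clients go to the help page unless they already run
    Firefox >= MIN_FIREFOX. The header is client-supplied and trivially
    faked, so this is a usability aid, not a security control.
    """
    ua = user_agent or ""
    if not XP_TOKEN.search(ua):
        return ("serve", None)
    m = FIREFOX.search(ua)
    if m and int(m.group(1)) >= MIN_FIREFOX:
        return ("serve", None)
    # A client that cannot complete the TLS handshake never sends a
    # User-Agent over HTTPS, so it only reaches this branch on plain HTTP.
    return ("redirect", NOXP_URL)


# Constructed sample headers (not taken from the site's logs).
SAMPLES = {
    "ie6_xp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "chrome49_xp": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
    "firefox3_xp": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
                   "Gecko/20100115 Firefox/3.6",
    "firefox52_xp": "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0",
    "firefox52_xp64": "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:52.0) "
                      "Gecko/20100101 Firefox/52.0",
    "chrome_win7": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
}


def route_samples():
    """Apply route() to every constructed sample header."""
    return {name: route(ua) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in route_samples().items():
        print(f"{name:15} -> {decision}")
```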
 
Member
Joined 2002
Paid Member
Thank you Jason.
The detection page works for Win XP SP3. :up:
If you would like to change the mozilla download link to the following which is more user friendly, the less IT capables (like me) will be eased :)

Mozilla Firefox Web Browser — Download Firefox in your language — Mozilla

>Edit: In that link, the proper download for current XP users is under the "Windows 32-bit" column heading

George
 
Switches things on and off again
Joined 2000
Paid Member
Thank you Jason.
The detection page works for Win XP SP3. :up:
If you would like to change the mozilla download link to the following which is more user friendly, the less IT capables (like me) will be eased :)

Mozilla Firefox Web Browser — Download Firefox in your language — Mozilla

>Edit: In that link, the proper download for current XP users is under the "Windows 32-bit" column heading

George

I believe Osvaldo is running a 64bit XP, so I'm pretty sure he'll need the 64 bit download of Firefox.

I also got the impression that version (52.9ESR) of Firefox was the last that would work with XP. But it looks like it works up until Firefox 62, though hard to tell if they make the break at 62 or 62 will be the last to work with XP.

Firefox finally casts Windows XP users adrift – Naked Security
The End of Firefox Windows XP Support – chuttenblog

At the same time, on the Extended Support Release channel, we released Firefox ESR 60.2 and stopped supporting Firefox ESR 52: the final version of Firefox with Windows XP support.

That’s millions of users we kept safe on the internet despite running a nearly-17-year-old operating system whose last patch was over 4 years ago. And now we’re wishing these users the very best of luck.… and that they please oh please upgrade so we can go on protecting them into the future.

Important - Firefox has ended support for Windows XP and Vista | Firefox Help

Firefox version 52.9.0esr was the last supported release for Windows XP and Windows Vista. No further security updates will be provided for those systems.

I'm a little confused, but definitely looks like we can't send people to the main Firefox download page. I am still of the belief that 52.9ESR is the last version of FireFox that will run on XP.
 