Koozali.org: home of the SME Server

cannot access server https with ie6 on windows 2000 os

Offline CharlieBrady

Re: cannot access server https with ie6 on windows 2000 os
« Reply #15 on: January 16, 2016, 05:58:25 AM »
I would search for 'letsencrypt' on the wiki and bugzilla.

The procedure purvis has found is a *much* simpler and more reliable way to generate a new self-signed certificate.

guest22

Re: cannot access server https with ie6 on windows 2000 os
« Reply #16 on: January 16, 2016, 06:56:20 AM »
Quote
I am sorry that I overlooked 2 computers running Windows XP with IE6 were not having issues on my workstations that I use to control the SME server.


It seems to me that it is SME Server that is controlling your old machines ;-)

Offline DanB35

Re: cannot access server https with ie6 on windows 2000 os
« Reply #17 on: January 16, 2016, 02:01:03 PM »
Quote
I would search for 'letsencrypt' on the wiki and bugzilla.
We don't yet have a working method of using letsencrypt with SME 8.

Offline purvis

Re: cannot access server https with ie6 on windows 2000 os
« Reply #18 on: January 19, 2016, 09:08:34 PM »
I tried many things and spent a lot of time.
I needed to upgrade the 2000 machines to XP.
It just takes a lot of work but needed anyways to get a few things running like USB 3 and SATA SSD drives working on newer drive interfaces.
But I do try to work out problems. You never know what knowledge of a problem you will need later.

As far as other browsers go.
There is a portable version of Firefox that should work and I have finally found ways of locking it down to selected sites.
Once again, on Windows XP, Internet Explorer version 6 does work. For now.

I looked at the letsencrypt and maybe it is the problem. I do not understand all things on web server software when the encryption comes to play.
As far as I can tell. I think it might be user agent being received by SME or that windows 2000 does not support the encryption method.
But I am going to give it up and upgrade my backup machines.

Thank you all for the help
paul
« Last Edit: January 21, 2016, 10:50:31 AM by purvis »

Offline DanB35

Re: cannot access server https with ie6 on windows 2000 os
« Reply #19 on: January 21, 2016, 03:27:21 PM »
Is 2000 -> XP an upgrade?

Offline Stefano

Re: cannot access server https with ie6 on windows 2000 os
« Reply #20 on: January 21, 2016, 04:57:55 PM »
Quote
But i am going to give it up and upgrade my backup machines

so you're using an old machine with an old os just as target for your backups? and you need a browser?
well.. install any small linux distro with a minimal DE and you're done

Offline janet

Re: cannot access server https with ie6 on windows 2000 os
« Reply #21 on: January 21, 2016, 10:45:01 PM »
Stefano & all

I see many comments over the years advising, suggesting, & even "gently" castigating users for continuing to use old operating systems & old versions of software, some of which are considered to, and do, have security vulnerabilities.

There are many situations where old equipment needs to be kept operational.
ie
Personal preference
Personnel & staff familiarity & a resulting heavy financial & time cost to retrain users
Operating system compatibility with motherboards & chipsets (meaning newer OSes will not run on older equipment, particularly re Windows, thus requiring expensive purchase of new workstation hardware to run a new version of Windows to allow the use of a new & expensive software application)
High cost of purchasing specialised purpose specific commercial software for which there are no "free or GNU" versions, which leads to retaining such old software where it is still capable of performing the basic functions (albeit without newer whistles & bells or interfaces).
Use on protected or secure networks (or even internal LAN use only), where software is considered "relatively safe" to use, despite having vulnerabilities & no available bug or security updates eg the browser scenario mentioned recently. Of course the way users use the old browser or OS is also a consideration eg wise or unwise usage patterns.
Desired continued use of old expensive ancillary hardware eg various types of scanners where the "world famous" & "filthy rich" brand name manufacturers refuse to release driver software updates, thus requiring users to keep old hardware & OSes functional to avoid trashing perfectly good hardware peripherals. I think Microsoft & Intel & Hewlett Packard & various other big name manufacturers have a lot to answer for when they get to heaven (for those who believe in that concept).

I realise virtualisation could often be used but that is simply not always practical in many cases.

The list can probably go on & on, but there are many reasons & factors why old stuff is kept in service beyond its normally accepted lifespan. Everybody's situations are different and what works or does not work for one cannot always be considered as appropriate for another person & their situation.

I should probably just add that some people only want & really do need the latest & greatest & are quite happy to upgrade & pay for it. Others are quite happy to keep older devices & equipment & are perfectly happy with functional limitations & do not really need the latest & greatest.
I'm still using everything from & to iPhone 3G, iPhone 5 & Samsung S5, & Windows 2000, XP, Vista, 7 & 8.1 on old Celeron 500 to Surface Pro, because I need to & because they still work/do what I want & need.



Offline purvis

Re: cannot access server https with ie6 on windows 2000 os
« Reply #22 on: January 22, 2016, 03:26:52 AM »
Hi all,
Yes, I hate to give up and I did find out what seemed to happen.
I might be a little off on my explanation but I will hope what I write can be understood even if I am off with some terminology.

There has been a change to the security by using the SHA256 algorithm for certificate signing by many websites (https).

I am running a self signing certificate and I do not use any other SSL certificate and will not talk about anything but the self signing certificate built into SME server 8.2.

Somewhere within the last year, there was a change in SME 8.x (the version of server I am running is 8.2) that creates the self signing certificate.
The latest SME software that I have creates a certificate using the SHA2/SHA256 algorithm.
The server was creating a certificate with the SHA1 algorithm at some point when SME 8.0 or SME 8.1 came out.
So on Windows 2000, IE6 does not support SHA2/SHA256.
Starting with Windows XP SP3, IE6 does support SHA2/SHA256.
At some point in time, the server will create a new certificate when the current certificate expires.
The new certificate will be using SHA256 and not SHA1.
I found out a file that has something to do with creating the certificate.
/etc/e-smith/templates/home/e-smith/ssl.crt
inside of the ssl.crt file there is a line that reads like this:
  qw(-sha256 -x509 -days), KEYLIFEINDAYS,

but used to be:
  qw(-sha1 -x509 -days), KEYLIFEINDAYS,
creating self ssl signed certificates to SHA1

TO CREATE SHA1 SSL SIGNED CERTIFICATES READ A FEW POSTS FOLLOWING.

In the wiki pages for SME 8.0
http://wiki.contribs.org/SME_Server:8.0
There reads a line of "Improve security by using SHA1 algorithm for certificate signing."

In the wiki pages for SME 9.1 in the section of other fixes and updates
http://wiki.contribs.org/SME_Server:9.1
There reads a line of "Use sha256 algorithm for signature of SSL cert."

Somehow sha256 got changed in the sme 8.x server whether on purpose or accident.
But I did learn a few things about all this.
I did not discover this until trying to use the server-manager webpage from my backup computer which was using windows 2000.

Here is another web page that may help out with ssl certificates using sha256
https://luxsci.com/blog/new-ssl-certificates-sha256-and-backwards-incompatibility-what-to-do.html

I was also able to use this webpage to look at my servers using Firefox web browser.
https://www.ssllabs.com/ssltest/

I am hoping that someone who knows more about all the effects of the changing from sha1 to sha256 will make an explanation of some sort.
So until I can get my computers over to Windows XP SP3, I have made the change back to sha1.
I have my workstation computers restricted to certain internet web site usage and on the windows 2000 machines, I am the only one who uses those computers.
Oh well, changes come in life, but I would rather they happen to other people.
« Last Edit: January 22, 2016, 10:15:00 AM by purvis »

Offline purvis

Re: cannot access server https with ie6 on windows 2000 os
« Reply #23 on: January 22, 2016, 03:30:44 AM »
to DanB35
I never do an upgrade on Windows computers.
I always install a fresh Windows OS when changing Windows OS.
I might test doing upgrades but I have never liked them because things seem to break.

Offline DanB35

Re: cannot access server https with ie6 on windows 2000 os
« Reply #24 on: January 22, 2016, 03:51:29 AM »
There's some discussion on the letsencrypt.org forums about WinXP compatibility (which I'm not following very closely, as I don't use XP), and it seems to suggest that you might have better compatibility with Firefox than with IE.

Offline CharlieBrady

Re: cannot access server https with ie6 on windows 2000 os
« Reply #25 on: January 22, 2016, 08:08:33 AM »
Quote
you can edit the ssl.crt file using this command line.
nano /etc/e-smith/templates/home/e-smith/ssl.crt

No, you shouldn't do that. You should create a custom template, and edit that. [You've been around long enough you should know this already.]

mkdir -p  /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/
nano /etc/e-smith/templates-custom/home/e-smith/ssl.crt

Offline purvis

Re: cannot access server https with ie6 on windows 2000 os
« Reply #26 on: January 22, 2016, 09:01:00 AM »
Thank you Charlie.
Thank you for chiming in.
Yes I have been around a long time.
But still understanding and creating custom templates gives me the heebie jeebies!
I will try your fine knowledge and clean up some written comments to not lead others astray.
But the method I used did work and I am glad your method should stick from allowing future updates changing the ssl certificate from sha1 to sha256.

Thanks again Charlie.
Have a good weekend.
« Last Edit: January 22, 2016, 10:05:13 AM by purvis »

Offline purvis

Re: cannot access server https with ie6 on windows 2000 os
« Reply #27 on: January 22, 2016, 10:26:00 AM »
Following Charlie Brady's suggestion on how to change the SSL Signed Certificate to SHA1 rather than SHA256 using a custom template for SME 8.

This worked for me.

create and make the change from SHA256 to SHA1 to allow for older browsers to access https on the sme server
change -sha256 to -sha1 in the ssl.crt file in the custom templates
make the change in the ssl.crt file line
from:
        qw(-sha256 -x509 -days), KEYLIFEINDAYS,
to:
        qw(-sha1 -x509 -days), KEYLIFEINDAYS,
basically just editing -sha256 to -sha1
 
Code:
mkdir -p  /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/
nano /etc/e-smith/templates-custom/home/e-smith/ssl.crt


erase current signed certificates prior to rebooting
not sure if this is needed but I erased previous ssl certificate files.
Code:
rm /home/e-smith/ssl.*/*

to rebuild SSL signed certificates during a reboot of the server
Code:
signal-event post-upgrade; signal-event reboot
« Last Edit: January 22, 2016, 11:43:10 PM by purvis »
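
A way to confirm which digest a regenerated certificate is actually signed with, as an added example that is not part of the posts above or of SME Server itself. The function names and the throwaway sample certificate are constructed here; the certificate files to inspect are passed as arguments.

```sh
#!/bin/sh
# Added example: report which digest a certificate was signed with.

# cert_sig_alg FILE: print the signature algorithm of a PEM certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# classify_sig_alg NAME: map an OpenSSL algorithm name to the two cases
# discussed in the thread (SHA-1 versus SHA-2 signatures).
classify_sig_alg() {
    case "$1" in
        sha1*|*-SHA1|*WithSHA1) echo "sha1" ;;
        sha256*|sha384*|sha512*|*-SHA256|*-SHA384|*-SHA512) echo "sha2" ;;
        "") echo "unreadable" ;;
        *) echo "other" ;;
    esac
}

# make_sample_cert DIGEST DIR: constructed throwaway self-signed certificate
# (the CN is a placeholder), written to DIR/sample.crt for offline testing.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes "-$1" -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$2/sample.key" -out "$2/sample.crt" 2>/dev/null
}

# report FILE: one line per certificate, e.g. for a periodic check.
report() {
    alg=$(cert_sig_alg "$1")
    echo "$1: ${alg:-?} [$(classify_sig_alg "$alg")]"
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the certificate files to inspect as arguments.
    for f in "$@"; do report "$f"; done
else
    # No arguments: demonstrate on a constructed SHA-256 certificate.
    tmp=$(mktemp -d)
    make_sample_cert sha256 "$tmp" && report "$tmp/sample.crt"
    rm -rf "$tmp"
fi
```

Run after the certificate has been rebuilt, this shows whether the `-sha1` or `-sha256` setting in the template actually took effect.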