Windows XP, Chrome 48 and RC4

google-chrome, windows-xp

I have recently updated to HTTPS, without supporting RC4.

We have one or two customers that cannot access our site, and are getting the error 'A secure connection cannot be established because this site uses an unsupported protocol or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.'

They are all on XP, but running the latest Chrome.

How can I get around this? Bearing in mind we don't support RC4, the Chrome error message isn't very helpful.

I'm assuming there is a problem with Windows XP and any new browser trying to access any HTTPS site that does not support RC4 – surely there is a workaround, as a large chunk of people are still running XP?

Best Answer

Your site needs to support a cipher that is available in Windows XP, which is why you are getting the cipher suite mismatch. Your SSL Labs test report lists the following ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)         ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)         ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)            ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)         ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)         ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)            ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)           ECDH secp256r1 (eq. 3072 bits RSA)   FS   112
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256 (P)
(P) This server prefers ChaCha20 suites with clients that don't have AES-NI (e.g., Android devices)

Here are the supported TLS cipher suites in Windows XP/Server 2003.

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA

https://msdn.microsoft.com/en-us/library/windows/desktop/aa380512(v=vs.85).aspx

Your site won't work from Windows XP at all. You need to add one of the supported suites if you want to support Windows XP. The one most commonly used seems to be the aforementioned TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Edit to add: I just noticed you're using CloudFlare. Make sure you read the SSL FAQ and the Legacy Browser support articles.

https://support.cloudflare.com/hc/en-us/articles/214770928-Legacy-Browser-Support

I know Chrome is a modern browser, but as I said before, it uses the Windows libraries for whatever OS it is running on, and TLS/SNI support wasn't introduced until Windows Vista. So if you disable legacy browser support in CloudFlare, you will break Chrome on XP as well, because your site will only be accessible from browsers that support SNI.
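The "no shared cipher suite" condition the answer describes, as an added example (not the answerer's code and not from any SSL Labs tool): a small Python model of server-preference cipher selection run over the two suite lists quoted above, plus a check that the suggested fix does not reintroduce RC4, export or NULL suites. It assumes the server also holds an RSA certificate, which any TLS_RSA_* suite requires.

```python
# Added example: models how a TLS server that honours its own preference order
# picks a cipher suite, using the server list printed by SSL Labs and the
# Windows XP / Server 2003 Schannel list quoted in the answer.
from typing import Iterable, List, Optional

SERVER_SUITES = [  # as listed by SSL Labs for the site in the question
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]

XP_SUITES = [  # Windows XP / Server 2003 Schannel, from the answer
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_WITH_NULL_SHA",
]

# Substrings that mark suites a server should never enable (note "_DES_" does
# not match the "_3DES_" suites, which are the only XP options left).
WEAK_MARKERS = ("_RC4_", "_EXPORT", "_NULL_", "_DES_", "_RC2_", "_MD5")

def is_weak(suite: str) -> bool:
    """True for RC4, export-grade, NULL, single DES, RC2 and MD5 suites."""
    return any(m in suite for m in WEAK_MARKERS)

def negotiate(client: Iterable[str], server: Iterable[str]) -> Optional[str]:
    """First suite in *server* preference order the client also offers, or None.
    None is exactly the handshake failure behind Chrome's error message."""
    offered = set(client)
    return next((s for s in server if s in offered), None)

def xp_compatible_config(server: List[str]) -> List[str]:
    """Append TLS_RSA_WITH_3DES_EDE_CBC_SHA at lowest preference, as the answer
    suggests. Assumption: an RSA certificate is installed alongside the ECDSA one."""
    return server + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

def audit(server: List[str]) -> List[str]:
    """Weak suites present in a config, so the fix can be confirmed RC4-free."""
    return [s for s in server if is_weak(s)]
```

Because the 3DES suite is appended last, modern clients that offer the ECDHE/AES-GCM suites still get those; only XP falls through to 3DES.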