Yes, I know that SHA-2 signature validation is typically done by the operating system (with Mozilla Firefox/NSS and Chrome as of v39 being the exception).
- Can you add more explanation to your question? I can't quite figure out what you're asking. – Neil Smithline Nov 10 '15 at 06:39
- Browsers that don't support SNI are: msie on winxp, java6, android2.3. https://www.ssllabs.com/ssltest/clients.html – Z.T. Nov 10 '15 at 12:52
- Minimum OS to support SHA256: WinXP SP3, Android 2.3, iOS 3, Mac OS X 10.5, Java 1.4.2. https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility Basically, if a client can reach the non-default vhost on an IP, they can handle a sha256 cert. I don't know which clients CloudFlare has in mind that need sha1 certs. – Z.T. Nov 10 '15 at 13:01
1 Answer
Chrome on XP SP2?
(Disclaimer: Conjecture follows.)
XP SP2 lacks the SHA2 capabilities that XP SP3 added.
- IE8 can't SNI. -> so it's out of the candidate list.
- IE9 can SNI. IE9 uses the OS-cert-management. But IE9 doesn't run on XP.
- Firefox does its own cert-management. And it has supported SHA-2 for a long time. And it has also supported SNI for a long time.
- Chrome uses the OS-level-cert-management. So it can only accept certs that the OS says are good. And if you run Win XP SP2 (no SP3), as many Chinese supposedly do, then this might mean you're out of luck. (Note: Google's support for Chrome on XP ends 2016-04.)
(Disclaimer: I haven't actually tested this.)
StackzOfZtuff