Support for TLS 1.2 on Windows XP (Obsolete)

The information in this article is no longer applicable. Although the patch adds support for TLS 1.2 on Windows XP, it does not update the cipher suites and secure websites will still reject the connection. SocketTools no longer supports secure connections on Windows XP or Windows Vista.

More Information

SocketTools uses the Windows CryptoAPI and Schannel security provider to provide support for Transport Security Layer (TLS), which is used with secure connections. The latest version of TLS that is supported on the Windows XP platform is TLS 1.0. However, an update that was released for Windows Embedded POSReady 2009 can be used to provide support for TLS 1.2.

Microsoft has released an update for Windows Embedded POSReady 2009 that provides support for TLS 1.2. This platform is a specialized version of Windows XP designed for point-of-service systems. If you are already developing for this platform, you can download update KB4019276 from Microsoft’s Update Catalog.

If you are using Windows XP and your application requires support for TLS 1.2, it is possible to apply this update. You must be running Windows XP SP3 and you must make a change to the registry. It is strongly recommended that you upgrade to Windows 10 to ensure that you have the latest security updates and the strongest cipher suites available. However, if that is not a possibility, then you can follow these steps to install the update.

If you decide to make these changes, you acknowledge that you are doing this entirely at your own risk. Make sure that you have a full backup of the system.

  1. Verify that you are running Windows XP SP3 with all of the available updates installed. If you have automatic updates enabled, it is recommended that you disable them at this time. After this change, Windows Update will now see your Windows XP system as Windows Embedded POSReady 2009 and there may be updates that are released for that platform that do no apply to your system. You will need to manually check and verify all updates after this change has been made.
  2. Open the Registry Editor and create HKEY_LOCAL_MACHINE\SYSTEM\WPA\POSReady then select that key and define a DWORD value named Installed as 1. Once you have made this registry change, you will not be able to delete this key from the registry, even as an Administrator. This is effectively a permanent change to the system. To make this change easier, create a registry script by copying the following to a text file, name it “PosReady.reg” and then execute it by double-clicking on the file in Windows Explorer:
    Windows Registry Editor Version 5.00
  3. Download the KB4019276 update for Windows XP Embedded from the Microsoft Update Catalog. [Direct Link (English)] and install the update. You can verify that the update has installed correctly by using Windows Explorer to display the properties of the Schannel.dll and Rsaenh.dll files in \Windows\System32. Both files should be version 5.1.2600.7346 or later.
  4. Reboot the system. Remember to manually check all subsequent updates made available through Windows Update and you should not automatically install updates for the POSReady 2009 platform. Microsoft has stated that these updates are not tested on Windows XP.

After this update has been installed, the system will support TLS 1.1 and TLS 1.2, as well as AES256-SHA256 and a few additional cipher suites. Note that this Microsoft update does not include support for stronger cipher suites that use elliptical curve cryptography (ECC).

If a secure connection cannot be established with the server, attempt the connection using the same application running on a Windows 7 system (or later version of Windows). If the connection succeeds on the Windows 7 system, but fails on the Windows XP system with this update installed, it is likely that the server has been configured to require both TLS 1.2 and cipher suites which are not available on the Windows XP platform.

Internet Explorer 8 does not provide support for TLS 1.2 even after this update has been installed. If you need TLS 1.2 support in a browser, you will need to download an alternate browser such as Chrome or Firefox.

SocketTools 9.3 and later versions will check if this update has been installed, and if available, will support the use of TLS 1.2 on these platforms. Earlier versions of SocketTools only support TLS 1.2 on Windows 7 and later platforms and are not affected by installing the KB4019276 update. To enable support for TLS 1.2 on Windows XP, Windows POSReady 2009 or Windows Server 2008 you must have the Microsoft update installed and you must upgrade to the current version of SocketTools.

External Links

Microsoft Update KB4019276
Microsoft Update Catalog