What happens when a legacy browser or OS attempts to access an https site with a SHA-2 certificate
I'm researching the impact of changing a site's SSL certificates to SHA-2 hash in order to avoid the "obsolete cryptography" from Chrome.
I found this page, which contains a table of OSs and browsers that are compatible with SHA-2 certificates:
https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility
The one I'm mostly concerned about is Windows XP pre-SP3.
Does anyone have a screenshot or the wording of the error that happens when a pre-SP3 XP system with, say, Chrome, Opera or IE, tries to access an https page on a site that has a SHA-2 cert?
thanks
glauber ribeiro
Solution 1:
You may still have some XP traffic, but pre-SP3 traffic should be quite minimal. In any case, here are screenshots of Chrome 1.0 and IE6 on Windows Server 2003 with SP2 without MS13-095 applied, which would add SHA-256 browser compatibility. The error on an XP SP2 machine should be identical.
Chrome 1.0 on Server 2k3 SP2:
IE 6 on Server 2k3 SP2:
As noted on the compatibility page, Chrome 1-37 rely on the OS for compatibility. Chrome 38+ will support SHA-2 on its own regardless of OS support.
You won't see a "certificate error" because it can't establish a secure connection in the first place.
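Before switching, it helps to know which hash algorithm actually signs each certificate in the chain you serve, since a client that lacks SHA-2 support fails the handshake on any SHA-2-signed certificate it has to verify, not only the leaf. The following is an added example, not code from the question or the answers: a small DER walker that reads the outer `signatureAlgorithm` OID of an X.509 certificate and maps it to a hash name. The OID table, the helper names (`signature_algorithm`, `is_sha2_signed`, `constructed_cert`) and the constructed certificate skeletons used for testing are my own; `ssl.PEM_cert_to_DER_cert` and `ssl.get_server_certificate` are standard-library calls.

```python
"""Report the signature hash algorithm of an X.509 certificate from its DER bytes.

Added example (not from the page). It parses just enough DER to reach
Certificate.signatureAlgorithm.algorithm (RFC 5280, section 4.1) without
any third-party library.
"""
import ssl
from typing import Tuple

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (key type, hash)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("RSA", "MD5"),
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ECDSA", "SHA-512"),
}
SHA2_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, next position)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der: bytes) -> Tuple[str, str]:
    """Return (key type, hash) for the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    return SIGNATURE_OIDS.get(oid, ("unknown", oid))


def is_sha2_signed(der: bytes) -> bool:
    """True if the certificate is signed with a SHA-2 family hash."""
    return signature_algorithm(der)[1] in SHA2_HASHES


def pem_signature_algorithm(pem: str) -> Tuple[str, str]:
    """Same check for a PEM-encoded certificate (e.g. a file on the server)."""
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


def server_leaf_signature_algorithm(host: str, port: int = 443) -> Tuple[str, str]:
    """Fetch a server's leaf certificate and report its signature hash (network)."""
    return pem_signature_algorithm(ssl.get_server_certificate((host, port)))


# --- constructed test data (not real certificates) --------------------------
def _der(tag: int, payload: bytes) -> bytes:
    """Encode a DER TLV, using long-form length when needed."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def constructed_cert(sig_oid: str) -> bytes:
    """Minimal Certificate skeleton with the given signature OID (constructed, unsigned)."""
    alg_id = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL params
    # serialNumber + signature + filler so the TBS length uses the long form
    tbs = _der(0x30, _der(0x02, b"\x01") + alg_id + b"\x00" * 300)
    sig_value = _der(0x03, b"\x00" + b"\xAA" * 32)            # BIT STRING placeholder
    return _der(0x30, tbs + alg_id + sig_value)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = constructed_cert(oid)
        print(oid, signature_algorithm(der), "SHA-2:", is_sha2_signed(der))
```

Run it against each certificate your server sends (leaf and intermediates); any entry reporting a SHA-2 hash is one that a client without SHA-2 support, such as the Server 2003 SP2 and XP SP2 cases above, will reject during the handshake.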
Solution 2:
I don't have a screenshot, but shortly after we switched to SHA-2 we had a customer call in complaining that she was getting an "Invalid Certificate" screen in IE8. I never got the impression that the error was anything different from trying to access any other invalid certificate. Here's what the generic message looks like:
(source: technet.com)