Unable to install/update plugins on Windows XP #85

Open
ivanbuto opened this issue Dec 31, 2017 · 36 comments

@ivanbuto

Description of the Issue

I receive an installation error when trying to update an existing plugin or install a new plugin. This happens on my Windows XP computer; it works fine on Windows 7. Does Plugin Manager not support Windows XP?
Screenshot attached.

Debug Information

Notepad++ v7.5.3 (32-bit)
Build time : Dec 5 2017 - 10:45:46
Path : D:\Program Files\Notepad++\notepad++.exe
Admin mode : OFF
Local Conf mode : OFF
OS : Windows XP (32-bit)
Plugins : NppTextFX.dll ComparePlugin.dll NppExport.dll mimeTools.dll NppConverter.dll PluginManager.dll DSpellCheck.dll

nppPluginManager version 1.4.9

clipboard01

@chcg
Collaborator

chcg commented Jan 1, 2018

@ivanbuto Most probably you are facing issue #40. WinXP doesn't support newer TLS versions any more.

And the link for DspellCheck is:

<download>https://github.com/Predelnik/DSpellCheck/releases/download/v1.3.5/DSpellCheck_x86.zip</download>

also it is still accessible via plain http. So maybe there is another option to add a fallback from https to http to still support winxp. I will have to investigate that.

@nanonyme

nanonyme commented Jan 2, 2018

Iirc XP does in fact support TLS1.2 but with a severely reduced cipher set. You have to allow some weak ciphers in order for things to work

@chcg
Collaborator

chcg commented Jan 2, 2018

@chcg
Collaborator

chcg commented Jan 3, 2018

@ivanbuto @nanonyme Could you please test https://ci.appveyor.com/project/chcg/npppluginmanager/build/1.4.9.119/artifacts which contains a fallback to http in case that the https connection is not successful.

@nanonyme

nanonyme commented Jan 3, 2018

I don't have XP, we just had to support this scenario a while back

@nanonyme

nanonyme commented Jan 3, 2018

And I do not. WinHTTP in XP supports TLS1.2 with an unsecure cipher at least in 2016, maybe 2015. I don't remember which one it is and it should only be allowed on XP

@nanonyme

nanonyme commented Jan 3, 2018

Iirc it was not visible as supported in IE in this case

@nanonyme

nanonyme commented Jan 3, 2018

I'm suddenly not sure anymore whether I'm even remembering correctly and can't check since on vacation. I guess dropping encryption isn't a big thing anyhow. The platform can't be securely supported for other reasons and its users are essentially running honeypots

@ivanbuto
Author

ivanbuto commented Jan 3, 2018

@chcg I have tested the updated version of PluginManager.dll, but still no success.
What I notice is that the success or failure of plugin installation depends on the source of the files - sourceforge.net and github.com, for example, are failing, but sites.google.com is OK. So for example, I can install the Autosave plugin or Combine plugin. Does that have to do with the different versions of TLS used?
Or should I install the KB4019276 update?

@chcg
Collaborator

chcg commented Jan 3, 2018

@ivanbuto Sad to hear that. You could countercheck at https://github.com/bruderstein/npp-plugins-x64/blob/master/plugins/plugins_template.xml which download source is used:

Combine:
<download>http://www.scout-soft.com/combine/combine.zip</download>
Autosave:
<download>https://sites.google.com/site/fstellari/nppplugins/AutoSave_dll_1v60.zip</download>
Autosave2:
<download>http://www.scout-soft.com/autosave/autosave2.zip</download>

So http should be no problem in any case. Https depends on the server configuration to fallback to older tls/ssl layers which are outdated/unsafe nowadays.

The mechanism I tried to implement is an automatic fallback from e.g.:

<download>https://sourceforge.net/projects/analyseplugin/files/binaries/v01.10-R32.zip</download>
to
<download>http://sourceforge.net/projects/analyseplugin/files/binaries/v01.10-R32.zip</download>
, which seems to work on WIN10, if I simulate a failing download from https. Maybe that is not the case, need to check that at google.

Could you try to reach http://sourceforge.net/projects/analyseplugin/files/binaries/v01.10-R32.zip or http://github.com/bruderstein/nppPluginManager/releases/download/v1.4.9/PluginManager_v1.4.9_UNI.zip from WinXP IE, which uses the same Windows infrastructure as PluginManager.

@nanonyme

nanonyme commented Jan 3, 2018

Any chance of only enabling the fallback on XP or adding a switch? Fallback to HTTP makes you vulnerable to repeat attacks

@chcg
Collaborator

chcg commented Jan 3, 2018

Available cipher at github.com found by https://www.digicert.com/help/:

Protocol Support

TLS 1.2, TLS 1.1, TLS 1.0

SSL ciphers supported by the server
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

and sourceforge.net

Protocol Support 
TLS 1.2, TLS 1.1, TLS 1.0
SSL ciphers supported by the server
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA

Vs. winxp schannel https://msdn.microsoft.com/de-de/library/windows/desktop/aa380512(v=vs.85).aspx:

Schannel supports the following cipher suites for TLS 1.0 in Windows Server 2003 and Windows XP. The suites are listed in the default order in which they are chosen. For cipher suites for Windows Server 2008 and Windows Vista, see Cipher Suites in Schannel.

    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_DHE_DSS_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_WITH_NULL_MD5
    TLS_RSA_WITH_NULL_SHA
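
The three lists in the comment above, compared mechanically (an added example, not part of the thread or of Plugin Manager's code). The `negotiate` model, the `WEAK` name fragments and the "patched" client that gains one AES suite are assumptions of this example, not measurements from a real XP machine.

```python
# Cipher-suite lists copied from the comment above (not fetched live).
GITHUB = """TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA""".split()
SOURCEFORGE = "TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA".split()
XP_SCHANNEL = """TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA""".split()
SERVERS = {"github.com": GITHUB, "sourceforge.net": SOURCEFORGE}

# Name fragments that mark broken or legacy primitives (assumption of this example).
WEAK = {
    "_RC4_": "RC4 stream cipher",
    "_RC2_": "RC2 block cipher",
    "_DES_": "single DES (56-bit key)",
    "_3DES_": "3DES (64-bit block)",
    "EXPORT": "export-grade key length",
    "_NULL_": "no encryption",
    "_MD5": "MD5-based MAC",
}

def negotiate(client_prefs, server_suites):
    """Return the first suite in the client's order that the server accepts.

    Simplification: a real server may apply its own preference order, but an
    empty overlap fails the handshake either way, which is the case here.
    """
    accepted = set(server_suites)
    return next((s for s in client_prefs if s in accepted), None)

def weaknesses(suite):
    """List the legacy primitives a suite name reveals (empty if none match)."""
    return [why for fragment, why in WEAK.items() if fragment in suite]

def handshake_report(client_prefs):
    """Map each host from the thread to the suite it would agree on, or None."""
    return {host: negotiate(client_prefs, s) for host, s in SERVERS.items()}

if __name__ == "__main__":
    print("stock XP   :", handshake_report(XP_SCHANNEL))
    # Hypothetical client that additionally offers one AES suite both hosts list.
    patched = XP_SCHANNEL + ["TLS_RSA_WITH_AES_256_CBC_SHA"]
    print("plus AES   :", handshake_report(patched))
    for suite in XP_SCHANNEL:
        print(f"{suite}: {', '.join(weaknesses(suite))}")
```
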

@bruderstein
Owner

The fallback doesn't really help much, only for the actual plugin list (and there's already a switch to use HTTP for that). The plugins hosted on the various platforms that remove the insecure ciphers that XP supports don't have an HTTP fallback (AFAIK), so it doesn't really help. When I tested it a while ago I couldn't open github on IE under XP. But, as has been said here already, XP is no longer supported, it's 15 or so years old and supporting the XP only ciphers reduces the security for everyone, so it's pretty reasonable that these sites don't do it.

@ivanbuto
Author

ivanbuto commented Jan 3, 2018

@chcg Tried the links from IE8 - Internet Explorer cannot display the webpage in both cases.

@chcg
Collaborator

chcg commented Jan 3, 2018

@bruderstein Hi, see chcg@97a1436. I added a fallback for the download step of a plugin. currently unconditionally (if it would work, I would either create a special version or try to do a restriction to XP programmatically)

@bruderstein
Owner

@chcg sounds good. There's a call or something from N++ that gives a friendly windows version somewhere. Seems like restricting this to just XP is pretty safe (they're insecure anyway!)

@chcg
Collaborator

chcg commented Jan 3, 2018

@bruderstein Did you read my mail about npptidy2, etc?

@chcg
Collaborator

chcg commented Jan 3, 2018

@ivanbuto If you like risks you may try https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276, the relevant one is probably Update für WES09 und POSReady 2009 (KB4019276), afterwards TLS1.1 and TLS 1.2 have to be enabled via registry, see https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows. But what is not described is if there are the supported cipher suites contained, because if TLS_RSA_WITH_AES_256_CBC_SHA is not added TLS 1.2 will also not help.

@ivanbuto
Author

ivanbuto commented Jan 9, 2018

Just installed the KB4019276 update for Windows Embedded POSReady 2009 on my Windows XP Professional machine. I can now install and update plugins with the Plugin Manager.
This is the first out of the POSready 2009 updates that I have installed, and seems like quite a useful one, since it adds new functionality to Windows.
Thanks for the tip!
I could always uninstall the update and do more testing if needed.

@chcg
Collaborator

chcg commented Jan 9, 2018

@ivanbuto Thanks for the evaluation. My feeling is that this is the most meaningful way to go. Raising the security level of the connection instead of falling back to plain http.

@ivanbuto
Author

Interesting, an update to the SpellCheck plugin is available, and the Plugin Manager is again failing on my Windows XP machine. I don't get why, since I have not made any changes that I would be aware of.

@Eagle3386

For the sake of security, please close this issue as WONTFIX or even better WONTFIXSUCHAMESSYOSEVER.
XP was abandoned by its creators on April, 8th 2014 - if that's not good enough, the embedded version's extended support died on January, 12th 2016 - more than 2 (read: T-W-O) years ago!

IMHO, fixing bugs on dead platforms offers nothing but a time-consuming activity. So, instead of wasting it for pretty much nothing, I suggest putting all such effort into improving all the other bugs to get fixed and features to get implemented.

@fedor4ever

fedor4ever commented Apr 29, 2018

@chcg, I think curl is good as fallback. It supports modern cryptography and various protocols.
I have XPx64sp2 and got same error too.

@Eagle3386

Won't happen as stated in the other various issues. Get an updated OS and deal with the fact that XP is dead - for good.

@fedor4ever

@Eagle3386, how many times will you repeat that thing? And why do you waste people's time to read it?

@nanonyme

Curl also has regular security vulns leading to high maintenance cost

@fedor4ever

@nanonyme, replace widespread executable with update so nontrivial task.
If plugin can't open by https it call curl.exe and vice versa. Then report job result to user.
Alternative - open download link in browser. Browser download that stuff and nppPluginManager install from local downloads folder (open file via file manager). Firefox still support windows.

@Eagle3386

@fedor4ever up to that very last moment when even stubborn people like you accept the irreversible reality: XP is dead. Period. Get over it already!
Regarding your 2nd question: why do you presume, annoying us subscribers is acceptable, especially since this issue was last commented almost 1.5 months ago?
Regarding your (probably intentionally wrong) statement about Firefox' XP support:

  1. Only the ESR build still supports XP.
  2. That build is unsupported starting August, 21st this year - i. e. in 113 days.
  3. An implementation for <4 months of support? Seriously? Get the source and build it yourself, if you're that resistant to IT security advice. TIA & GL!

@nanonyme agreed. Yet another good point against those XP clingers.

@bruderstein can you close this issue as WONTFIX, please?

@fedor4ever

@bruderstein, will you fix this issue?
@ivanbuto, say something...

@ivanbuto
Author

ivanbuto commented May 1, 2018

@Eagle3386 I also don't understand the unfriendly tone in your messages. I simply reported an error that I encountered using Plugin Manager on my Windows XP machine, where Notepad++ up to the latest version otherwise runs fine. I did not demand in any way that the issue must be solved and I understand the reasons for not addressing it.

@fedor4ever I was able to update plugins after installing the KB4019276 update (which is otherwise intended for Windows XP Embedded). Even did not have to make any registry changes described in the KB article. However, after some time, I again began getting errors. I am trying to figure out why, but I don't suppose it could be due to newer versions of Notepad++ or the Plugin Manager? I have in the meantime uninstalled the update; will try installing it again.

@nanonyme

nanonyme commented May 1, 2018

I don't believe there are any good maintainable solutions. The KB was a good workaround, sad to hear it stopped working already. I did expect it eventually would considering cipher suites have their own lifespans and it's not as if Microsoft was maintaining XP outside special deployments under special contracts

@fedor4ever

@ivanbuto, I have xp64sp2. I can't install any updates from win embedded.
@nanonyme, I propose 2 solutions. I vote for curl or similar app.

@bruderstein
Owner

Much older versions of plugin manager used libcurl. The problem was that that doesn't support NTLM authenticated proxies. When switching to use the native Win32 calls, we get all the proxy support and it's automatically configured from the same configuration as IE/Edge and Chrome.

Supporting all the users behind corporate proxies is unfortunately a greater need than supporting the few users on a 15 year old unsupported operating system.

The only way I see would be for someone to fork this project and bring back the libcurl support, releasing a custom "XP" version.

@nanonyme

nanonyme commented May 1, 2018

I propose not allowing any curl code anywhere near Windows 7 versions of the plugin for security reasons. As long as that is held, I don't really care if there's XP-specific hacks. Do keep in mind though that any binaries that are supposed to work in XP get special compilation treatment which makes the binaries bigger for decreasing amount of benefits. I strongly recommend a migration plan to move to a newer OS

@chcg
Collaborator

chcg commented May 1, 2018

@fedor4ever There will be no development of a version with curl from my side.

@fedor4ever

@chcg, what about downloads via browser?
@nanonyme, okay.
