Join Log in
Score:8
avatar Server

What minimum versions of operating systems and browsers are compatible with Google-managed SSL certificates?

in flag
Greg Dubicki

Issuers of SSL certificates usually provide documentation of what minimum versions of OSes and browsers are supported by their solutions.

Examples:

However, I was not able to find such documentation for the Google-managed SSL certificates.

I understand that it partially depends on the SSL policy but it must also depend on whether the root certificate that Google uses is in the given OS or browser root certificate store, right?

So what are the exact minimum versions of OSes and browsers that are supported by Google's certificates?

Update 1: maybe I was not specific enough at first, but I meant the minimum versions of these OSes and browsers. Sorry, but answers like "Windows, MacOS, Linux and majors browsers" do not cut it - this is obvious.

1002
3 + 4
cn flag
TomTom
What about "Stuff that is end of life". The reason Cloudflare and Let's encrypt publish it is because in the past they had problems being accepted - large SSL providers that follow the traditional route (of not handing out certificates to everyone asking, which at least WAS an issue, as SSL acceptance implies trust) never had that problem to start with for a LOOOONG time.
1
Reply
9072997 avatar
ng flag
9072997
Google's answer is about as generic as the answers here, but they do have an [FAQ](https://pki.goog/faq/#faq-21) about it
2
Reply
John Hanley avatar
cn flag
John Hanley
1/2) There are two issues: The type of certificate, for example RSA versus ECDSA), and the Root CA. If the Root CA is not trusted, none of the leaf server certificates will be trusted. If the software running on the system does not support the type of certificate then even if the Root CA certificate is trusted, the software applications will not support the certificate. Given that most operating systems have mechanism to update the trusted root list, the minimum OS version and browser versions is not the deciding factor anymore.
0
Reply
John Hanley avatar
cn flag
John Hanley
2/2) The answer referencing SSLabs is interesting, but does not cover the two key items. It does not provide details on Trusted Root CA list, nor does it provide details on supported SSL certificate types. As important as your question is, I do not think there is a definitive answer due to how the real world now functions with system updates. Windows, for example, will promptly download security updates on first boot.
0
Reply
Score:4
hesoyam avatar Server
cn flag
hesoyam

Google-managed SSL certificates are usually made to work smoothly with modern browsers and operating systems so that they're recognized and trusted. As long as the root certificate of Google Trust Services is in the root certificate store of your browser or operating system, you should be good to go with the SSL certificates issued by Google.

+ 0
Score:1
James S avatar Server
it flag
James S

Google Managed certificates works with most operating systems and browsers such as Windows, Linux, Chrome, Mozilla, Edge and other chromium based browsers just to name a few. These certificates are issued by Google's own Certificate Authority, that is trusted by major operating systems and browsers, so they should generally work without a problem.

+ 1
9072997 avatar
ng flag
9072997
Knowing a computer runs Linux does not tell you anything about which CAs or types of certificates are supported. With very few exceptions, Linux applications do TLS in user space.
0
Reply
Score:1
avatar Server
cn flag
chutz

As there is no authoritative published information, one way to get the answer you need is to simply test it. SSL Labs have a very good SSL Server Test which you can use to scan a site backed by a Google Managed SSL certificate. You can scan something you host or probably is acceptable to also pick any of the Google-issued sites from a transparency report.

With respect to interoperability, the "Certification Paths" section lists the compatibility with the popular CA stores, and the "Handshake Simulation", sample below, would demonstrate the interoperability with a wide range of systems and libraries. Sample (from a Google-managed SSL-backed certificate site below):

Android 2.3.7   No SNI 2               Server sent fatal alert: handshake_failure
Android 4.0.4                          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.1.1                          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.2.2                          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.3                            RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.4.2                          RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 5.0.0                          RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 6.0                            RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 7.0                            RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Android 8.0                            RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Android 8.1                            -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Android 9.0                            -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Baidu Jan 2015                         RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
BingPreview Jan 2015                   RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 49 / XP SP3                     RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 69 / Win 7  R                   RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Chrome 70 / Win 10                     -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH x25519  FS
Chrome 80 / Win 10  R                  -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH x25519  FS
Firefox 31.3.0 ESR / Win 7             RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 47 / Win 7  R                  RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / XP SP3                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 62 / Win 7  R                  RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Firefox 73 / Win 10  R                 -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH x25519  FS
Googlebot Feb 2018                     RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
IE 7 / Vista                           RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 8 / XP   No FS 1   No SNI 2         Server sent fatal alert: handshake_failure
IE 8-10 / Win 7  R                     RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 7  R                       RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 8.1  R                     RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 10 / Win Phone 8.0                  RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1  R               RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R        RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 10  R                      RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 15 / Win 10  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 16 / Win 10  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 18 / Win 10  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 13 / Win Phone 10  R              RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 6u45   No SNI 2                   Server sent fatal alert: handshake_failure
Java 7u25                              RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Java 8u161                             RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 11.0.3                            -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 12.0.1                            -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 0.9.8y                         RSA 2048 (SHA256)  TLS 1.0               TLS_RSA_WITH_AES_128_CBC_SHA  No FS
OpenSSL 1.0.1l  R                      RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.2s  R                      RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.1.0k  R                      RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
OpenSSL 1.1.1c  R                      -                  TLS 1.3               TLS_AES_256_GCM_SHA384   ECDH x25519  FS
Safari 5.1.9 / OS X 10.6.8             RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 6 / iOS 6.0.1                   RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 6.0.4 / OS X 10.8.4  R          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 7 / iOS 7.1  R                  RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 7 / OS X 10.9  R                RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 8 / iOS 8.4  R                  RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 8 / OS X 10.10  R               RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 9 / iOS 9  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R               RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / iOS 10  R                  RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / OS X 10.12  R              RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R  -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Safari 12.1.1 / iOS 12.3.1  R          -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Apple ATS 9 / iOS 9  R                 RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Yahoo Slurp Jan 2015                   RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
YandexBot Jan 2015                     RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS

# Not simulated clients (Protocol mismatch)
IE 6 / XP   No FS 1   No SNI 2  Protocol mismatch (not simulated)
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.
+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.