Syspeace upgrade required for Windows Server 2003 customers using Syspeace 2.5.2 or older

If you are using Syspeace 2.5.2 or older, you will need to upgrade to Syspeace 2.6 to be able to keep running Syspeace. Please visit the download page to upgrade or read on for more information.

Syspeace Windows Server 2003 Support Policy

2.x and 3.x releases of Syspeace running on Windows Server 2003

All 2.x and 3.x releases of Syspeace will continue to be supported on Windows Server 2003.

Future releases of Syspeace

We may introduce major new releases of Syspeace that will not run or be supported on Windows Server 2003.

Our recommendation

If possible, run a Windows Server version currently supported by Microsoft and install all critical security fixes.

About the special “Syspeace for Windows Server 2003” variant

Syspeace is available for all currently supported versions of Windows Server. Windows Server 2003 has been supported since Syspeace 2.0 was released in 2013, but since Syspeace 2.6, Syspeace comes in a special variant for Windows Server 2003. This page explains the technical reasons why the ordinary Syspeace variant does not run on Windows Server 2003 and why Syspeace 2.5.2 and earlier will stop working when running on Windows Server 2003.

To download Syspeace for Windows Server 2003, please visit the download page.

(For the purposes of this document, consider Windows Server 2003 and Windows Server 2003 R2 equivalent.)

SHA-1 certificates, encryption and the need for a special Syspeace variant for Windows Server 2003

Syspeace communicates with a backend server to maintain its licensing system and collect and provide data for the global blacklist feature. This communication happens encrypted over SSL/TLS via an “https” address. This requires a web server certificate. Syspeace is also delivered “code signed” with an Authenticode signature, so that its integrity can be verified and bound to our code signing certificate and our identity. Both of these certificates are issued to be valid for only a limited period of time, and need to be swapped out with newer certificates every few years when the older certificates expire.

Both of these certificates use the cryptographic hashing method “SHA-1”. State of the art at the time of adoption, it has since been weakened enough that it is no longer considered secure, and it is being phased out by all Certificate Authorities and web browser vendors, following a decision in the CA/Browser Forum in October 2014. SHA-1-based certificates may not be issued by Certificate Authorities starting in January 2016. All newer certificates must use a newer family of hashing methods called “SHA-2”.

SHA-1 is the most current hashing method supported in Windows Server 2003, and SHA-2 is not supported. This is what forces us to maintain a special variant of Syspeace for Windows Server 2003.

If you are not using this new variant by the time our backend server’s certificate expires and a new SHA-2 certificate is put in place, Syspeace will stop running when validating its license or contacting our server, because Windows Server 2003 cannot make sense of certificates based on newer standards.

Update on September 2, 2016: The new SHA-2 certificate has now been put in place due to the imminent expiration of the old SHA-1 certificate.

Microsoft provides hotfixes for Windows Server 2003 to enable basic support for SHA-2. They have to be specially requested, the right version has to be determined based on architecture, language and some other server duties, and their installation might require a server reboot. In addition, this support does not extend to code signing. For these reasons, we decided that the right thing was to introduce a special Syspeace variant where you would not need to worry about this and where customers not using Windows Server 2003 would not need to worry about concessions in the name of backwards compatibility.

All changes between Syspeace for Windows Server 2003 and the ordinary Syspeace variant

This version differs from the ordinary Syspeace variant in these ways:

  • It talks to a Syspeace backend server that, instead of our current syspeace.com web site certificate, uses a “self-signed” certificate – a certificate issued by us instead of by a trusted Certificate Authority. No Certificate Authority is allowed to issue a new compatible certificate for us, so this is our only option aside from forgoing the use of encryption. Our issuing this certificate does not degrade the strength of the resulting encryption; it just means the certificate does not have a “trust chain” leading back to a well-known Certificate Authority.
  • It is not code signed. SHA-1-based Authenticode certificates have also stopped being issued. There is no way for us to provide a code signature that will be recognized as valid. In addition, some security filters have started filtering programs and installers signed with these certificates. We will be providing checksums and cryptographic hash values of Syspeace downloads so that their integrity can be validated.
  • When a link to a secure (https, SSL/TLS) web site is clicked within Syspeace, such as to open the Syspeace site or some reference documentation, Syspeace asks if you want to copy the link address instead. This is because the version of Internet Explorer compatible with Windows Server 2003 is unable to go to many secure web sites, once again due to the inability of Windows Server 2003 to understand SHA-2 certificates without a hotfix.
  • It refuses to install and exits immediately if run on Windows Server 2008 or later.
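
For the second item above (no code signature, integrity checked by hash value instead), one way to check a download against a published hash value. This is an added example, not Syspeace's own tooling; the file name, the SHA-256 default and the "digest, two spaces, file name" list format are assumptions, since this page does not say which algorithm or format the published values use.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_list(text):
    """Parse 'HEXDIGEST  filename' lines (assumed format) into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify_download(path, checksum_text, algorithm="sha256"):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # a missing entry is never treated as a pass
    actual = file_digest(path, algorithm)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed sample: a stand-in file and a checksum list built for it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer-placeholder.exe")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes, not a real installer")
        listing = f"{file_digest(path)}  installer-placeholder.exe\n"
        good = verify_download(path, listing)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate corruption or modification after publication
        bad = verify_download(path, listing)
        missing = verify_download(path, "# empty list\n")
        return good, bad, missing

if __name__ == "__main__":
    print(demo())
```

The comparison only establishes integrity if the published value is obtained over a channel you trust, for example from a machine that can validate the publishing site's certificate, rather than from the same place as the download itself.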