Windows XP natively supports only broken (or weak, if you want to be optimistic) cipher suites. For starters, it only supports SSLv2, SSLv3 and TLS 1.0, i.e., TLS 1.1 and 1.2 are not supported.
The cipher suites natively available in Windows XP are:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
It only supports things that are already considered not recommended, such as RC4, DES and 3DES. Not to mention SHA-1 and MD5, which need no comment. Chrome no longer supports SHA-1 and MD5 in newer versions (Chrome 54 and later, if I'm not mistaken).
For comparison, Windows 10 supports AES-GCM, SHA384, SHA256, and supports elliptic curve encryption, allowing you to use ECDHE and ECDSA.
Cloudflare's basic/free plan uses an elliptic curve certificate, so it is not supported by Windows XP. They say so themselves:
"Our SSL certificates on paid plans (Pro, Business and Enterprise) will work with all desktop browsers, so if you are worried about compatibility or have many users with old browsers, upgrading to one of our paid plans is recommended."
Source
The set below is compatible, but it's not so safe. There is no way to "be compatible with Windows XP" and at the same time "be safe"; just look at the test using google.com: they themselves use TLS_RSA_WITH_3DES_EDE_CBC_SHA (XP compatible) and SSL Labs reports it as "WEAK".
RSA_WITH_3DES_EDE_CBC_SHA is compatible with Windows XP, but it is weak. To use it, include EDH-RSA-DES-CBC3-SHA in SSLCipherSuite:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!MD5
I believe that’s enough.
If you want something more comprehensive, use:
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
If you want something really safe, forget Windows XP and Windows Vista. Simply support only TLS 1.2 (and TLS 1.3). Only allow ECDHE as the key exchange and support only AES-GCM and CHACHA20-POLY1305:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
This will support AES128-GCM, AES256-GCM and CHACHA20-POLY1305. The reason for the repetition is that you can use an ECC or RSA certificate, which determines whether ECDSA or RSA is used for the signature.
Another important point is performance; I believe ECDHE-ECDSA-CHACHA20-POLY1305 is the fastest.
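As an added example (not code from the original answer or from Apache), the following Python audit applies the Windows XP suite list given above to an Apache SSLProtocol/SSLCipherSuite pair: it translates the explicit OpenSSL cipher names to their IANA names, reports whether XP can still reach the server (TLS 1.0 enabled and at least one XP-supported suite present), and lists the weak suites and those without forward secrecy. The three configurations from the answer are embedded as sample input. OpenSSL group aliases such as ECDH+AESGCM are left unexpanded rather than resolved, the "all -SSLv3" protocol line for the first configuration (which has none in the answer) and the expansion of Apache's "all" are assumptions, and all function names here are the example's own.

```python
"""Audit an Apache mod_ssl SSLProtocol/SSLCipherSuite pair: is Windows XP still
reachable, and which suites are weak or lack forward secrecy?  Added example, not
code from the original answer.  Explicit OpenSSL cipher names are translated to IANA
names by OpenSSL's naming pattern; group aliases such as ECDH+AESGCM are only reported
as unexpanded (resolving them needs `openssl ciphers -v` on the server's own build)."""

# Suites Windows XP (Schannel) offers natively, as listed in the answer.
XP_SUITES = frozenset({
    "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA",
})
# OpenSSL name pieces -> IANA name pieces.
KX_AUTH = {"ECDHE-RSA": "ECDHE_RSA", "ECDHE-ECDSA": "ECDHE_ECDSA", "DHE-RSA": "DHE_RSA",
           "EDH-RSA": "DHE_RSA", "DHE-DSS": "DHE_DSS", "EDH-DSS": "DHE_DSS"}
BULK = {"AES128": "AES_128_CBC", "AES256": "AES_256_CBC", "AES128-GCM": "AES_128_GCM",
        "AES256-GCM": "AES_256_GCM", "DES-CBC3": "3DES_EDE_CBC", "DES-CBC": "DES_CBC",
        "RC4": "RC4_128"}
MACS = ("SHA", "SHA256", "SHA384", "MD5")
WEAK_MARKERS = ("3DES", "_DES_", "RC4", "RC2", "MD5", "NULL", "EXPORT")
# Keyword exclusions (!MD5, !DSS, ...) and the substring they match in IANA names.
EXCLUDE_KEYWORDS = {"aNULL": "_anon_", "eNULL": "_NULL_", "MD5": "_MD5", "DSS": "_DSS_",
                    "RC4": "_RC4_", "3DES": "_3DES_"}
# What Apache 2.4's "all" expands to on a TLS 1.3-capable OpenSSL (assumption).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def openssl_to_iana(name):
    """Translate an explicit OpenSSL cipher name; None for aliases and groups."""
    kx, rest = "RSA", name  # no key-exchange prefix means plain RSA key exchange
    for prefix, iana_kx in KX_AUTH.items():
        if name.startswith(prefix + "-"):
            kx, rest = iana_kx, name[len(prefix) + 1:]
            break
    if rest == "CHACHA20-POLY1305":  # AEAD suite with an implied SHA256 PRF
        return f"TLS_{kx}_WITH_CHACHA20_POLY1305_SHA256"
    body, _, mac = rest.rpartition("-")
    if mac not in MACS or body not in BULK:
        return None
    return f"TLS_{kx}_WITH_{BULK[body]}_{mac}"

def enabled_protocols(ssl_protocol):
    """Expand an SSLProtocol value such as "all -SSLv3 -TLSv1" into the enabled set."""
    enabled = set()
    for tok in ssl_protocol.split():
        if tok.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def _excluded_by(kw, iana):
    """Does a !kw / -kw exclusion remove this suite (exact name or keyword match)?"""
    marker = EXCLUDE_KEYWORDS.get(kw)
    return openssl_to_iana(kw) == iana or (marker is not None and marker in iana)

def audit(ssl_protocol, ssl_cipher_suite):
    """Report XP reachability, weak and non-PFS suites, and unexpanded aliases."""
    protocols = enabled_protocols(ssl_protocol)
    tokens = ssl_cipher_suite.split(":")
    exclusions = [t[1:] for t in tokens if t[:1] in ("!", "-")]
    kept, unexpanded = [], []
    for tok in tokens:
        if tok[:1] in ("!", "-", "@"):
            continue  # exclusion (collected above) or @STRENGTH-style directive
        iana = openssl_to_iana(tok.lstrip("+"))
        if iana is None:
            unexpanded.append(tok)
        elif not any(_excluded_by(kw, iana) for kw in exclusions):
            kept.append((tok, iana))
    xp = [tok for tok, iana in kept if iana in XP_SUITES]
    return {
        "tls10_enabled": "TLSv1" in protocols,  # XP needs TLS 1.0 (or SSLv3)
        "xp_suites": xp,
        "xp_reachable": bool(xp) and "TLSv1" in protocols,
        "weak_suites": [t for t, i in kept if any(m in i for m in WEAK_MARKERS)],
        "no_pfs_suites": [t for t, i in kept if i.startswith("TLS_RSA_WITH_")],
        "unexpanded": unexpanded,
    }

# The three configurations from the answer; the first has no SSLProtocol line there,
# so "all -SSLv3" is assumed for it.
XP_COMPAT = ("all -SSLv3", "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
             "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!MD5")
COMPREHENSIVE = ("all -SSLv3", "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS")
MODERN = ("all -SSLv3 -TLSv1 -TLSv1.1", "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")

if __name__ == "__main__":
    for label, cfg in (("xp-compatible", XP_COMPAT), ("comprehensive", COMPREHENSIVE), ("modern", MODERN)):
        print(label, audit(*cfg))
```

Run stand-alone, it shows that the first two configurations stay reachable from XP only through DES-CBC3-SHA (the IANA TLS_RSA_WITH_3DES_EDE_CBC_SHA), that the same line is also what SSL Labs flags as weak, and that the third configuration leaves nothing an XP client can negotiate, which is exactly the trade-off described above. The translation covers only the explicit names used on this page; for anything else, compare against `openssl ciphers -v` on the server.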
Are you using Cloudflare's paid or free plan? If it is the first case, that is the reason. Are you using the standard Cloudflare certificate or a custom one (with the Business plan)?
– Inkeliz
I'm using the free plan, but I removed Cloudflare and re-ran the tests and got the same problem. When I removed the cipher suites line from Apache2 it worked, but SSL Labs then indicated that it used weak encryption. So I wanted to keep this line and allow at least one cipher suite compatible with XP.
– Renan Cavalieri