Kyle_Katarn 1 Posted April 17, 2019

Hello, After upgrading to 8.59 + OpenSSL 1.1.1b, my users under Windows XP (and only XP) are now getting a message at startup "missing bcrypt.dll". This was not the case with earlier versions (of ICS and OpenSSL). Is this intentional?

Ugochukwu Mmaduekwe 42 Posted April 17, 2019

This might have something to do with newer OpenSSL DLLs switching from using the Legacy CryptoAPI to using BCryptGenRandom for generating OS random numbers.

Angus Robertson 574 Posted April 18, 2019

bcrypt.dll is only used if OpenSSL is compiled for Windows 7 or later, but I'm afraid that is how our binaries are built, since Windows XP is long out of support. You will need to keep using an older version of OpenSSL for Windows XP, or perhaps find binaries built by someone else for Windows XP. ICS will cease supporting OpenSSL older than 1.1.1 from the end of the year, when support ceases, allowing us to remove old redundant code.

Angus

Kyle_Katarn 1 Posted April 20, 2019

Is it possible not to use BCryptGenRandom by a selection made at run time? Does this mean that we'll lose XP compatibility with ICS & OpenSSL 1.1.1 and onward? May I distribute bcrypt.dll? (which licence?)

Angus Robertson 574 Posted April 20, 2019

The choice of using BCryptGenRandom is made at compile time by OpenSSL, so you need to build the binaries yourself for XP or find someone to do it. Windows XP is long out of support, ICS no longer supports it, although it probably still works, we certainly don't test it or care about it. Nor does Microsoft. No idea if bcrypt.dll works on XP, it is probably dependent on other new DLLs.

Angus
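
A release-time check for the situation in this thread, as an added example (not code from ICS, OpenSSL or any poster): it reads a DLL's static import table and reports whether it names bcrypt.dll, the dependency behind the load-time "missing bcrypt.dll" error on XP. The function names and the `sample_pe` image are constructed for illustration.

```python
import struct

def imported_dlls(pe: bytes) -> list:
    """Return the DLL names in a PE image's static import directory."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections at +6, SizeOfOptionalHeader at +20 of the PE header
    nsect, opt_size = struct.unpack_from("<H12xH", pe, pe_off + 6)
    opt = pe_off + 24                                         # optional header
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 / PE32+
    imp_rva, _size = struct.unpack_from("<II", pe, dirs + 8)  # directory entry 1
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]
    def offset(rva):                                          # RVA -> file offset
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside any section")
    names, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None:
        desc = struct.unpack_from("<5I", pe, pos)             # 20-byte descriptor
        if not any(desc):                                     # all-zero terminator
            break
        start = offset(desc[3])                               # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        pos += 20
    return names

def needs_bcrypt(pe: bytes) -> bool:
    return "bcrypt.dll" in (n.lower() for n in imported_dlls(pe))

def sample_pe(dll_names):
    """Constructed minimal PE32 image (headers + import table only)."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)              # i386, one section
    struct.pack_into("<H", img, 0x54, 224)                    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x1000, 20 * (len(dll_names) + 1))
    struct.pack_into("<4I", img, 0x58 + 224 + 8, 0x200, 0x1000, 0x200, 0x200)
    name_off = 0x200 + 20 * (len(dll_names) + 1)
    for i, n in enumerate(dll_names):
        struct.pack_into("<I", img, 0x200 + 20 * i + 12, 0x1000 + name_off - 0x200)
        img[name_off:name_off + len(n)] = n.encode()
        name_off += len(n) + 1
    return bytes(img)
```

Run `needs_bcrypt(open(path, "rb").read())` over each OpenSSL DLL before shipping it to XP users; dependencies loaded only at run time via `LoadLibrary` or delay-load tables do not appear in this table and are not detected.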

Kyle_Katarn31 0 Posted August 21, 2019

Ok, so I'll disable SSL when used on XP. Thanks.

Sherlock 663 Posted August 21, 2019

In my opinion dumbing down the security should not be the solution. I would rather say adios to those XP users, and the same to Win7 folks. It makes development so much easier, when you don't have to deal with outdated, discontinued and unsupported OSes.

Kyle_Katarn31 0 Posted August 21, 2019

20 minutes ago, Sherlock said:
> In my opinion dumbing down the security should not be the solution. I would rather say adios to those XP users, and the same to Win7 folks. It makes development so much easier, when you don't have to deal with outdated, discontinued and unsupported OSes.

This will progressively be the consequence, but for the time being we still have many users running XP.

Sherlock 663 Posted August 21, 2019

3 minutes ago, Kyle_Katarn31 said:
> but for the time being we still have many users running XP

Do you have any numbers on that? Absolute or rough percentages.

Angus Robertson 574 Posted August 21, 2019

The short term solution is to use OpenSSL 1.1.0 which should still work on Windows XP. We still provide new binaries for 1.1.0, but support ceases in a few months, so after that there are no more security fixes. At some point, ICS may stop supporting 1.0.2 and 1.1.0 to remove some conditional code, so you may need to then keep an old version of some ICS units as well, but probably not for at least another year. Indy users will also be hit by support for 1.0.2 being stopped, since I don't believe it yet supports 1.1.0 or 1.1.1.

Angus

Kyle_Katarn31 0 Posted August 21, 2019

3 hours ago, Sherlock said:
> Do you have any numbers on that? Absolute or rough percentages.

Quantitatively, not that much, but qualitatively... Enough getting in touch with our tech support to keep XP until 2020. Then, I'll advise 🙂

Remy Lebeau 1391 Posted August 21, 2019

5 hours ago, Angus Robertson said:
> Indy users will also be hit by support for 1.0.2 being stopped, since I don't believe it yet supports 1.1.0 or 1.1.1.

Correct.

Angus Robertson 574 Posted August 22, 2019

Remy, I can probably help whoever does the Indy upgrade to OpenSSL 1.1.1, I kept good notes of the changes required, functions changed, etc.

Angus

Remy Lebeau 1391 Posted August 23, 2019 (edited)

On 8/22/2019 at 12:25 AM, Angus Robertson said:
> Remy, I can probably help whoever does the Indy upgrade to OpenSSL 1.1.1

The coder who previously worked on Indy's OpenSSL support has been MIA for a long time. Any new updates will have to go through me, and I just haven't had any time to do it myself.

Edited August 23, 2019 by Remy Lebeau