Kyle_Katarn

Win XP app fails to start -- missing bcrypt.dll

Hello,

After upgrading to 8.59 + OpenSSL 1.1.1b, my users under Windows XP (and only XP) are now getting a message at startup "missing bcrypt.dll".

This was not the case with earlier versions (of ICS and OpenSSL).

Is this intentional?


This might have something to do with newer OpenSSL DLLs switching from using the Legacy CryptoAPI to using BCryptGenRandom for generating OS Random numbers.

bcrypt.dll is only used if OpenSSL is compiled for Windows 7 or later, but I'm afraid that is how our binaries are built, since Windows XP is long out of support. You will need to keep using an older version of OpenSSL for Windows XP, or perhaps find binaries built by someone else for Windows XP. ICS will cease supporting OpenSSL older than 1.1.1 from the end of the year, when support ceases, allowing us to remove old redundant code.

Angus

Is it possible not to use BCryptGenRandom by a selection made at run time? Does this mean that we'll lose XP compatibility with ICS & OpenSSL 1.1.1 and onward? May I distribute bcrypt.dll? (which licence?)


The choice of using BCryptGenRandom is made at compile time by OpenSSL, so you need to build the binaries yourself for XP or find someone to do it. Windows XP is long out of support, ICS no longer supports it, although it probably still works, we certainly don't test it or care about it. Nor does Microsoft.

No idea if bcrypt.dll works on XP, it is probably dependent on other new DLLs.

Angus
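
A pre-release check for the situation discussed in this thread, as an added example that is not from any poster, ICS or OpenSSL: it reads a DLL's PE import directory and reports a load-time import of bcrypt.dll, which is fixed when the binary is built. `imported_dlls`, `xp_blockers` and `build_sample` are hypothetical names, and the sample image is constructed, not a real OpenSSL binary.

```python
import struct

def imported_dlls(pe: bytes) -> list:
    """Return DLL names from the load-time import directory of a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if pe32plus else 96) + 8)[0]
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def offset(rva):
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    names, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None:
        name_rva = struct.unpack_from("<I", pe, pos + 12)[0]   # descriptor Name field
        if name_rva == 0:                                      # null descriptor ends the table
            break
        start = offset(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        pos += 20
    return names

def xp_blockers(pe, absent_on_xp=("bcrypt.dll",)):   # assumption: set taken from this thread
    return [d for d in imported_dlls(pe) if d.lower() in absent_on_xp]

def build_sample(names):
    """Constructed minimal PE32 image with one import section; not a real OpenSSL DLL."""
    nt, opt_size, va, raw = 0x40, 224, 0x1000, 0x200
    blob = bytearray(20 * (len(names) + 1))            # descriptors + null terminator
    for i, name in enumerate(names):
        struct.pack_into("<I", blob, 20 * i + 12, va + len(blob))
        blob += name.encode() + b"\0"
    hdr = bytearray(raw)
    hdr[:2], hdr[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, nt)
    struct.pack_into("<HH12xH", hdr, nt + 4, 0x14C, 1, opt_size)
    struct.pack_into("<H", hdr, nt + 24, 0x10B)          # PE32 magic
    struct.pack_into("<II", hdr, nt + 24 + 96 + 8, va, len(blob))   # import directory
    struct.pack_into("<8s4I", hdr, nt + 24 + opt_size, b".idata", len(blob), va, len(blob), raw)
    return bytes(hdr + blob)

if __name__ == "__main__":
    print(xp_blockers(build_sample(["KERNEL32.dll", "bcrypt.dll"])))
```

To check a real build, pass the bytes of the DLL file to `xp_blockers`; delay-loaded imports and DLLs opened at run time are not in this table and are not reported.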

 


In my opinion dumbing down the security should not be the solution. I would rather say adios to those XP users, and the same to Win7 folks. It makes development so much easier, when you don't have to deal with outdated, discontinued and unsupported OSes.

20 minutes ago, Sherlock said:

In my opinion dumbing down the security should not be the solution. I would rather say adios to those XP users, and the same to Win7 folks. It makes development so much easier, when you don't have to deal with outdated, discontinued and unsupported OSes.

This will progressively be the consequence, but for the time being we still have many users running XP.

3 minutes ago, Kyle_Katarn31 said:

but for the time being we still have many users running XP

Do you have any numbers on that? Absolute or rough percentages.


The short-term solution is to use OpenSSL 1.1.0 which should still work on Windows XP. We still provide new binaries for 1.1.0, but support ceases in a few months, so after that there are no more security fixes. At some point, ICS may stop supporting 1.0.2 and 1.1.0 to remove some conditional code, so you may need to then keep an old version of some ICS units as well, but probably not for at least another year.

Indy users will also be hit by support for 1.0.2 being stopped, since I don't believe it yet supports 1.1.0 or 1.1.1.

Angus

3 hours ago, Sherlock said:

Do you have any numbers on that? Absolute or rough percentages.

Quantitatively, not that much, but qualitatively... Enough getting in touch with our tech support to keep XP until 2020. Then, I'll advise 🙂

5 hours ago, Angus Robertson said:

Indy users will also be hit by support for 1.0.2 being stopped, since I don't believe it yet supports 1.1.0 or 1.1.1. 

Correct.


Remy, I can probably help whoever does the Indy upgrade to OpenSSL 1.1.1, I kept good notes of the changes required, functions changed, etc.

Angus

On 8/22/2019 at 12:25 AM, Angus Robertson said:

Remy, I can probably help whoever does the Indy upgrade to OpenSSL 1.1.1

The coder who previously worked on Indy's OpenSSL support has been MIA for a long time. Any new updates will have to go through me, and I just haven't had any time to do it myself.

Edited by Remy Lebeau
