Kyle_Katarn 1 Posted April 17, 2019 Hello, After upgrading to 8.59 + OpenSSL 1.1.1b, my users under Windows XP (and only XP) are now getting a message at startup "missing bcrypt.dll". This was not the case with earlier versions (of ICS and OpenSSL) Is this intentionnal ? Share this post Link to post
Ugochukwu Mmaduekwe 42 Posted April 17, 2019 This might have something to do with newer OpenSSL Dlls switching from using the Legacy CryptoAPI to using BCryptGenRandom for generating OS Random numbers. Share this post Link to post
Angus Robertson 574 Posted April 18, 2019 bcrypt.dll is only used if OpenSSL is compiled for Windows 7 or later, but I'm afraid that is how our binaries are built, since Windows XP is long out of support. You will need to keep using an older version of OpenSSL for Windows XP, or perhaps find binaries built by someone else for Windows XP. ICS will cease supporting OpenSSL older than 1.1.1 from the end of the year, when support ceases, allowing us to remove old redundant code. Angus Share this post Link to post
Kyle_Katarn 1 Posted April 20, 2019 Is it possible not to use BCryptGenRandom by a selection made at run time ? Does this mean that we'll loose XP compatibility with ICS & OpenSSL 1.1.1 and onward ? May I distribute bcrypt.dll ? (which licence ?) Share this post Link to post
Angus Robertson 574 Posted April 20, 2019 The choice of using BCryptGenRandom is made at compile time by OpenSSL, so you need to build the binaries yourself for XP or find someone to do it. Windows XP is long out of support, ICS no longer supports it, although it probably still works, we certainly don't test it or care about it. Nor does Microsoft. No idea if bcrypt.dll works on XP, it is probably dependent on other new DLLs. Angus Share this post Link to post
Kyle_Katarn31 0 Posted August 21, 2019 Ok, so I'll disable SSL when used on XP. Thanks. Share this post Link to post
Sherlock 663 Posted August 21, 2019 In my opinion dumming down the security should not be the solution. I would rather say adios to those XP users, and the same to Win7 folks. It makes development so much easier, when you don't have to deal with outdated, discontinued and unsupported OSes. Share this post Link to post
Kyle_Katarn31 0 Posted August 21, 2019 20 minutes ago, Sherlock said: In my opinion dumming down the security should not be the solution. I would rather say adios to those XP users, and the same to Win7 folks. It makes development so much easier, when you don't have to deal with outdated, discontinued and unsupported OSes. This will progressively be the consequence, but for the time being we still have many users running XP Share this post Link to post
Sherlock 663 Posted August 21, 2019 3 minutes ago, Kyle_Katarn31 said: but for the time being we still have many users running XP Do you have any numbers on that? Absolute or rough percentages. Share this post Link to post
Angus Robertson 574 Posted August 21, 2019 The short term solution is to use OpenSSL 1.1.0 which should still work on Windows XP. We still provide new binaries for 1.1.0, but support ceases in a few months, so after that there are no more security fixes. At some point, ICS may stop supporting 1.0.2 and 1.1.0 to remove some conditional code, so you may need to then keep an old version of some ICS units as well, but probably not for at least another year. Indy users will also be hit by support for 1.0.2 being stopped, since I don't believe it yet supports 1.1.0 or 1.1.1. Angus Share this post Link to post
Kyle_Katarn31 0 Posted August 21, 2019 3 hours ago, Sherlock said: Do you have any numbers on that? Absolute or rough percentages. Quantitatively, not that much, but qualitatively... Enough getting in touch with our tech support to keep XP until 2020. Then, I'll advise 🙂 Share this post Link to post
Remy Lebeau 1396 Posted August 21, 2019 5 hours ago, Angus Robertson said: Indy users will also be hit by support for 1.0.2 being stopped, since I don't believe it yet supports 1.1.0 or 1.1.1. Correct. Share this post Link to post
Angus Robertson 574 Posted August 22, 2019 Remy, I can probably help whoever does the Indy upgrade to OpenSSL 1.1.1, I kept good notes of the changes required, functions changed, etc. Angus Share this post Link to post
Remy Lebeau 1396 Posted August 23, 2019 (edited) On 8/22/2019 at 12:25 AM, Angus Robertson said: Remy, I can probably help whoever does the Indy upgrade to OpenSSL 1.1.1 The coder who previously worked on Indy's OpenSSL's support has been MIA for a long time. Any new updates will have to go through me, and I just haven't had any time to do it myself. Edited August 23, 2019 by Remy Lebeau Share this post Link to post