CreateCerts Directory missing

Discussion to talk about software related topics only.
SeeCwriter
Posts: 606
Joined: Mon May 12, 2008 10:55 am

CreateCerts Directory missing

Post by SeeCwriter »

In my v2.9.3 installation there is no CreateCerts directory, but there is one in the v2.9.2 installation. Can I just copy the 2.9.2 dir to 2.9.3?
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: CreateCerts Directory missing

Post by Jon »

Hi SeeCwriter,

You can feel free to copy the folder over from 2.9.2. We discovered that folder was missing shortly after the release and have since added it back in. If you run into any questions with it, please feel free to let us know.

Kind Regards,
Jon
SeeCwriter
Posts: 606
Joined: Mon May 12, 2008 10:55 am

Re: CreateCerts Directory missing

Post by SeeCwriter »

Ok, I copied the directory and tried to run makeca.bat. First I received an error about libssl-1_1-x64.dll missing. A search of all nburn subdirectories came up empty. A search of my PC turned up copies in a couple places, such as MS Visual Studio. So I copied it to nburn\pcbin. Then I get an error libcrypto-1_1-x64.dll missing. Copy that file to pcbin. Now I get error "The procedure entry point IDEA_options could not be located in the dynamic link library c:\nburn\pcbin\openssl.exe"
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: CreateCerts Directory missing

Post by Jon »

It seems like it might be worthwhile to install OpenSSL on your machine, though the .exe file that we supply should work out of the box. Just out of curiosity, did you run this .bat file when you were using 2.9.2?

I've used the installers at https://slproweb.com/products/Win32OpenSSL.html, but that's just me personally. As a company, we don't endorse them specifically or anything like that. There are several options out there, since it's an open source project.
SeeCwriter
Posts: 606
Joined: Mon May 12, 2008 10:55 am

Re: CreateCerts Directory missing

Post by SeeCwriter »

I've never used any SSL/SSH features before, so I never tried any of the createcerts executables, until now. I tried it with v2.9.2 and it fails with the same errors. I didn't see any documentation that indicated I needed to install third party software to get this to work. I don't understand why you think it would work out of the box since the installation doesn't include the dlls. Or is it the assumption that every PC comes with openssl? Interestingly, mine did, and copying the dlls to the pcbin directory removed the missing dll errors, only to introduce a new error. I looked around the openssl website and I only found downloads for the source code so I could compile my own executable. Not something I'm interested in doing. I'll keep looking.
TomNB
Posts: 538
Joined: Tue May 10, 2016 8:22 am

Re: CreateCerts Directory missing

Post by TomNB »

Hello SeeCwriter, There have been many issues with the PC you are using with respect to DLLs, and it's not something we have ever seen before. We have a number of test machines here that are used for installation testing in which the OS is wiped and a clean install is done. So in this case I reformatted the drive and installed a clean version of Windows 10 (as well as the many updates). I then installed Java, followed by our 2.9.3 tools. Everything worked correctly without any modifications or installing any other software. I reviewed all the DLL tickets you had posted, and could not reproduce any of those issues.

I'm certainly not saying it's your fault, just trying to give you some insight as to how we are trying to diagnose what is going on so we can help you. The problems are not occurring on our normal work machines, nor the installation test machines. We are continuing to try and figure out why this is happening to your specific computer. Is there anything beyond a standard Windows 10 install that might make that computer unique, such as additional IT controls or restrictions? Do you have any other computers that you could use as another data point, such as a laptop, lab computer, home computer, etc?
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: CreateCerts Directory missing

Post by Jon »

Hi SeeCwriter,

The link that I sent previously has the compiled OpenSSL libraries available via an installer for Windows. I don't blame you for not wanting to do that on your end. I wouldn't want to either. =)

The version of the executable that we distribute shouldn't require any 3rd party software to work, and the executable should be able to run without any additional dependencies (and without generating any additional errors). I had only mentioned the other site since there are conflicts with the one that we're currently distributing.

If you do use one of the installers from the link posted previously, it will give you a new openssl.exe that you can use to run the batch files. You'll just want to make sure that one is available on your path before c:\nburn\pcbin.

I hope that makes more sense, and I apologize for any confusion I may have caused with my previous response.

Kind Regards,
Jon
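
The PATH-order check described in the post above, as an added example that is not part of the original thread or of NetBurner's tooling: it lists every openssl.exe Windows can resolve, in search order, with the version each one reports and which of the OpenSSL 1.1 DLLs sit beside it. The `c:\nburn\pcbin` path and the DLL names are taken from the thread; the variable names and report layout are assumptions.

```powershell
# Added example: show which openssl.exe a batch file such as makeca.bat will pick up.
# Get-Command -All returns matches in PATH search order, so the first row is the one used.
# Note: cmd.exe also searches the current directory before PATH; Get-Command does not.
$nburnBin = 'c:\nburn\pcbin'                                   # path quoted in the thread
$dlls     = 'libssl-1_1-x64.dll', 'libcrypto-1_1-x64.dll'      # names from the error messages

$candidates = @(Get-Command openssl.exe -All -CommandType Application -ErrorAction SilentlyContinue)
if ($candidates.Count -eq 0) {
    Write-Warning 'No openssl.exe found on PATH.'
    return
}

$order  = 0
$report = @(foreach ($cmd in $candidates) {
    $order++
    $dir = Split-Path -Parent $cmd.Path
    # Ask each binary for its version, so a broken copy shows up here
    # rather than halfway through certificate generation.
    $version = "$(& $cmd.Path version 2>&1 | Select-Object -First 1)"
    [pscustomobject]@{
        Order      = $order
        Path       = $cmd.Path
        Version    = $version
        LocalDlls  = ($dlls | Where-Object { Test-Path (Join-Path $dir $_) }) -join ', '
        IsNburnBin = $dir.TrimEnd('\') -ieq $nburnBin
    }
})
$report | Format-Table -AutoSize -Wrap

if ($report[0].IsNburnBin -and $report.Count -gt 1) {
    Write-Warning "The copy in $nburnBin is first on PATH; put the installed OpenSSL directory ahead of it."
}
```

A copy whose `LocalDlls` column lists DLLs that were not shipped with that same openssl.exe is worth treating with suspicion, since the executable and its two libraries need to come from one build.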
SeeCwriter
Posts: 606
Joined: Mon May 12, 2008 10:55 am

Re: CreateCerts Directory missing

Post by SeeCwriter »

I installed openssl from the link above and it seems to be working.

When creating a certificate, can something other than a DNS or IP address be used for the common name? Our equipment doesn't use DNS and the IP address is always changing.
TomNB
Posts: 538
Joined: Tue May 10, 2016 8:22 am

Re: CreateCerts Directory missing

Post by TomNB »

I think there are others here that may be able to explain this better than me, but I think this comes down to an issue everyone new to ssl/tls faces. The purpose of ssl/tls is to guarantee that the device/server/host you are communicating with is who they say they are, exchange secure keys, then send encrypted data. When you get an official cert from a certificate authority, the verification process requires you prove this with your Common Name (CN). Self-signed certs can also use their IP address as the CN, rather than a DNS name.

If you say that a CN can change at any time, or the IP address can change at any time, the certificate is no longer valid and it breaks the fundamental security. If someone makes the claim they have ssl/tls security, and a customer makes the reasonable assumption that it would be the same as what they see all over the Internet, they may not understand it is not really secure to that standard.

For example, the man in the middle attack happens when one host connects to another that is not the intended target. That host then sends a cert, which cannot be verified as the destination. So sure, ssl/tls is used, but the host in the middle now decrypts all your data and has full access. It can even send/receive to your intended destination so you don't know it's happening. The purpose of a valid CN is to prevent this.
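
The name check described in the post above, as an added example that is not part of the original thread: a self-signed certificate is issued for one constructed name and then verified against that name and against a different one, so the only thing that changes between the two runs is the name the client expects. It assumes an installed OpenSSL 1.1.1 or later (with its default configuration file) is first on PATH; the device names and file names are constructed.

```powershell
# Added example: the certificate name check that stops a host in the middle
# from presenting some other certificate. All names below are constructed.
$work = Join-Path $env:TEMP ('cn-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$key  = Join-Path $work 'device.key'
$cert = Join-Path $work 'device.crt'
$name = 'unit-0001.example.internal'       # constructed device name

# Self-signed certificate carrying $name in both the subject CN and subjectAltName.
& openssl req -x509 -newkey rsa:2048 -nodes -days 30 `
    -keyout $key -out $cert -subj "/CN=$name" `
    -addext "subjectAltName=DNS:$name" 2>$null
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

function Test-CertName {
    param([string]$ExpectedName)
    # The self-signed cert is its own trust anchor here, so chain building
    # always succeeds and only the name comparison can reject it.
    & openssl verify -CAfile $cert -verify_hostname $ExpectedName $cert *> $null
    return ($LASTEXITCODE -eq 0)
}

$results = foreach ($n in $name, 'unit-0002.example.internal') {
    [pscustomobject]@{ ClientExpects = $n; Accepted = (Test-CertName $n) }
}
$results | Format-Table -AutoSize

Remove-Item -Recurse -Force $work
```

The first row is accepted and the second is rejected with a hostname mismatch, even though the certificate, key and trust anchor are identical in both runs.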
SeeCwriter
Posts: 606
Joined: Mon May 12, 2008 10:55 am

Re: CreateCerts Directory missing

Post by SeeCwriter »

Never mind, I found the answer. I just needed to read a little more.