diff --git a/.github/workflows/make-check.yml b/.github/workflows/make-check.yml index 668fa2b3a..bdc8dcd33 100755 --- a/.github/workflows/make-check.yml +++ b/.github/workflows/make-check.yml @@ -11,15 +11,21 @@ on: - xmlsec-1_2_x jobs: + # linux: check against latest versions of everything check-ubuntu: runs-on: ubuntu-latest strategy: fail-fast: false matrix: include: + # default build - config_flags: - - config_flags: --enable-static --enable-static-linking --disable-openssl3-engines --without-nss --without-gcrypt --without-gnutls - - config_flags: --enable-static --enable-static-linking --enable-ftp --enable-md5 --enable-gost --enable-gost2012 --without-openssl --without-nss --without-gcrypt + # default build with all legacy features + - config_flags: --enable-legacy-features --enable-ftp --enable-http + # static openssl build + - config_flags: --enable-static --enable-static-linking --disable-openssl3-engines --without-nss --without-gnutls --without-gcrypt --enable-legacy-features + # static gnutls build with GOST + - config_flags: --enable-static --enable-static-linking --without-openssl --without-nss --without-gcrypt --enable-gost --enable-gost2012 --enable-legacy-features steps: - name: install dependencies run: | @@ -48,14 +54,17 @@ jobs: run: | make install + # linux: check against old versions including openssl 1.1.1 check-ubuntu-openssl-111: runs-on: ubuntu-20.04 strategy: fail-fast: false matrix: include: + # default build - config_flags: - - config_flags: --enable-static-linking=yes --without-nss --without-gcrypt --without-gnutls + # static openssl build + - config_flags: --enable-static --enable-static-linking --without-nss --without-gnutls --without-gcrypt --enable-legacy-features steps: - name: install dependencies run: | 
@@ -86,13 +95,17 @@ jobs: run: | make install + # macosx check-osx: runs-on: macos-latest strategy: fail-fast: false matrix: include: + # default build - config_flags: + # default build with all legacy features -- not possible because MacOSX disables RIPEMD160 in OpenSSL + # - config_flags: --enable-legacy-features --enable-ftp --enable-http steps: - name: Set up Homebrew id: set-up-homebrew @@ -135,18 +148,25 @@ jobs: run: | make install + # mingw check-mingw: runs-on: windows-latest strategy: fail-fast: false matrix: include: + # default build - msystem: MINGW64 arch: x86_64 - config_flags: --enable-unicode=yes + config_flags: + # default build with all legacy features - msystem: MINGW64 arch: x86_64 - config_flags: --enable-static --enable-static-linking --enable-unicode=no --enable-md5 --enable-ftp + config_flags: --enable-legacy-features --enable-ftp --enable-http + # no unicode static build for mscng + - msystem: MINGW64 + arch: x86_64 + config_flags: --enable-static --enable-static-linking --enable-unicode=no --without-openssl --without-nss --without-gnutls --without-gcrypt --disable-mscrypto defaults: run: shell: msys2 {0} 
@@ -198,28 +218,35 @@ jobs: run: | make install + # msvc check-msvc: runs-on: windows-latest strategy: fail-fast: false matrix: include: + # mscng: default build - crypto: mscng config_flags: unicode=yes with-dl=yes + # mscng: no unicode, legacy crypto - crypto: mscng - config_flags: unicode=no with-dl=no static=yes legacy-crypto=yes + config_flags: unicode=no with-dl=no static=yes legacy-features=yes + # mscrypto: default build - crypto: mscrypto - config_flags: unicode=yes with-dl=yes + config_flags: + # mscrypto: no unicode, legacy crypto - crypto: mscrypto - config_flags: unicode=no with-dl=no static=yes legacy-crypto=yes + config_flags: unicode=no with-dl=no static=yes legacy-features=yes + # mscng: default build - crypto: openssl-300 - config_flags: unicode=yes with-dl=yes + config_flags: + # mscng: no unicode, legacy crypto - crypto: openssl-300 config_flags: unicode=no with-dl=no static=yes env: VISUAL_STUDIO_ROOT: "C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise" INSTALL_FOLDER: c:\install.dir - LIBS_VERSION: 1.3.5 + LIBS_VERSION: 1.3.6 steps: - name: create-dirs run: |
diff --git a/apps/xmlsec.c b/apps/xmlsec.c
index e22637a16..17b31ff27 100644
--- a/apps/xmlsec.c
+++ b/apps/xmlsec.c
@@ -945,6 +945,17 @@ static xmlSecAppCmdLineParam verificationGmtTimeParam = {
 NULL
 };

+static xmlSecAppCmdLineParam X509SkipTimeChecksParam = {
+ xmlSecAppCmdLineTopicX509Certs,
+ "--X509-skip-time-checks",
+ NULL,
+ "--X509-skip-time-checks"
+ "\n\tskip time checking of X509 certificates and CLRs",
+ xmlSecAppCmdLineParamTypeFlag,
+ xmlSecAppCmdLineParamFlagNone,
+ NULL
+};
+
 static xmlSecAppCmdLineParam depthParam = {
 xmlSecAppCmdLineTopicX509Certs,
 "--depth",
@@ -1065,6 +1076,7 @@ static xmlSecAppCmdLineParamPtr parameters[] = {
 &crlDerParam,
 &verificationTimeParam,
 &verificationGmtTimeParam,
+ &X509SkipTimeChecksParam,
 &depthParam,
 &X509SkipStrictChecksParam,
 &X509DontVerifyCerts,
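Review bot: The comments above the two `crypto: openssl-300` matrix entries still read `# mscng: default build` and `# mscng: no unicode, legacy crypto`, which mislabels them as mscng jobs, and the second one says "legacy crypto" although that entry passes no `legacy-features` flag. Suggest `# openssl-300: default build` and `# openssl-300: no unicode, static build` so the matrix comments match the jobs they describe.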
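Review bot: The new help string for `--X509-skip-time-checks` says `CLRs` where `CRLs` (certificate revocation lists) is meant, and the same typo is repeated in the 1.3.7 news entry in docs/index.html; change the literal to `"\n\tskip time checking of X509 certificates and CRLs"`. Because this option accepts expired and not-yet-valid certificates, it would help users to say so in the help text, e.g. append `" (expired or not yet valid certificates will verify)"` to that description.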
@@ -2272,6 +2284,9 @@ xmlSecAppPrepareKeyInfoCtx(xmlSecKeyInfoCtxPtr keyInfoCtx) {
 if(xmlSecAppCmdLineParamIsSet(&verificationGmtTimeParam)) {
 keyInfoCtx->certsVerificationTime = xmlSecAppCmdLineParamGetTime(&verificationGmtTimeParam, 0);
 }
+ if(xmlSecAppCmdLineParamIsSet(&X509SkipTimeChecksParam)) {
+ keyInfoCtx->flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS;
+ }
 if(xmlSecAppCmdLineParamIsSet(&depthParam)) {
 keyInfoCtx->certsVerificationDepth = xmlSecAppCmdLineParamGetInt(&depthParam, 0);
 }
diff --git a/configure.ac b/configure.ac
index 24a0bc7cf..360fecac6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,10 +1,10 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT([xmlsec1],[1.3.6],[http://www.aleksey.com/xmlsec])
+AC_INIT([xmlsec1],[1.3.7],[http://www.aleksey.com/xmlsec])
 XMLSEC_PACKAGE=xmlsec1
 XMLSEC_VERSION_MAJOR=1
 XMLSEC_VERSION_MINOR=3
-XMLSEC_VERSION_SUBMINOR=6
+XMLSEC_VERSION_SUBMINOR=7
 XMLSEC_VERSION="$XMLSEC_VERSION_MAJOR.$XMLSEC_VERSION_MINOR.$XMLSEC_VERSION_SUBMINOR"
 XMLSEC_VERSION_INFO=`echo $XMLSEC_VERSION | awk -F. '{ printf "%d:%d:%d", $1+$2, $3, $2 }'`
 XMLSEC_VERSION_SAFE=`echo $XMLSEC_VERSION | sed 's/\./_/g'`
@@ -182,13 +182,30 @@ if test "z$enable_development" = "zyes" ; then enable_manpages_build="no" enable_docs_build="no" enable_crypto_dl="no" + enable_legacy_features="yes" + AC_MSG_RESULT([yes]) +else + AC_MSG_RESULT([no]) +fi - dnl legacy crypto +dnl ========================================================================== +dnl Do we want to with legacy features? +dnl ========================================================================== +AC_MSG_CHECKING(for legacy features support) +AC_ARG_ENABLE([legacy_features], [AS_HELP_STRING([--enable-legacy_features],[legacy features (no)])]) +if test "z$enable_legacy_features" = "zyes" ; then + + dnl legacy crypto engines + enable_mscrypto="yes" + with_gcrypt="yes" + + dnl legacy crypto algos enable_md5="yes" + enable_ripemd160="yes" AC_MSG_RESULT([yes]) else - AC_MSG_RESULT([disabled]) + AC_MSG_RESULT([no]) fi dnl ========================================================================== @@ -1362,7 +1379,6 @@ AC_SUBST(GNUTLS_CRYPTO_LIB) AC_SUBST(GNUTLS_MIN_VERSION) - dnl ========================================================================== dnl See if we can find MSCng dnl ========================================================================== @@ -1377,7 +1393,7 @@ AC_ARG_ENABLE([mscng], [AS_HELP_STRING([--enable-mscng],[enable mscng (no)])]) AC_MSG_CHECKING(for mscng) dnl Priority 0: Check if library is not needed -if test "z$enable_mscng" != "zyes" ; then +if test "z$enable_mscng" = "zno" ; then MSCNG_FOUND="disabled" AC_MSG_RESULT([disabled]) fi @@ -1459,7 +1475,7 @@ esac XMLSEC_NO_MSCRYPTO="1" MSCRYPTO_FOUND="no" -AC_ARG_ENABLE([mscrypto], [AS_HELP_STRING([--enable-mscrypto],[enable mscrypto (no)])]) +AC_ARG_ENABLE([mscrypto], [AS_HELP_STRING([--enable-mscrypto],[enable mscrypto (no,deprecated)])]) AC_MSG_CHECKING(for mscrypto) dnl Priority 0: Check if library is not needed 
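Review bot: The `--enable-legacy-features` block assigns `with_gcrypt="yes"` and `enable_mscrypto="yes"` unconditionally, so an explicit `--without-gcrypt` or `--disable-mscrypto` on the same command line (already applied during option parsing before this block runs) is silently overwritten and the gcrypt check in the `@@ -1538` hunk will look for gcrypt anyway; the make-check.yml matrix in this same diff passes exactly that combination (`--without-gcrypt --enable-legacy-features`) in the static openssl and gnutls jobs. Only fill in a default when the user said nothing: `if test "z$with_gcrypt" = "z" ; then with_gcrypt="yes" ; fi`, and the same for `enable_mscrypto`. The help string prints `--enable-legacy_features` with an underscore while the option is actually spelled `--enable-legacy-features` everywhere else in this diff; print the hyphenated form. The new section comment `Do we want to with legacy features?` is missing its verb ("build with").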
@@ -1538,10 +1554,10 @@ GCRYPT_VERSION= GCRYPT_INCLUDE_PATH= GCRYPT_LIB_PATH= GCRYPT_FOUND="no" -AC_ARG_WITH([gcrypt], [AS_HELP_STRING([--with-gcrypt@<:@=PFX@:>@],[gcrypt location])]) +AC_ARG_WITH([gcrypt], [AS_HELP_STRING([--with-gcrypt@<:@=PFX@:>@],[gcrypt location (no,deprecated)])]) dnl Priority 0: Check if library is not needed -if test "z$with_gcrypt" = "zno" ; then +if test "z$with_gcrypt" = "z" -o "z$with_gcrypt" = "zno" ; then GCRYPT_FOUND="disabled" fi @@ -1913,14 +1929,14 @@ dnl ========================================================================== dnl Check if we need RIPEMD-160 support dnl ========================================================================== AC_MSG_CHECKING(for RIPEMD-160 support) -AC_ARG_ENABLE([ripemd160], [AS_HELP_STRING([--enable-ripemd160],[enable RIPEMD-160 support (yes)])]) -if test "z$enable_ripemd160" = "zno" ; then +AC_ARG_ENABLE([ripemd160], [AS_HELP_STRING([--enable-ripemd160],[enable RIPEMD-160 support (no, deprecated))])]) +if test "z$enable_ripemd160" = "zyes" ; then + XMLSEC_NO_RIPEMD160="0" + AC_MSG_RESULT([yes (deprecated)]) +else XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_RIPEMD160=1" XMLSEC_NO_RIPEMD160="1" AC_MSG_RESULT([disabled]) -else - XMLSEC_NO_RIPEMD160="0" - AC_MSG_RESULT([yes]) fi AM_CONDITIONAL(XMLSEC_NO_RIPEMD160, test "z$XMLSEC_NO_RIPEMD160" = "z1") AC_SUBST(XMLSEC_NO_RIPEMD160) 
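Review bot: The new AS_HELP_STRING for `--enable-ripemd160` has an unbalanced parenthesis, `(no, deprecated))`, which will show up verbatim in `./configure --help`; use `[enable RIPEMD-160 support (no, deprecated)]`. Since RIPEMD-160 (like gcrypt in the preceding hunk) is now off unless requested, and the legacy block earlier in this diff sets `enable_ripemd160="yes"`, the help text could also say that `--enable-legacy-features` turns it back on so users do not have to find that by reading configure.ac.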
@@ -2058,14 +2074,14 @@ dnl ========================================================================== dnl Check if we need DSA support dnl ========================================================================== AC_MSG_CHECKING(for DSA support) -AC_ARG_ENABLE([dsa], [AS_HELP_STRING([--enable-dsa],[enable DSA support (yes)])]) +AC_ARG_ENABLE([dsa], [AS_HELP_STRING([--enable-dsa],[enable DSA support (yes, use discouraged)])]) if test "z$enable_dsa" = "zno" ; then XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_DSA=1" XMLSEC_NO_DSA="1" AC_MSG_RESULT([disabled]) else XMLSEC_NO_DSA="0" - AC_MSG_RESULT([yes]) + AC_MSG_RESULT([yes (use discouraged)]) fi AM_CONDITIONAL(XMLSEC_NO_DSA, test "z$XMLSEC_NO_DSA" = "z1") AC_SUBST(XMLSEC_NO_DSA) @@ -2154,14 +2170,14 @@ dnl ========================================================================== dnl Check if we need DES support dnl ========================================================================== AC_MSG_CHECKING(for DES support) -AC_ARG_ENABLE([des], [AS_HELP_STRING([--enable-des],[enable DES support (yes, deprecated)])]) +AC_ARG_ENABLE([des], [AS_HELP_STRING([--enable-des],[enable DES support (yes, use discouraged)])]) if test "z$enable_des" = "zno" ; then XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_DES=1" XMLSEC_NO_DES="1" AC_MSG_RESULT([disabled]) else XMLSEC_NO_DES="0" - AC_MSG_RESULT([yes (deprecated)]) + AC_MSG_RESULT([yes (use discouraged)]) fi AM_CONDITIONAL(XMLSEC_NO_DES, test "z$XMLSEC_NO_DES" = "z1") AC_SUBST(XMLSEC_NO_DES) @@ -2385,7 +2401,7 @@ if test "z$LIBLTDL_FOUND" = "zno" -a "z$PKGCONFIG_FOUND" = "zyes" ; then [LIBLTDL_FOUND=no]) fi -dnl Priority 4: on MacOSX libltdl is in the 'libtool' brew package +dnl Priority 4: on MacOSX libltdl is in the 'libtool' brew package if test "z$LIBLTDL_FOUND" = "zno" -a "z$build_on_mac" = "zyes" ; then AC_MSG_CHECKING(for libltdl library installation in 'brew') LIBTOOL_PATH=`brew --prefix libtool` 
diff --git a/docs/api/xmlsec-version.html b/docs/api/xmlsec-version.html index a1baf8e72..8cc87ac5d 100644 --- a/docs/api/xmlsec-version.html +++ b/docs/api/xmlsec-version.html @@ -78,7 +78,7 @@
#define XMLSEC_VERSION "1.3.6" +#define XMLSEC_VERSION "1.3.7"The library version string in the format "$major_number.$minor_number.$sub_minor_number".
@@ -100,14 +100,14 @@version
XMLSEC_VERSION_SUBMINOR
-#define XMLSEC_VERSION_SUBMINOR 6 +#define XMLSEC_VERSION_SUBMINOR 7The library sub-minor version number.
XMLSEC_VERSION_INFO
-#define XMLSEC_VERSION_INFO "4:6:3" +#define XMLSEC_VERSION_INFO "4:7:3"The library version info string in the format "$major_number+$minor_number:$sub_minor_number:$minor_number".
diff --git a/docs/api/xmlsec-xmlsec.html b/docs/api/xmlsec-xmlsec.html index 3bb217975..bfc0536b2 100644 --- a/docs/api/xmlsec-xmlsec.html +++ b/docs/api/xmlsec-xmlsec.html @@ -110,6 +110,10 @@xmlsec
+ +#define +XMLSEC_DEPRECATED +@@ -138,10 +142,6 @@ typedef xmlSecPtr xmlsec
xmlSecByte - -#define -XMLSEC_DEPRECATED -@@ -302,6 +302,13 @@ enum xmlSecCheckVersionMode xmlsec
Types and Values
++XMLSEC_DEPRECATED
+#define XMLSEC_DEPRECATED __attribute__((deprecated)) ++Marks function as deprecated.
+
+
--XMLSEC_DEPRECATED
-#define XMLSEC_DEPRECATED __attribute__((deprecated)) --Marks function as deprecated.
-
-enum xmlSecCheckVersionMode
The xmlsec library version mode.
diff --git a/docs/api/xmlsec.devhelp2 b/docs/api/xmlsec.devhelp2 index 78e56b6fa..e93927606 100644 --- a/docs/api/xmlsec.devhelp2 +++ b/docs/api/xmlsec.devhelp2 @@ -1014,6 +1014,7 @@+ @@ -1021,7 +1022,6 @@ - diff --git a/docs/download.html b/docs/download.html index b3b7cd9b2..8b08173a9 100644 --- a/docs/download.html +++ b/docs/download.html @@ -48,11 +48,11 @@ Download
Stable releases
-The latest stable XML Security Library version is 1.3.6:
+The latest stable XML Security Library version is 1.3.7:
- - Sources - and signature + Sources + and signature for the latest version (Coverity report).
- diff --git a/docs/index.html b/docs/index.html index b631eed89..0fa784136 100644 --- a/docs/index.html +++ b/docs/index.html @@ -68,8 +68,21 @@
XML Security Library
News
- TBD
+
+ The XML Security Library 1.3.7 release includes the following changes: ++
+- (xmlsec-core) Disabled old crypto algorithms (MD5, RIPEMD160) and the old crypto engines (MSCrypto, GCrypt) by default (use "--with-legacy-features" option to reenable everything).
+- (xmlsec-windows) Disabled old crypto algorithms (MD5, RIPEMD160), made "mscng" the default crypto engine on Windows, and added support for "legacy-features" flag for "configure.js".
- +
- (xmlsec-openssl, xmlsec-gnutls, xmlsec-mscng) Added an option to skip timestamp checks for certificates and CLRs.
+- Several other small fixes (see more details).
+
+ +- October 22, 2024
The XML Security Library 1.3.6 release includes the following changes:+
@@ -355,32 +368,6 @@- (xmlsec-openssl) Fixed build if OpenSSL 3.0 doesn't have engines support enabled.
+- (xmlsec-mscng, xmlsec-mscrypto) Added support for multiple trusted certs with the same subject.
- (windows) Disabled iconv support by default (use 'iconv=yes' option for 'configure.js' to re-enable it).
- Several other small fixes (see more details).
XML Security Library
-- October 25, 2022
-
- The XML Security Library 1.2.35 release includes the following changes: --
-- - Migration to OpenSSL 3.0 API (based on PR by @snargit). Note that OpenSSL engines - are disabled by default when XMLSec library is compiled against OpenSSL 3.0. - To re-enable OpenSSL engines, use "--enable-openssl3-engines" configure flag - (there will be a lot of deprecation warnings). -
-- - The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and - will be removed in the future versions of XMLSec Library. -
-- - Refactored all the integer casts to ensure cast-safety. Fixed all warnings - and enabled "-Werror" and "-pedantic" flags on CI builds. -
-- - Added configure flag to use size_t for xmlSecSize (currently disabled by default - for backward compatibility). -
-- Moved all CI builds to GitHub actions.
-- Several other small fixes (more details).
-
News page diff --git a/docs/news.html b/docs/news.html index 464e72306..46126c813 100644 --- a/docs/news.html +++ b/docs/news.html @@ -49,7 +49,19 @@XML Security Library News
- TBD
+
- TODO: COPY FROM index.html + +
+ + +- October 22, 2024
+ The XML Security Library 1.3.6 release includes the following changes: ++
- (xmlsec-openssl) Fixed build if OpenSSL 3.0 doesn't have engines support enabled.
+- (xmlsec-mscng, xmlsec-mscrypto) Added support for multiple trusted certs with the same subject.
+- (windows) Disabled iconv support by default (use 'iconv=yes' option for 'configure.js' to re-enable it).
+- Several other small fixes (see more details).
+
diff --git a/include/xmlsec/keyinfo.h b/include/xmlsec/keyinfo.h index c7b6a87b7..55e51b669 100644 --- a/include/xmlsec/keyinfo.h +++ b/include/xmlsec/keyinfo.h @@ -165,6 +165,13 @@ typedef enum { */ #define XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH 0x00008000 +/** + * XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS: + * + * If the flag is set then we'll skip time checks of certs and CRLs + */ +#define XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS 0x00010000 + /** * xmlSecKeyInfoCtx: * @userData: the pointer to user data (xmlsec and xmlsec-crypto diff --git a/man/xmlsec1-config.1 b/man/xmlsec1-config.1 index 46945ed43..60513ffb3 100644 --- a/man/xmlsec1-config.1 +++ b/man/xmlsec1-config.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.49.3. -.TH XMLSEC1-CONFIG "1" "July 2024" "xmlsec1-config 1.3.6" "User Commands" +.TH XMLSEC1-CONFIG "1" "October 2024" "xmlsec1-config 1.3.7" "User Commands" .SH NAME xmlsec1-config \- detail installed version of xmlsec library .SH SYNOPSIS diff --git a/man/xmlsec1.1 b/man/xmlsec1.1 index a639a4a9f..a1b4323b5 100644 --- a/man/xmlsec1.1 +++ b/man/xmlsec1.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.49.3. -.TH XMLSEC1 "1" "July 2024" "xmlsec1 1.3.6 (openssl)" "User Commands" +.TH XMLSEC1 "1" "TBD TBD" "xmlsec1 1.3.7 (openssl)" "User Commands" .SH NAME xmlsec1 \- sign, verify, encrypt and decrypt XML documents .SH SYNOPSIS diff --git a/scripts/README-WINDOWS.md.in b/scripts/README-WINDOWS.md.in new file mode 100755 index 000000000..34bf93c26 --- /dev/null +++ b/scripts/README-WINDOWS.md.in 
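Review bot: The new comment for `XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS` does not say what happens when the flag is combined with `certsVerificationTime`, and the three backends in this diff disagree: src/openssl/x509vfy.c and src/gnutls/x509vfy.c skip time checks whenever the flag is set, while src/mscng/x509vfy.c gives `certsVerificationTime > 0` priority (`else if`) and still checks against that time. Pick one rule, make the backends agree, and state it here, e.g. `If the flag is set then time checks of certs and CRLs are skipped (takes precedence over certsVerificationTime)`. The comment also promises CRL time checks are skipped, but the mscng hunk only gates the certificate notBefore/notAfter check; if CRL handling there is unchanged, wording such as `certificates (and CRLs where the crypto backend supports it)` would be more accurate.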
@@ -0,0 +1,39 @@ +# This package contains the LibXML2, LibXSLT, OpenSSL, and XMLSec binaries for Win64 (/MD runtime). + +## LibXML2 (@libxml2_version@) +``` +cd win32 +cscript configure.js iconv=no zlib=no cruntime=/MD prefix=c:\local\distro\libxml2 +nmake +nmake install +``` + +## LibXSLT (@libxslt_version@) +``` +cd win32 +cscript configure.js iconv=no zlib=no cruntime=/MD prefix=c:\local\distro\libxslt include=c:\local\distro\libxml2\include\libxml2 lib=c:\local\distro\libxml2\lib +nmake +nmake install +``` + +## OpenSSL (@openssl_version@) +``` +C:\Strawberry\perl\bin\perl.exe Configure no-unit-test --prefix=c:\local\distro\openssl --release VC-WIN64A +nmake +nmake install_sw +``` + +## XMLSec (@xmlsec_version@) +``` +cd win32 +cscript configure.js pedantic=yes werror=yes with-dl=yes cruntime=/MD xslt=yes crypto=openssl,mscng unicode=yes prefix=C:\local\distro\xmlsec include=C:\local\distro\libxml2\include;C:\local\distro\libxml2\include\libxml2;C:\local\distro\libxslt\include;C:\local\distro\openssl\include; lib=C:\local\distro\libxml2\lib;C:\local\distro\libxslt\lib;C:\local\distro\openssl\lib +nmake +nmake install +``` + +## Archive +``` +cd c:\local\distro +find . -name "*.pdb" -exec rm {} \; +zip -r xmlsec1-@xmlsec_version@-win64.zip libxml2 libxslt openssl xmlsec README.md +``` diff --git a/scripts/build_windows.sh b/scripts/build_windows.sh new file mode 100755 index 000000000..bde8447d4 --- /dev/null +++ b/scripts/build_windows.sh 
@@ -0,0 +1,231 @@ +#!/bin/bash +# +# MUST BE RUN FROM x64 Native Tools Command Prompt +# +# $ bash build_windows.sh +# +libxml2_version="2.13.4" +libxslt_version="1.1.42" +openssl_version="3.4.0" +xmlsec_version="1.3.7-rc1" + +pwd=`pwd` +script_dir=`dirname $0` +work_dir="c:\\local\\dev" +distro_dir="c:\\local\\distro" +libxml2_output_dir="${distro_dir}\libxml2" +libxslt_output_dir="${distro_dir}\libxslt" +openssl_output_dir="${distro_dir}\openssl" +xmlsec_output_dir="${distro_dir}\xmlsec" + +zip_folders_and_files="libxml2 libxslt openssl xmlsec README.md" +zip_output_file="${distro_dir}\\xmlsec1-${xmlsec_version}-win64.zip" + +PERL_PATH="C:\\Strawberry\\perl\\bin" +LOG_FILE="C:\\temp\\build-windows.log" + +function build_libxml2 { + # check if already built + full_name="libxml2-v${libxml2_version}" + full_url="https://gitlab.gnome.org/GNOME/libxml2/-/archive/v${libxml2_version}/${full_name}.tar.gz" + + echo "*** Checking if ${full_name} is already built..." + if [ -d "${work_dir}\\${full_name}" -a -d "${libxml2_output_dir}" ] ; then + echo "Found ${full_name}, skipping build" + return 0 + else + echo "Folder \"${work_dir}\\${full_name}\" and/or \"${libxml2_output_dir}\" are missing, rebuilding ${full_name}" + fi + + # build it! + cd "${work_dir}" + rm -rf "${work_dir}\\${full_name}" "${libxml2_output_dir}" + + if [ ! -f "${full_name}.tar.gz" ] ; then + echo "*** Downloading ${full_name}..." + wget "${full_url}" + else + echo "*** File \"${full_name}.tar.gz\" already exists" + fi + + echo "*** Extracting \"${full_name}\" archive..." + tar xvfz "${full_name}.tar.gz" 2>> "${LOG_FILE}" + + echo "*** Configuring \"${full_name}\" ..." + cd "${full_name}\win32" + cscript configure.js iconv=no zlib=no cruntime=/MD prefix="${libxml2_output_dir}" >> "${LOG_FILE}" + + echo "*** Building \"${full_name}\" ..." + nmake >> "${LOG_FILE}" + + echo "*** Installing \"${full_name}\" ..." + nmake install >> "${LOG_FILE}" + + echo "*** Done with \"${full_name}\"!!!" 
+ return 0 +} + +function build_libxslt { + # check if already built + full_name="libxslt-v${libxslt_version}" + full_url="https://gitlab.gnome.org/GNOME/libxslt/-/archive/v${libxslt_version}/${full_name}.tar.gz" + + echo "*** Checking if ${full_name} is already built..." + if [ -d "${work_dir}\\${full_name}" -a -d "${libxslt_output_dir}" ] ; then + echo "Found ${full_name}, skipping build" + return 0 + else + echo "Folder \"${work_dir}\\${full_name}\" and/or \"${libxslt_output_dir}\" are missing, rebuilding ${full_name}" + fi + + # build it! + cd "${work_dir}" + rm -rf "${work_dir}\\${full_name}" "${libxslt_output_dir}" + + if [ ! -f "${full_name}.tar.gz" ] ; then + echo "*** Downloading ${full_name}..." + wget "${full_url}" + else + echo "*** File \"${full_name}.tar.gz\" already exists" + fi + + echo "*** Extracting \"${full_name}\" archive..." + tar xvfz "${full_name}.tar.gz" 2>> "${LOG_FILE}" + + echo "*** Configuring \"${full_name}\" ..." + cd "${full_name}\win32" + cscript configure.js iconv=no zlib=no cruntime=/MD prefix="${libxslt_output_dir}" include="${libxml2_output_dir}\include\libxml2" lib="${libxml2_output_dir}\lib" + + echo "*** Building \"${full_name}\" ..." + nmake >> "${LOG_FILE}" + + echo "*** Installing \"${full_name}\" ..." + nmake install >> "${LOG_FILE}" + + echo "*** Done with \"${full_name}\"!!!" + return 0 +} + +function build_openssl { + # check if already built + full_name="openssl-${openssl_version}" + full_url="https://github.com/openssl/openssl/releases/download/openssl-${openssl_version}/${full_name}.tar.gz" + + echo "*** Checking if ${full_name} is already built..." + if [ -d "${work_dir}\\${full_name}" -a -d "${openssl_output_dir}" ] ; then + echo "Found ${full_name}, skipping build" + return 0 + else + echo "Folder \"${work_dir}\\${full_name}\" and/or \"${openssl_output_dir}\" are missing, rebuilding ${full_name}" + fi + + # build it! + cd "${work_dir}" + rm -rf "${work_dir}\\${full_name}" "${openssl_output_dir}" + + if [ ! 
-f "${full_name}.tar.gz" ] ; then + echo "*** Downloading ${full_name}..." + wget "${full_url}" + else + echo "*** File \"${full_name}.tar.gz\" already exists" + fi + + echo "*** Extracting \"${full_name}\" archive..." + tar xvfz "${full_name}.tar.gz" 2>> "${LOG_FILE}" + + echo "*** Configuring \"${full_name}\" ..." + OLD_PATH="$PATH" + PATH="$PATH;$PERL_PATH" + cd "${full_name}" + perl Configure no-unit-test --prefix="${openssl_output_dir}" --release VC-WIN64A + PATH="$OLD_PATH" + + echo "*** Building \"${full_name}\" ..." + nmake >> "${LOG_FILE}" + + echo "*** Installing \"${full_name}\" ..." + nmake install_sw >> "${LOG_FILE}" + + echo "*** Done with \"${full_name}\"!!!" + return 0 +} + +function build_xmlsec { + # check if already built + xmlsec_version_without_rc=`echo "${xmlsec_version}" | sed 's/-rc.*//g'` + full_name="xmlsec1-${xmlsec_version}" + full_name_without_rc="xmlsec1-${xmlsec_version_without_rc}" + full_url="https://www.aleksey.com/xmlsec/download/${full_name}.tar.gz" + + echo "*** Checking if ${full_name} is already built..." + if [ -d "${work_dir}\\${full_name_without_rc}" -a -d "${xmlsec_output_dir}" ] ; then + echo "Found ${full_name}, skipping build" + return 0 + else + echo "Folder \"${work_dir}\\${full_name_without_rc}\" and/or \"${xmlsec_output_dir}\" are missing, rebuilding ${full_name}" + fi + + # build it! + cd "${work_dir}" + rm -rf "${work_dir}\\${full_name_without_rc}" "${xmlsec_output_dir}" + + if [ ! -f "${full_name}.tar.gz" ] ; then + echo "*** Downloading ${full_name}..." + wget "${full_url}" + else + echo "*** File \"${full_name}.tar.gz\" already exists" + fi + + echo "*** Extracting \"${full_name}\" archive..." + tar xvfz "${full_name}.tar.gz" 2>> "${LOG_FILE}" + + echo "*** Configuring \"${full_name}\" ..." 
+ cd "${full_name_without_rc}\win32" + cscript configure.js pedantic=yes werror=yes with-dl=yes cruntime=/MD xslt=yes crypto=openssl,mscng unicode=yes prefix="${xmlsec_output_dir}" include="${libxml2_output_dir}\include;${libxml2_output_dir}\include\libxml2;${libxslt_output_dir}\include;${openssl_output_dir}\include" lib="${libxml2_output_dir}\lib;${libxslt_output_dir}\lib;${openssl_output_dir}\lib" + + + echo "*** Building \"${full_name}\" ..." + nmake >> "${LOG_FILE}" + + echo "*** Installing \"${full_name}\" ..." + nmake install >> "${LOG_FILE}" + + echo "*** Done with \"${full_name}\"!!!" + return 0 +} + +function create_readme { + echo "*** Creating README..." + cd "${pwd}" + cat "${script_dir}\\README-WINDOWS.md.in" | sed "s/@libxml2_version@/${libxml2_version}/g" | sed "s/@libxslt_version@/${libxslt_version}/g" | sed "s/@openssl_version@/${openssl_version}/g" | sed "s/@xmlsec_version@/${xmlsec_version}/g" > "${distro_dir}\\README.md" + echo "*** Done with README!!!" + return 0 +} + +function create_distro { + echo "*** Creating zip file..." + cd "${distro_dir}" + for ii in ${zip_folders_and_files} ; do + echo "*** Removing pdb files from ${ii}..." + rm -f ${ii}/bin/*.pdb ${ii}/bin/*/*.pdb ${ii}/lib/*.pdb ${ii}/lib/*/*.pdb + done + rm -f "${zip_output_file}" + zip -r "${zip_output_file}" ${zip_folders_and_files} >> "${LOG_FILE}" + echo "*** Done with zip file: \"${zip_output_file}\"" + return 0 + +} + +rm "${LOG_FILE}" +echo "*** LOG FILE: \"${LOG_FILE}\"" + +build_libxml2 +build_libxslt +build_openssl +build_xmlsec +create_readme +create_distro + +exit 0 + + diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c index 171795fc2..67a727d77 100644 --- a/src/gnutls/x509vfy.c +++ b/src/gnutls/x509vfy.c 
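Review bot: The four `wget "${full_url}"` downloads in build_libxml2, build_libxslt, build_openssl and build_xmlsec are extracted and built with no checksum or signature verification, and the result is zipped as a release artifact; pin the expected digest next to each version variable and check it before `tar`, e.g. `echo "<expected-sha256 placeholder>  ${full_name}.tar.gz" | sha256sum -c -` (the xmlsec tarball ships with a detached signature per docs/download.html, which could be verified instead). The script also never checks exit codes: every function ends in `return 0` and failures of `nmake`, `cscript` and `tar` are only visible in the log, so a broken build still proceeds to `create_distro`; add `set -euo pipefail` after the shebang or test each step. `PATH="$PATH;$PERL_PATH"` uses `;` as a separator, which bash does not honour when resolving `perl`, so presumably this only works because perl is already on PATH — confirm. `rm "${LOG_FILE}"` should be `rm -f "${LOG_FILE}"` so a first run does not print an error.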
@@ -406,6 +406,9 @@ xmlSecGnuTLSX509StoreVerifyCert(xmlSecGnuTLSX509StoreCtxPtr ctx,
 if(keyInfoCtx->certsVerificationTime > 0) {
 flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
 }
+ if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS) != 0) {
+ flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+ }
 flags |= GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) {
diff --git a/src/mscng/x509vfy.c b/src/mscng/x509vfy.c
index c6497c98d..551aaac0f 100644
--- a/src/mscng/x509vfy.c
+++ b/src/mscng/x509vfy.c
@@ -511,7 +511,7 @@ xmlSecMSCngVerifyCertTime(PCCERT_CONTEXT cert, LPFILETIME time) {
 /**
 * xmlSecMSCngX509StoreVerifyCertificateOwn:
 * @cert: the certificate to verify.
- * @time: pointer to FILETIME that we are interested in
+ * @time: pointer to FILETIME that we are interested in (if NULL, don't check certificate notBefore/notAfter)
 * @trustedStore: trusted certificates added via xmlSecMSCngX509StoreAdoptCert().
 * @certStore: the untrusted certificates stack.
 * @store: key data store, name used for error reporting only.
@@ -531,13 +531,16 @@ xmlSecMSCngX509StoreVerifyCertificateOwn(PCCERT_CONTEXT cert, FILETIME* time,
 xmlSecAssert2(trustedStore != NULL, -1);
 xmlSecAssert2(certStore != NULL, -1);

- /* check certificate validity and revokation */
- ret = xmlSecMSCngVerifyCertTime(cert, time);
- if(ret < 0) {
- xmlSecInternalError("xmlSecMSCngVerifyCertTime", NULL);
- return(-1);
+ /* if time is specified, check certificate notBefore/notAfter */
+ if (time != NULL) {
+ ret = xmlSecMSCngVerifyCertTime(cert, time);
+ if (ret < 0) {
+ xmlSecInternalError("xmlSecMSCngVerifyCertTime", NULL);
+ return(-1);
+ }
 }

+ /* check certificate revokation */
 ret = xmlSecMSCngCheckRevocation(certStore, cert);
 if(ret < 0) {
 xmlSecInternalError("xmlSecMSCngCheckRevocation", NULL);
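Review bot: The new comment `/* check certificate revokation */` in xmlSecMSCngX509StoreVerifyCertificateOwn carries the `revokation` misspelling over from the removed line; write `/* check certificate revocation */`. The two added conditions are written `if (time != NULL)` and `if (ret < 0)` with a space, while the context lines of the same function use `if(ret < 0)`; match the surrounding style. In the gnutls hunk the new branch reuses `GNUTLS_VERIFY_DISABLE_TIME_CHECKS`, the same flag the `certsVerificationTime > 0` case sets, so a one-line comment noting that both paths intentionally disable GnuTLS's built-in time check would help the next reader. Both enclosing functions continue outside their hunks.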
@@ -769,7 +772,8 @@ static int
 xmlSecMSCngX509StoreVerifyCertificate(xmlSecMSCngX509StoreCtxPtr ctx, PCCERT_CONTEXT cert, HCERTSTORE certStore, xmlSecKeyInfoCtx* keyInfoCtx ) {
- FILETIME fTime;
+ FILETIME timeContainer;
+ FILETIME* time = &timeContainer;
 int ret;

 xmlSecAssert2(ctx != NULL, -1);
@@ -785,15 +789,18 @@ xmlSecMSCngX509StoreVerifyCertificate(xmlSecMSCngX509StoreCtxPtr ctx, PCCERT_CON
 return(1);
 }

+ /* do we need to check certificate notBefore/notAfter times? */
 if(keyInfoCtx->certsVerificationTime > 0) {
- xmlSecMSCngUnixTimeToFileTime(keyInfoCtx->certsVerificationTime, &fTime);
+ xmlSecMSCngUnixTimeToFileTime(keyInfoCtx->certsVerificationTime, time);
+ } else if ((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS) != 0) {
+ time = NULL;
 } else {
 /* current time */
- GetSystemTimeAsFileTime(&fTime);
+ GetSystemTimeAsFileTime(time);
 }

 /* verify based on the own trusted certificates */
- ret = xmlSecMSCngX509StoreVerifyCertificateOwn(cert, &fTime,
+ ret = xmlSecMSCngX509StoreVerifyCertificateOwn(cert, time,
 ctx->trusted, ctx->untrusted, certStore);
 if(ret < 0){
 xmlSecInternalError("xmlSecMSCngX509StoreVerifyCertificateOwn", NULL);
@@ -804,8 +811,7 @@ xmlSecMSCngX509StoreVerifyCertificate(xmlSecMSCngX509StoreCtxPtr ctx, PCCERT_CON
 }

 /* verify based on the system certificates */
- ret = xmlSecMSCngX509StoreVerifyCertificateSystem(cert, &fTime,
- ctx->untrusted, certStore);
+ ret = xmlSecMSCngX509StoreVerifyCertificateSystem(cert, time, ctx->untrusted, certStore);
 if (ret < 0) {
 xmlSecInternalError("xmlSecMSCngX509StoreVerifyCertificateSystem", NULL);
 return(-1);
diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
index f0f846617..4d2bca2d6 100644
--- a/src/openssl/x509vfy.c
+++ b/src/openssl/x509vfy.c
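Review bot: `xmlSecMSCngX509StoreVerifyCertificateSystem(cert, time, ...)` is now called with `time == NULL` whenever the skip flag is set, but this diff only teaches `xmlSecMSCngX509StoreVerifyCertificateOwn` to accept NULL; the system-store function lies outside the hunk, so confirm it handles NULL rather than dereferencing it. If it forwards `time` as the `pTime` argument of `CertGetCertificateChain`, NULL there means "use the current system time", so the system path would still enforce validity dates and an expired certificate would keep failing instead of being skipped; masking `CERT_TRUST_IS_NOT_TIME_VALID` out of the chain's `TrustStatus.dwErrorStatus` when `time == NULL` is one way to get the intended behaviour. Naming the new local `FILETIME* time` shadows the C library `time()` if `<time.h>` is reachable through the includes (`-Wshadow`); `verifyTime` avoids that. The enclosing function continues outside the hunks.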
@@ -674,6 +674,10 @@ xmlSecOpenSSLX509StoreSetCtx(X509_STORE_CTX* xsc, xmlSecKeyInfoCtx* keyInfoCtx) vpm_flags |= X509_V_FLAG_USE_CHECK_TIME; X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime); } + if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS) != 0) { + vpm_flags |= X509_V_FLAG_NO_CHECK_TIME; + } + X509_VERIFY_PARAM_set_flags(vpm, vpm_flags); X509_VERIFY_PARAM_set_depth(vpm, keyInfoCtx->certsVerificationDepth); diff --git a/tests/testDSig.sh b/tests/testDSig.sh index 28fa71aaf..49598c0c9 100755 --- a/tests/testDSig.sh +++ b/tests/testDSig.sh @@ -1146,6 +1146,19 @@ execDSigTest $res_success \ "rsa x509" \ "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --enabled-key-data x509 --verification-gmt-time 2022-12-14+00:00:00" + +# currently only openssl and gnutls support skipping time checks +# https://github.com/lsh123/xmlsec/issues/852 +if [ "z$crypto" = "zopenssl" -o "z$crypto" = "zgnutls" -o "z$crypto" = "zmscng" ] ; then + extra_message="Expired cert but we skip timestamp checks" + execDSigTest $res_success \ + "" \ + "aleksey-xmldsig-01/enveloping-expired-cert" \ + "sha1 rsa-sha1" \ + "rsa x509" \ + "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --enabled-key-data x509 --X509-skip-time-checks" +fi + # 'Verify existing signature' MUST fail here, as --trusted-... is not passed. # If this passes, that's a bug. Note that we need to cleanup NSS certs DB # since it automaticall stores trusted certs diff --git a/win32/Makefile.msvc b/win32/Makefile.msvc index 61923f6b7..d64ed26c2 100755 --- a/win32/Makefile.msvc +++ b/win32/Makefile.msvc @@ -386,10 +386,10 @@ CFLAGS = $(CFLAGS) CFLAGS = $(CFLAGS) /D "XMLSEC_NO_RSA_PKCS15" !endif -!if "$(WITH_LEGACY_CRYPTO)" == "1" +!if "$(WITH_LEGACY_FEATURES)" == "1" CFLAGS = $(CFLAGS) !else -CFLAGS = $(CFLAGS) /D "XMLSEC_NO_MD5" +CFLAGS = $(CFLAGS) /D "XMLSEC_NO_MD5" /D "XMLSEC_NO_RIPEMD160" !endif !if "$(WITH_FTP)" == "1" 
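Review bot: Setting `X509_V_FLAG_NO_CHECK_TIME` after the `X509_V_FLAG_USE_CHECK_TIME` / `X509_VERIFY_PARAM_set_time` branch means the custom verification time is silently ignored whenever both are requested, because OpenSSL's certificate time check returns success as soon as the no-check flag is present; this differs from the MSCng hunk, where the custom time wins. In OpenSSL this flag also disables the CRL thisUpdate/nextUpdate freshness check, so a stale CRL is accepted too, which is a wider opt-out than "skip notBefore/notAfter" suggests and deserves a comment, e.g. `/* NO_CHECK_TIME overrides USE_CHECK_TIME/set_time above and also disables CRL freshness checks */`. If this backend still supports OpenSSL builds older than 1.1.0, the flag needs an `#ifdef X509_V_FLAG_NO_CHECK_TIME` guard. xmlSecOpenSSLX509StoreSetCtx starts and ends outside this hunk.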
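Review bot: The comment `# currently only openssl and gnutls support skipping time checks` contradicts the condition directly under it, which also enables the case for `zmscng`; update it to `# currently only openssl, gnutls and mscng support skipping time checks` or drop the backend list and keep only the issue link. The new case only proves the positive direction, that an expired cert passes with `--X509-skip-time-checks`; it does not prove the flag bypasses nothing else, so a second execDSigTest that uses the same expired-cert file and `--X509-skip-time-checks` but omits `--trusted-$cert_format`, expected to fail exactly like the 'Verify existing signature' test that follows, would pin that the opt-out is limited to the validity period.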
diff --git a/win32/configure.js b/win32/configure.js index b6f51c300..98d85f98d 100644 --- a/win32/configure.js +++ b/win32/configure.js @@ -41,26 +41,26 @@ var verMinorXmlSec; var verMicroXmlSec; /* Libxmlsec features. */ -var withCrypto = "openssl"; -var withDefaultCrypto = "openssl"; +var withCrypto = "mscng"; +var withDefaultCrypto = "mscng"; var withOpenSSL = 0; var withOpenSSLVersion = ""; var withNss = 0; var withMSCrypto = 0; -var withMSCng = 0; +var withMSCng = 1; var withLibXSLT = 1; var withIconv = 0; /* disable iconv by default */ var withFTP = 0; /* disable ftp by default */ var withHTTP = 0; /* disable http by default */ var withGost = 0; var withRsaPkcs15 = 1; -var withLegacyCrypto = 0; +var withLegacyFeatures = 0; /* Win32 build options. */ var buildUnicode = 1; var buildDebug = 0; var buildWithMemcheck = 0; -var buildWerror = 0; +var buildWerror = 1; var buildPedantic = 1; var buildCc = "cl.exe"; var buildCflags = ""; @@ -125,7 +125,7 @@ function usage() txt += " http: Enable HTTP support (" + (withHTTP ? "yes" : "no") + ")\n"; txt += " rsa-pkcs15: Enable RSA PKCS#1.5 key transport (" + (withRsaPkcs15 ? "yes" : "no") + ")\n"; txt += " gost: Enable GOST algorithms (" + (withGost ? "yes" : "no") + ")\n"; - txt += " legacy-crypto: Enable legacy crypto algorithms (" + (withLegacyCrypto ? "yes" : "no") + ")\n"; + txt += " legacy-features: Enable legacy features and crypto algorithms (" + (withLegacyFeatures ? "yes" : "no") + ")\n"; txt += "\nWin32 build options, default value given in parentheses:\n\n"; txt += " unicode: Build Unicode version (" + (buildUnicode? "yes" : "no") + ")\n"; txt += " debug: Build unoptimised debug executables (" + (buildDebug? "yes" : "no") + ")\n"; 
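Review bot: Changing `withCrypto`/`withDefaultCrypto` from `"openssl"` to `"mscng"` and `buildWerror` from 0 to 1 silently changes what an existing `cscript configure.js` invocation without `crypto=` or `werror=` produces, and the hunk leaves no trace of why. A short comment on the defaults, e.g. `/* mscng (Windows native CNG) is the default crypto backend; pass crypto=openssl to override */` and `/* warnings are errors by default; pass werror=no for older or unusual compilers */`, would save the next person a surprise. The rename of `withLegacyCrypto` to `withLegacyFeatures` is fine, but the usage text now lists only `legacy-features` while the old spelling is still accepted later in the file; that should be stated as a deprecated alias.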
@@ -201,7 +201,7 @@ function discoverVersion() vf.WriteLine("WITH_HTTP=" + (withHTTP ? "1" : "0")); vf.WriteLine("WITH_GOST=" + (withGost ? "1" : "0")); vf.WriteLine("WITH_RSA_PKCS15=" + (withRsaPkcs15 ? "1" : "0")); - vf.WriteLine("WITH_LEGACY_CRYPTO=" + (withLegacyCrypto ? "1" : "0")); + vf.WriteLine("WITH_LEGACY_FEATURES=" + (withLegacyFeatures ? "1" : "0")); vf.WriteLine("UNICODE=" + (buildUnicode? "1" : "0")); vf.WriteLine("DEBUG=" + (buildDebug? "1" : "0")); vf.WriteLine("MEMCHECK=" + (buildWithMemcheck ? "1" : "0")); @@ -344,8 +344,10 @@ for (i = 0; (i < WScript.Arguments.length) && (error == 0); i++) { withRsaPkcs15 = strToBool(arg.substring(opt.length + 1, arg.length)); else if (opt == "gost") withGost = strToBool(arg.substring(opt.length + 1, arg.length)); + else if (opt == "legacy-features") + withLegacyFeatures = strToBool(arg.substring(opt.length + 1, arg.length)); else if (opt == "legacy-crypto") - withLegacyCrypto = strToBool(arg.substring(opt.length + 1, arg.length)); + withLegacyFeatures = strToBool(arg.substring(opt.length + 1, arg.length)); else if (opt == "unicode") buildUnicode = strToBool(arg.substring(opt.length + 1, arg.length)); else if (opt == "debug") 
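Review bot: The `else if (opt == "legacy-crypto")` branch is kept so old build scripts keep working, but nothing marks it as an alias, and it was removed from usage() in the previous hunk, so a reader of the argument loop will assume `legacy-crypto` and `legacy-features` are two different options. Suggest a comment on the branch, `/* deprecated alias for legacy-features, kept for existing build scripts */`, and a line in usage() noting the deprecation if the alias is meant to stay. The argument loop starts and ends outside this hunk.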
@@ -481,29 +483,29 @@ var txtOut = "\nXMLSEC configuration\n"; txtOut += "----------------------------\n"; txtOut += " Use Crypto: " + withCrypto + "\n"; txtOut += " Use Default Crypto: " + withDefaultCrypto + "\n"; +txtOut += " Use MSCng: " + boolToStr(withMSCng) + "\n"; txtOut += " Use OpenSSL: " + boolToStr(withOpenSSL) + "\n"; txtOut += " Use OpenSSL Version: " + withOpenSSLVersion + "\n"; txtOut += " Use NSS: " + boolToStr(withNss) + "\n"; txtOut += " Use MSCrypto: " + boolToStr(withMSCrypto) + "\n"; -txtOut += " Use MSCng: " + boolToStr(withMSCng) + "\n"; txtOut += " Use LibXSLT: " + boolToStr(withLibXSLT) + "\n"; txtOut += " Use iconv: " + boolToStr(withIconv) + "\n"; txtOut += " Enable RSA PKCS#1.5: " + boolToStr(withRsaPkcs15) + "\n"; txtOut += " Enable GOST: " + boolToStr(withGost) + "\n"; -txtOut += "Enable legacy crypto: " + boolToStr(withLegacyCrypto) + "\n"; +txtOut += "Enable legacy crypto: " + boolToStr(withLegacyFeatures) + "\n"; txtOut += " Support FTP: " + boolToStr(withFTP) + "\n"; txtOut += " Support HTTP: " + boolToStr(withHTTP) + "\n"; txtOut += "\n"; txtOut += "Win32 build configuration\n"; txtOut += "-------------------------\n"; +txtOut += " Pedantic: " + boolToStr(buildPedantic) + "\n"; +txtOut += " C compiler: " + buildCc + "\n"; +txtOut += " C compiler flags: " + buildCflags + "\n"; txtOut += " C-Runtime option: " + cruntime + "\n"; txtOut += " Unicode: " + boolToStr(buildUnicode) + "\n"; txtOut += " Debug symbols: " + boolToStr(buildDebug) + "\n"; txtOut += " Memcheck: " + boolToStr(buildWithMemcheck) + "\n"; txtOut += " Warnings as errors: " + boolToStr(buildWerror) + "\n"; -txtOut += " Pedantic: " + boolToStr(buildPedantic) + "\n"; -txtOut += " C compiler: " + buildCc + "\n"; -txtOut += " C compiler flags: " + buildCflags + "\n"; txtOut += " Static xmlsec libs: " + boolToStr(buildStatic) + "\n"; txtOut += " Enable DL support: " + boolToStr(buildWithDLSupport) + "\n"; txtOut += " Install prefix: " + buildPrefix + "\n"; 
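Review bot: The summary label still says `Enable legacy crypto:` although it now reports `withLegacyFeatures`, whose option is called `legacy-features` in usage() and whose Makefile variable is `WITH_LEGACY_FEATURES`; the configuration printout is the one place a user checks what they actually built, so the label should match, `txtOut += "Enable legacy features: " + boolToStr(withLegacyFeatures) + "\n";`. Moving the MSCng line to the top of the crypto list and the compiler lines to the top of the build section is purely cosmetic but fine.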
diff --git a/win32/mycfg.bat b/win32/mycfg.bat index 80d25b889..b2936d12e 100644 --- a/win32/mycfg.bat +++ b/win32/mycfg.bat 
@@ -18,25 +18,26 @@ SET XMLSEC_PREFIX=%PREFIX%\xmlsec SET XMLSEC_INCLUDE=%LIBXML2_PREFIX%\include;%LIBXML2_PREFIX%\include\libxml2;%LIBXSLT_PREFIX%\include;%OPENSSL_PREFIX%\include;%MSSDK_INCLUDE% SET XMLSEC_LIB=%LIBXML2_PREFIX%\lib;%LIBXSLT_PREFIX%\lib;%OPENSSL_PREFIX%\lib;%MSSDK_LIB% -SET XMLSEC_OPTIONS=debug=yes pedantic=yes werror=yes with-dl=yes cruntime=/MD xslt=yes crypto=%XMLSEC_CRYPTO% unicode=yes legacy-crypto=yes http=no +SET XMLSEC_OPTIONS=debug=yes crypto=%XMLSEC_CRYPTO% legacy-features=yes nmake clean del /F Makefile configure.txt cscript configure.js prefix=%XMLSEC_PREFIX% %XMLSEC_OPTIONS% include=%XMLSEC_INCLUDE% lib=%XMLSEC_LIB% +@ECHO OFF mkdir binaries -copy %LIBXML2_PREFIX%\bin\*.dll binaries -copy %LIBXML2_PREFIX%\bin\*.pdb binaries -copy %LIBXML2_PREFIX%\lib\*.dll binaries -copy %LIBXML2_PREFIX%\lib\*.pdb binaries - -copy %LIBXSLT_PREFIX%\bin\*.dll binaries -copy %LIBXSLT_PREFIX%\bin\*.pdb binaries -copy %LIBXSLT_PREFIX%\lib\*.dll binaries -copy %LIBXSLT_PREFIX%\lib\*.pdb binaries - -copy %OPENSSL_PREFIX%\bin\*.dll binaries -copy %OPENSSL_PREFIX%\bin\*.pdb binaries -copy %OPENSSL_PREFIX%\lib\*.dll binaries -copy %OPENSSL_PREFIX%\lib\*.pdb binaries +IF EXIST %LIBXML2_PREFIX%\bin\*.dll copy %LIBXML2_PREFIX%\bin\*.dll binaries +IF EXIST %LIBXML2_PREFIX%\bin\*.pdb copy %LIBXML2_PREFIX%\bin\*.pdb binaries +IF EXIST %LIBXML2_PREFIX%\lib\*.dll copy %LIBXML2_PREFIX%\lib\*.dll binaries +IF EXIST %LIBXML2_PREFIX%\lib\*.pdb copy %LIBXML2_PREFIX%\lib\*.pdb binaries + +IF EXIST %LIBXSLT_PREFIX%\bin\*.dll copy %LIBXSLT_PREFIX%\bin\*.dll binaries +IF EXIST %LIBXSLT_PREFIX%\bin\*.pdb copy %LIBXSLT_PREFIX%\bin\*.pdb binaries +IF EXIST %LIBXSLT_PREFIX%\lib\*.dll copy %LIBXSLT_PREFIX%\lib\*.dll binaries +IF EXIST %LIBXSLT_PREFIX%\lib\*.pdb copy %LIBXSLT_PREFIX%\lib\*.pdb binaries + +IF EXIST %OPENSSL_PREFIX%\bin\*.dll copy %OPENSSL_PREFIX%\bin\*.dll binaries +IF EXIST %OPENSSL_PREFIX%\bin\*.pdb copy %OPENSSL_PREFIX%\bin\*.pdb binaries +IF EXIST 
%OPENSSL_PREFIX%\lib\*.dll copy %OPENSSL_PREFIX%\lib\*.dll binaries +IF EXIST %OPENSSL_PREFIX%\lib\*.pdb copy %OPENSSL_PREFIX%\lib\*.pdb binaries