Angus Robertson

About Angus Robertson

  • Birthday December 16

Technical Information

  • Delphi-Version
    Delphi 11 Alexandria

  1. Angus Robertson

    OpenSSL engines support (GOST)

    Sorry, I know nothing about GOST. I understand there is a version for OpenSSL 3.0, but we don't provide a Windows version. Even if you build the engine DLL, ICS would need changes to use it. But ICS is open source, you can do those yourself, and they may be incorporated if of benefit to others. Angus
  2. Angus Robertson

    TSslCertTools for generate CSR

    Do those new names end up in the certificate itself, or are they only used for validation? If in the certificate, could you please email a PEM, so I can check we report it correctly. Angus
  3. Angus Robertson

    TSslCertTools for generate CSR

    The PemTool sample does not have edit boxes for surname or given name, because you are the first to request them. Most personal certificates are issued for email address, not people. I'd like to see an example with names. You should be able to add a couple of lines in TSslCertTools.DoCertReqProps, plus the properties to add them: AddNameEntryByTxt(SubjName, 'GN', MyGN); AddNameEntryByTxt(SubjName, 'SN', MySN); I will do this in the next week or so. Angus
  4. Angus Robertson

    TSslCertTools for generate CSR

    You should look at the OverbyteIcsPemtool sample, the 'New Certificate Properties' tab has settings for all the subject items, basic and extended usage, key usage, etc. However, these settings are primarily for server and computer certificates, if you need givenName and surName, I assume you are getting personal certificates from somewhere? Angus
  5. Angus Robertson

    ICS V9.4 announced

    I assume you are building for C++, there is no support for old compilers, I removed all the packages prior to D10.4. C++ is always more fragile than Delphi, there are problems building for the latest C++ Win64 targets as well. Angus
  6. I'm aware of some excellent Delphi encryption libraries but for applications already using OpenSSL, these add a lot of extra code. ICS currently has two encryption components in OverbyteIcsSslX509Utils.pas with minimal samples in PemTools, one for RSA private key encryption or a string, the second for Blowfish string and stream encryption. The latter uses the EVP_Cipher APIs so should be extendable for other symmetric ciphers like AES, so we can password zip files for instance. I could try to improve these ICS functions with more ciphers, but my crypto knowledge is low and there are so many different options for each cipher... Has anyone improved the ICS crypto stuff already? Or has someone written a Delphi encryption component using OpenSSL that can be shared with ICS? Angus
  7. Angus Robertson

    Blocking hackers

    Not one country, currently 619,000 IPs worldwide, spread evenly around the world, I've specifically blocked 107 countries, but not Europe yet. Possibly from a massive botnet of cheap Chinese hardware that comes compromised from the factory at very low prices, cheap IPTV boxes and dongles, Android tablets, etc, acting as HTTPS proxies for whoever controls the botnet. Angus
  8. Angus Robertson

    Blocking hackers

    Some of your tricks are already used in the ICS OverbyteIcsSslMultiWebServ sample, which is a simplified version of my public web servers. In the past, I'd mess with the connection of hackers, after detection, but this requires resources I don't want to waste, which is why I need to close the connection without reading any data or starting the SSL handshake. Filtering on content received can be useful for repeat hackers, but not when most requests come from unique IP addresses, 581,000 in the last three days, and still increasing. Angus
  9. Angus Robertson

    Blocking hackers

    Not necessarily, this is a Windows server, and I don't want these requests to reach the actual web server or its log files, which seems to be how fail2ban works. Angus
  10. Angus Robertson

    Blocking hackers

    I guess I've developed my own Delphi ICS version of fail2ban! That is the advantage of using your own Delphi web server. Angus
  11. Angus Robertson

    Blocking hackers

    Sorry if this is getting repetitive, but my web server has now taken connections from 450,000 different IP addresses over three days, almost certainly all from a single Chinese hacker, those requests that get through all have legitimate REST arguments to access my SQL database, so not a blind DOS attack, but a script. My GEO blocking is still rejecting 90% of the requests. Only blocked one legitimate paid user so far, who was very understanding. Angus
  12. Angus Robertson

    Blocking hackers

    Illegal accesses to my web site have escalated since my last message here in March, and increased 10 fold in the last 10 days. Initially, the Chinese hackers are using what I assume are VPN IPs in various countries, which were relatively easy to slow down. Then I got attempts from 20,000 IPs in Vietnam, and increasingly from other countries. My ICS web server had access attempts from 170,000 different IPs over the last 15 hours on Sunday night. I added geo-blocking last week from a list of countries in Asia, Africa, South America and the Middle East, and 200,000 connections were rejected and 20,000 allowed, although probably only 1,000 would have been from legitimate users on a Sunday night. Did this using the Delphi TMMDBReader component from https://github.com/optinsoft/MMDBReader that reads MaxMind database files of IP addresses, listing country, ASN, City, ISP and other information (for a price), but I'm currently using a simple country lookup database from https://db-ip.com/ . MaxMind has an anonymous IP database that is probably ideal for my purpose, but no public pricing so probably more than I want to pay. Angus
  13. OpenSSL has issued new releases of all the currently supported versions, 3.5.1, 3.4.2, 3.3.4, 3.2.5 and 3.0.17. OpenSSL 3.5.1 fixes a low risk CVE-2025-4575 relating to use of a command in the openssl.exe application to use trusted certificates. All releases include periodic miscellaneous minor bug fixes. Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource files. These OpenSSL versions are included with ICS V9.5 beta available from SVN and the overnight zip. ICS V9.5 beta now defaults to using OpenSSL 3.5.1, provided the new OverbyteIcsDefs.inc file is installed, or you undefine OpenSSL_35 and suppress an earlier version. The SSL/TLS Certificate Authority Root Stores bundles have also been updated with new roots, more information at https://wiki.overbyte.eu/wiki/index.php/FAQ_SSL/TLS_Certificate_Authority_Root_Stores and downloads at: https://www.magsys.co.uk/download/software/ca-root-bundles.zip and are already included with ICS V9.5 beta. Separately, https://www.yunqa.de/ has released 3.0.17, 3.3.4 and 3.4.2 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus
  14. Angus Robertson

    File operations over shared folder

    You use the Windows API WNetAddConnection2 to make a connection to a network resource and can redirect a local device to the network resource, ie map a UNC drive to a local drive letter that you can access, the API needs the remote login. The ICS TIcsFileCopy component uses it for remote path access. Angus
  15. Angus Robertson

    Send data to the server

    Your issues are now fixed in SVN and will be zipped overnight. The GET and DELETE methods now support REST PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this. The ICS web server also now supports body content with GET and DELETE requests, provided there are UrlJHandlers for these methods or the application handles the content stream. The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance:

    RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]}
    RPFmtArrayVal: [data1, data2, data3]
    RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}]

    Angus