Angus Robertson

Any API that requests system time is dependent on the computer clock being set correctly and with the correct time zone. Windows will then use NTP to keep it correct. Relying on NTP time is dangerous since the internet is not reliable, nor are NTP servers, nor DNS to reach them. Relying on a single NTL server is also dangerous, unless it's hosted across distributed hosts, like time.google.com or time.cloudflare.com, nist.gov has at least 15 different host names, don't know if they are distributed. Angus

GetSystemTime function (sysinfoapi.h) Retrieves the current system date and time in Coordinated Universal Time (UTC) format. To retrieve the current system date and time in local time, use the GetLocalTime function. https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsystemtime Angus

function IcsGetUTCTime: TDateTime; var SystemTime: TSystemTime; begin GetSystemTime(SystemTime); with SystemTime do begin Result := EncodeTime (wHour, wMinute, wSecond, wMilliSeconds) + EncodeDate (wYear, wMonth, wDay); end ; end; Angus

TSslWSocketServer has a property SslCliCertMethod which determines whether a client certificate is required or optional, you check the certificate in the OnSslHandshakeDone event and close the connection if invalid, it is documented on the wiki page, http://wiki.overbyte.eu/wiki/index.php/TWSocketServer. Note I've not tested this for a while. Angus

Those commands are there due to OverbyteIcsTnOptFrm.pas needing the dfm in the same directory as the library is built. But neither unit is used that often, they are the user interface for the TnEmulVT component, a telnet terminal. Angus

Currently ICS only uses the Certxx APIs to extract certificates from the Windows store and to validate certificate chains, I'm just adding bits to put certificates into the store, but won't be done this week. My reading suggests CryptAcquireCertificatePrivateKey is how you get the private key for a certificate you find in the store, but not tried it yet. ICS has classes TX509Base and TX509List which allow certificates and bundles to be created, read and saved in various formats, there is sample OverbyteIcsPemtool that illustrates everything, and another OverbyteIcsX509CertsTst that acquires certificates from Let's Encrypt. including multi-domain wildcards. Sorry, never used THTTPRIO so no idea what it does, but the ICS HTTP client supports client certificates. You can use ICS synchronously, there are methods for that. Angus

Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes. Most IIS sites are still only TLS 1.2, Microsoft does not support TLS 1.3 until Windows Server 2022. Angus

I'm just adding import and export for certificates to and from the Windows store, for ICS. PFXImportCertStore and PFXExportCertStoreEx seem to be preferred solution to convert to and from a PFX/PCKS12 blob containing a certificate, private key and intermediates. Beware you won't be able to export from TPMs, only certificates saved with exportable private keys. But since you have PFX and PEM files, not sure why you are using the Windows store. Angus

SVN has been updated with a new OverbyteIcsHttpAppServer adding support for PUT and DELETE verbs, also OverbyteIcsDDWebServiceSrv.pas now uses TUrlHandlerRestApi instead of as a virtual page, little simpler. Angus

Result := GetEnumName (TypeInfo (TEnum), Ord (FEnum))); Angus

Beware the ICS web server samples include a lot of code for dynamic demonstration pages, which you can mostly remove to give yourself the basis of a commercial web server service listening on multiple IP addresses. ordering SSL certificates and with request logging. However the REST sample page is implemented as a virtual page not a URL handler, other pages are URL handlers. The main issue with the current ICS web server being a single thread, so blocking SQL calls can reduce performance. My experience over 10 years is my SQL calls mostly take 10ms or less, so the performance hit is minimal, it can still support 50 requests a second (but not new SSL connections). The long term ICS wish list has a heavy web server, that will be configurable to allow x connections per thread, down to one if they are effectively blocking. Angus

I'll look at adding the missing handlers in the next week or so. You may want to look at a new SSL sample, OverbyteIcsDDWebService.dpr which is very similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows service, although it will also run as a GUI for debugging. It requires DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice. asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 to be installed from http://www.yunqa.de. Note this sample in not in the project groups due to these pre-requisites. This sample is part of the next release, in SVN and the overnight zip. It is effectively a working REST server, very similar to a commercial server I've written at https://api.telecom-tariffs.co.uk/ but you need a login to do actual REST requests. Angus

The relocation fix is now in SVN. The repository server is working fine, but wiki.overbyte.eu with the overnight zip has been down for two days, probably due to the flooding in Liege, but ICS can also be downloaded from https://www.magsys.co.uk/delphi/magics.asp Angus

You were correct, a fragment/anchor/bookmark in the URL should never be sent to the server, it is purely an instruction to the browser on how to display the page. The ICS unit did attempt to remove # during relocation, but relocation has many different paths in the code, and it was not always being done. I've corrected in my master, won't be in SVN for a day or two, but in the latest SVN version add these lines to the function EncodePathOnly: I := Pos('#', OldPath); if I > 1 then Result := Copy (OldPath, 1, I - 1); My issue with the SSL/TLS certificate was me using an old sample application. Angus

It would help if your application had better logging, you would then have seen the real error: www.w3.org SSL Handshake Failed - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed, State: error This only happens if ICS is set to check the certificate chain, which is normal, but means you need to keep the root store up to date to allow verification to work. I updated the ICS root stores last week but not in SVN yet, and the root certificate 'USERTrust RSA Certification Authority' seems to be different to the one the site is using, I'll look into this next week. Angus