Jump to content

Angus Robertson

Members
  • Content Count

    1881
  • Joined

  • Last visited

  • Days Won

    33

Everything posted by Angus Robertson

  1. I had to remove a lot of TNT components during my conversions. I would start your conversion in Delphi 7, made sure all your forms are saved as text, then use a text editor to globally replace TNT components one form at a time in PAS and DFM, with standard VCL versions, so it builds, but won't run properly. Then open in a modern compiler. Maybe change WideString to UnicodeString, or perhaps you have an alias already. Angus
  2. Widestring and Unicodestring are not the same thing, despite both being 16-bit. You really need to change Widestring to Strimg sooner or later. And beware of ansistring as I said before. Angus
  3. Angus Robertson

    ICS V8.67 announced

    ICS V8.67 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 1.1.1i win32, with OpenSSL 3.0 and Win64 versions of OpenSSL being available from the download page. Changes in ICS V8.67 include: 1 - Added support and packages for RAD Studio 11.0. Updated SSL/TLS root certificate bundles, old certificates gone, new ones added, nothing major. 2 - Added support for OpenSSL 3.0 which is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to the standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll has obsolete ciphers and hash digests, including MD2, MD4, Blowfish, DES, IDEA, RC2, RC4, SEED, that most applications no longer need and which needs to loaded by the application by setting global variable GSSLEAY_LOAD_LEGACY to true before loading OpenSSL. 3 - OpenSSL 3.0 does not offer any specific new features of benefit to ICS at present, although HTTP/3 support is planned for 3.1 or later, so the main ICS distribution retains OpenSSL 1.1.1i which is fully supported until September 2023. OpenSSL 3.0 may be downloaded from the download page. There are two global variables to restrict which OpenSSL version is loaded, GSSLEAY_DLL_IgnoreNew set true will ignore 3.0, while GSSLEAY_DLL_IgnoreOld will ignore 1.1.1, if both sets of DLLs are available in the same directory. The main SSL samples all set these globals, which can be changed for testing one version or the other, or set by the application, but must be before OpenSSL is initialised. 4 - The main implication for ICS with OpenSSL 3.0 is for SSL/TLS certificate private keys saved with password protection, which is required for PKCS12 certificates for importing into the Windows certificate store. The new PKCS12 default password encryption AES256 is not recognised until Windows Server 2016 v1709 and Windows 10 v1709, so Server 2012, Windows 10 RTM and earlier won't load AES passworded keys, only 3DES, for which the legacy.dll must be loaded. 5 - The TX509Base class has various improvements. The ValidateCertChain method reports CA roots for multiple certificate verification paths with two or more intermediate certificates, rather than only the last. The CertMainInfo method provides a single line with the main certificate information. 6 - There are two new classes to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server. TMsX509List descends from TX509List adding a method LoadFromStore to load the list from a Windows certificate store by store name TMsCertStore and location MsCertLocation. For My/Personal store, attempts to load private keys if they are allowed to be exported unencrypted. TMsCertTools descends from TSslCertTools adding methods SaveToStorePfx and LoadFromMyStore to access Windows certificate stores. Note access to the Local Machine Store for web server certificates requires administrator rights. 7 - Various improvements for the OverbyteIcsPemTool sample. It includes new buttons to list the contents of Windows certificate and private key stores and allow old items to be deleted. This may be useful for cleaning up old certificates and private keys from the Windows stores. Added ResavePrivateKey and Resave Private Key menu option which prompt for a PFX or PEM file containing an encrypted private key with a new cipher, renaming old file to .oldpem/pfx. Specifically for files saved with old ciphers than OpenSSL 3.0 does not support as standard if required for older versions of Windows. Displaying certificates and bundles is no longer a new modal window, but updates the existing log window. Improved import certificates from Windows certificate store to use TMsX509List instead of Windows API calls, and to access all Windows store locations instead of just user, specifically the Local Machine store where server certificates are located. 8 - For the TX509Certs component, the default cipher for encrypting PFX/P12 files is now PrivKeyEncAES256 with 3.0 unless the legacy DLL is loaded when still PrivKeyEncTripleDES so older versions of Windows can load them. Changed extraction of download PEM bundle so that main certificate does not need to be first in file, log them all, and ignore any self signed root certificates. If testing dns-01 challenge fails, rotate to next public server and three retries (previously only happened on timeout). When saving files with private keys, log encryption type used. Added more certificate output formats, OutFmtPwPem and OutFmtPwP12 specify whether to password PEM and P12/PFX private keys. Note Windows always needs passworded P12/PRX files, while Apache web server only accepts PEM files without a password. Allow automatic installation of new certificates to the Windows Certificate Store so they can be used by IIS web sites, by setting output format to OutFmtWinStore. Note application must have administrator rights to do this. 9 - Fixed two problems in the FTP client, support option ftpFixPasvLanIP for PUT/APPE uploads as well as downloads, and support IPv6 for PUT/APPE uploads as well as downloads. 10 - Fixed a problem in TIcsMailQueue with sequential number generation to avoid file locking errors and unicode BOM corrupting file, generate large random number for errors instead of reverting to 1. Don't save BOM withunicode compilers. 11 - In the Application Web Server TSslHttpAppSrv, added an optional LastModified parameter to the AnswerStream, AnswerPage, and AnswerString methods to avoid adding a custom header line with the date. Added NO_CACHE_EX and NO_STORE_EX literals. Added PUT and DELETE verb handlers, similar to GET and POST. 12 - For the HTTP client TSslHttpCli, fixed a relocation problem where the Location: header included a path with a space, encode the space. Fixed another relocation problem where HEAD sometimes stalled. Remove # fragment or anchor from URL in relocation, only used by browsers and not by servers. 13 - In the TIcsBlackList component, Internally use BlockedFlag instead of setting attempts to 9999 once the actual maximum failed attempts is reached, so we can keep counting attempts. 14 - Added a new SSL sample, OverbyteIcsDDWebService.dpr which is very similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows service, although it will also run as a GUI for debugging. It requires DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice. asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 5.36.5 or later to be installed from http://www.yunqa.de. Note this sample in not in the project groups due to these pre-requisites. 15 - Moved TRestParams from the OverbyteIcsSslHttpRest unit to OverbyteIcsUrl to ease circular references. Added a new method AddItemNULL to add a null, in Json this will be unquoted. Added a new TRestParamsSrv component which provides methods for creating REST server Json responses from a SQL database resultset, one or more rows, also error responses. Note this is only compiled if DATABASE is defined in OverbyteIcsDefs.inc to avoid bringing in database units that are not available on all Delphi editions. There is a REST server sample OverbyteIcsDDWebService.dpr that illustrates SQL lookups. 16 - In the proxy component TIcsHttpProxy, don't send an HTTP request header until after HTTP body has been processed in case the body length changes. HTTP Forward Proxy using HTTP works again, broken in V8.65. Using HTTP Forward Proxy, convert absolute URL to path only since some servers can not process an absolute URL and sulk. 17 - In the Jose unit, rewrote the functions converting private keys to and from Json Web Keys with new OpenSSL 3.0 provider functions. Use AnsiStrings and functions when dealing with binary data to avoid possible issues with string conversions and nulls. Json now created with TRestParams. 18 - Added two new sample project groups, OtherDemos64 and SslDemos64 which include Win64 versions of all the main active samples with 64 added to the project name, so they can be regularly built alongside the Win32 versions without changing platforms and overwriting executables.
  4. Over the last two years, I've converting Delphi 2007 applications to modern compilers. Not finished yet. Apart from all the other comments made, a couple of my own. Avoid the simple solution of using AnsiString, you will end up with thousands of compiler cast warning and have trouble with functions that use UnicodeString. Use TBytes for non-string data, there are lots of ways of converting TB to other formats Look at file handling carefully, loading a text file into a TStringList will result in Chinese as it assumes it's reading unicode, unless it finds a BOM or is told otherwise, ditto saving files. Angus
  5. You are looking at a low level component where you'd need to code all that stuff yourself. Please use TIcsFtpMulti instead, which reads directories automatically and downloads or uploads multiple files with a single function call. The main sample is OverbyteIcsXferTst, but there also is a very simple sample in OverbyteIcsSnippets where you can press a button to download sample files. Angus
  6. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    Can you please answer the several questions I have previously asked, rather than just repeating one of the symptoms of your problem? Angus
  7. Angus Robertson

    Obfuscating secrets

    Simple XOR encryption with a numeric key will make it much harder to search the EXE for client ID and passwords, AES if you don't care about the size overhead. Angus
  8. > ICS can not start, because some necessary SSL DLLs are missing. Because you failed to distribute all the required files with your prorgram. > ICS is trying to download those DLLs from a non-SSL server via http://... , but can not !!! Because you told the ICS application you designed to do an impossible download. Bad program design. Before distributing applications to hundreds of PCs, I find a little testing helps. Angus
  9. You don't download OpenSSL using ICS, you use a normal browser. But you already have OpenSSL, it is also distributed as part of ICS, in the openssl folder, and the DLLs are also in the sslsamples folder so all the ICS samples work. You just have to make sure the DLLs are in the same folder as your exe, unless you specify a different folder in code. Angus
  10. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    The websocket protocol has a keep-alive feature, if data is not being sent regularly, it is designed to be kept open. ICS does this for websocket client and server. ICS is quite capable of keeping sockets open for hours, but unless there is some traffic external routers and caches may decide the connection is dead and close it, I had to fix an FTP control channel issue where it was unexpectedly closed after a two hour upload of 50GB, needed to send keep-alives. That was annoying and time consuming, the 50GB uploads worked, but because the control channel was dead were considered failed. But here we are talking about a simple web server, the HTTP protocol allows keep-alive connections usually closing after a couple of idle minutes, I'm not aware it allows hours long connections without any traffic, and certainly the ICS web server is not designed or tested for that concept. Angus
  11. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    I see a project, without any explanation of what you are trying to achieve or how to use it. You have previously mentioned holding open client sessions for long periods, without saying how or why you are trying to do this. Web servers don't hold open connections. Then the server itself closing when a client closes? Sorry, without details, I can not investigate anything. Angus
  12. Thanks, I've made the change in my copy, but it won't be in SVN for several days until I see if it breaks anything. Generally, applications use specific events like onSessionConnected, Closed, etc to check for errors, rather than the State changing. But if this change proves not to be backward compatible, it will be reverted. ICS itself does not use the OnChangeState event, except for when a server starts listening. Angus
  13. Angus Robertson

    Load DLL from resource, bypassing a file?

    I'm looking at adding the OpenSSL DLLs as resources to ICS projects, to simplify distribution to one file. But currently it seems a DLL can only be loaded using the LoadLibrary API from a disk file, so the resource has to be written to disk first then LoadLibrary used. It would be faster to load the resource straight to memory, but there does not seem to be an API that does the magic of LoadLibrary for a memory address, need a handle to the library so that exports can be loaded. A little Googling suggests some hacking techniques might work, but with the risk that AV software might take a dislike to the application. Any simple solution, or do we have to live with temporary files? Angus
  14. Angus Robertson

    Using Dymo LabelWriter from Delphi

    I've got a twin Dymo label writer, and still use the v8 label software, I have a setup file dated 2014 (113M) if you want to install the old version. But never tried to use it from Delphi, not aware type libraries have changed, that sort of stuff tends to be stagnant in terms of development. Hardly use the Dymo now, was excellent for printing postage stamps in the UK, but that service ceased years ago, as did using the post in general. Angus
  15. You are using an old version of ICS, all gettickcount functions now use Int64. FConnectTick : Int64; { V8.71 changed from cardinal to Int64 } FLastRecvTick : Int64; { V8.71 } FLastSendTick : Int64; { V8.71 } ICS has supported In64 ticks on all Windows platforms since 2009 using the OverbyteIcsTicks64 unit which uses QueryPerformanceCounter for ancient operating systems, although Cardinal ticks were only fully removed for the latest release. Angus
  16. Angus Robertson

    Load DLL from resource, bypassing a file?

    The DLLs will probably end up in a similar place to the existing sample INI files, which works well, unless you want to find them manually... Angus
  17. Angus Robertson

    Load DLL from resource, bypassing a file?

    Which is what I'll do for the first version, may experiment later with memory loading, but don't plan to spend much effort on it. Angus
  18. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    But those five minute client connections are not shown in either of the logs you posted. How do you know the server closed the connection, and not the client, windows or a router? Angus
  19. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    The new log does not show any client connections. If you wish me to investigate an ICS problem, I need to be able to reproduce that problem or have extensive logs that clearly illustrate the problem such that it can be found and fixed. Those logs need to be annotated to show what I'm supposed to look at to see the problem. The current ICS samples don't log sufficient detail to show when and why connections close, and why the server has been closed. That information has never been needed, since the servers have been running in various versions for 20 years without unexpected closing being reported as a problem. Angus
  20. Angus Robertson

    Load DLL from resource, bypassing a file?

    My plan is to build the OpenSSL resource file at the same time as signing the DLLs and distribute them together in the zip for each new release. The latest resource file will also be part of the ICS distribution alongside the latest DLLs. ICS will only support OpenSSL 3.0 and later, versions will under support. The resource files will have the three DLLs, licence file, and a version string, used for the path when extracting the DLLs into a temporary directory. Is there anything else that would be useful to allow other projects to use the same OpenSSL resource files, to avoid building their own? Angus
  21. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    The log shows several sessions from an older VCL web server sample, it does not log when buttons are clicked to start and stop the server. The two GET requests are closed after a few seconds, the server was closed about 90 seconds later, no idea why but unconnected to the client closing. I don't see any client connections held open by the browser, and certainly nothing closed after five minutes. The FMX IcsSslMultiWebServ sample has better logging straight to file, particularly when the Display HTTP protocol box is ticked, but does not log time stamps nor sessions closing, so would need some updating to log the problem you seem to be having. Angus
  22. Angus Robertson

    KeepAliveTimeSec of TSslHttpServer

    Using the IcsSslMultiWebServ sample I asked you to test? Can I please see the server log file? Angus
  23. Angus Robertson

    Load DLL from resource, bypassing a file?

    Thanks all, BTMemoryLoadLibary and BTMemoryGetProcAddress would appear to be the solution, but do add a lot of extra code. I think I'll implement the simpler save/load resource first, which will be conditional, then look at adding more conditional code to optionally load directly to memory. Ultimately, how to build applications is up to the developer. The OBJ solution is best, it's called YuOpenSSL, but is not a simple compile of the OpenSSL C code, lots of macros and other issues. Angus
  24. Angus Robertson

    ICS V9.0 announced

    All your questions have been answered previously, more than once, and today again. Angus
  25. My earlier comments did state this is an old unsupported component, with better modern components. Angus
×