
Angus Robertson

Everything posted by Angus Robertson

  1. Angus Robertson

    Error with Overbyte ICS sample project

    Your main problem is trying to use old software in a world where security changes need newer software. The SSL error you got is almost certainly because the application was using obsolete SSL protocols that are no longer supported; only TLSv1.2 and TLSv1.3 are acceptable today, and the latter needs software released in the last two years. V8.58 is four years old and will be packaged with obsolete versions of OpenSSL and default protocols. You should be using V8.70. Also we have not updated or tested the C++ samples for 10 years, so they need updating to use the latest protocols; you need to compare the Delphi samples and see what changes have been made in 10 years. Sorry, the ICS authors don't support C++, that can only be done by users of the component. Angus
  2. Angus Robertson

    Net Find Component

    The component probably was in use 15 to 20 years ago, it looks like clean code, but compilers change. That User Made page is all very old projects for old versions of ICS, several of them are now part of ICS. Angus
  3. Angus Robertson

    Net Find Component

    But what error are you getting, and when, compile or runtime? That ancient program was built for an earlier version of ICS, but should still work once the unit names are corrected. You may want to change all strings to AnsiStrings and Char to AnsiChar since you are using a unicode compiler. Or are you expecting someone to correct, build and debug it for you? Angus
  4. ISuperObject documentation and examples are very poor, but it's a reliable and fast library... There is an example in the OverbyteIcsSslX509Certs.pas unit, search for SA([]) which creates an empty array, then you can add elements with a blank name to create a simple array. Angus
  5. Conditionally adding CRLF to a header line is certainly possible, but it would be better done when the properties are set. I'm planning a new multi-threaded web server which will be an opportunity to clean up legacy problems with the existing server that has evolved over 25 years. Angus
  6. Angus Robertson

    Zip Compression library

    The USP of LZMA in 7Zip was higher compression size and better decompression speed, against a slower compression speed, which is usually done rather less frequently. ZLIB deflate as used by ZIP and HTTP compression is speed, not minimal size, with options for both. The ZLIB library in Delphi is optimised C code which will be faster than the Pascal conversion of LZMA, I'm sure the DLL version will be faster, but then we are into DLL hell. Angus
  7. OpenSSL has released new versions of the two supported branches, 3.0.7 and 1.1.1s. Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . OpenSSL 3.0.7 fixes two serious security bugs in 3.0.0 and later relating to verifying X509 certificates with email punycode (non-ASCII characters) name constraint checking, that can cause a crash. These bugs can only happen after a certificate chain has been successfully checked, mainly in client applications (or servers that request and verify client certificates), so should not happen with self-signed certificates. Another security bug fixed related to using null encryption, which ICS doesn't use. Also, the RIPEMD160 hash no longer requires the legacy provider. OpenSSL 1.1.1s has general bug fixes. Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus
  8. The SendHeader function does not add any line endings to PersistentHeaders; each header line requires a line ending, including the last header. Changing that now would break all existing web servers. Angus
  9. SendHeader is really an internal function, it is called during most of the other Send/Answer methods, and will send any PersistentHeader property lines, together with headers specified by the Send/Answer functions, that may also add their own headers. Only use SendHeader if you are using low level functions like Send and SendStream. You can use the onRespHdr event to log the headers actually being sent, to check they are correct. Angus
  10. There are various methods for sending web server responses, SendDocument has a CustomHeaders property where you put complete header lines, while AnswerPage, AnswerStream, AnswerString, etc have a Header property that does the same. You don't need to use an event. Angus
  11. Angus Robertson

    HTMLViewer - is there a Delphi 11 version?

    The missing path "\$(Platform)" error in D11.2 affected many other components, it was nothing to do with HTMLViewer specifically. Angus
  12. ICS attempts to extract a private key from the Windows store, but I don't recall it working on any of my servers or PCs, so untested. So if it works, good, if not, as expected. I don't plan on testing this again since it is not a core ICS function, not needed for any samples. Personally, I would not distribute an application that relies on extracting a private key from the Windows Store, you have to hope that whoever imported it ticked the correct box to allow export, and Microsoft has not changed the rules again. I would tell the customer you need the PFX to use with OpenSSL. But you can easily test if your FSslCertX509 object has a matching key and can be used as a server certificate. If you are using the recommended IcsHosts server properties, the certificate gets checked and reported before the server starts, so you know if it's going to work. Angus
  13. We are going in circles here, even if you load the certificate into the context a subsequent error will happen since there is no private key with the certificate. The TX509Base and TMsX509List classes can hold a private key, but if you use PemTool to list a store you'll see it reports 'Private key in User Store, Could not export private key - The requested operation is not supported'. Only the Microsoft crypto functions can access the private key store, and OpenSSL does not use them. For your own code, you don't show a definition for lMsX509List nor how you are indexing into the list, but it should be something like FSslCertX509 := MyList[x] or MyList.Items[x]. Angus
  14. No, the question is why if you already have a PFX file with a private key, you are installing it into the Windows Store in the first place, then reading it again without the private key and expecting it to work as a server certificate. Why not use the PFX directly? The ICS pemtool loads certificates into the Windows Store correctly, I do it all the time to use Let's Encrypt certificates with IIS. The exception will be an error in your code. Angus
  15. So you are attempting to use a certificate from the Windows store as a server certificate? How did you set the private key for this certificate? You can not extract private keys from the Windows store. Server certificates are useless without a private key. Private keys are kept by Windows in a different store and linked to certificates, but not stored together. Windows itself provides a means to export certificates with a private key, if allowed, but this is not implemented by ICS, not sure if the APIs allow it. Most certificates have key export blocked to stop them being stolen. Angus
  16. Can you please explain the purpose of using a certificate from the Windows store? Is this in your client or server application, as a server or client certificate. Is your server or client giving an exception? Angus
  17. The ZLIB changes to use System.Zlib are now in SVN, considerably simplified so two defines are now only used once each in one unit, making it easier to support. But you do need to use the new OverbyteIcsDefs.inc or edit your own version, see the SVN notes. Angus
  18. Angus Robertson

    TRESTClient Security Error 12175 following Windows Update

    Sorry, yes 21H1 is out of support in two months, 21H2 I guess has another eight months. Angus
  19. Angus Robertson

    TRESTClient Security Error 12175 following Windows Update

    My Windows Server 2019 is version 1809, the long term support version of Windows 10, which Microsoft promises not to break with untested Windows updates. The TLS bug seemed to be 21H2 only, for both Windows 10 and 11, and 10 21H2 is out of support in two months anyway. Angus
  20. To send custom error responses you can create overloaded versions of Answer404, etc, in your version of THttpConnection or THttpAppSrvConnection. Angus
  21. Angus Robertson

    TRESTClient Security Error 12175 following Windows Update

    Just done some testing using the D11.2 TRESTClient component on Windows 11 Enterprise 22H2 fully updated. It seems all TLS protocols are still available to the client. I have servers built with the ICS web server component that can report the TLS client hello packet that tells the server what protocols the client can accept. The URL is https://api2.telecom-tariffs.co.uk/serverinfo.htm which returns an information page about the server and client connected; for the TRESTClient with all TLS boxes ticked the Hello starts with: Client Hello: Server Name: api2.telecom-tariffs.co.uk, ALPN: , Versions: TLSv1.2, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1.0, TLSv1.3 Key Share Data which means all four protocols are accepted; ticking just TLS12 and only that protocol appears in the Hello, and works. Windows 11 also connects with TLS/1.3 if requested, without registry patches. However, I may have previously done the patches two years ago when first testing TLS/1.3. I do hack the PC a lot, currently Edge and Windows File Explorer are dead with exceptions. Angus
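    The ClientHello inspection the post describes, as an added Python example that is neither ICS code nor the serverinfo page's implementation: it reads the legacy version, the SNI extension, the supported_versions extension and whether key_share is present, which are the fields behind a report like the one quoted. The sample hello is constructed inside the block, and the builder's single cipher suite and empty key_share list are simplifications chosen for the example.

```python
import struct

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SNI, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x0000, 0x002B, 0x0033

def parse_client_hello(record: bytes) -> dict:
    """Report SNI, offered TLS versions and key_share presence from one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = int.from_bytes(body[0:2], "big")   # legacy_version: TLS 1.3 clients still put 0x0303 here
    info = {"server_name": "", "versions": [TLS_VERSIONS.get(legacy, hex(legacy))], "key_share": False}
    pos = 2 + 32                                         # skip legacy_version and random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return info                                      # old-style hello with no extensions at all
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SNI and len(data) >= 5 and data[2] == 0:   # first entry is a host_name
            info["server_name"] = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS:            # the list a TLS 1.3-capable client really offers
            for i in range(1, 1 + data[0], 2):
                v = int.from_bytes(data[i:i + 2], "big")
                info["versions"].append(TLS_VERSIONS.get(v, hex(v)))
        elif etype == EXT_KEY_SHARE:
            info["key_share"] = True
    return info

def build_sample_hello(server_name, versions, key_share=True) -> bytes:
    """Constructed sample ClientHello (test data, not a capture): one cipher suite, no compression."""
    def ext(etype, data):
        return struct.pack(">HH", etype, len(data)) + data
    name = server_name.encode("ascii")
    exts = ext(EXT_SNI, struct.pack(">HBH", len(name) + 3, 0, len(name)) + name)
    vs = b"".join(struct.pack(">H", v) for v in versions)
    exts += ext(EXT_SUPPORTED_VERSIONS, bytes([len(vs)]) + vs)
    if key_share:
        exts += ext(EXT_KEY_SHARE, b"\x00\x00")           # empty share list still marks a TLS 1.3 client
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```

    The first version in the result is always the legacy_version field, so a TLS 1.3 client shows TLSv1.2 followed by its supported_versions list, exactly the ordering the quoted report shows.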
  22. Angus Robertson

    TRESTClient Security Error 12175 following Windows Update

    It's possible that changing the SSL version tick boxes might require a reboot to be effective, that is certainly the case when you change SSL protocol settings such as ciphers in the registry or using Powershell. Angus
  23. Angus Robertson

    ebay JWS https request

    In theory, you can do this with the ICS JOSE functions like IcsJoseJWKPubKey and IcsJoseJWSComp that are used to implement the ACME protocol for Let's Encrypt certificate ordering, which work with the ICS REST component. But often these JWT implementations have little tweaks or special features that might mean minor changes to these functions. ICS may be installed from GetIt or http://wiki.overbyte.eu/wiki/index.php/ICS_Download. Angus
  24. You probably have not initialised OpenSSL to load the DLLs with OverbyteIcsWSocket.LoadSsl. Angus
  25. Not sure if it's just my PC, but updating to Windows 11 22H2 last week stopped .BAT files running due to the file association being removed, it seems Windows now prefers them to be called .CMD instead. Most other file associations disappeared as well, but that is just Microsoft wanting us to use its own apps and not better ones. Easy enough to rename my common batch files, but GetIt often builds libraries using BAT files, so had to restore the file association with a little REG file.

    Windows Registry Editor Version 5.00
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat]
    [-HKEY_CURRENT_USER\Software\Classes\.bat]
    [-HKEY_CURRENT_USER\SOFTWARE\Classes\batfile]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat]
    @="batfile"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
    @="\"%1\" %*"

    Windows Explorer also now crashes with a .NET run time error, which is pretty sad, fortunately I mainly use the Delphi UltraExplorer instead. Possibly the Explorer crash is due to third party software like Open Shell Menu. Angus