
Angus Robertson

Members
  • Content Count: 1881
  • Days Won: 33

Everything posted by Angus Robertson

  1. From your description, I'm not sure how anything is set up here, or why you are using an OpenSSL tool for testing. The proxy server needs its own SSL/TLS certificate matching the host name localhost, which you seem to have created, but this will fail validation by clients unless those clients have the root certificate installed, Personal Root CA in your case. But this is unrelated to the client certificate, which should be installed in the Firefox certificate store and then validated by the proxy server. Your openssl s_client command line does not have a client certificate, which is the reason for the errors. Angus
  2. Angus Robertson

    WebSockets in Use

    Thanks, always useful to know new ICS components have been tested in wider environments than my own servers. The final release is planned for May, once one more new sample is finished. Angus
  3. The important word there is 'should'; many Windows APIs are considered historic and obsolete but are widely used and supported. Angus
  4. Check the WM_POWER message as well. Angus
  5. Angus Robertson

    ICS V8.66 announced

    ICS V8.66 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download

    ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio and 10.4 Sydney, and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio and 10.4 Sydney. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 1.1.1k win32, with other versions of OpenSSL being available from the download page.

    Changes in ICS V8.66 include:

    1 - Added a new TIcsInetAlive component to check for IPv4 and/or IPv6 internet connectivity, using Ping and/or HTTP, defaulting to www.msftconnecttest.com run by Microsoft for Windows 10 alive checking. The online and offline check intervals may be set, and an event fires when the online state changes. Sample OverbyteIcsHttpRestTst has a demo for the new component.

    2 - OpenSSL 1.0.2 and 1.1.0 ceased security fix support over 12 months ago, so ICS now only supports 1.1.1, with 3.0 support due in the next few months. This removes a lot of legacy code and functions, and several old ICS functions needed for backward compatibility. Two components only used for 1.0.2 have been removed, TSslStaticLock and TSslDynamicLock, which may give an error loading forms until they are removed. SslContext SslOptions is now ignored, use SslOptions2 instead which has more modern options. SslOptions cannot be removed because it is saved on too many DFMs. Most modern applications should not be using SslContext, but IcsHosts for servers, or high level client components like TSslHttpRest.

    3 - Undertook a major clean-up of OpenSSL functions that may require end user application changes if low level OpenSSL functions have been used, hopefully very rarely. All OpenSSL functions have been renamed to their original names, removing the ICS f_ prefix for commonality with other Delphi applications. Renamed literals BIO_CTRL_PENDING_, CRYPTO_NUM_LOCKS_, CRYPTO_LOCK_, OPENSSL_VERSION_ with underscore to avoid conflicts with functions of the same case sensitive names. Removed unit OverbyteIcsLibeayEx, not used for a while. Most OpenSSL type pointers to Dummy array are now simple Pointer type. Changed most OpenSSL var parameters to pointers for commonality. New TSslWSocket method SslOK reports whether TLS/SSL was negotiated OK. LoadVerifyLocations no longer lets OpenSSL use default CA folder locations, which is potentially a security risk.

    4 - Bring server SSL/TLS security levels up to latest Mozilla recommendations. In 2021 Mozilla recommends TLSv1.3 as the Modern level and TLSv1.2/1.3 as Intermediate, supporting all browsers from the last five years, so IcsHosts now use sslCiphersMozillaSrvTLS12 as the Intermediate level; Mozilla also recommends no server cipher preference, so that has been changed. Updated SslSrvSecurity levels: sslSrvSecInter, sslSrvSecInterFS and sslSrvSecHigh are now all the same, TLSv1.2 or 1.3; sslSrvSecTls12Less is now TLSv1.2 only; sslSrvSecSsl3 is not supported; only sslSrvSecBack supports TLSv1 and 1.1; sslSrvSecTls13Only is unchanged, TLSv1.3 only.

    5 - Added support for YuOpenSSL, which provides OpenSSL in a pre-built DCU statically linked into applications, rather than using external OpenSSL DLLs. This makes application distribution more reliable since it cannot fail by users deleting the DLLs or copying incompatible versions into the directory. YuOpenSSL is a commercial product from https://www.yunqa.de/ and is supplied as separate compiled DCUs for Delphi 5 to 10.4. DEFINE YuOpenSSL in Include\OverbyteIcsDefs.inc determines whether the DCU is linked or the external DLLs are used. Note only one version of OpenSSL can be linked with YuOpenSSL, whereas different DLLs can be supported. Apart from setting the define and adding a path to YuOpenSSL.dcu, no other application code changes are needed unless you check or report the DLL directory, when GSSLStaticLinked can be checked to see if OpenSSL is statically linked. Also worth noting that YuOpenSSL provides access to all OpenSSL APIs, while ICS only accesses those DLL APIs needed for functionality we support.

    6 - Added a better way of configuring Socks proxy and HTTP Tunnel proxy settings in TWSocket, similarly to that added for THttpCli in V8.62. The new ProxyURL property sets SOCKS or HTTP Tunnel proxy settings using a single URL, i.e. proto://[user:password@]host:port where proto is socks5 or http. Also added new methods SetSocks and SetHTTPTunnel to set proxy properties in a single call. Socks proxy and HTTP tunnelling again support host names, broken in V8.56. The sample OverbyteIcsSocksTst has been updated to demonstrate use of the new ProxyURL property and also now supports HTTP Tunnel proxy.

    7 - TIcsRestEmail has a new OAAuthType property and event for the OAuth2 browser URL, perhaps via email for servers. TIcsRestEmail now sets OAuth2 errors, and clears old tokens. Increased default timeout for TIcsRestEmail OAuth2 login to 120 seconds, since several web page warnings may be seen while attempting to login through the web page.

    8 - TIcsHttpMulti has a new ParseLevels property that follows links on a parsed web page to lower level pages, which are also parsed, looking for files to download with a specific file extension, i.e. .avi. It ignores parent links without a file extension, and external links. This allows the component to download files indexed using HTTP from CCTV camera memory cards.

    9 - In TSslHttpRest, ensure SSL is initialised for non-REST HTTP requests like GET, POST and PUT.

    10 - In TSslWSocketServer, added better error handling when IcsHosts SslCert is blank, so SslContext is still created for automatically created self signed certificates.

    11 - In TSslWSocketServer, TSslHttpAppSrv and TSslHttpSrv, added new onBeforeCtxInit event which, if set, is called once before each IcsHosts SslContext is initialised to allow the context parameters to be adjusted for special ciphers or protocols.

    12 - In THttpCli, AddrResolvedStr is now still available after the connection closes to report the IP address used for the connection. When using an HTTPS proxy with the CONNECT command, don't send host and port, which some servers are unable to handle, probably broken with V8.64.

    13 - In TIcsMailQueue, added a new method CheckOAuthLogins that should be called before the queue starts when using OAuth2 email logins, which allows interactively checking with a browser of any OAuth2 login credentials, and avoids asking for login the first time an email is sent, maybe days later.

    14 - In TSslX509Certs, when starting the local web server for file challenges, check the server IP address still exists or change to 0.0.0.0, may not work if multiple IPs exist.

    15 - Updated to OpenSSL 1.1.1k with two high security fixes, one introduced in the last version relating to a certificate chain validation that ICS does not use, the other relating to servers using TLSv1.2 and renegotiation, and that feature is removed in V8.66.
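Item 6 above gives the grammar of the new ProxyURL property as proto://[user:password@]host:port. The Python below is an added example of parsing and validating that grammar, written for this page; it is not ICS code and does not show how TWSocket implements ProxyURL. It assumes only the two protocol names the post lists (socks5 and http), treats a missing port as an error rather than guessing a default, and percent-decodes the credentials so a password containing '@' or ':' can be carried safely. The redaction helper is there because proxy URLs tend to end up in log files.

```python
"""Parse proto://[user:password@]host:port proxy settings (added example, not ICS code)."""
from urllib.parse import urlsplit, unquote

# Only the protocols named in the ICS V8.66 announcement; anything else is rejected.
ALLOWED_SCHEMES = {"socks5", "http"}


def parse_proxy_url(url: str) -> dict:
    """Return {'proto', 'host', 'port', 'user', 'password'} for a proxy URL.

    Raises ValueError for anything that is not an unambiguous
    proto://[user:password@]host:port, so a mistyped proxy string fails
    loudly instead of silently connecting direct or to the wrong host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported proxy protocol {parts.scheme!r}; "
                         f"expected one of {sorted(ALLOWED_SCHEMES)}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("proxy URL must not carry a path, query or fragment")

    host = parts.hostname          # already lower-cased, IPv6 brackets stripped
    if not host:
        raise ValueError("proxy URL has no host")

    try:
        port = parts.port          # ValueError if non-numeric or > 65535
    except ValueError as exc:
        raise ValueError(f"invalid proxy port in {url!r}") from exc
    if port is None:
        raise ValueError("proxy URL must specify an explicit port")

    # Credentials are percent-encoded in the URL; decode them for the proxy login.
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    if password is not None and not user:
        raise ValueError("password given without a user name")

    return {"proto": scheme, "host": host, "port": port,
            "user": user, "password": password}


def redact_for_log(settings: dict) -> str:
    """Rebuild the URL with the password masked, for logging or error messages."""
    host = settings["host"]
    if ":" in host:                # IPv6 literal needs its brackets back
        host = f"[{host}]"
    cred = ""
    if settings["user"] is not None:
        cred = settings["user"]
        if settings["password"] is not None:
            cred += ":***"
        cred += "@"
    return f"{settings['proto']}://{cred}{host}:{settings['port']}"


if __name__ == "__main__":
    # Constructed sample inputs, not real proxies.
    for sample in ("socks5://alice:p%40ss@proxy.example:1080",
                   "http://[2001:db8::1]:3128",
                   "socks4://proxy.example:1080"):
        try:
            print(redact_for_log(parse_proxy_url(sample)))
        except ValueError as err:
            print(f"rejected {sample}: {err}")
```

The two failure modes worth noting are a scheme the tunnel code does not implement (socks4 here) and a URL without a port, both of which are rejected rather than defaulted, since a proxy that is silently skipped means traffic leaves by the direct route.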
  6. Angus Robertson

    ICS V8.66 announced

    The new ProxyURL property is currently only for simple proxy servers in the HTTP client component, for SOCKS you set the SocksServer, SocksPort, SocksLevel, SocksAuthentication, SocksUserCode and SocksPassword properties, as shown in OverbyteIcsHttpsTst.dpr sample. As the source comment suggests, the single ProxyURL property could be updated to support more proxy options like SOCKS, but no-one has asked about it before. Angus
  7. Angus Robertson

    Sync functions for Dns Query

    Your changes are now in SVN and the overnight zip, with several other DNS query improvements, including support for trying lists of DNS servers where one or more don't respond. It is also easier to access the arrays of different DNS answers. These have all simplified DNS lookups in the Mail Queue and X509 certificate ordering components. Angus
  8. Angus Robertson

    How to get CER expiring date?

    TX509Base has dozens of methods for loading, saving, and examining certificates, but was never properly documented. However, virtually all these properties and methods are used in the OverbyteIcsPemtool.dpr sample, also the TSslCertTools derivative that allows creation and signing of certificates. Angus
  9. Angus Robertson

    How to get CER expiring date?

    The SslCertX509 property is type TX509Base and has methods to load, save and examine the content of the certificate and private key, IsCertLoaded, IsPKeyLoaded and IsInterLoaded say what has been loaded, so in your case nothing because you have not yet called InitContext, only created it in your code snippet. If you just want to examine a certificate text, load it into a TX509Base object instead with the LoadFromTextEx method which will return any errors. Angus
  10. Angus Robertson

    How to get CER expiring date?

    SslContext.SslCertX509.ValidNotAfter returns certificate expiry as TDateTime. Angus
  11. Well it seems ICS and FileZilla are both trying to compensate for the misconfigured server, the other difference in the logs is FileZilla has set binary mode, but you did not in ICS, perhaps the FTP server is giving a misleading error and does not like ASCII mode. You could also try the better FTP sample OverbyteIcsXferTst.dpr, it will probably set binary automatically. Angus
  12. Sorry, I can not see what host name or IP address either client connected with, only the LAN 10.xx.xx.xx address the passive connection is trying to use, and I assume the FTP server is not on your LAN so is incorrect. The FileZilla log may make some comment after the passive mode line, but not in a language I understand. A public FTP server should never offer a private 10.xx or 192.168.xx address for a passive connection, it is incorrectly configured. There may be an issue with the ftpFixPasvLanIP FOptions which is attempting to fix this problem, but without more logging or testing there is little I can do. Angus
  13. Are you talking about Filezilla server or client? Both are quite clever in handling poorly implemented NAT routers provided they are configured correctly. ICS knows there is a problem, thus the suspicious comment, but I can not advise you with the partial redacted log you supplied. Look at the FileZilla log and see what is different. Angus
  14. Angus Robertson

    Sync functions for Dns Query

    Thanks, will check it and add to ICS next week. I bodge sync MX look-up in the mail queue unit, would be good to have a cleaner option. Angus
  15. Thanks, will be fixed next week. Angus
  16. Look at the IP addresses, totally different for control and data channels. Perhaps you are accessing FTP via a NAT router that can cause problems. Angus
  17. Angus Robertson

    Error in OverbyteIcsLIBEAY

    If you allow an HTTPS request to be made, you must load OpenSSL before that happens. Or use the modern component TSslHttpRest which handles all the SSL stuff for you. Angus
  18. Angus Robertson

    Websockets

    I assume you are talking about a websocket client component, there is such a new component in ICS V8.71 not released yet but can be downloaded from the overnight zip or SVN. The new client is in OverbyteIcsWebSocketCli.pas with a sample in OverbyteIcsHttpRestTst.dpr (because it descends from the HTTP REST component). It's been tested against a couple of public websocket servers, and both of the ICS server implementations, one is new and built into the multi web server sample. It's also running on one of my public web sites, which the sample tests against. Angus
  19. OpenSSL has released a new version 3.1.0, Windows binaries are available in SVN and the overnight zip file and separately from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp This is a minor release that does not require a new version of ICS, the main improvement is a FIPS 140-3 compliant FIPS Provider, 3.0 was FIPS 140-2. Note the ICS Windows build can not be FIPS approved. There have been numerous performance improvements implemented compared to the OpenSSL 3.0 release. Plans for future OpenSSL releases are at: https://www.openssl.org/roadmap.html Angus
  20. Much of my code is similar to yours, except it uses different methods that do vastly more complicated things than the simple methods in the older component. Just build it and run it, with a log window, and it will just download a file. Or you can run the OverbyteIcsXferTst.dpr sample that does the same thing. It will be in SVN in a few days when I've done more snippets. Angus
  21. uses OverbyteIcsWsocket, OverbyteIcsFtpcli, OverbyteIcsFileCopy, OverbyteIcsFtpMulti;

    procedure TSnippets.AddLogText(const Line: String);
    begin
      LogWin.Lines.Add(Line);
    end;

    procedure TSnippets.onXferEvent(LogLevel: TIcsCopyLogLevel; Info: string; var Cancel: boolean);
    begin
      if (LogLevel = LogLevelInfo) or (LogLevel = LogLevelFile) then
      begin
        AddLogText(Info);
        LabelProgress.Caption := Info;
      end;
      if (LogLevel = LogLevelProg) then
      begin
        if Info <> '' then
          LabelProgress.Caption := 'Progress: ' + Info
        else
          LabelProgress.Caption := '';
      end;
      if (LogLevel = LogLevelDiag) and ShowDiags.Checked then
        AddLogText(Info);
      if AbortFlag then
        Cancel := true;
    end;

    procedure TSnippets.doFtpDownOneFileClick(Sender: TObject);
    var
      FtpMultiClient: TIcsFtpMulti;
      taskres: TIcsTaskResult;
      myftppath, myftpfile, myfiletarget: String;
      myftphost, myftpusername, myftppassword: String;
      myftptype: TFtpType;
      myfilereplace: TIcsFileCopyRepl;
    begin
      // parameters for the single FTP download operation
      myftppath := '/testing';                  // FTP server path for file
      myftpfile := 'speed50meg.zip';            // FTP file to download
      myfiletarget := IncludeTrailingPathDelimiter(DirTemp.Text) + myftpfile;  // where we download to
      myftphost := 'ics.ftptest.org';           // supports IPv4 and IPv6
      myftpusername := 'anonymous';             // no uploads
      myftppassword := 'icssnippets';
      myftptype := FtpTypeAuthSslBoth;          // or FtpTypeNone, FtpTypeConnSslBoth (no SSL or only SSL)
      myfilereplace := FCReplAlways;            // or FCReplNever, FCReplNewer

      // create component and events to see progress
      FtpMultiClient := TIcsFtpMulti.Create(self);
      FtpMultiClient.CopyEvent := onXferEvent;
      doFtpDownOneFile.Enabled := false;
      AbortFlag := false;
      LabelProgress.Caption := '';
      try
        try
          // essential FTP parameters
          FtpMultiClient.SocketFamily := sfIPv4;            // or sfIPv6 or sfAny
          FtpMultiClient.HostName1 := myftphost;
          FtpMultiClient.FtpType := myftptype;
          FtpMultiClient.UserName := myftpusername;
          FtpMultiClient.PassWord := myftppassword;
          FtpMultiClient.MaxAttempts := 2;                  // logon attempts, may try IPv6 then IPv4
          FtpMultiClient.FailRepeat := 2;                   // retries for failed xfers
          FtpMultiClient.PassiveX := True;                  // must be after connection type
          FtpMultiClient.FtpSslVerMethod := ftpSslVerBundle; // or ftpSslVerNone to skip checking certificates
          FtpMultiClient.FtpSslReportChain := False;        // true to list SSL certificates
          FtpMultiClient.SrcDir := '/';                     // required
          FtpMultiClient.BulkMode := BulkModeDownload;      // required

          // connect, login, get features
          taskres := FtpMultiClient.FtpLogon;
          if taskres = TaskResOKNew then
          begin
            taskres := FtpMultiClient.FtpDownOneFile(myftppath, myftpfile, myfiletarget, myfilereplace);
          end;
          AddLogText('Task Result: ' + IcsGetTaskResName(taskres));
          AddLogText(FtpMultiClient.ReqResponse);
        except
          AddLogText('FTP Error - ' + IcsGetExceptMess(ExceptObject));
        end;
      finally
        FtpMultiClient.FtpLogoff;
        FreeAndNil(FtpMultiClient);
        LabelProgress.Caption := 'FTP Completed';
        doFtpDownOneFile.Enabled := true;
      end;
    end;

    This code is from a new ICS snippets application that has simple examples of many common ICS tasks, this one downloads a single file using SSL from one of my public FTP servers, using the modern TIcsFtpMulti component. It only needs a couple more properties and it will download multiple directories of files. Angus
  22. Most ICS high level protocol components provide both sync and async methods, the former are often easier to work with for many applications. Impossible to say why the presented code is not working, since there are no given parameters or any logging of what the component actually does. It is also the old way to create FTP applications. You should build the sample OverbyteIcsXferTst.dpr which uses the modern TIcsFtpMulti component. Look at the Single FTP tab and the doFtpDown1Click method which shows how to download a single file, although it is just as easy to tell it to download a complete directory structure of thousands of files. I appreciate OverbyteIcsXferTst.dpr is a complex sample illustrating several different components, so I'll do a simple FTP snippet later today. Angus
  23. Angus Robertson

    Segmentation Fault in IcsMbToWc

    LocaleCharsFromUnicode was available in XE2 so is now used from that version. A lot of conditional code has now gone. Angus
  24. Angus Robertson

    Segmentation Fault in IcsMbToWc

    Now perhaps, maybe not 10 years ago when this stuff was written, but I'll bring the unit up to date shortly. Angus
  25. Angus Robertson

    Segmentation Fault in IcsMbToWc

    ICS V9 is https://svn.overbyte.be/svn/icsv9/ But maybe I've set permissions for private access until more of it is completed. Angus