
Everything posted by Angus Robertson

  1. OpenSSL has released new versions of the three active branches. These fix a moderate severity security issue CVE-2023-2650, which is a possible denial of service translating specially crafted very long ASN.1 object identifiers in X509 certificates, OCSP responses, PKCS7/SMIME, CMS, CMP/CRMF or TS from malicious web sites. Windows binaries are available in SVN and the overnight zip file and separately from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp Separately, YuOpenSSL has released 3.0.9 and 1.1.1u as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus
  2. Very rarely should you need to use SSL DebugLevel logging DebugSslLow, generally DebugSsl gives all the information you need. In this case, also set SslReportChain true and it will log the certificates in the chain, allowing you to see why verification failed, either the server is misconfigured and did not send an intermediate, or the intermediate is signed by a root CA that is not in the store you specified. ICS has different CA stores with varying numbers of certificates, there are hundreds of CAs, but only a few dozen are common. Angus
  3. How the request is made depends on the value of the Async parameter. If Async is false, the function is blocking and waits for the request to complete, so the return code will be accurate, but true means async so it will return immediately the request starts and the OnRestRequestDone event is called when the request completes, from where you check various properties to see what happened. Angus
  4. Angus Robertson

    TNetHttpCLient trusted CA

    Using YuOpenSSL with ICS is easy, just uncomment {$DEFINE YuOpenSSL} in the OverbyteDefs.inc unit, add the path of the correct YuOpenSSL.dcu (single file) and rebuild the packages. I've done it several times this week testing new versions of our OpenSSL DLLs and the DCUs. You don't need any other YuOpenSSL units. Angus
  5. So this is just a private protocol, not really REST. Commonly, textual responses are followed by CRLF, that may be what the client is expecting. Angus
  6. REST client requests are usually sent using HTTPS, this should be obvious where the data you receive from the client contains HTTP headers, so you have to reply using HTTP, your Hi response will simply be ignored by the client. Ideally, you would be using the web server component, but creating a simple HTTP header and response HTTP page is only a few lines of code. Angus
  7. Angus Robertson

    TNetHttpCLient trusted CA

    YuOpenSSL operates identically to the SSLs in ICS, I've been using it as both Win32 and Win64 in my server and client applications for two years. But then I did adapt ICS to use YuOpenSSL. ICS also has full X509 certificate validation against CA stores I update every few months, including an internal store to avoid needing CA files, and checks OCSP for withdrawn certificates. Angus
  8. Angus Robertson

    SmtpCli - wrong Encoding?!

    That particular code segment is only used if you send a blank message, there are lots of lines just above it relating to setting FTransferEncoding to that specified in DefaultEncoding based on checking the actual text. So it's more likely you are not setting DefaultEncoding to smtpEnc8bit and Allow8Bit to true before sending email. Angus
  9. Angus Robertson

    Delphi 11.3 - Indy - OpenSSL 3.1

    OpenSSL 3.0 and 3.1 are reasonably compatible with 1.1.1 for TLS, although a number of older algorithms have moved to legacy.dll which has to be loaded if you need MD5 and such stuff. SSL_get_peer_certificate is now SSL_get1_peer_certificate, and there are some other similar changes with 0 or 1 to make clear whether memory should be freed. 3.0 also added providers instead of engines and deprecated a large number of functions with better versions, but they still work for now. Angus
  10. Angus Robertson

    ICS 8.70 VCLCB110 64 bits compile error

    Looks like a compiler funny, when the same error occurs in different random units. There are a lot of Win64 fixes in V8.71, mostly stability, but no C++ packages yet, about two weeks away. Angus
  11. Angus Robertson

    ICS 8.70 VCLCB110 64 bits compile error

    OverbyteIcsAvlTrees is unchanged for 10 years, not aware any C++ users have previously reported a problem with it. It is only used in two places in ICS, for an SSL session cache in user applications, very rarely, and for the TThreadLocalStore class in WSocket which I don't believe is used by any ICS units and is undocumented and uncommented as to use. Angus
  12. Yes, this is normal behaviour, better to have DataAvailable trigger too often than miss potential data. Sorry, can not tell you why it was designed that way 25 years ago... Angus
  13. Angus Robertson

    ICS 8.70 VCLCB110 64 bits compile error

    Sorry, I don't do C++ so someone else will need to reproduce and fix the error, ideally within the next two weeks for the next release. Angus
  14. Angus Robertson

    D11.3 CE VCL & FMX installation error

    The OAuth units were last updated in January, and I've rebuilt the packages dozens of times since, including today. Have you got the ICS source directory in your path? Or perhaps there is something strange about the new community edition. Angus
  15. Angus Robertson

    D11.3 CE VCL & FMX installation error

    You need to build the IcsCommonD110Run package, which includes OverbyteIcsTicks64, before the VCL/FMX packages. The 64s refer to Int64, not Win64. Angus
  16. Angus Robertson

    ICS under Delphi7

    I do test that new releases of ICS still build on Delphi 7, and it did last time several months ago. Not aware it's been broken since, but I will test it again next week. Delphi 2007 gets tested a lot more often. Meanwhile, just comment out anything that does not work, unless you need that feature. Angus
  17. Angus Robertson

    TWSocketServer stop accepting connections

    How often are new connections being opened? There is a ListenBacklog property that is supposed to limit the pending queue of unaccepted new connections, before Windows rejects new connections. It defaults to 15 in new versions of ICS. I'd also suggest using a thread for long actions, the ICS FTP server does so for certain commands that take a while on massive files. There is also a threaded server component that uses one thread per client, but it's not been tested in several years. I'm planning a new threaded server component to allow use of multiple CPUs. Angus
  18. I've explained the latest version in SVN will not build on C++, the packages are not complete. You would be better with V8.70. For a web server application, the MsSslUtils and wincrypt units are only needed to support Let's Encrypt certificates, so undefining AUTO_X509_CERTS in OverbyteIcsDefs.inc will avoid all those problems. Angus
  19. There are several points here. The HTTP server does not support OAuth2. The THttpServer component does not even handle SSL. That is TSslHttpServer. OAuth2 in V8.70 does not support any embedded browsers, and does not use Edge. I've just searched the 560 files in the ics\packages directory, vcl.edge does not appear anywhere, vcledge does appear in packages for the next release only. So I've no idea why your installation requires vcl.edge. Angus
  20. The poster has yet to say which version of ICS he is trying to install. The latest V8.70 release does not access Edge or Web Browser so won't need them. The unreleased SVN and overnight zip version does use Edge, but only has packages for Delphi 2007, 10.4 and 11, nothing for C++ which might explain all the errors. It should be released later this month when the hundreds of package files for dozens of compilers will be updated. Angus
  21. ReceiveTB was added in V8.70 but is used by (I believe) only one other component, not the HTTP applications. What were you building when you got those errors? Although the error message you posted about does not say ReceiveTB but has a strange Unicode character embedded. Angus
  22. No quick answer, you are using 10 year old C++ samples with the latest Delphi components. Try undefining AUTO_X509_CERTS, build the library and see if that is any better. Angus
  23. If you only use VCL, you don't need to build or install the common, vcl or fmx libraries, or use any units with fmx in the name. Try CBD101Install.groupproj instead which builds OverbyteIcsCBD101Run and OverbyteIcsCBD101Desgn. Currently there are no CBD packages for later versions of C++ because they have not been contributed by C++ users, but hopefully that will get fixed in May. Angus
  24. The ICS web server supports client certificates, but this scenario seems to be using an old SOAP server that does not support SSL/TLS. Angus
  25. Think there are two issues here: You are probably using an older ICS version than I am, there are a lot of OAuth changes in V8.71 including an embedded window so no browser needed, it is available in the overnight zip and many others are using it but won't be released until late May (and the Delphi 2010 packages are not done yet). There is one bug fix that might be affecting you. V8.71 has been tested by Delphi 2007 so should be okay on 2010. Also I don't really know what errors you are getting since you have not posted any proper logs, you can email them to me, but I'm not going to look closely unless they are from V8.71 and I can reproduce the error. Angus