Angus Robertson

Everything posted by Angus Robertson

  1. Angus Robertson

    Issue with basic TCP server and ICS 9.4

    I meant test your original code or the ICS OverbyteIcsTcpSrv sample against the ComGen data stream. Angus
  2. Angus Robertson

    Issue with basic TCP server and ICS 9.4

    So now you just need to disconnect and reconnect a few times to make sure close session is working. Then test again with your original data source. I often find testing with alternate clients or servers shows up missed issues. ComGen on mahpub5 is configured to just send a line every 10 seconds, but it could be 100 lines per second, or lots of short repeated sessions. It uses an array of TIcsIpStrmLog components, so does everything that component does. Angus
  3. Angus Robertson

    Issue with basic TCP server and ICS 9.4

    Good, so at least the ICS socket server component is behaving correctly, but does not explain why it fails when you use it at a lower level. Try connecting to non-SSL port :21502 on my server and see if your own code receives the same information? If not, you need more diagnostics to see what is happening. You are connecting to a free tool I wrote called ComGen which I've used extensively for testing ICS over 15 years. Angus
  4. Should be done in SVN in a couple of days. Angus
  5. Angus Robertson

    Issue with basic TCP server and ICS 9.4

    I'm afraid the C++ samples have not been tested for 13 years. Please try running the sample OverbyteIcsSnippets, click Remote Socket Traffic, and data should start appearing from one of my servers. All the code is in a single function, doSocketRemoteClick, that should be easy to convert to C++. If that fails, we do have a serious C++ problem. Angus
  6. Angus Robertson

    Issue with basic TCP server and ICS 9.4

    You can download prebuilt samples from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples to avoid building them yourself. Sorry, no idea why your sample no longer works, but I don't write C++ so can not test it. I am very careful when updating ICS to make it remain compatible with older versions of Delphi, events and such like rarely change. Logging events is the only way to debug your problem. Angus
  7. Angus Robertson

    Issue with basic TCP server and ICS 9.4

    Are you saying the same code runs OK in the older version of ICS, but not the new version? You don't say what your project is for, but you would be better starting with the TIcsIpStrmLog component that hides all the low level stuff from you, try running the pre-built OverbyteIcsIpStmLogTst sample, configuring it as a TCP Server, and start it. All the logging for diagnostics is built in. Angus
  8. When opening a new connection to a remote host, ICS does a DNS lookup that may return several IP addresses, but is only able to connect to one of those addresses, usually the first in the list, unless changed in the onDnsLookup event. An application that wants to try to connect to another IP after failure needs to retry the connect, selecting another IP from DnsResultList. Handling this automatically has never been implemented in ICS. Windows has a Winsock2 API WSAConnectByList that takes a list of IP addresses and attempts to connect to each in turn until one succeeds, or a timeout is reached. Only catch is this is a blocking request, so the application will not process messages until it completes, which is rare in ICS. This could be added without much effort as an option in TWSocket to avoid applications needing to handle the failures and next IP attempts using code (how many of us bother?). Ideally, ICS would handle multiple attempts using events and timeouts, but this is rather more complex to write and test. Would connect to list of IPs be a feature you'd use? Angus
  9. Angus Robertson

    WSAConnectByList API, connect to list of IPs

    While opening multiple connections would be good, it is not trivial, which is the benefit of WSAConnectByList. ICS does support IPv6, the IP selected depends on the TSocketFamily specified, so may be the first IPv6 address if both are available. But it does not try others if the first fails, and my office IPv6 connection is currently down due to misconfiguration at my ISP (not their opinion). Currently, IPv6 testing is done on my two hosted servers, I really should set up a VPN to one of them. So it's important for applications to be able to select TSocketFamily, to prefer or disable IPv6 depending on circumstance. Angus
  10. Angus Robertson

    if Obj <> nil then Obj.Free

    In general, ICS does use FreeAndNil for new code, if not nilled in code, the nil being the important part, since double Free without nil does cause an exception. Double free is common, due to the complex inheritance of many ICS components. But I simply don't have the time to clean up code written up to 25 years ago, unless I'm updating that code for other reasons. It all needs testing afterwards, and often correction when it then fails to compile on older versions of Delphi... Angus
  11. Angus Robertson

    if Obj <> nil then Obj.Free

    ICS still supports Delphi 7. Angus
  12. There have been a lot of changes to the websocket components since ICS V9.0, and a major rewrite to support newer protocols is coming in a week or so with ICS V9.5. So please repeat all your tests with ICS from the overnight zip and see if you can still reproduce the same problems. I'm afraid the debug logs you show are meaningless for diagnostic purposes, they are purely for development use. I have a public websocket server that is supporting about 50 SQL REST requests each second, for an hour at a time. Angus
  13. Angus Robertson

    Microsoft Trusted Signing service

    Has anyone tried this service for signing applications, free until June 2024, then $9.99: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457 Angus
  14. Angus Robertson

    TSslCertTools for generate CSR

    ICS can not access the Windows Certificate Store without the OverbyteIcsMsSslUtils unit, and it will not build for C++ without changes. But any ICS passworded PKCS12 file can be installed manually into the Windows store using Microsoft utilities. Angus
  15. Angus Robertson

    TSslCertTools for generate CSR

    I assume from your earlier message you are using C++, not Delphi. Our support for C++ is very limited, since I have zero knowledge of it. Earlier testing has given C++ errors I've been unable to fix trying to build the OverbyteIcsMsSslUtils unit needed for access to the Windows Store, so there are defines to prevent it being built for C++ and allow the rest of the units to work. To attempt to build the unit, you'll need to remove some defines from the bottom of the OverbyteIcsDefs.inc unit and fix the C++ errors. Please let me know if you fix it. BTW, your new Distinguished Names properties are now in SVN, with a couple of other new ones. Angus
  16. Angus Robertson

    OpenSSL engines support (GOST)

    Sorry, I know nothing about GOST. I understand there is a version for OpenSSL 3.0, but we don't provide a Windows version. Even if you build the engine DLL, ICS would need changes to use it. But ICS is open source, you can do those yourself, and they may be incorporated if of benefit to others. Angus
  17. Angus Robertson

    TSslCertTools for generate CSR

    Do those new names end up in the certificate itself, or are they only used for validation? If in the certificate, could you please email a PEM, so I can check we report it correctly. Angus
  18. Angus Robertson

    TSslCertTools for generate CSR

    The PemTool sample does not have edit boxes for surname or given name, because you are the first to request them. Most personal certificates are issued for email address, not people. I'd like to see an example with names. You should be able to add a couple of lines in TSslCertTools.DoCertReqProps, plus the properties to add them: AddNameEntryByTxt(SubjName, 'GN', MyGN); AddNameEntryByTxt(SubjName, 'SN', MySN); I will do this in the next week or so. Angus
  19. Angus Robertson

    TSslCertTools for generate CSR

    You should look at the OverbyteIcsPemtool sample, the 'New Certificate Properties' tab has settings for all the subject items, basic and extended usage, key usage, etc. However, these settings are primarily for server and computer certificates, if you need givenName and surName, I assume you are getting personal certificates from somewhere? Angus
  20. Angus Robertson

    ICS V9.4 announced

    ICS V9.4 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download

    ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12 and C++ Builder 10.4, 11 and 12. ICS supports VCL and FMX, Win32 and Win64 targets. The distribution zip includes the latest OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1 for Win32 and Win64.

    Changes in ICS V9.4 include:

    1 - Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen.
    2 - The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line.
    3 - In TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs.
    4 - In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end. Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL.
    5 - When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded.
    6 - In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error. Don't report directories as being downloadable, they are not. If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors.
    7 - The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4.
    8 - The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent.
    9 - When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available.
    10 - The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default.
    11 - The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging.
    12 - In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents.
    13 - The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519.
    14 - There is a new unit OverbyteIcsWinUtils that contains Windows API functions, built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access. It's planned to move most other Windows specific function here for ICS V10.
    15 - In the ICMP component, fixed a problem setting property PingMsg to the text to ping.
    16 - In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients.
    17 - In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file.
    18 - In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions. Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb).
    19 - The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32. Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12.

    The release notes for V9.4 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.4

    All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples

    Angus
  21. Angus Robertson

    ICS V9.4 announced

    I assume you are building for C++, there is no support for old compilers, I removed all the packages prior to D10.4. C++ is always more fragile than Delphi, there are problems building for the latest C++ Win64 targets as well. Angus
  22. I'm aware of some excellent Delphi encryption libraries but for applications already using OpenSSL, these add a lot of extra code. ICS currently has two encryption components in OverbyteIcsSslX509Utils.pas with minimal samples in PemTools, one for RSA private key encryption or a string, the second for Blowfish string and stream encryption. The latter uses the EVP_Cipher APIs so should be extendable for other symmetric ciphers like AES, so we can password zip files for instance. I could try to improve these ICS functions with more ciphers, but my crypto knowledge is low and there are so many different options for each cipher... Has anyone improved the ICS crypto stuff already? Or has someone written a Delphi encryption component using OpenSSL that can be shared with ICS? Angus
  23. Angus Robertson

    Blocking hackers

    ICS has a component TIcsBlackList that can be used by servers to count access attempts by IP address, and block after a specified number of attempts until after several hours of inactivity. Its use is illustrated in the OverbyteIcsSslMultiWebServ sample. Just noticed these lines in the log for one of my web servers, someone using Alibaba Cloud in Hong Kong has made almost three million access attempts to my web site over several weeks, trying to read access data that is limited to 50 accesses per day. And still trying despite those requests being rejected.

        47.76.209.138 attempts 1,481,269, first at 12:18:52, last at 20:00:17 BLOCKED
        47.76.99.127 attempts 1,478,638, first at 12:04:36, last at 19:58:57 BLOCKED

    Should really be reporting the date of first access, but don't normally see hackers continuing this long. The sample shows various ways to detect hackers, such as web site access by IP address instead of host name, that stops hundreds daily on my sites (no HTTP allowed). Angus
  24. Angus Robertson

    Blocking hackers

    Not one country, currently 619,000 IPs worldwide, spread evenly around the world, I've specifically blocked 107 countries, but not Europe yet. Possibly from a massive botnet of cheap Chinese hardware that comes compromised from the factory at very low prices, cheap IPTV boxes and dongles, Android tablets, etc, acting as HTTPS proxies for whoever controls the botnet. Angus
  25. Angus Robertson

    Blocking hackers

    Some of your tricks are already used in the ICS OverbyteIcsSslMultiWebServ sample, which is a simplified version of my public web servers. In the past, I'd mess with the connection of hackers, after detection, but this requires resources I don't want to waste, which is why I need to close the connection without reading any data or starting the SSL handshake. Filtering on content received can be useful for repeat hackers, but not when most requests come from unique IP addresses, 581,000 in the last three days, and still increasing. Angus
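
The counting and blocking behaviour described for TIcsBlackList in the "Blocking hackers" posts (count attempts per IP, block past a limit, release only after a period of inactivity), as an added Python example that is not part of the posts and is not ICS code. The class name, limit, quiet period and the documentation-range IP addresses are assumptions; first and last access are kept with full dates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Entry:
    attempts: int
    first: datetime
    last: datetime


class AttemptBlocker:
    """Hypothetical per-IP counter; illustrates the idea, not TIcsBlackList itself."""

    def __init__(self, max_attempts, quiet_period):
        self.max_attempts = max_attempts
        self.quiet_period = quiet_period
        self.entries = {}  # ip -> Entry

    def record(self, ip, now):
        """Count one attempt; True means drop the connection before reading data."""
        entry = self.entries.get(ip)
        if entry is not None and now - entry.last >= self.quiet_period:
            entry = None  # quiet for long enough: forget the old count
        if entry is None:
            entry = self.entries[ip] = Entry(0, now, now)
        entry.attempts += 1
        entry.last = now  # rejected attempts also count as activity
        return entry.attempts > self.max_attempts

    def report(self):
        """One line per IP, busiest first, with full dates for first and last."""
        fmt = "%Y-%m-%d %H:%M:%S"
        lines = []
        for ip, e in sorted(self.entries.items(), key=lambda kv: -kv[1].attempts):
            state = " BLOCKED" if e.attempts > self.max_attempts else ""
            lines.append(f"{ip} attempts {e.attempts:,}, first at "
                         f"{e.first.strftime(fmt)}, last at {e.last.strftime(fmt)}{state}")
        return lines


def demo():
    """Constructed traffic: a persistent client and an occasional one."""
    blocker = AttemptBlocker(max_attempts=50, quiet_period=timedelta(hours=4))
    start = datetime(2025, 1, 1, 12, 0, 0)
    for minute in range(200):  # 192.0.2.10 retries every minute, even when rejected
        blocker.record("192.0.2.10", start + timedelta(minutes=minute))
    for hour in (0, 5, 10):  # 198.51.100.7 returns only after long gaps
        blocker.record("198.51.100.7", start + timedelta(hours=hour))
    return blocker.report()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because every attempt refreshes the last-seen time, a client that keeps retrying while blocked never reaches the quiet period and stays blocked.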