Everything posted by Angus Robertson
-
if Obj <> nil then Obj.Free
Angus Robertson replied to EugeneK's topic in ICS - Internet Component Suite
ICS still supports Delphi 7. Angus -
Websocket server/client frame sending rate issue
Angus Robertson replied to FrozenK's topic in ICS - Internet Component Suite
There have been a lot of changes to the websocket components since ICS V9.0, and a major rewrite to support newer protocols is coming in a week or so with ICS V9.5. So please repeat all your tests with ICS from the overnight zip and see if you can still reproduce the same problems. I'm afraid the debug logs you show are meaningless for diagnostic purposes, they are purely for development use. I have a public websocket server that is supporting about 50 SQL REST requests each second, for an hour at a time. Angus -
Has anyone tried this service for signing applications, free until June 2024, then $9.99: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457 Angus
-
TSslCertTools for generate CSR
Angus Robertson replied to Eric Winfly's topic in ICS - Internet Component Suite
ICS can not access the Windows Certificate Store without the OverbyteIcsMsSslUtils unit, and it will not build for C++ without changes. But any ICS passworded PKCS12 file can be installed manually into the Windows store using Microsoft utilities. Angus -
TSslCertTools for generate CSR
Angus Robertson replied to Eric Winfly's topic in ICS - Internet Component Suite
I assume from your earlier message you are using C++, not Delphi. Our support for C++ is very limited, since I have zero knowledge of it. Earlier testing has given C++ errors I've been unable to fix trying to build the OverbyteIcsMsSslUtils unit needed for access to the Windows Store, so there are defines to prevent it being built for C++ and allow the rest of the units to work. To attempt to build the unit, you'll need to remove some defines from the bottom of the OverbyteIcsDefs.inc unit and fix the C++ errors. Please let me know if you fix it. BTW, your new Distinguished Names properties are now in SVN, with a couple of other new ones. Angus -
OpenSSL engines support (GOST)
Angus Robertson replied to Arvur's topic in ICS - Internet Component Suite
Sorry, I know nothing about GOST. I understand there is a version for OpenSSL 3.0, but we don't provide a Windows version. Even if you build the engine DLL, ICS would need changes to use it. But ICS is open source, you can do those yourself, and they may be incorporated if of benefit to others. Angus -
TSslCertTools for generate CSR
Angus Robertson replied to Eric Winfly's topic in ICS - Internet Component Suite
Do those new names end up in the certificate itself, or are they only used for validation? If in the certificate, could you please email a PEM, so I can check we report it correctly. Angus -
TSslCertTools for generate CSR
Angus Robertson replied to Eric Winfly's topic in ICS - Internet Component Suite
The PemTool sample does not have edit boxes for surname or given name, because you are the first to request them. Most personal certificates are issued for email address, not people. I'd like to see an example with names. You should be able to add a couple of lines in TSslCertTools.DoCertReqProps, plus the properties to add them: AddNameEntryByTxt(SubjName, 'GN', MyGN); AddNameEntryByTxt(SubjName, 'SN', MySN); I will do this in the next week or so. Angus -
TSslCertTools for generate CSR
Angus Robertson replied to Eric Winfly's topic in ICS - Internet Component Suite
You should look at the OverbyteIcsPemtool sample, the 'New Certificate Properties' tab has settings for all the subject items, basic and extended usage, key usage, etc. However, these settings are primarily for server and computer certificates, if you need givenName and surName, I assume you are getting personal certificates from somewhere? Angus -
ICS V9.4 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download
ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12 and C++ Builder 10.4, 11 and 12. ICS supports VCL and FMX, Win32 and Win64 targets. The distribution zip includes the latest OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1 for Win32 and Win64.
Changes in ICS V9.4 include:
1 - Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen.
2 - The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line.
3 - In TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs.
4 - In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end. Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL.
5 - When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded.
6 - In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error. Don't report directories as being downloadable, they are not. If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors.
7 - The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4.
8 - The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent.
9 - When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available.
10 - The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default.
11 - The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging.
12 - In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents.
13 - The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519.
14 - There is a new unit OverbyteIcsWinUtils that contains Windows API functions, built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access. It's planned to move most other Windows specific function here for ICS V10.
15 - In the ICMP component, fixed a problem setting property PingMsg to the text to ping.
16 - In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients.
17 - In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file.
18 - In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions. Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb).
19 - The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32. Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12.
The release notes for V9.4 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.4
All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples
Angus
-
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I assume you are building for C++, there is no support for old compilers, I removed all the packages prior to D10.4. C++ is always more fragile than Delphi, there are problems building for the latest C++ Win64 targets as well. Angus -
I'm aware of some excellent Delphi encryption libraries but for applications already using OpenSSL, these add a lot of extra code. ICS currently has two encryption components in OverbyteIcsSslX509Utils.pas with minimal samples in PemTools, one for RSA private key encryption or a string, the second for Blowfish string and stream encryption. The latter uses the EVP_Cipher APIs so should be extendable for other symmetric ciphers like AES, so we can password zip files for instance. I could try to improve these ICS functions with more ciphers, but my crypto knowledge is low and there are so many different options for each cipher... Has anyone improved the ICS crypto stuff already? Or has someone written a Delphi encryption component using OpenSSL that can be shared with ICS? Angus
-
ICS has a component TIcsBlackList that can be used by servers to count access attempts by IP address, and block after a specified number of attempts until after several hours of inactivity. Its use is illustrated in the OverbyteIcsSslMultiWebServ sample. Just noticed these lines in the log for one of my web servers, someone using Alibaba Cloud in Hong Kong has made almost three million access attempts to my web site over several weeks, trying to read access data that is limited to 50 accesses per day. And still trying despite those requests being rejected.
47.76.209.138 attempts 1,481,269, first at 12:18:52, last at 20:00:17 BLOCKED
47.76.99.127 attempts 1,478,638, first at 12:04:36, last at 19:58:57 BLOCKED
Should really be reporting the date of first access, but don't normally see hackers continuing this long. The sample shows various ways to detect hackers, such as web site access by IP address instead of host name, that stops hundreds daily on my sites (no HTTP allowed). Angus
-
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Not one country, currently 619,000 IPs worldwide, spread evenly around the world, I've specifically blocked 107 countries, but not Europe yet. Possibly from a massive botnet of cheap Chinese hardware that comes compromised from the factory at very low prices, cheap IPTV boxes and dongles, Android tablets, etc, acting as HTTPS proxies for whoever controls the botnet. Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Some of your tricks are already used in the ICS OverbyteIcsSslMultiWebServ sample, which is a simplified version of my public web servers. In the past, I'd mess with the connection of hackers, after detection, but this requires resources I don't want to waste, which is why I need to close the connection without reading any data or starting the SSL handshake. Filtering on content received can be useful for repeat hackers, but not when most requests come from unique IP addresses, 581,000 in the last three days, and still increasing. Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Not necessarily, this is a Windows server, and I don't want these requests to reach the actual web server or its log files, which seems to be how fail2ban works. Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I guess I've developed my own Delphi ICS version of fail2ban! That is the advantage of using your own Delphi web server. Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Sorry if this is getting repetitive, but my web server has now taken connections from 450,000 different IP addresses over three days, almost certainly all from a single Chinese hacker, those requests that get through all have legitimate REST arguments to access my SQL database, so not a blind DOS attack, but a script. My GEO blocking is still rejecting 90% of the requests. Only blocked one legitimate paid user so far, who was very understanding. Angus -
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Illegal accesses to my web site have escalated since my last message here in March, and increased 10 fold in the last 10 days. Initially, the Chinese hackers are using what I assume are VPN IPs in various countries, which were relatively easy to slow down. Then I got attempts from 20,000 IPs in Vietnam, and increasingly from other countries. My ICS web server had access attempts from 170,000 different IPs over the last 15 hours on Sunday night. I added geo-blocking last week from a list of countries in Asia, Africa, South America and the Middle East, and 200,000 connections were rejected and 20,000 allowed, although probably only 1,000 would have been from legitimate users on a Sunday night. Did this using the Delphi TMMDBReader component from https://github.com/optinsoft/MMDBReader that reads MaxMind database files of IP addresses, listing country, ASN, City, ISP and other information (for a price), but I'm currently using a simple country lookup database from https://db-ip.com/ . MaxMind has an anonymous IP database that is probably ideal for my purpose, but no public pricing so probably more than I want to pay. Angus -
New OpenSSL releases 3.5.1, 3.4.2, 3.3.4, 3.2.5 and 3.0.17 and new resource files linked by ICS
Angus Robertson posted a topic in ICS - Internet Component Suite
OpenSSL has issued new releases of all the currently supported versions, 3.5.1, 3.4.2, 3.3.4, 3.2.5 and 3.0.17. OpenSSL 3.5.1 fixes a low risk CVE-2025-4575 relating to use of a command in the openssl.exe application to use trusted certificates. All releases include periodic miscellaneous minor bug fixes. Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource files. These OpenSSL versions are included with ICS V9.5 beta available from SVN and the overnight zip. ICS V9.5 beta now defaults to using OpenSSL 3.5.1, provided the new OverbyteIcsDefs.inc file is installed, or you undefine OpenSSL_35 and suppress an earlier version. The SSL/TLS Certificate Authority Root Stores bundles have also been updated with new roots, more information at https://wiki.overbyte.eu/wiki/index.php/FAQ_SSL/TLS_Certificate_Authority_Root_Stores and downloads at: https://www.magsys.co.uk/download/software/ca-root-bundles.zip and are already included with ICS V9.5 beta. Separately, https://www.yunqa.de/ has released 3.0.17, 3.3.4 and 3.4.2 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus -
File operations over shared folder
Angus Robertson replied to Squall_FF8's topic in Network, Cloud and Web
You use the Windows API WNetAddConnection2 to make a connection to a network resource and can redirect a local device to the network resource, ie map a UNC drive to a local drive letter that you can access, the API needs the remote login. The ICS TIcsFileCopy component uses it for remote path access. Angus -
Your issues are now fixed in SVN and will be zipped overnight. The GET and DELETE methods now support REST PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this. The ICS web server also now supports body content with GET and DELETE requests, provided there are UrlJHandlers for these methods or the application handles the content stream. The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance:
RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]}
RPFmtArrayVal: [data1, data2, data3]
RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}]
Angus
-
Added RSA_Verify prototype in OverbyteIcsLIBEAY
Angus Robertson replied to Frédéric's topic in ICS - Internet Component Suite
Your change is now in SVN, but you'll need a new DEFINE OpenSSL_Deprecated to use it. I've moved about 130 OpenSSL deprecated 3.0 exports to a new table only loaded with the new define, and fixed two units that still used deprecated EC_x exports. Not sure if all these deprecated exports will disappear in OpenSSL 4.0 due next April, but at least ICS is now ready. Angus -
MimeDecode.PartInfos[i].PFileName empty when Attachment name BASE64 encoded
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
Decoding just the inline MIME file name does work: Unicode Header: TaWa für HG-SV 352 vom 20.06.2025 09_49_08.pdf [CharSet=utf-8] The forum problem is extra stuff being added: n\n\n\n\t\u00a0\n\n\n\n----boundary_51 Angus -
MimeDecode.PartInfos[i].PFileName empty when Attachment name BASE64 encoded
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
The TMimeDecodeW.PartNameW property should decode the inline MIME correctly, although PartName should have returned the encoded version. This is because the unit was written in AnsiString times, and unicode added later to the W . It's possibly due for rewrite to remove AnsiStrings. However I'm not sure about the quotes around the name, I don't think we expect them for inline MIME. I can not test your MIME because DelphiPraxis has corrupted what appears to be fixed text with hidden unicode characters that can not be pasted into Delphi, or easily removed, so our MimeDemo sample is unable to decode your name value. Angus