Angus Robertson

ICS still supports Delphi 7. Angus

There have been a lot of changed to the websocket components since ICS V9.0, and a major rewrite to support newer protocols is coming in a week or so with ICS V9.5. So please repeat all your tests with ICS from the overnight zip and see if you can still reproduce the same problems. I'm afraid the debug logs you show are meaningless for diagnostic purposes, they are purely for development use. I have a public websocket server that is supporting about 50 SQL REST requests each second, for an hour at a time. Angus

Has anyone tried this service for signing applications, free until June 2024, then $9.99: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457 Angus

ICS can not access the Windows Certificate Store without the OverbyteIcsMsSslUtils unit, and it will not build for C++ without changes. But any ICS passworded PKCS12 file can be installed manually into the Windows store using Microsoft utilities. Angus

I assume from your earlier message you are using C++, not Delphi. Our support for C++ is very limited, since I have zero knowledge of it. Earlier testing have given C++ errors I've been unable to fix trying to build the OverbyteIcsMsSslUtils unit needed for access to the Windows Store, so there are defines to prevent it being built for C++ and allow the rest of the units to work. To attempt to build the unit, you'll need to remove some defines from the bottom of the OverbyteIcsDefs.inc unit and fix the C++ errors. Please let me know if you fix it. BTW, your new Distinguished Names properties are now in SVN, with a couple of other new ones. Angus

Sorry, I know nothing about GOST. I understand there is a version for OpenSSL 3.0, but we don't provide a Windows version. Even if you build the engine DLL, ICS would need changes to use it. But ICS is open source, you can do those yourself, and they may be incorporated if of benefit to others. Angus

Do those new names end up in the certificate itself, or are they only used for validation? If in the certificate, could you please email a PEM, so I can check we report it correctly. Angus

The PemTool sample does not have edit boxes for surname oi given name, because you are the first to request them. Most personal certificates are issued for email address, not people. I'l like to see an example with names. You should be able to add a couple of lines in TSslCertTools.DoCertReqProps, plus the properties to add them: AddNameEntryByTxt(SubjName, 'GN', MyGN); AddNameEntryByTxt(SubjName, 'SN', MySN); I will do this in the next week or so. Angus

You should look at the OverbyteIcsPemtool sample, the 'New Certificate Properties' tab has settings for all the subject items, basic and extended usage, key usage, etc. However, these settings are primarily for server and computer certificates, if you need givenName and surName, I assume you are getting personal certificates from somewhere? Angus

ICS V9.4 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12 and C++ Builder 10.4, 11 and 12. ICS supports VCL and FMX, Win32 and Win64 targets. The distribution zip includes the latest OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1 for Win32 and Win64. Changes in ICS V9.4 include: 1 - Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen. 2 - The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line. 3 - In TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs. 4 - In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end. Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL. 5 - When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded. 6 - In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error. Don't report directories as being downloadable, they are not. If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors. 7 - The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4. 8 - The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent. 9 - When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available. 10 - The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default. 11 - The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging. 12 - In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents. 13 - The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519. 14 - There is a new unit OverbyteIcsWinUtils that contains Windows API functions, built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access. It's planned to move most other Windows specific function here for ICS V10. 15 - In the ICMP component, fixed a problem setting property PingMsg to the text to ping. 16 - In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients. 17 - In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file. 18 - In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions. Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb). 19 - The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32. Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12. The release notes for V9.4 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.4 All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples Angus

I assume you are building for C++, there is no support for old compilers, I removed all the packages prior to D10.4. C++ is always more fragile than Delphi, there are problems building for the latest C++ Win64 targets as well. Angus

I'm aware of some excellent Delphi encryption libraries but for applications already using OpenSSL, these add a lot of extra code. ICS currently has two encryption components in OverbyteIcsSslX509Utils.pas with minimal samples in PemTools, one for RSA private key encryption or a string, the second for Blowfish string and stream encryption. The latter uses the EVP_CipherAPIs so should be extendable for other symmetric ciphers like AES, so we can password zip files for instance. I could try to improve these ICS functions with more ciphers, but my crypto knowledge is low and there are so many different options for each cipher... Has anyone improved the ICS crypto stuff already. Or has someone written a Delphi encryption component using OpenSSL that can be shared with ICS? Angus

ICS has a component TIcsBlackList that can be used by servers to count access attempts by IP address, and block after a specified number of attempts until after several hours of inactivity. It's use is illustrated in the OverbyteIcsSslMultiWebServ sample. Just noticed these lines in the log for one of my web servers, someone using Alibaba Cloud in Hong Kong has made almost three million access attempts to my web site over several weeks, trying to read access data that is limited to 50 accesses per day. And still trying despite those requests being rejected. 47.76.209.138 attempts 1,481,269, first at 12:18:52, last at 20:00:17 BLOCKED 47.76.99.127 attempts 1,478,638, first at 12:04:36, last at 19:58:57 BLOCKED Should really be reporting the date of first access, but don't normally see hackers continuing this long. The sample shows various ways to detect hackers, such as web site access by IP address instead of host name, that stops hundreds daily on my sites (no HTTP allowed). Angus

Not one country, currently 619,000 IPs worldwide, spread evenly around the world, I've specifically blocked 107 countries, but not Europe yet. Possibly from a massive botnet of cheap Chinese hardware that comes compromised from the factory at very low prices, cheap IPTV boxes and dongles, Android tablets, etc, acting as an HTTPS proxies for whoever controls the botnet. Angus

Some of your tricks are already used in the ICS OverbyteIcsSslMultiWebServ sample, which is a simplified version of my public web servers. In the past, I'd mess with the connection of hackers, after detection, but this requires resources I don't want to waste, which is why I need to close the connection without reading any data or starting the SSL handshake. Filtering on content received can be useful for repeat hackers, but not when most requests come from unique IP addresses, 581,000 in the last three days, and still increasing. Angus

Not necessarily, this is a Windows server, and I don't want these requests to reach the actual web server or it's log files, which seems to be how fail2ban works. Angus

I guess I've developed my own Delphi ICS version of fail2ban! That is the advantage of using your own Delphi web server. Angus

Sorry if this is getting repetitive, but my web server has now taken connections from 450,000 different IP addresses over three days, almost certainly all from a single Chinese hacker, those requests that get through all have legitimate REST arguments to access my SQL database, so not a blind DOS attack, but a script. My GEO blocking is still rejecting 90% of the requests. Only blocked one legitimate paid user so far, who was very understanding. Angus

Illegal accesses to my web site have escalated since my last message here in March, and increased 10 fold in the last 10 days. Initially, the Chinese hackers are using what I assume are VPN IPs in various countries, which were relatively easy to slow down. Then I got attempts from 20,000 IPs in Vietnam, and increasingly from other countries. My ICS web server had access attempts from 170,000 different IPs over the last 15 hours on Sunday night. I added geo-blocking last week from a list of countries in Asia, Africa, South America and the Middle East, and 200,000 connections were rejected and 20,000 allowed, although probably only 1,000 would have been from legitimate users on a Sunday night. Did this using the Delphi TMMDBReader component from https://github.com/optinsoft/MMDBReader that reads MaxMind database files of IP addresses, listing country, ASN, City, ISP and other information (for a price), but I'm currently using a simple country lookup database from https://db-ip.com/ . MaxMind has an anonymous IP database that is probably ideal for my purpose, but no public pricing so probably more than I want to pay. Angus

OpenSSL has issued new releases of all the currently supported versions, 3.5.1, 3.4.2, 3.3.4, 3.2.5 and 3.0.17. OpenSSL 3.5.1 fixes a low risk CVE-2025-4575 relating to use of a command in the openssl.exe application to use trusted certificates. All releases include periodic miscellaneous minor bug fixes. Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource files. These OpenSSL versions are included with ICS V9.5 beta available from SVN and the overnight zip. ICS V9.5 beta now defaults to using OpenSSL 3.5.1, provided the new OverbyteIcsDefs.inc files is installed, or you undefine OpenSSL_35 and suppress an earlier version. The SSL/TLS Certificate Authority Root Stores bundles have also been updated with new roots, more information at https://wiki.overbyte.eu/wiki/index.php/FAQ_SSL/TLS_Certificate_Authority_Root_Stores and downloads at: https://www.magsys.co.uk/download/software/ca-root-bundles.zip and are already included with ICS V9.5 beta. Separately, https://www.yunqa.de/ has released 3.0.17, 3.3.4 and 3.4.2 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus

You use the Windows API WNetAddConnection2 to make a connection to a network resource and can redirect a local device to the network resource, ie map a UNC drive to a local drive letter that you can access, the API needs the remote login. The ICS TIcsFileCopy component uses it for remote path access. Angus

Your issues are now fixed in SVN and will be zipped overnight. The GET and DELETE methods now support REST PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this. The ICS web server also now supports body content with GET and DELETE requests, provided there are UrlJHandlers for these methods or the application handles the content stream. The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance: RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]} RPFmtArrayVal: [data1, data2, data3] RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}] Angus

Your change is now in SVN, but you'll need a new DEFINE OpenSSL_Deprecated to use it. I've moved about 130 OpenSSL deprecated 3.0 exports to a new table only loaded with the new define, and fixed two units that still used deprecated EC_x exports. Not sure if all these deprecated exports will disappear in OpenSSL 4.0 due next April, but at least ICS is now ready. Angus

Decoding just the inline MIME file name does work: Unicode Header: TaWa für HG-SV 352 vom 20.06.2025 09_49_08.pdf [CharSet=utf-8] The forum problem is extra stuff being added: n\n\n\n\t\u00a0\n\n\n\n----boundary_51 Angus

The TMimeDecodeW.PartNameW property should decode the inline MIME correctly, although PartName should have returned the encoded version. This is because the unit was written in AnsiString times, and unicode added later to the W . It's possibly due for rewrite to remove AnsiStrings. However I'm not sure about the quotes around the name, I don't think we expect them for inline MIME. I can not test your MIME because DelphiPraxis has corrupted what appears to be fixed text with hidden unicode characters that can not be pasted into Delphi, or easily removed, so our MimeDemo sample is unable to decode your name value. Angus