Angus Robertson

A PCI scan will be for a public server, so why are you hiding the public host name? SSLLabs rates SSL sites and offers extensive advice about certificate errors, server misconfiguration and chain errors. The error you describe sound like the certificate is issued by an untrusted CA, but no-one can tell without seeing it. Angus

ICS has a proxy server sample that includes logging and headers and optionally bodies, I've used it for debugging SSL connections. You can even fake a server SSL certificate (and some anti-malware packages do, to intercept SSL sessions if you can not originate in HTTP. Angus

WinPCap development ceased a few years again, it was taken over by Npcap which is used by most network sniffing software, including Wireshark which is the leader. I wrote a Delphi sample packet sniffer using WinPCap and Npcap many years ago, very basic really needs better filtering and IPv6 support, must spend some time on it. Angus

I've built the ICS V8.70 and now V8.71 packages on Delphi 11.2 dozens of times since September when it was released. The new WebSocket units are only in SVN and the overnight zip, not V8.70. The package says 11.0 because Embarcadero changed the naming scheme when releasing the first update to 11, but works with all versions of 11. Sorry, no idea why it wants to rebuild the RTL package. Angus

There was a new WebSocket server in SVN last week, sharing much code with the new client since WebSocket is a symmetrical service, and built into the existing web server samples running on port 443, rather than a separate port. Most of the methods and events are the same for client and server. The OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService samples should respond to these WebSocket URLs: wss://localhost/WebSocket/Echo (echoes messages received) wss://localhost/WebSocket/EchoPing (echo and send keep alive pings) wss://localhost/WebSocket/Chat?MyName (multi user chat server) There is a new websocketclient.html page listed on the main demo.html page that allows testing these WebSocket servers. The new client component will also access these URLs. I also have similar URLs on my public web server and anyone wants to test the client alone, but email for the full URL, I don't want it indexed. Angus

Only if a Apple user contributes something, neither Francois or I have any suitable hardware so can not test anything. Angus

ICS ships with four different root certificate stores to allow chain verification, three as files, one as linked unit. How they are used depends on the component you are using, older and low level components need extra code to check the certificate chain, if you use the TSslHttpRest component it is all built in, you decide whether to use a root store or the Windows store, look at the OverbyteIcsHttpRestTst.dpr sample to see it all working. Angus

It is not mention in the documentation, but the Magenta Hardware Components package includes a unit MagService.pas written almost 20 years ago that says: MagService is a unit of functions to control, install and remove Windows Service applications. These functions all require the application to have administrative access rights, which can be checked by IsProgAdmin. Services can be started and stopped, check if running, installed to run with startup options, an account and dependencies, have a service description set, or removed from the service database. My old WMI unit can be downloaded from the same place, although the latest version is part of ICS. But WMI is much slower than direct windows APIs. Angus

I suspect the old source file was still held open by Delphi after it had said 'another application has updated the file, reload it'. Tried deleting all historic files, still failed, restarted 11.2 and sanity was restored. Angus

The long planned new web server will use a configurable mix of threads and parallel components to make proper use of multiple CPUs, allowing heavier loads than can be supported by a single thread as at present. For instance, there could be four threads, each with 500 clients, or 500 threads each with one client. ICS already has a TSslWSocketThrdServer component (one per client), but there has never been a web server using it. I've never heard of anyone using it. Angus

As I said, SSL/TLS is always selectable for each connection, that will never change, except when QUIC becomes an alternative. TSslWSocketServer is a relatively simple component, but descends through eight different classes with 24 USE_SSL defines, all of which makes improvements difficult, the new version will be much simpler. The SChannel wrapper for ICS is an interesting project, but YuOpenSSL allows ICS to be used without external DLLs, and SChannel is different with every operating system, fine if you only want to support the latest and greatest, useless if you want applications to continue to run on Windows 7 or 8 where each time Windows Update is run, half the ciphers disappear so causing ECDSA key certificates to be ignored, for instance. Angus

SSL./TLS is nearly always optional for the SSL enabled components and that will never change. I'm planning a new web server component, and there will be no non-SSL version, as there is no non-SSL proxy component. The existing web server without SSL/TLS could then be abandoned. Angus

Why? Angus

I would also argue that using ICS without USE_SSL is risky since I do zero application testing without that define, before a new release I simply ensure the packages will build without error without that define. So testing is dependent on end users that don't use SSL/TLS. Thus the recommendation to use older tested versions. Angus

Since 95% of new features in ICS relate to SSL/TLS, those that only need limited features and no SSL/TLS may as well stick with old versions. Sure there are applications that don't need SSL/TLS so it is optional in most components, the issue is whether those components should be compilable without the SSL./TLS code to save space, at the expense of extra complexity and riskier maintenance, thousands of conditional statements. Simply, it wastes my time. Angus

Thanks, I'll look at the various package issues before the final V8.71 release when I update them all with new components. Done the defs file, but it just missed an SVN update, next time. I rarely test without USE_SSL, it will disappear from the next major release since very little of the internet works without SSL/TLS nowadays and all the conditionals and extra classes make maintenance and upgrades a nightmare. Angus

This particular web site is aimed at the UK market and has little interest for those outside the UK, it contains information about UK telephone and broadband networks. Some information is free but limited, businesses pay for access. But some users try multiple IP addresses to get around my counting accesses against IP addresses, and Tor is easy for them (I assume). I just went through the 50,000 accesses sequentially to my database to find Tor exit nodes. I did accidentally block access to British Telecom at the same time, got a phone call from their network people asking why their staff could no longer access my site (for free)... Angus

My Delphi web servers have an IP blocked list which hackers get automatically added to based on several criteria, any path with filers ,php, .pl., /,,, ;echo, mysel, etc,since there is no CGI or Perl or MySQL on the site, also if they access pages by IP address instead of the correct domain name using SSL. I also block Tor exit nodes, to try and stop IP blocked users using alternate access. Blocked IP addresses are cleared from the list 24 hours after their last access, and any accesses have a response delayed by one minute, so try and slow down the avalanche of requests hackers make, often hundreds a minute. Currently 179 IP addresses blocked on my main site. Angus

You need to request a download password on the TMagRas page, and then go to https://www.magsys.co.uk/delphi/dfiles/default.asp Sorry about password nonsense, it's to stop Google scanning my files and falsely black listing my site again. Angus

The Magenta TMagRas component will connect to any VPNs created by Windows, although I stopped testing it several years ago when the last public dial-up internet service in the UK closed, despite what the web page says, source code is now free from my download page. Angus

Reverse DNS is WSocketResolveIp, forward DNS is WSocketResolveHost, blocking means no timeout is possible, unless you mess with registry settings that affect every other application on the PC. Angus

ICS deliberately does not offer sync version of the low level Winsock functions, only high level protocols like HTTP and FTP. There is a blocking version of DnsLookup, but no timeout is possible since the OS function waits up to 30 seconds or more for DNS servers to respond to queries, So you need to implement your own abort on timeout. Or use the TDnsQuery component Angus

Yes, I have a page password protection ISAPI filter running on my public W2022 servers, but the DLL date stamp is May 2005 so not built with a recent version of Delphi, still works fine after all these years, as good applications should. Angus

The new ICS WebSocket Client component is now in SVN and will be zipped overnight. See top of OverbyteIcsWebSocketCli.pas for information on how to use it, sample is a new tab in OverbyteIcsHttpRestTst.dpr. I'll look at the ICS WebSocket Server next week, it needs to be brought up to date. Angus

ICS is mostly even driven, you never put delays in events since that upsets the protocol. So it's really down to how you queue your emails, delay sending them after an error, I mostly use triggers tested in a single once per second timer event, there are several functions in ICS for setting and checking triggers. Except for TIcsMailQueue which uses real date/times checked in a thread. How many emails (megs) are you sending each minute? It must be a lot to cause the mail server queue to run out of disk space continually. Angus