Everything posted by Angus Robertson

  1. I did some initial testing, and the version of OverbyteIcsSslMultiWebServ in SVN has the comment 'Added authentication using POST requests.' There were no relevant changes to the server itself. But I'll be doing some more work on POST uploads and authentication next week, so will test it again before the next release. Angus
  2. Angus Robertson

    buOverbyteIcsHttpSrv.THttpServer.Create

    I'm not sure that this is actually a problem, since ICS already has various derived components like: THttpAppSrv = class(THttpServer) which don't give any errors. But I don't see any purpose in setting the name FWSocketServer.Name either, it might have been used for debugging a long time ago, but I've just removed it from my copy so your problem will go away, unless anyone thinks the name is needed? Angus
  3. Angus Robertson

    HTTPS problem

    Done a little more research, to connect to this site needs literal SslOpt2_LEGACY_SERVER_CONNECT adding to SslContext.SslOptions2. With OpenSSL 1.1.1 this was set by default, but with 3.0 it is not set due to: Angus
  4. Angus Robertson

    HTTPS problem

    I'm now seeing the same 'unsafe legacy renegotiation disabled' error on both sites with OpenSSL 3.0, but that error did not happen with 1.1.1. So better, but not really fixed unless it really is an OpenSSL error that few other sites show up. Angus
  5. Angus Robertson

    Cloud storage

    I added the TSslHttpRest REST component four years ago, to speed up application development by combining several other ICS components needed for HTTPS applications together and building parameters in various ways. It is used for OAuth2 authentication, TIcsTwitter, TIcsRestEmail (Gmail and Outlook), TDnsQueryHttps, TIcsSMS, TIcsInetAlive and SSL/TLS certificate ordering TSslX509Certs. The last ICS TSslHttpRest release added various file downloading strategies, including resuming failed partial transfers, the next TSslHttpRest release will add various file uploading strategies using POST including multipart MIME with metadata content. Ideally, there will be new components to simplify access to various cloud services, i.e. TIcsMsAzure, TIcsGoogleCloud, TIcsAmazonCloud, TIcsOSSwift (Open Stack), TIcsMsDrive, TIcsDropbox, perhaps TIcsWebDAV if still used. I'm old-fashioned, I don't use any cloud facilities, I just have hosted Windows servers in a rack running the ICS FTP server for all my own upload and download needs. So supporting these various cloud protocols needs research and accounts, and a lot of reading and testing, and decisions of which specific APIs need support from a component. But I guess various ICS users are already using one or more of these cloud providers with their own applications, perhaps also with non-ICS components. Ideally I'd like such users to take ownership for developing and testing the component for a specific cloud service, based on a common template, while I update TSslHttpRest to support the extra features like multipart MIME needed. So is anyone using ICS for cloud storage? Angus
  6. Angus Robertson

    HTTPS problem

    Sorry, I did say I was unable to connect to depatisnet.dpma.de with either version of OpenSSL, it was www.dpma.de that connects with 1.1.1 but not 3.0. Not sure what this means, could be OpenSSL has improved security that now breaks the site. depatisnet.dpma.de appears to be configured differently, so always fails. Someone using Wireshark may be able to interpret the handshaking, but that won't fix anything. It's frustrating that the browsers work, why? You could try looking for a proxy that works, but they are often based on OpenSSL. Angus
  7. Currently, the ICS REST component sample does not include file uploading, only building, sending and parsing parameters. There is an old non-SSL sample \WebDemos\ OverbyteIcsHttpPost.dpr that illustrates four different methods for uploading a file using POST, including multipart MIME, which may be tested against the ICS web server samples to receive files. It really needs combining with the OverbyteIcsHttpRestTst.dpr sample for modern use. Angus
  8. Angus Robertson

    HTTPS problem

    ICS V8.68 supports both OpenSSL 1.1.1 and 3.0, you don't need to use an old version. By default it looks for the 3.0 DLLs, then 1.1.1, or GSSLEAY_DLL_IgnoreOld and GSSLEAY_DLL_IgnoreNew control which is loaded. Angus
  9. Angus Robertson

    HTTPS problem

    Done a little more research. SSL Labs tests www.dpma.de okay, but it warns it does not support Secure Renegotiation. Using ICS and OpenSSL 3.0.2 I get a different error to depatisnet.dpma.de, 'unsafe legacy renegotiation disabled', but I can connect OK using OpenSSL 1.1.1. There is an OpenSSL issue about this, but it seems OpenSSL is removing support for unsafe negotiations which some older servers try to use. The ICS REST component specifically disables renegotiation, but even enabling it does now allow connection to either web site. So I'm afraid my earlier comment stands, misconfigured web server. Angus
  10. Angus Robertson

    HTTPS problem

    In technical terms, depatisnet.dpma.de is a crap web site! Just run an https://www.ssllabs.com/ test and it says 'Assessment failed: No secure protocols supported' which is very rare, normally poor sites scrape through with a D or E assessment for old protocols. As you say, normal browsers seem to display the page OK, perhaps there is some scripted magic relocation going on or the server does not like our Agent string, but that should only be checked once SSL is negotiated. Rather than using TSslHttpCli, you should start new projects with TSslHttpRest which handles all the SSL and logging for you, look at the OverbyteIcsHttpRestTst.dpr sample. Unfortunately OpenSSL does not provide explanation for protocol errors, they just fail. Angus
  11. Angus Robertson

    Current VCLZip?

    The old download page exists, http://vclzip.bizland.com/v4src.htm but all the source downloads are password protected and you can not buy a new license. But maybe someone not using theirs would sell it? I still use VCLZip. Not sure if Kevin is still around, would have been good if it had been made open source. Angus
  12. Angus Robertson

    D2007 in Windows 10 VM

    Ditto, I use Delphi 2007 (and 10.4 and 11.1) on Windows 11. Learnt 10 years ago that I needed a backup of the four NET target files, and have restored them numerous times since after Windows Updates. Sort of related, I also have a workaround that brings the old Windows Help 32 system back to life, as used by Delphi 7 and many other applications from 20 years ago, but which was removed from Windows Vista and later https://www.magsys.co.uk/apps/ Angus
  13. Angus Robertson

    Range check error with TSysLogServer

    I agree Pointer() would be better here, and probably in many other places in ICS... Angus
  14. Angus Robertson

    Range check error with TSysLogServer

    That function should not be using RcvdCount, it may not be accurate when it is called. Most components receive data into a fixed size buffer, not a string, I'll change it next week. Angus
  15. Angus Robertson

    ZipMaster 1.9x with my minor fixes

    VCLZip was commercial software sold with Delphi source, last release was about 15 years ago, but I still use it in my applications. It never became open source. So really need to replace it, but adding a DLL to my projects is a non-starter. ZipMaster should ideally build the C code into a DCU so that it can be linked directly, but this would be needed for all compilers. I still use Delphi 2007 for some of my historic projects, too much work to update them. Or built to OBJ files like ZLIB that can just be inserted into a PAS unit? Angus
  16. Bottom line is testing multiple variants of authentication and proxy settings is a nightmare, takes a long time to set up all the testing environments locally, so if you want this investigated we will need access to the proxy and server to which ICS is failing to connect. But won't have time to look for at least a week. The change three years ago was done by a user accessing a Windows domain with single sign on, but I guess not via a proxy, which I can not test. Angus
  17. Angus Robertson

    how can i get modem port in combo box

    Did you work out the Device Installation Class under which your modems are installed, other than Modem or Ports? It should be a single line change to enumerate a new class. Angus
  18. Angus Robertson

    ZipMaster 1.9x with my minor fixes

    It's unclear to me from the readme and help whether ZipMaster is a linkable Delphi component or a DLL with a Delphi interface. The documentation seems to assume you are familiar with the component and not migrating from something like VCLZip. Angus
  19. Angus Robertson

    how can i get modem port in combo box

    The Ansi warnings relate to my updated version of AsyncPro adport.pas unit that allows named COM ports to be opened, but this is for 4.06, not recent Unicode versions, you'd need to update whatever Async Pro you are using with my very minor changes. Strange the component did not find one of your modems, although it did find 18 other COM ports you've previously installed. Can only guess Samsung has installed it using keys, you'd need to check what they are and update the component. Angus
  20. Angus Robertson

    how can i get modem port in combo box

    The Magenta Hardware Components download includes compiled demos for all the components. Angus
  21. Angus Robertson

    how can i get modem port in combo box

    I released Magenta Serial Port Detection Component free earlier this year, part of Magenta Hardware Components at: https://www.magsys.co.uk/delphi/maghardware.asp It finds serial ports by several methods. Angus
  22. OpenSSL has released new versions of the two supported branches, 3.0.2 and 1.1.1n, Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . OpenSSL 3.0.2 fixes a high security risk relating to specifically formed SSL/TLS certificates using elliptic curve public keys which can cause OpenSSL to enter an infinite loop and cause denial of service by freezing. The attack can be caused by clients processing bad server certificates, or by servers that request bad client certificates, and many other cases where these bad certificates are processed. The attack has not been seen in the wild, it was identified by Google. 3.0.2 also allows PKCS12 private keys without a password to be opened. OpenSSL 1.1.1n fixes the same bug. The bug is also in 1.0.2 and 1.1.0 but these are no longer supported and users should upgrade. Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always re-sign the DLLs with their own signing certificate to remove the Magenta name. Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus
  23. Angus Robertson

    UTF-8 with dynamically prepared web page

    The ICS web server sends binary data from a stream. If you want to send UTF-8, you need to make sure that stream is loaded with 8-bit data as UTF-8. Can not be more specific since there are many ways to build the response page with several helpers. ICS 8.41 is ancient, it only supported OpenSSL versions that are no longer supported. You should be using ICS V8.68 and OpenSSL 3, new version today. Angus
  24. Angus Robertson

    How can I use icsproxy in multithreading?

    The ICS proxy component is not designed for use in threads, it listens in the main thread and all clients use the main thread. Testing has shown single threaded ICS servers can handle hundreds of simultaneous clients, although using SSL/TLS takes an appreciable time to set up a new connection and is a limiting factor in how many new connections can be accepted each second. Exactly how many clients are accessing the proxy simultaneously, using what protocols, and for how long? Does your proxy have a GUI? That will almost certainly be the reason for the slow down. Angus
  25. Angus Robertson

    New install

    Microsoft makes it difficult to completely disable Windows Firewall on Windows 10, even if it's disabled you may find the task is still running. The Services GUI does not allow you to disable Windows Defender Firewall, it can only be done by changing the registry and rebooting. Also, doing so can upset applications that attempt to add firewall rules and assume it's always running. Not saying this is the reason for your problem, I'd check if you can connect to other servers first. Angus