Everything posted by Angus Robertson

  1. Angus Robertson

    GetIt Server down?

    GetIt is also dead in Delphi 11.0, but was working last week, so probably just a temporary thing. Angus
  2. Angus Robertson

    RAD Studio 11.0 Support

    Thanks for all the fixes, will do them tomorrow. Angus
  3. Angus Robertson

    RAD Studio 11.0 Support

    The purpose of #pragma is a mystery to me lacking any C++ knowledge, but I'll fix it! Should be in SVN in a couple of days, thanks again. I don't get any errors building Delphi Win64 samples, I specifically created a lot of Win64 projects to allow more testing, but less sure about the Delphi 11.0 64-bit debugger, the IDE locked up on me. Angus
  4. Angus Robertson

    ICS 8.67 & Delphi 2010

    Thanks, Compiler15 would be Delphi XE, so still an early unicode version, will change it. Angus
  5. Angus Robertson

    ICS 8.67 & Delphi 2010

    WriteBOM is a TStringList method, I guess it was introduced some time after Delphi 2010, will have to investigate when. Angus
  6. Angus Robertson

    RAD Studio 11.0 Support

    Thanks, OverbyteIcsSslThrdLock has gone, I'll fix the package problems, I can not build them so rely on others to test them. No idea how the C++ obj files are created, guess it needs to be rebuilt somehow. Angus
  7. Angus Robertson

    ICS V8.67 announced

    ICS V8.67 is now available from GetIt for RAD Studio 10.4 and 11.0. Angus
  8. For the last few years, Let's Encrypt issued free certificates whose intermediate was signed by an old root issued by Digital Signature Trust Co, that expires today. In the ICS root bundles and certificate chain logs, it appears as follows:

     Issued to (CN): DST Root CA X3, (O): Digital Signature Trust Co.
     Issuer: Self Signed
     Expires: 2021-09-30T14:01:15, Signature: sha1WithRSAEncryption
     Valid From: 2000-09-30T21:12:19, Serial Number: 44afb080d6a327ba893039862ef8406b
     Fingerprint (sha256): 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
     Public Key: RSA Key Encryption 2048 bits, 112 security bits

     Let's Encrypt distributed its own root certificate, Issued by (CN): ISRG Root X1, (O): Internet Security Research Group, a few years ago, but older applications might not have been updated with it, so since then certificates issued by Let's Encrypt have two intermediates so that either root was acceptable. Unfortunately not all applications verify the chain correctly, including OpenSSL; there was a blog about this two weeks ago: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

     There are implications for servers running Let's Encrypt certificates and clients verifying the chains. Last night one of my ICS client applications started giving chain verification errors on some of my servers, specifically those using Let's Encrypt certificates issued in July and due to expire in two weeks, but not those with certificates issued from mid August. I'm still investigating what changed; I did make changes to the ICS functions that build certificate bundles, and Let's Encrypt periodically change the intermediates they issue. So this message is really a warning to watch out for failure to connect to web sites using Let's Encrypt certificates today. More later. Angus
  9. ICS V8.58 added a new TSslX509Certs component allowing ICS servers to automatically order, download and install SSL/TLS certificates from various suppliers, including free certificates from Let's Encrypt, and commercial certificates for DigiCert, Comodo, Thawte and GeoTrust from CertCentre AG. It also acts as a private CA to issue local certificates. The TSslWSocketServer, TSslHttpServer, TSslHttpAppSrv, TIcsProxy and TIcsHttpProxy components can assign a TSslX509Certs component to support automatic certificate ordering of domain validated certificates with very little extra code. There is a new sample project OverbyteIcsX509CertsTst to demonstrate the TSslX509Certs component, which may be used as a standalone application to order X509 certificates from Let's Encrypt and CertCentre AG, monitor the certificate orders database, and issue its own CA certificates. http://wiki.overbyte.eu/wiki/index.php/FAQ_Order_SSL_Certificates I'm about to revisit the TSslX509Certs component to support some Let's Encrypt changes like the new SSL challenge, so am interested in any feedback or suggestions from those that have used it, even just the sample application which can be used to order certificates for other web servers or applications. Angus
  10. ICS is not supported on Linux, yet. The FAQ at the top of this thread shows how to do it on Windows, there is a sample application with source code. Angus
  11. Angus Robertson

    Let's Encrypt old root expiry and OpenSSL

    This is all down to how you install new certificates into the Windows Store, which has always been a black art. You can double click on a PFX/P12 file, or do it from IIS Server Certificates which is better. Both should install intermediates into the correct store, but may not, and won't remove old intermediates with the same name, which may still be sent with requests. Which is one reason why ICS now has a new TMsCertTools class that allows installation of certificates to the Windows store. Angus
  12. Angus Robertson

    Let's Encrypt old root expiry and OpenSSL

    Let's Encrypt started using R3 intermediates last December, there were three different versions since then, two signed by the expired root, which Windows IIS was still sending out, one expired this week but IIS still used it. Angus
  13. Angus Robertson

    Let's Encrypt old root expiry and OpenSSL

    After investigation, the main issue today was with the Windows IIS web server using Let's Encrypt certificates. The Windows Intermediate Certificate Authorities store had old certificates that it was still sending out with each request, according to the excellent SSL Labs test site. Essentially, you only install new certificates in the store and old ones remain until removed manually using Admin Tools, Manage Computer Certificates, or the latest version of the ICS PemTools sample which also allows deletion of certificates, which can now be done from applications as well. IIS then sends any intermediates it finds matching for the server certificate. Browsers seem cleverer than OpenSSL in ignoring unwanted certificates, so the problem may not be that visible. My IIS server has IPv4 and IPv6 binding on several IP addresses, and the issue did not appear on all bindings, possibly due to caching. I had to reboot the server after deleting the unwanted certificates to stop IIS sending them, even after restarting IIS itself. So if you have installed Let's Encrypt certificates into the Windows store, I'd recommend you delete these old intermediates:

    Issued to (CN): R3, (O): Let's Encrypt
    Issuer (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Expires: 29/09/2021

    Issued to (CN): Let's Encrypt Authority X3, (O): Let's Encrypt
    Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Expires: 17/03/2021 16:40:46

    Issued to (CN): ISRG Root X1, (O): Internet Security Research Group
    Issuer (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Expires: 2024-09-30T18:14:03

    The last one is still being distributed by Let's Encrypt with new orders, and needs a change to ICS to remove it, but does not seem to give an error with OpenSSL. Angus
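    An added example, not ICS code and not part of either post above, for the clean-up the two Let's Encrypt posts describe: it audits the machine Intermediate Certification Authorities store for intermediates that chain to the retired DST Root CA X3 or that have already expired, lists them with the reason, and deletes them only when run with -Remove. It assumes a Windows host with the Cert: drive (PowerShell 3 or later) and an elevated session; the -Remove and -StaleIssuerCN parameter names are this example's own.

```powershell
# Added example: find the stale Let's Encrypt intermediates named in the post
# (issued by DST Root CA X3, or already expired) in the LocalMachine CA store.
# Dry run by default; pass -Remove to delete the matches. Run elevated.
param(
    [switch]$Remove,
    # Issuer CN of the retired cross-signed chain; value taken from the post.
    [string]$StaleIssuerCN = 'DST Root CA X3'
)

$store = 'Cert:\LocalMachine\CA'   # "Intermediate Certification Authorities" in certlm.msc
$now   = Get-Date

$stale = Get-ChildItem -Path $store | Where-Object {
    ($_.Issuer -match "CN=$([regex]::Escape($StaleIssuerCN))") -or ($_.NotAfter -lt $now)
}

if (-not $stale) {
    Write-Host "No stale intermediates found in $store."
    return
}

# Show every match and why it matched before anything is deleted, so an
# unexpected certificate from another CA chaining to the same root is noticed.
$stale | ForEach-Object {
    $reason = if ($_.NotAfter -lt $now) { 'expired' } else { "issued by $StaleIssuerCN" }
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Reason     = $reason
    }
} | Format-Table -AutoSize

if ($Remove) {
    # Remove-Item on the Cert: provider deletes the certificate from the store.
    $stale | ForEach-Object { Remove-Item -Path $_.PSPath -Confirm:$false }
    Write-Host "Removed $($stale.Count) certificate(s). Per the post, IIS may keep sending them until the server is rebooted."
} else {
    Write-Host "Dry run: re-run with -Remove to delete the listed certificate(s)."
}
```

    After removal, re-test the server's sent chain (the SSL Labs check mentioned in the post, or openssl s_client -showcerts) to confirm only the current R3 intermediate is served.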
  14. Angus Robertson

    Changing names to match new OpenSsl dlls

    The patch will not be used, there are no benefits or bug fixes, it's purely cosmetic with severe implementation issues. Angus
  15. Angus Robertson

    Changing names to match new OpenSsl dlls

    Sorry, your proposed changes would require change to all ICS applications using SSL, due to the change of a unit name and various function names, ICS is always designed to be backward compatible so that most applications can be easily rebuilt with new versions without numerous errors to fix. Angus
  16. Angus Robertson

    ICS V8.67 announced

    I only support Delphi Windows platforms, I have no Apple hardware so can not build MacOS, and have no commercial interest in doing so, ditto mobile platforms. I have added the odd contributed fix for MacOS and C++, and made sure ICS builds on Linux, but Linux requires more low level work. All of this requires help from others, which is never forthcoming. Angus
  17. I've updated that unit in SVN twice today so far, and was about to do it again, so you'll see your changes real soon. Not sure how long they will be useful for, SHA1 is long deprecated. Angus
  18. From the projects window, when I click Show Build Groups pane, the projects tree view disappears but no new pane appears, it worked when I first installed D11.0, but I must have done something to make it disappear. The tree view is supposed to shrink and another pane appear. The build groups still exist because I can not create a new one with the old name. Angus
  19. Angus Robertson

    Lost the Build Groups pane in D11.0

    Thanks, Build Groups pane came back after a restart. Should have tried that earlier, had three different versions of Delphi open at the same time. Angus
  20. Angus Robertson

    Lost the Build Groups pane in D11.0

    Nothing to see, the project tree disappears, the toolbar remains, but the pane goes blank, but the right click menu shows the actions for the build pane, like new group. I've used Build Groups in D11 many times over the two months including RTM, it only disappeared last week when I was trying to get rid of extraneous windows. Angus
  21. Angus Robertson

    RAD Studio 11.0 Support

    The zip is there now, forgot to run the upload job, too early in the morning for me. Angus
  22. Angus Robertson

    RAD Studio 11.0 Support

    The zip is available now. I find Github massively more complicated to use than SVN, it also runs on my own servers not in the cloud, so SVN is here to stay for now. I use TortoiseSVN which is simple to install and use. But it's rare for SVN to have files not in the nightly zip, usually only during beta testing new compilers. Angus
  23. Angus Robertson

    RAD Studio 11.0 Support

    Sorry again, the Delphi 11 packages are in SVN, but are not yet zipped automatically into the zip file, will be fixed shortly. Later: the zip is now corrected, with Delphi 11 packages. Angus
  24. Two new zips for Win32 and Win64 versions of OpenSSL 3.0.0 can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . ICS V8.67 from SVN or the overnight zip is required to use 3.0 and later, due for final release in a few days. The ICS distribution will continue to include OpenSSL 1.1.1 for a while until 3.0 becomes better tested. Beware the ICS Jose unit currently gives errors with the Win64 platform, being investigated; the Win32 platform is ok.

     OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to standards required for certification. The old engines for special extensions are replaced by new more versatile providers, of which the FIPS module is one; a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to be loaded by the application.

     For details of the changes in 3.0.0, see the release notes at: https://www.openssl.org/news/openssl-3.0-notes.html Highlights are:

     * Implemented support for fully "pluggable" TLSv1.3 groups
     * Added support for Kernel TLS (KTLS), Linux only
     * Changed the license to the Apache License v2.0.
     * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider.
     * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy provider.
     * Added convenience functions for generating asymmetric key pairs.
     * X509 certificates signed using SHA1 are no longer allowed at security level 1 or higher.
     * Added a Certificate Management Protocol (CMP, RFC 4210) implementation.
     * Added a proper HTTP client.
     * Changed our version number scheme, major, minor, patch, so 3.0.0 (no patch letter)
     * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
     * TLS 1.3 FFDHE key exchange support added

     Angus
  25. Angus Robertson

    RAD Studio 11.0 Support

    Thanks, I always install the VCL/FMX packages, should test the VCL only ones more often. Will be fixed tomorrow. Angus