Angus Robertson

OpenSSL has released new versions of the two supported branches, 3.0.2 and 1.1.1n, Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . OpenSSL 3.0.2 fixes a high security risk relating to specifically formed SSL/TLS certificates using elliptic curve public keys which can cause OpenSSL to enter an infinite loop and cause denial of service by freezing. The attack can be caused by clients processing bad server certificates, or by servers that request bad client certificates, and many other cases where these bad certificates are processed, The attack has not been seen in the wild, it was identified by Google. 3.0.2 also allows PCKS12 private keys without a password to be opened. OpenSSL 1.1.1n fixes the same bug. The bug is also in 1.0.2 and 1.1.0 but these are no longer supported and users should upgrade. Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always resign the DLLs with their own signing certificate to remove the Magenta name. Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus

The ICS web server sends binary data from a stream. If you want to send UTF-8, you need to make sure that stream is loaded with 8-bit data as UTF-8. Can not be more specific since there are many ways to build the response page with several helpers. ICS 8.41 is ancient, it only supported OpenSSL that are no longer supported. You should be using ICS V8,.68 and OpenSSL 3, new version today. Angus

The ICS proxy component is not designed for use in threads, it listens in the main thread and all clients use the main thread. Testing has shown single threaded ICS servers can handle hundreds of simultaneous clients, although using SSL/TLS takes an appreciable time to setup a new connection and is a limiting factor in how many new connections can be accepted each second. Exactly how many clients are accessing the proxy simultaneously, using what protocols, and for how long. Does your proxy have a GUI? That will almost certainly be the reason for the slow down. Angus

Microsoft makes it difficult to completely disable Windows Firewall on Windows 10, even if it's disabled you may find the task is still running. The Services GUI does not allow you to disable Windows Defender Firewall, it can only be done by changing the registry and rebooting. Also, doing so can upset applications that attempt to add firewall rules and assume it's always running. Not saying this is the reason for your problem, I'd check if you can connect to other servers first. Angus

Windows Firewall may be blocking access to a local server. Angus

TICsIpStrmLog can be configured as a server or client, it is a much easier to use version of TWSocket/TWSocketServer, and supports SSL/TLS. The sample application I mentioned can run as both client and server at the same time, sending data to itself. Or you can run two instances on separate PCs sending data to each other. Once connected, there is one event to send a string of data, and another event that receives strings, very simple to use. Unfortunately, the sample looks complicates because it illustrates all the features of the component. Angus

Know nothing about IntraWeb, what IP addresses did you configure it to listen on? There are several ICS samples that illustrate simple TCP connect. For simple telnet, you would be better off using TIcsIpStrmLog than TWSocket, much faster and easier to use, see sample OverbyteIcsIpStmLogTst,dpr. Angus

sgcWebSockets does include an OAuth2 server, for 600 euros. Angus

OpenSSL has released quarterly updates for the two supported branches, 3.0.1 and 1.1.1m, Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . OpenSSL 3.0.1 fixes a medium security risk relating to clients verifying X509 certificates from the server, a malicious server could potentially send a bad certificate that caused the client to hang or misbehave during verify. https://www.openssl.org/news/secadv/20211214.txt Now OpenSSL 3.0 has been available for three months, updated the main supported OpenSSL release to 3.0.1. The samples SslInternet directory now has both OpenSSL 1.1.1m and 3.0.1, ICS will try and load OpenSSL 3.0 first, then 1.1.1 if not found, unless the global variable GSSLEAY_DLL_IgnoreNew is set true before OpenSSL is loaded. Likewise GSSLEAY_DLL_IgnoreOld may be set true to ignore 1.1.1 and fail unless 3.0 is available. This is available from SVN and the overnight zip. Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always resign the DLLs with their own signing certificate to remove the Magenta name. Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus

OpenSSL 3.0 (and 3.0.1, 3.0.2 etc) has now been designated a Long Term Support release, with security and bug fixes until 7th September 2026. ICS users are recommended to update to V8.68 or later and OpenSSL 3.0 for long term support. The current LTS release 1.1.1 will continue to be supported until 11th September 2023. The older 1.0.2 release only receives security fixes if you have a paid support contract with OpenSSL. The next main release will be OpenSSL 3.1.0 with initial support for QUIC which is needed for HTTP/3, but it may take a couple of years for all the work to be completed, they plan to release updates every six months. Angus

To clarify, this is down to DNS. If a DNS lookup returns both IPv4 and IPv6 addresses, the client will usually try IPv6 first. The Windows HOSTS file has both IPv4 and IPv6 lookups for localhost so servers need to listen on both addresses. Can be fixed by removing the IPv6 address from HOSTS. Angus

Yes, I've seen that. If the client is allowed to use IPv6 and IPv4, it will try IPv6 first, timeout and try IPv4. All client software should have a setting to make it use IPv4 only, in ICS it's SocketFamily. Angus

That diagram suggests the cloud service is running both authentication and API services, really need a version where they are separate. It should not be that difficult to design an authentication REST server using ICS or Indy, clearly it would need a database behind it which takes it beyond the type of samples ICS offers, and into end user application territory. It would also need a protocol between the authentication and API servers, not sure if there is a standard for that, guess that is Okta's market. Angus

Not really look at the server OAuth2 implementations, but isn't it usually a separate REST server than handles authentication, returning a bearer token which is passed to the API server, which presumably then checks back locally with the authentication server to validate it? Often the authentication server is run by a separate company, like Okta. Started looking at Okta once, but the level of emails and calls I got put me off. Angus

The ICS fork is at: https://svn.overbyte.be/svn/ics/trunk/Source/OverbyteIcsSuperObject.pas and https://svn.overbyte.be/svn/ics/trunk/Source/OverbyteIcsSuperXMLParser.pas There is a sample application OverbyteIcsJoseTst.dpr that illustrates parsing Json and XML into a grid at multiple levels. The OverbyteIcsHttpRestTst.dpr sample does the same thing for Json APIs over the internet. The OverbyteIcsSslX509Certs.pas unit makes extensive use of SuperObject to create and parse Json for SSL certificate orders. Angus

ICS includes forked version of SuperOject 1.2 so that ICS can offer the same JSON support on all platforms, It's not the latest version, since ICS already has time zone functionality that got added to SO. Also removed TSuperWriterSock since did not need it. I've added better TDateTime support, reporting JSON parse errors and other minor fixes. Fully compatible with D7 to D11.0. The unit's only dependency is an ICS utility unit, so it can be used without anything else. Angus

I set different levels when checking the password, that determine what data the execute events are allowed to access. I will check the sample works the same with GET and POST in a day or two. Angus

Yes, ICS should build on Linux, but is awaiting a Linux expert to update the MacOS message handler code to proper Linux. Angus

I thought you were writing an HTTP client, not a server, how would code to create chunks help you? ICS does not contain any server code or samples to create chunked data, it is normally created by the application. The ICS HTTP client and HTTP proxy both unchunk received data into a stream. The point I was making was the proxy component can accept chunked data and forward it as unchunked, which I thought was your original question. I'd have thought the Indy client would unchunk as well. Angus

My main TUrlHandler.Execute functions start with: if (Client.AuthUserName <> '') then begin to check for authentication, but the server does the main authentication in the onCheckPassword event which returns false for failure, but does not clear AuthUserName. So there may be a bug for POST. Sorry, don't have time to test it this week. Angus

If Authentication fails, the client Flags property is set to hg401 so that response is finally returned. The code and sample web servers have checks for h401 in many places, I'd guess your code is checking the flag for GET for not for POST, somewhere. The component does not stop calling events because authentication has failed. Any of those events may also set Flags to hg401 or something else. Angus

Chunking an HTTP response is a server decision, there is no way a client can stop it. Some web applications are simply written to return the response as lots of small chunks instead of building the response locally and sending it once the length is known. One web site I access daily recently changed so that all file downloads now come as a single chunk, this is annoying since there is no HTTP content size header and you've no idea how much is arriving. The only real solution is to access the site through an HTTP proxy that unchunks the response and fowards it as sized content, the ICS proxy does this. Angus

Your first suggestion was correct, that file only contains the data just written to it, a few bytes. Angus

Thanks, both fixes done in my local copy, will be in SVN in a few days. Angus

Sorry if you think my replies are insulting. But you are asking the same question more than once, and ignored my previous reply that answered that question, and previous replies that suggested simpler, quicker ways of doing what we think you are trying to do. If you don't want our advice, please don't keep asking for it. Angus