
Angus Robertson

Everything posted by Angus Robertson

  1. Angus Robertson

    Let's encrypt, desperated...

    The logs on your own PC will tell you why it worked, probably Let's Encrypt tried the IPv4 address first, or both, not sure about the rules for checking multiple IP addresses in DNS records. The TSslX509Certs component accesses your local web server using DNS before starting the order to make sure it's available from the public internet, but ICS prefers IPv4 so would not check IPv6 first. Also, the check may not work when using NAT, I use a proxy server for such checks so I know access is from the internet. Angus
  2. Angus Robertson

    Is anybody but me using monitors with different scaling?

    Never really saw the point of 4K monitors for development (except for image applications), for I have two 2560x1440 monitors, the main 32in at 100%, the 28in at 125% so text is the same size on both. I run Delphi on the larger screen, browsers and text editors on the side screen. Done that for 15 years, with varying sized monitors. So no scaling issues. Angus
  3. Angus Robertson

    RAD Studio 11 Alexandria is now available

    Is it really RAD Studio 11 Alexandria? The version in Help/About just says Embarcadero® RAD Studio 11.0 Version 28.0.42600.6491, no mention of a name. Nor is anything displayed on the splash during startup. The only place I see Alexandria is for the license key. Alexandria was also the beta code name, and every 10.x release had a different code name to release name. The main web site does not mention Alexandria either, except buried in two pages. I'm planning on calling it 11.0 unless I hear otherwise. Angus
  4. Angus Robertson

    Let's encrypt, desperated...

    The error is that your local web server can not be accessed at 2003:e3:efff:1972:de39:6fff:fe45:4515, did you set up port forwarding for that IPv6 address and is the web server listening on that address? If you don't want Let's Encrypt to use an IPv6 address, it should not be listed in DNS. Let's Encrypt is not really designed to offer certificates for dynamic DNS domains. Angus
  5. X509 certificates never have a password or encryption, by definition they are public. The private key used to sign an X509 certificate or use it in a server may be protected, so I assume you are opening a bundle file that contains both a certificate and a protected private key. For a PEM bundle file, the certificate and private key are separate blocks of text, so you only need the certificate and can get the public key from that. A PFX/PKCS12 bundle, is a binary blob, and OpenSSL will try and read everything in it, and fail if the key is protected and you don't have the password. I believe there are PKCS12 parsers to extract the contents of the file separately, but never looked for one. The wincrypt API to read PKCS12 is the same, reads the lot and needs a password. Angus
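    The point above about PEM bundles being separate, independent text blocks, as an added example that is not part of the post or of ICS: a small stdlib-only PEM splitter that pulls out the CERTIFICATE block and reports whether the private key block is password protected, without needing the password. The bundle text is constructed, not a real certificate or key.

    ```python
    import base64
    import re
    from dataclasses import dataclass, field

    # A PEM bundle is just concatenated text blocks, each self-contained,
    # so the certificate can be read without decrypting the key beside it.
    _BLOCK = re.compile(
        r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
        re.DOTALL,
    )

    @dataclass
    class PemBlock:
        label: str                                   # e.g. "CERTIFICATE"
        headers: dict = field(default_factory=dict)  # RFC 1421 headers such as Proc-Type
        der: bytes = b""                             # decoded payload

        @property
        def is_encrypted_key(self) -> bool:
            # PKCS#8 encrypted keys carry their own label; legacy keys mark
            # encryption with a "Proc-Type: 4,ENCRYPTED" header inside the block.
            return self.label == "ENCRYPTED PRIVATE KEY" or (
                "PRIVATE KEY" in self.label
                and "ENCRYPTED" in self.headers.get("Proc-Type", "")
            )

    def parse_pem(text: str) -> list:
        blocks = []
        for m in _BLOCK.finditer(text):
            headers, b64_lines = {}, []
            for line in m.group("body").splitlines():
                line = line.strip()
                if not line:
                    continue
                if ":" in line and not b64_lines:   # base64 never contains ':'
                    k, v = line.split(":", 1)
                    headers[k.strip()] = v.strip()
                else:
                    b64_lines.append(line)
            blocks.append(PemBlock(m.group("label"), headers,
                                   base64.b64decode("".join(b64_lines))))
        return blocks

    def certificates_only(text: str) -> list:
        return [b for b in parse_pem(text) if b.label == "CERTIFICATE"]

    def has_protected_key(text: str) -> bool:
        return any(b.is_encrypted_key for b in parse_pem(text))

    SAMPLE_BUNDLE = (  # constructed sample: placeholder bytes, not real DER or ciphertext
        "-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(b"constructed certificate DER").decode() + "\n"
        "-----END CERTIFICATE-----\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
        "\n"
        + base64.b64encode(b"constructed ciphertext").decode() + "\n"
        "-----END RSA PRIVATE KEY-----\n"
    )
    ```

    The certificate block's DER bytes can then be handed to any X509 parser for the public key; a PFX/PKCS12 file has no such block structure, which is why OpenSSL must decrypt the whole blob.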
  6. ICS has new classes TMsCertTools and TMsX509List to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server. The PemTool sample includes new buttons to list all the Windows certificate and private key stores and allow old items to be deleted. Most of this was straightforward, but Microsoft seems to have messed up the APIs when adding CNG support for ECDSA keys in Vista; keys and certificates are held in separate stores and the way they are linked together is badly documented and flaky, trying to set IIS site bindings often gives an error that means the key can not be found. I was only able to add certificates and private keys that can not be exported from Windows, the NCrypt functions fail. Angus
  7. Angus Robertson

    FTPS Passive Mode

    The ftpFixPasvLanIP fix is finally in SVN, sorry for the delay. Angus
  8. Two new zips for Win32 and Win64 versions of OpenSSL 1.1.1i can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . The latest 1.1.1 DLLs are also included in the ICS distribution SVN and overnight zip. There are two security fixes, one rated high relating to decryption using SM2 (which standard ICS does not offer) and one rated moderate relating to ASN.1 strings used in X509 certificates and the confusing conversion between fixed length strings and C null terminated strings that may cause a crash; this was mainly a problem displaying certificate content. YuOpenSSL has a new version with OpenSSL 1.1.1l. Angus
  9. Angus Robertson

    Connect to wss://

    I added a web socket server implementation to ICS last year. There is a new sample OverbyteIcsWebSocket and web page websocketclient.html that accesses the server. Note there are no plans for an ICS Websocket client component, the normal ICS server/client components can be used for sending data outside the browser environment. Angus
  10. Angus Robertson

    FTPS Passive Mode

    Woops, will be fixed early next week. Angus
  11. Angus Robertson

    Can I use the TidHTTP component for this?

    I suggest you build the OverbyteIcsHttpRestTst.dpr sample and it will become obvious how it is of benefit to you. Angus
  12. Angus Robertson

    Can I use the TidHTTP component for this?

    If you use the newer TSslHttpRest instead of TSslHttpCli, you don't need TSslContext and can simplify your application considerably. Angus
  13. Angus Robertson

    FTPS Passive Mode

    You are probably using an old version of ICS, similar functionality was added a couple of years ago in V8.63, provided you set ftpFixPasvLanIP in Options. Angus
  14. Angus Robertson

    Will getit work for C++ Builder

    Getit is better than our manual install instructions, it builds the packages and sets the path to the obscure unique directory where it gets installed, over which you have no control. I prefer to keep my components no more than two directories lower than root, so I can find them easily. Angus
  15. Angus Robertson

    Will getit work for C++ Builder

    I attempt to keep the C++ packages up to date with each new release of ICS and Delphi, but can not test them, and get virtually no feedback from C++ users. The GetIt installers are done by Embarcadero, I just provide a zip with the Delphi and C++ packages, and again don't test C++. Never used CodeGuard, no idea how it interferes with ICS. I've been using TSslHttpCli in Windows services on my public servers for 15 years, it just works. Angus
  16. Angus Robertson

    How to get the actual UTC time??

    Any API that requests system time is dependent on the computer clock being set correctly and with the correct time zone. Windows will then use NTP to keep it correct. Relying on NTP time is dangerous since the internet is not reliable, nor are NTP servers, nor DNS to reach them. Relying on a single NTP server is also dangerous, unless it's hosted across distributed hosts, like time.google.com or time.cloudflare.com; nist.gov has at least 15 different host names, don't know if they are distributed. Angus
  17. Angus Robertson

    How to get the actual UTC time??

    GetSystemTime function (sysinfoapi.h) Retrieves the current system date and time in Coordinated Universal Time (UTC) format. To retrieve the current system date and time in local time, use the GetLocalTime function. https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsystemtime Angus
  18. Angus Robertson

    How to get the actual UTC time??

    function IcsGetUTCTime: TDateTime;
    var
        SystemTime: TSystemTime;
    begin
        { GetSystemTime returns the clock in UTC, independent of the local time zone }
        GetSystemTime(SystemTime);
        with SystemTime do
        begin
            { combine the date and time-of-day parts into one TDateTime }
            Result := EncodeTime(wHour, wMinute, wSecond, wMilliseconds) +
                      EncodeDate(wYear, wMonth, wDay);
        end;
    end;
    Angus
  19. TSslWSocketServer has a property SslCliCertMethod which determines whether a client certificate is required or optional, you check the certificate in the OnSslHandshakeDone event and close the connection if invalid, it is documented on the wiki page, http://wiki.overbyte.eu/wiki/index.php/TWSocketServer. Note I've not tested this for a while. Angus
  20. Angus Robertson

    Using OverbyteIcsTnOptFrm.dfm

    Those commands are there due to OverbyteIcsTnOptFrm.pas needing the dfm in the same directory as the library is built. But neither unit is used that often, they are the user interface for the TnEmulVT component, a telnet terminal. Angus
  21. Currently ICS only uses the Certxx APIs to extract certificates from the Windows store and to validate certificate chains, I'm just adding bits to put certificates into the store, but won't be done this week. My reading suggests CryptAcquireCertificatePrivateKey is how you get the private key for a certificate you find in the store, but not tried it yet. ICS has classes TX509Base and TX509List which allow certificates and bundles to be created, read and saved in various formats, there is sample OverbyteIcsPemtool that illustrates everything, and another OverbyteIcsX509CertsTst that acquires certificates from Let's Encrypt, including multi-domain wildcards. Sorry, never used THTTPRIO so no idea what it does, but the ICS HTTP client supports client certificates. You can use ICS synchronously, there are methods for that. Angus
  22. Angus Robertson

    Indy & OpenSSL 1.1.1 & TLS 1.3

    Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes. Most IIS sites are still only TLS 1.2, Microsoft does not support TLS 1.3 until Windows Server 2022. Angus
  23. I'm just adding import and export for certificates to and from the Windows store, for ICS. PFXImportCertStore and PFXExportCertStoreEx seem to be the preferred solution to convert to and from a PFX/PKCS12 blob containing a certificate, private key and intermediates. Beware you won't be able to export from TPMs, only certificates saved with exportable private keys. But since you have PFX and PEM files, not sure why you are using the Windows store. Angus
  24. Angus Robertson

    THttpAppSrv - Add*Handler for PUT and DELETE

    SVN has been updated with a new OverbyteIcsHttpAppServer adding support for PUT and DELETE verbs, also OverbyteIcsDDWebServiceSrv.pas now uses TUrlHandlerRestApi instead of as a virtual page, little simpler. Angus
  25. Result := GetEnumName(TypeInfo(TEnum), Ord(FEnum)); Angus