Everything posted by Angus Robertson
Automatically order, download and install SSL/TLS certificates
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
ICS is not supported on Linux, yet. The FAQ at the top of this thread shows how to do it on Windows, there is a sample application with source code. Angus
Let's Encrypt old root expiry and OpenSSL
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
This is all down to how you install new certificates into the Windows Store, which has always been a black art. You can double click on a PFX/P12 file, or do it from IIS Server Certificates which is better. Both should install intermediates into the correct store, but may not, and won't remove old intermediates with the same name, that may still be sent with requests. Which is one reason why ICS now has a new TMsCertTools class that allows installation of certificates to the Windows store. Angus
Let's Encrypt old root expiry and OpenSSL
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Let's Encrypt started using R3 intermediates last December; there were three different versions since then, two signed by the expired root, which Windows IIS was still sending out; one expired this week but IIS still used it. Angus
Let's Encrypt old root expiry and OpenSSL
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
After investigation, the main issue today was with the Windows IIS web server using Let's Encrypt certificates. The Windows Intermediate Certificate Authorities store had old certificates that it was still sending out with each request, according to the excellent SSL Labs test site. Essentially, you only install new certificates in the store and old ones remain until removed manually using Admin Tools, Manage Computer Certificates, or the latest version of the ICS PemTools sample which also allows deletion of certificates, which can now be done from applications as well. IIS then sends any intermediates it finds matching for the server certificate. Browsers seem cleverer than OpenSSL in ignoring unwanted certificates, so the problem may not be that visible. My IIS server has IPv4 and IPv6 binding on several IP addresses, and the issue did not appear on all bindings, possibly due to caching. I had to reboot the server after deleting the unwanted certificates to stop IIS sending them, even after restarting IIS itself. So if you have installed Let's Encrypt certificates into the Windows store, I'd recommend you delete these old intermediates:
Issued to (CN): R3, (O): Let's Encrypt
Issuer (CN): DST Root CA X3, (O): Digital Signature Trust Co.
Expires: 29/09/2021
Issued to (CN): Let's Encrypt Authority X3, (O): Let's Encrypt
Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.
Expires: 17/03/2021 16:40:46
Issued to (CN): ISRG Root X1, (O): Internet Security Research Group
Issuer (CN): DST Root CA X3, (O): Digital Signature Trust Co.
Expires: 2024-09-30T18:14:03
The last one is still being distributed by Let's Encrypt with new orders, and needs a change to ICS to remove it, but does not seem to give an error with OpenSSL. Angus
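An added PowerShell example, written for this page and not part of ICS or of the post above: it searches the machine's Intermediate Certification Authorities store (Cert:\LocalMachine\CA) for the three intermediates listed in the post, matching on subject CN plus the DST Root CA X3 issuer so that the current R3 signed by ISRG Root X1 is left in place, reports what it finds, and deletes only when run elevated with -Remove. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the store path and the reboot advice come from the post.

```powershell
# Added example, not ICS code: report (and, only with -Remove, delete) the stale
# Let's Encrypt intermediates named in the post from the machine's
# Intermediate Certification Authorities store (Cert:\LocalMachine\CA).
# Run from an elevated PowerShell on the IIS host; by default it only reports.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# Subject CNs of the three intermediates the post says to delete, all issued by
# the expired DST Root CA X3. The same CN issued by ISRG Root X1 is current and
# must stay, so the issuer is part of the match.
$staleSubjectCNs = @('R3', "Let's Encrypt Authority X3", 'ISRG Root X1')
$expiredRootCN   = 'DST Root CA X3'
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$stale = @(Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object {
    $subjectCN = $_.GetNameInfo($simpleName, $false)   # $false = subject name
    $issuerCN  = $_.GetNameInfo($simpleName, $true)    # $true  = issuer name
    ($issuerCN -eq $expiredRootCN) -and ($staleSubjectCNs -contains $subjectCN)
})

if ($stale.Count -eq 0) {
    Write-Host "No intermediates issued by '$expiredRootCN' found in Cert:\LocalMachine\CA."
    return
}

# Report each match; a cert can be unexpired yet still chain to the expired root.
foreach ($cert in $stale) {
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid, but chains to expired root' }
    $line  = '{0,-28} issuer={1,-16} expires={2:yyyy-MM-dd} thumbprint={3} [{4}]' -f `
        $cert.GetNameInfo($simpleName, $false), $cert.GetNameInfo($simpleName, $true),
        $cert.NotAfter, $cert.Thumbprint, $state
    Write-Output $line
}

if ($Remove) {
    foreach ($cert in $stale) {
        $path = 'Cert:\LocalMachine\CA\' + $cert.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove stale intermediate')) {
            Remove-Item -Path $path
        }
    }
    # The post found that restarting IIS alone was not enough; a reboot was needed.
    Write-Host "Removed $($stale.Count) certificate(s); reboot the server so IIS stops sending them."
} else {
    Write-Host 'Dry run only. Re-run with -Remove (add -WhatIf to preview) to delete them.'
}
```

Re-check the served chain afterwards with the SSL Labs test the post mentions, since IIS may keep sending the old intermediates until the server is rebooted.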
Changing names to match new OpenSsl dlls
Angus Robertson replied to EugeneK's topic in ICS - Internet Component Suite
The patch will not be used, there are no benefits or bug fixes, it's purely cosmetic with severe implementation issues. Angus
Changing names to match new OpenSsl dlls
Angus Robertson replied to EugeneK's topic in ICS - Internet Component Suite
Sorry, your proposed changes would require changes to all ICS applications using SSL, due to the change of a unit name and various function names. ICS is always designed to be backward compatible so that most applications can be easily rebuilt with new versions without numerous errors to fix. Angus
ICS V8.67 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I only support Delphi Windows platforms, I have no Apple hardware so can not build MacOS, and have no commercial interest in doing so, ditto mobile platforms. I have added the odd contributed fix for MacOS and C++, and made sure ICS builds on Linux, but Linux requires more low level work. All of this requires help from others, which is never forthcoming. Angus
Add couple of functions to OverbyteIcsLibEAY
Angus Robertson replied to EugeneK's topic in ICS - Internet Component Suite
I've updated that unit in SVN twice today so far, and was about to do it again, so you'll see your changes real soon. Not sure how long they will be useful for, SHA1 is long deprecated. Angus
From the projects window, when I click Show Build Groups pane, the projects tree view disappears but no new pane appears, it worked when I first installed D11.0, but I must have done something to make it disappear. The tree view is supposed to shrink and another pane appear. The build groups still exist because I can not create a new one with the old name. Angus
Lost the Build Groups pane in D11.0
Angus Robertson replied to Angus Robertson's topic in Delphi IDE and APIs
Thanks, Build Groups pane came back after a restart. Should have tried that earlier, had three different versions of Delphi open at the same time. Angus
Lost the Build Groups pane in D11.0
Angus Robertson replied to Angus Robertson's topic in Delphi IDE and APIs
Nothing to see, the project tree disappears, the toolbar remains, but the pane goes blank, but the right click menu shows the actions for the build pane, like new group. I've used Build Groups in D11 many times over the two months including RTM, it only disappeared last week when I was trying to get rid of extraneous windows. Angus
RAD Studio 11.0 Support
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
The zip is there now, forgot to run the upload job, too early in the morning for me. Angus
RAD Studio 11.0 Support
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
The zip is available now. I find Github massively more complicated to use than SVN, it also runs on my own servers not in the cloud, so SVN is here to stay for now. I use TortoiseSVN which is simple to install and use. But it's rare for SVN to have files not in the nightly zip, usually only during beta testing new compilers. Angus
RAD Studio 11.0 Support
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Sorry again, the Delphi 11 packages are in SVN, but are not yet zipped automatically into the zip file, will be fixed shortly. Later: the zip is now corrected, with Delphi 11 packages. Angus
Two new zips for Win32 and Win64 versions of OpenSSL 3.0.0 can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . ICS V8.67 from SVN or the overnight zip is required to use 3.0 and later, due for final release in a few days. The ICS distribution will continue to include OpenSSL 1.1.1 for a while until 3.0 becomes better tested. Beware the ICS Jose unit currently gives errors with the Win64 platform, being investigated, Win32 platform is ok. OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one; a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to be loaded by the application. For details of the changes in 3.0.0, see the release notes at: https://www.openssl.org/news/openssl-3.0-notes.html
Highlights are:
* Implemented support for fully "pluggable" TLSv1.3 groups
* Added support for Kernel TLS (KTLS), Linux only
* Changed the license to the Apache License v2.0.
* Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider.
* Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy provider.
* Added convenience functions for generating asymmetric key pairs.
* X509 certificates signed using SHA1 are no longer allowed at security level 1 or higher.
* Added a Certificate Management Protocol (CMP, RFC 4210) implementation.
* Added a proper HTTP client.
* Changed our version number scheme, major, minor, patch, so 3.0.0 (no patch letter)
* SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
* TLS 1.3 FFDHE key exchange support added
Angus
RAD Studio 11.0 Support
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Thanks, I always install the VCL/FMX packages, should test the VCL only ones more often. Will be fixed tomorrow. Angus
Let's encrypt, desperated...
Angus Robertson replied to idontknow's topic in ICS - Internet Component Suite
The logs on your own PC will tell you why it worked, probably Let's Encrypt tried the IPv4 address first, or both, not sure about the rules for checking multiple IP addresses in DNS records. The TSslX509Certs component accesses your local web server using DNS before starting the order to make sure it's available from the public internet, but ICS prefers IPv4 so would not check IPv6 first. Also, the check may not work when using NAT, I use a proxy server for such checks so I know access is from the internet. Angus
Is anybody but me using monitors with different scaling?
Angus Robertson replied to dummzeuch's topic in GExperts
Never really saw the point of 4K monitors for development (except for image applications), for I have two 2560x1440 monitors, the main 32in at 100%, the 28in at 125% so text is the same size on both. I run Delphi on the larger screen, browsers and text editors on the side screen. Done that for 15 years, with varying sized monitors. So no scaling issues. Angus
RAD Studio 11 Alexandria is now available
Angus Robertson replied to Darian Miller's topic in General Help
Is it really RAD Studio 11 Alexandria? The version in Help/About just says Embarcadero® RAD Studio 11.0 Version 28.0.42600.6491, no mention of a name. Nor is anything displayed on the splash during startup. The only place I see Alexandria is for the license key. Alexandria was also the beta code name, and every 10.x release had a different code name to release name. The main web site does not mention Alexandria either, except buried in two pages. I'm planning on calling it 11.0 unless I hear otherwise. Angus
Let's encrypt, desperated...
Angus Robertson replied to idontknow's topic in ICS - Internet Component Suite
The error is that your local web server can not be accessed at 2003:e3:efff:1972:de39:6fff:fe45:4515, did you setup port forwarding for that IPv6 address and is the web server listening on that address? If you don't want Let's Encrypt to use an IPv6 address, it should not be listed in DNS. Let's Encrypt is not really designed to offer certificates for dynamic DNS domains. Angus
[THTTPRIO, 10.4.2] WinHttpSendRequest + client certificate authentication
Angus Robertson replied to jaenicke's topic in Network, Cloud and Web
X509 certificates never have a password or encryption, by definition they are public. The private key used to sign an X509 certificate or use it in a server may be protected, so I assume you are opening a bundle file that contains both a certificate and a protected private key. For a PEM bundle file, the certificate and private key are separate blocks of text, so you only need the certificate and can get the public key from that. A PFX/PKCS12 bundle is a binary blob, and OpenSSL will try and read everything in it, and fail if the key is protected and you don't have the password. I believe there are PKCS12 parsers to extract the contents of the file separately, but never looked for one. The wincrypt API to read PKCS12 is the same, reads the lot and needs a password. Angus
[THTTPRIO, 10.4.2] WinHttpSendRequest + client certificate authentication
Angus Robertson replied to jaenicke's topic in Network, Cloud and Web
ICS has new classes TMsCertTools and TMsX509List to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server. The PemTool sample includes new buttons to list all the Windows certificate and private key stores and allow old items to be deleted. Most of this was straightforward, but Microsoft seems to have messed up the APIs when adding CNG support for ECDSA keys in Vista, keys and certificates are held in separate stores and the way they are linked together is badly documented and flaky, trying to set IIS site bindings often gives an error that means the key can not be found. I was only able to add certificates and private keys that can not be exported from Windows, the NCrypt functions fail. Angus
The ftpFixPasvLanIP fix is finally in SVN, sorry for the delay. Angus
Two new zips for Win32 and Win64 versions of OpenSSL 1.1.1i can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . The latest 1.1.1 DLLs are also included in the ICS distribution SVN and overnight zip. There are two security fixes, one rated high relating to decryption using SM2 (which standard ICS does not offer) and one rated moderate relating to ASN.1 strings used in X509 certificates and the confusing conversion between fixed length strings and C null terminated strings that may cause a crash; this was mainly a problem displaying certificate content. YuOpenSSL has a new version with OpenSSL 1.1.1l. Angus
I added a web socket server implementation to ICS last year. There is a new sample OverbyteIcsWebSocket and web page websocketclient.html that accesses the server. Note there are no plans for an ICS Websocket client component, the normal ICS server/client components can be used for sending data outside the browser environment. Angus