Angus Robertson

Currently ICS only uses the Certxx APIs to extract certificates from the Windows store and to validate certificate chains, I'm just adding bits to put certificates into the store, but won't be done this week. My reading suggests CryptAcquireCertificatePrivateKey is how you get the private key for a certificate you find in the store, but not tried it yet. ICS has classes TX509Base and TX509List which allow certificates and bundles to be created, read and saved in various formats, there is sample OverbyteIcsPemtool that illustrates everything, and another OverbyteIcsX509CertsTst that acquires certificates from Let's Encrypt. including multi-domain wildcards. Sorry, never used THTTPRIO so no idea what it does, but the ICS HTTP client supports client certificates. You can use ICS synchronously, there are methods for that. Angus

Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes. Most IIS sites are still only TLS 1.2, Microsoft does not support TLS 1.3 until Windows Server 2022. Angus

I'm just adding import and export for certificates to and from the Windows store, for ICS. PFXImportCertStore and PFXExportCertStoreEx seem to be preferred solution to convert to and from a PFX/PCKS12 blob containing a certificate, private key and intermediates. Beware you won't be able to export from TPMs, only certificates saved with exportable private keys. But since you have PFX and PEM files, not sure why you are using the Windows store. Angus

SVN has been updated with a new OverbyteIcsHttpAppServer adding support for PUT and DELETE verbs, also OverbyteIcsDDWebServiceSrv.pas now uses TUrlHandlerRestApi instead of as a virtual page, little simpler. Angus

Result := GetEnumName (TypeInfo (TEnum), Ord (FEnum))); Angus

Beware the ICS web server samples include a lot of code for dynamic demonstration pages, which you can mostly remove to give yourself the basis of a commercial web server service listening on multiple IP addresses. ordering SSL certificates and with request logging. However the REST sample page is implemented as a virtual page not a URL handler, other pages are URL handlers. The main issue with the current ICS web server being a single thread, so blocking SQL calls can reduce performance. My experience over 10 years is my SQL calls mostly take 10ms or less, so the performance hit is minimal, it can still support 50 requests a second (but not new SSL connections). The long term ICS wish list has a heavy web server, that will be configurable to allow x connections per thread, down to one if they are effectively blocking. Angus

I'll look at adding the missing handlers in the next week or so. You may want to look at a new SSL sample, OverbyteIcsDDWebService.dpr which is very similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows service, although it will also run as a GUI for debugging. It requires DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice. asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 to be installed from http://www.yunqa.de. Note this sample in not in the project groups due to these pre-requisites. This sample is part of the next release, in SVN and the overnight zip. It is effectively a working REST server, very similar to a commercial server I've written at https://api.telecom-tariffs.co.uk/ but you need a login to do actual REST requests. Angus

The relocation fix is now in SVN. The repository server is working fine, but wiki.overbyte.eu with the overnight zip has been down for two days, probably due to the flooding in Liege, but ICS can also be downloaded from https://www.magsys.co.uk/delphi/magics.asp Angus

You were correct, a fragment/anchor/bookmark in the URL should never be sent to the server, it is purely an instruction to the browser on how to display the page. The ICS unit did attempt to remove # during relocation, but relocation has many different paths in the code, and it was not always being done. I've corrected in my master, won't be in SVN for a day or two, but in the latest SVN version add these lines to the function EncodePathOnly: I := Pos('#', OldPath); if I > 1 then Result := Copy (OldPath, 1, I - 1); My issue with the SSL/TLS certificate was me using an old sample application. Angus

It would help if your application had better logging, you would then have seen the real error: www.w3.org SSL Handshake Failed - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed, State: error This only happens if ICS is set to check the certificate chain, which is normal, but means you need to keep the root store up to date to allow verification to work. I updated the ICS root stores last week but not in SVN yet, and the root certificate 'USERTrust RSA Certification Authority' seems to be different to the one the site is using, I'll look into this next week. Angus

Neither Firefox nor ICS redirect to w3.org, using the ICS Frame Browser sample: FrameBrowser Get: https://www.htmlvalidator.com/help.php?h=aria-atomic&amp;m=6 [0] > GET /help.php?h=aria-atomic&amp;m=6 HTTP/1.1 [0] < HTTP/1.1 302 Found [0] < Location: help.php?m=2&h=html Redirected to: https://www.htmlvalidator.com/help.php?m=2&h=html [0] > GET /help.php?m=2&h=html HTTP/1.1 [0] < HTTP/1.1 200 OK Angus

Just created VMs with Windows 11 and Windows Server 2022 versions to see what the real internal versions are, and it seems still major version 10. Windows 11 has a raw version of 10.0.22000 and DisplayVersion 21H2. Windows Server 2022 preview is a little older and says 10.0.20348 and DisplayVersion 21H2. So it looks like build 20000 and higher are the new versions, not major version 11. Also, for a year or so they seem to have been using DisplayVersion (20H2) from the registry instead of ReleaseID ( last was 2009), and Windows 11 still says 2009. Angus

This is an Intel firmware Trusted Platform Module in the PC BIOS, using Intel Platform Trust Technology built into many Intel processors. In my Asus BIOS, I found PCH-FW Configuration, then Enable PTT, not very clear what PTT meant, so I never set it, they should spell out Trust to make it clearer. Now WMI says: Win32_Tpm, instance 1 of 1 IsActivated_InitialValue = True IsEnabled_InitialValue = True IsOwned_InitialValue = True ManufacturerId = 1229870147 ManufacturerIdTxt = INTC ManufacturerVersion = 500.14.0.0 ManufacturerVersionFull20 = 500.14.0.0 ManufacturerVersionInfo = Intel PhysicalPresenceVersionInfo = 1.3 My older Asus PC says ManufacturerIdTxt = IFX which is Infineon Technologies AG who make the chip in most TPM modules. Angus

Or use Computer Management, Device Manager, Security devices, and it should say Trusted Platform Module 2.0 with a very old driver. Angus

A UEFI BIOS is something you have, or an old fashioned BIOS. TPM is hardware, but sometimes needs to be enabled in the BIOS. I built a new PC six months ago, had an Asus MB choice between five SATA ports and a TPM slot, or six SATA ports, but I needed all six for a lot of flash and spinning rust, with RAID. Unfortunately, TPMs do not seem to come on PCIe cards, only special slots. had one in my old PC. Angus

It is possible to patch the Windows 11 installer to skip the TPM check. Has anyone tried Windows Server 2022 yet, does it also require a TPM? Presumably based on W11 rather than W10. Angus

I know Git is much better than SVN, but I would rather spend my limited time improving ICS than learning Git and migrating our systems built around it. Whoever finally takes over as ICS maintainer will need to start again since SVN runs on my hosted servers. Angus

TCustomTimeoutWSocket is only built if BUILTIN_TIMEOUT is defined, although that has been the default for a few years. Server client sockets do descent from that class, and the timeout settings could be set in code when the client is created. But you would then have one ICS thread timer per client, rather than a single timer monitoring all clients as happens with the high level servers. Angus

How would a Git repository be more beneficial than the existing SVN repository? I'm afraid I dislike Git, my past experience of it is very poor, very time consuming to make contributions and I do not have the time to learn any more about it. There are very few contributors to ICS, maybe one external fix a month, easily handled by SVN. Angus

Not strictly an ICS issue, but this topic is read by others as well. Reverse DNS lookup with IPv4 generally works well, most proper providers at least provide their main name even if the IP is not specially allocated, ie msnbot-157-55-39-2.search.msn.com. But IPv6 rDNS is much less useful, mainly because most addresses include 64-bit of effectively random data, which are added to the 64-bits of public address. So my public ranges are 2a00:1940:1:2 and 2a00:1940:2:2, but my remote address is today seen as 2a00:1940:1:2:ed4c:1a97:12fa:c6e7. I have reverse DNS for my public server addresses like 2a00:1940:2:2::139, but not the random ones. Some DNS servers seem able to look-up IPv6 addresses using just the public part of the address, like btcentralplus.com in the UK, but most don't. You can find the public name using Whois, but this is not designed for heavy use by a server looking up each new client that connects. One solution would seem to be a simple text file with the public names, even just the first 32-bits are enough, 2a00:1940 is Merula my hosting company, 2a02:c7f is BSkyB Broadband, 2a00:1450 is Google, etc. Has anyone found such a file? Any other thoughts on reverse DNS for IPv6? Angus

Sorry, there has been insufficient interest in webhooks to justify any further investigation with ICS. Presumably you want to write a webhook client? Exactly what webhook server do you want to access? Angus

Good, as ICS has developed over 20 years there are local functions like DirExists in various units, often duplicated and not always kept up to date, which I'm slowly concentrating in OverbyteUtils. Angus

The quick solution is to replace DirExists with SysUtils.DirectoryExists which is available in Unicode compilers, and which is already used in OverbyteUtils for IcsDirExistsW. I'll fix this in SVN shortly. Angus

Thanks, I'll try and test this next week. The API is documented as returning INVALID_FILE_ATTRIBUTES for failure, which we assume is -1, but maybe it's not. Angus

Easiest solution is to put a breakpoint in the CommandRNTO procedure and step through under the debugger to see which statement fails. There is nothing obvious that would fail on Win64. Angus