Everything posted by Angus Robertson
-
SSL/TLS Certificate Authority Root Stores
Angus Robertson posted a topic in ICS - Internet Component Suite
CA Trusted Store Background

The whole SSL/TLS certificate verification process depends upon finding a trusted root certificate that signed the next certificate up the chain, and so on. But who chooses those trusted roots? The answer is the author of the application that accepts an SSL/TLS certificate, or maybe the operating system the application is running on, or the SSL library used to build the application.

The bad news is that root certificates come and go: old roots stop being accepted for various reasons, and new roots are introduced for new security standards or new businesses. Historically most roots were RSA Sha1 digest signed and most still are, despite Sha1 being banned for new certificates. Increasingly Sha256 and ECC root certificates are being introduced and required by new intermediate certificates. Typically, active certificate authorities have at least four roots, with 2,048 and 4,096 bit RSA keys and 256 and 394 bit ECDSA keys (which are much smaller than RSA).

Sources of CA Trusted Stores

SSL/TLS trusted root certificate bundles are always changing, annually perhaps for major changes, although Microsoft officially updates Windows roots every two months. The Common CA Database (CCADB) https://www.ccadb.org/ is a repository of information about Certificate Authorities (CAs), and is used by a number of different root store operators to manage their root stores. But it's not easy to create root bundles from CCADB, and another developer got frustrated with updating roots and created a Trust Stores Observatory Git repository: https://github.com/nabla-c0d3/trust_stores_observatory which contains over 500 root certificates and lists of which trust store contains which roots for different operating systems. But even this does not contain certificates in a form easily used by OpenSSL, so Magenta Systems Ltd has written a small tool that converts the YAML files from TSO into PEM bundle files, one each for the different operating systems.

New PEM Bundle CA Trusted Store Files

There are six different PEM CA bundle files, built from the Trust Stores Observatory Git repository:
apple.pem - 174 Certificates
google_aosp.pem - 137 Certificates
microsoft_windows.pem - 289 Certificates
mozilla_nss.pem - 137 Certificates
openjdk.pem - 88 Certificates
oracle_java.pem - 88 Certificates

Each certificate is prefixed by its description, issuer fields, expiry, public key type and SHA256 hash, so the bundles are self documenting rather than being just cryptic base64 blocks. These PEM bundles may be loaded into an OpenSSL context as a root store. These bundles may be downloaded at: https://www.magsys.co.uk/download/software/ca-root-bundles.zip Magenta Systems Ltd will periodically update these bundles, as needed. ICS V8.63 contains the content of microsoft_windows.pem. Angus -
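A downloaded bundle is only as trustworthy as the copy you actually load, so a practitioner will want to check that each certificate body still matches the SHA256 hash written in its header. The following added example (not the Magenta Systems tool or ICS code) splits a self-documenting PEM bundle into header comments and DER bodies and verifies each embedded fingerprint; the "# Subject:" / "# SHA256 Fingerprint:" header layout and the certificate bodies are constructed assumptions, since the post does not show the exact format.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Colon-separated 32-byte hex fingerprint, the usual display form.
FP_RE = re.compile(r"SHA256 Fingerprint:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){31})")

def fingerprint(der: bytes) -> str:
    """SHA256 of the DER body as uppercase colon-separated hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))

def make_entry(subject: str, der: bytes) -> str:
    """Emit one self-documenting bundle entry (header layout is an assumption)."""
    body = base64.b64encode(der).decode()
    b64 = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return (f"# Subject: {subject}\n# SHA256 Fingerprint: {fingerprint(der)}\n"
            f"{BEGIN}\n{b64}\n{END}\n")

def parse_bundle(text: str):
    """Split a bundle into (header_lines, der_bytes) pairs, ignoring blank lines."""
    entries, header, body = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            body = []
        elif line == END:
            entries.append((header, base64.b64decode("".join(body), validate=True)))
            header, body = [], None
        elif body is not None:
            body.append(line)
        elif line:
            header.append(line)
    return entries

def check_bundle(text: str):
    """Return [(subject, ok)]; ok means the header fingerprint matches the body."""
    results = []
    for header, der in parse_bundle(text):
        subject = next((h[len("# Subject: "):] for h in header if h.startswith("# Subject: ")), "?")
        matches = [m for m in map(FP_RE.search, header) if m]
        results.append((subject, bool(matches) and matches[0].group(1).upper() == fingerprint(der)))
    return results

# Constructed placeholder bodies: not real certificates, just bytes to hash.
CERTS = [("Example Root CA 1 (constructed)", b"not-a-real-certificate-1"),
         ("Example Root CA 2 (constructed)", b"not-a-real-certificate-2")]
GOOD_BUNDLE = "".join(make_entry(s, d) for s, d in CERTS)
# Same bundle with the second body swapped after the header was written.
TAMPERED_BUNDLE = GOOD_BUNDLE.replace(base64.b64encode(CERTS[1][1]).decode(),
                                      base64.b64encode(b"not-a-real-certificate-X").decode())

if __name__ == "__main__":
    print(check_bundle(GOOD_BUNDLE))      # both entries True
    print(check_bundle(TAMPERED_BUNDLE))  # second entry False
```

OpenSSL's PEM reader skips text outside the BEGIN/END markers, which is why the comment headers do not interfere with loading the bundle into a context.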
TFTPServer on Port forwarded machine not working
Angus Robertson replied to AllanF's topic in ICS - Internet Component Suite
The client and server logging should show if the control channel is closed prematurely. If you are not already using my old TMagFtp client component, I'd suggest you update your client to use the latest version, which is now in ICS: TIcsFtpMulti, which uses special directory commands when working with the ICS FTP server and automatically retries transfers when they fail due to the control channel closing or other errors. Angus -
TFTPServer on Port forwarded machine not working
Angus Robertson replied to AllanF's topic in ICS - Internet Component Suite
The line that matters here relating to passive IP addresses is "227 Entering Passive Mode (27,316,15,428,191,207)", which indicates a public address is being correctly advertised to the client, although you have not logged the server IP address so I'm guessing here. You are also using a two year old version of ICS. If even one file transfers correctly, that suggests the correct public IP address is being used. You need to check the logs to make sure the same public IP is being sent for each file. Another possibility is that the public IP changed during the session; while most of us have stable public IP addresses that stay the same for weeks or years, some ISPs (mobile in particular) use CNAT and the public IP address may change every few minutes. Angus -
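The check the reply describes, comparing the address advertised in every 227 reply during a session, can be automated over the client log. This added example (not ICS code) parses 227 replies, rejects fields that are not single bytes, flags RFC 1918 or CGNAT addresses that a NAT router failed to translate, and checks the data port falls inside the forwarded passive range; the log lines, the expected public address 203.0.113.10 and the 21001/997 range are constructed assumptions, except the 227 line quoted from the post, which is included to show it is malformed.

```python
import ipaddress
import re

PASV_RE = re.compile(r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Addresses a client on the public Internet can never reach directly.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_pasv(reply: str):
    """Return (ip, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each field is one byte; anything larger is garbled or bogus
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)

def audit_session(log_lines, expected_public_ip, pasv_range=None):
    """Return [(line_no, finding)] for every 227 reply that does not advertise the
    expected public address, or whose port is outside the forwarded passive range."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if "227 " not in line:
            continue
        parsed = parse_pasv(line)
        if parsed is None:
            findings.append((n, "malformed 227 reply"))
            continue
        ip, port = parsed
        if is_non_routable(ip):
            findings.append((n, f"private address {ip} advertised; NAT not rewriting PASV"))
        elif ip != expected_public_ip:
            findings.append((n, f"advertised {ip} differs from expected {expected_public_ip}"))
        if pasv_range and not (pasv_range[0] <= port < pasv_range[0] + pasv_range[1]):
            findings.append((n, f"port {port} outside forwarded passive range"))
    return findings

# Constructed client log; line 5 is the reply quoted in the post.
LOG = [
    "> PASV",
    "< 227 Entering Passive Mode (203,0,113,10,82,9)",      # 82*256+9 = 21001, in range
    "< 150 Opening data connection",
    "< 227 Entering Passive Mode (192,168,1,20,82,10)",     # LAN address leaked to client
    "< 227 Entering Passive Mode (27,316,15,428,191,207)",  # fields above 255
    "< 227 Entering Passive Mode (203,0,113,11,100,0)",     # other IP, port 25600
]

if __name__ == "__main__":
    for line_no, finding in audit_session(LOG, "203.0.113.10", (21001, 997)):
        print(line_no, finding)
```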
TFTPServer on Port forwarded machine not working
Angus Robertson replied to AllanF's topic in ICS - Internet Component Suite
I need to see the logs I asked you to keep. Angus -
TFTPServer on Port forwarded machine not working
Angus Robertson replied to AllanF's topic in ICS - Internet Component Suite
Just did a test with my FTP behind a NAT router; it currently fails to download files. It used to work with my old Sonicwall router, which was intelligent enough to manipulate the FTP protocol to change the IP address, but no longer works with my current Draytek Vigor router, which apparently does not understand FTP (but does work with IPv6, which the Sonicwall did not). Or maybe I've not configured something in the Draytek. It's probable PasvIpAddr would fix it, but I'd have to change my FTP server and I don't have time at the moment - I have three other public FTP servers so not a priority, sorry. Angus -
TFTPServer on Port forwarded machine not working
Angus Robertson replied to AllanF's topic in ICS - Internet Component Suite
Unfortunately the use of PasvIpAddr in the FTP server is undocumented and the developer that added and used those options is no longer able to answer questions about them. You'll need to examine your server and client logs and compare them with FileZilla to see what is wrong. I have an ICS FTP server behind a NAT router that works fine without any special settings except PasvPortRangeStart=21001 and PasvPortRangeSize=997, but I'm aware different NAT routers have varying abilities to cope with FTP. Angus -
Studying TSslHttpAppSrv
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
Your example is not thread safe, since AnswerString is being sent from within your own thread rather than the main thread where the client connection was opened. You should have AnswerDelayed := TRUE; in the handler, and then send the Answer after the thread terminates. Web clients are unlikely to wait hours for a request to conclude; the web server has timeouts. Angus -
I have made RFC1123_StrToDate more robust with error handling; it will be in SVN later today with other changes. Angus
-
Thanks, RFC1123_StrToDate is a very old function that probably precedes TryEncodeTime being added to Delphi, and has worked fine ever since. Using it would avoid an internal exception if the web server returns bad date headers, which is very rare, and you'd get a date at least if the time was invalid. I'll look into it. Angus
-
The correct way to resume FTP is to use the new TIcsFtpMulti component in OverbyteIcsFtpMulti.pas, with a demo in OverbyteIcsXferTst.dpr; it will automatically repeat failed transfers using resume if possible. There is a function to FTP a single file if you don't want it to automatically upload or download a nested directory structure. Angus
-
Which component or unit are you referring to? Angus
-
Remote SSH session control inside a Delphi program
Angus Robertson replied to Epo's topic in ICS - Internet Component Suite
Sorry, ICS does not support SSH. There is an SSH terminal application on the ICS User Made web page, but it was written in 2002 using old versions of OpenSSL and ICS, and is unlikely to still work. Angus -
TX509Base.LoadFromP12Buffer
Angus Robertson replied to mitzi's topic in ICS - Internet Component Suite
OpenSSL does have newer functions to format certificate information, but most users want single fields, not a list of cryptic fields. Angus -
TX509Base.LoadFromP12Buffer
Angus Robertson replied to mitzi's topic in ICS - Internet Component Suite
All the common subject and issuer fields are available as properties, i.e. SubjectCName, SubjectOName, IssuerCName, SubjectCOName, SubAltNameDNS, etc., or you can use GetNameEntryByNid with the NID literal for obscure ones like STREET, not even sure that exists... Look at the function ListCertDetail in OverbyteIcsPemtool1.pas which creates a string detailing most certificate fields. Angus -
TX509Base.LoadFromP12Buffer
Angus Robertson replied to mitzi's topic in ICS - Internet Component Suite
Only concerned about the internal DER ASN_ENCODING format, which ICS already supports, not file formats. OverbyteIcsPemtool1.pas already has code for opening a store, getting certificate contexts and converting them to X509 and PEM; need to move that into one of the library units, create a PCCERT_CONTEXT and add it to the correct store. Angus -
TX509Base.LoadFromP12Buffer
Angus Robertson replied to mitzi's topic in ICS - Internet Component Suite
ICS has code to read certificates from the Windows certificate store, but not to add them. Not needed for ICS applications generally, but for servers using SChannel. Angus -
TX509Base.LoadFromP12Buffer
Angus Robertson replied to mitzi's topic in ICS - Internet Component Suite
Thanks, added to my master, will be in SVN in a couple of days with other minor SSL improvements. Are you working with the Windows certificate store by any chance? My pending list includes putting certificates (Let's Encrypt) into the store. Angus -
Studying TSslHttpAppSrv
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
All Windows services run in their own thread already; TWSocketServer often runs in Windows services without needing extra threads. Using a thread for some client responses and not for others is exactly what the FTP server does; it is not difficult, just make sure the response is sent in the main thread once SQL is done. Bringing TWSocketThrdServer up to date and creating TsslHttpThrdSrv is a major project and needs someone to sponsor it. My company effectively sponsors most ICS development since I create features mostly that are needed for our applications but which are then used by others without any cost. But so far I've not needed TsslHttpThrdSrv. It has been discussed in the past; it was going to be designed to handle x clients in a single thread before using another thread for x more, typically x would be 100 or more for a simple web server but could be one so each client gets a thread. Angus -
Need Synchronous SslSmtpClient
Angus Robertson replied to mgarey's topic in ICS - Internet Component Suite
Look at the new TIcsMailQueue component added to ICS earlier this year; it does exactly what you need. You can queue hundreds of emails at the same time, and they will be sent and retried over several minutes or days. The component is described half way down the page at http://wiki.overbyte.eu/wiki/index.php/ICS_V8.60 Angus -
Studying TSslHttpAppSrv
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
Not sure why you want to run the server in a thread; that just listens on one or more ports and creates clients. Running the client in a thread can be done: ICS has TWSocketThrdServer that does exactly that, but it is rarely used, has not been updated for 10 years, lacks newer multi-listen and SSL stuff and there is no web server derived from it, due to lack of demand from end users. My own TSslHttpAppSrv SQL driven web server runs happily in a single thread; the SQL stored procedures rarely take very long so are not blocking other users significantly. Obviously this depends on volume; I'm only handling a couple of thousand SQL requests a day, and from the logging, SQL procs took 16ms, 31ms, 141ms, 63ms, 390ms, 16ms. So I never bothered with threads. As Francois says, using a thread just for the database lookup and returning the page in the main thread is the safest solution; look at class TClientProcessingThread in the ICS FTP server, which uses a thread to calculate MD5sums and directory listings. Angus -
SChannel TLS - perform TLS communication with WinAPI
Angus Robertson replied to Fr0sT.Brutal's topic in I made this
ICS supports Delphi 7 onwards, so we avoid any language features or libraries added after that, or have our own versions of them, such as ANSI or WideString functions. Users tell me quickly if I accidentally do something that Delphi 7 does not support, so it is still used. Angus -
SChannel TLS - perform TLS communication with WinAPI
Angus Robertson replied to Fr0sT.Brutal's topic in I made this
Good, seems to read whole pages correctly now. BTW, your ICS fix is in SVN now. Angus -
Best components for creating windows service apps
Angus Robertson replied to microtronx's topic in VCL
Or the automated Google scan tools were finding something in one of the components or OpenSSL binaries that has been used in a malicious application somewhere. Unfortunately they don't tell you anything specific, just that your site is banned in all browsers until you remove your malicious file, so it's trial and error. Angus -
SChannel TLS - perform TLS communication with WinAPI
Angus Robertson replied to Fr0sT.Brutal's topic in I made this
Not sure when Default() was added, but it gave an error in Delphi 2007. The keep-alive issue was not in the ICS server, but in my application. But you still need to fix data being received correctly: if you remove the close line for your google example, it takes four minutes for the window to become responsive and display the received data, which is the Google timeout. The Microsoft page actually shows how poor the ciphers are in older Windows versions; it says there are none for TLS/1.2 in Windows 7, although a couple have now been added, but not nearly as good as OpenSSL supports on Windows 7. Angus -
SChannel TLS - perform TLS communication with WinAPI
Angus Robertson replied to Fr0sT.Brutal's topic in I made this
I started fixing errors with Delphi 2007 to get it to build, but there were too many. Simple things like type LONG missing. Does not matter for personal projects, but is important if the code is ever to be incorporated into libraries. The issue with async requests seems to relate to most of the content not being returned until the connection is closed. This URL works fine:
www.magsys.co.uk
GET /delphi/ddservice.asp HTTP/1.1
Connection: close
Host: www.magsys.co.uk
While this does not; the end of the page only appears after the server closes the connection on a 60 second timeout:
www.telecom-tariffs.co.uk
GET /serverinfo.htm HTTP/1.1
Connection: close
The first server is IIS, the second the ICS web server, so it seems we have aggressive Keep-Alive that is ignoring the Close command, another ICS bug for me to fix. But it shows up a bug in your code as well. I chose that page because it shows the SSL/TLS connection parameters selected by the server, useful to check browser capabilities, and the poor range of ciphers supported by SChannel on older versions of Windows. Angus