Everything posted by Angus Robertson
-
A proper way to set up a listening socket (WebHook)
Angus Robertson replied to plastkort's topic in ICS - Internet Component Suite
Years ago I had TWSocketServers running and accepting thousands of short connections a day for a few months at a time, had to work around the 49 day GetTickCount wrap around. Now my servers never run for more than 35 days, due to Microsoft being more aggressive with Windows Update and forcing reboots. Angus -
Using ThttpAppSrv for REST Middleware
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
Look at the new OverbyteIcsSslMultiWebServ sample project, which uses TSslHttpAppSrv. From the main unit: SSL web application server sample, no real GUI, really designed to be a Windows service application. It supports multiple SSL hosts with multiple listeners, each with its own logging file, can order its own SSL certificates, includes hacking protection, and will email status information and errors to an administrator. If turned into a Windows service, this sample is really a commercial web server. ICS units include functions to read all parameters from INI files, and one is included OverbyteIcsSslMultiWebServ.ini. Much of the code for this sample comes from my own public web application server that uses SQL server, and has been running for 10 years always using the latest ICS versions, the link is to the monitoring page that shows what it's doing. Angus -
A proper way to set up a listening socket (WebHook)
Angus Robertson replied to plastkort's topic in ICS - Internet Component Suite
As François says, you should be using TWSocketServer which handles aspects of accepting and closing connections, you just plug in your existing onDataAvailable code. Also makes it easier to move to SSL in the future. If you are using the HTTP protocol, there is a new component TSimpleWebSrv in OverbyteIcsSslHttpRest.pas which uses TWSocketServer and adds a simple HTTP protocol, just a few lines of code, ICS uses it for lightweight HTTP servers for OAuth2 and Let's Encrypt. Angus -
OpenSSL connection errors simply mean some aspect of protocol negotiation has failed, they almost never tell you why or how to fix it. I would make sure you set up the SslContext similarly to InitSsl in OverbyteIcsSslHttpRest.pas which is current best practice. Note SslCliSecurity in particular, which does all the hard work for you in setting protocols, security and ciphers. Angus
-
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
Don't know, you'll have to check the code. The wiki has no documentation on proxy use. My applications do not allow a user to do that. Angus -
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
Ideally the component would complain if you specified authentication without credentials, but no idea if that happens. Given the 20 year age of this stuff and the number of applications written around undocumented behaviour, we try and leave things alone as much as possible, and often get caught when making what are initially thought as simple changes. Having looked briefly at the code, I think NTLM got selected due to the 407 response, but you were wasting a request round trip by not specifying authentication to start with so you got that response. Angus -
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
The main issue here is that if you don't specify a proxy authentication type but do specify credentials, ICS attempts to specify the type for you based on response types, 401, 407, etc, but this is not well documented and may change by accident when other changes are made. So really it's pot luck, safer to specify the authentication type you require so it's sent with the initial request, rather than after a 40x response. Also, just because you specify authentication does not mean the proxy or server needs it, which can confuse testing. Angus -
TLS1.2, some Win10Pro reply "Connection aborted on request"
Angus Robertson replied to Bruno13's topic in ICS - Internet Component Suite
Interesting, not seen a Delphi application use raw SChannel before. The main downside is Microsoft is very slow keeping up with new standards, there is still no support for TLSv1.3 in Windows almost a year after it was approved and they took several years to add TLSv1.2 to Windows 2008 despite it still being supported and only with minimal ciphers. Angus. -
My ICS web server has a long list of IP addresses it does not like, essentially anyone that tries to access a php, pl, sql (or various other) page on my sites, it holds the connection for one minute and then aborts it, to try and stop them making dozens of attempts a second. Of course hackers know all the tricks. Angus
-
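The policy described in the post above (remember clients that ask for php, pl or sql pages, hold their connections for one minute, then abort) can be sketched as follows. This is an added example, not ICS code and not from the original post; the class and function names, the return values and the sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# The extensions and the one-minute hold come from the post; everything else
# (class name, method names, return values) is assumed for illustration.
PROBE_EXTENSIONS = {".php", ".pl", ".sql"}
HOLD_SECONDS = 60


class ProbeTarpit:
    """Remembers client IPs that asked for page types the site never serves."""

    def __init__(self, hold_seconds=HOLD_SECONDS):
        self.hold_seconds = hold_seconds
        self.disliked = {}  # ip -> count of probe requests seen

    @staticmethod
    def is_probe(target):
        # Match on the path only, so "?file=a.php" in a query string is not
        # a hit, and lower-case it so "/DB.SQL" is treated like "/db.sql".
        path = urlsplit(target).path.lower()
        return posixpath.splitext(path)[1] in PROBE_EXTENSIONS

    def decide(self, ip, target):
        """Return (action, seconds_to_hold) for one request."""
        if self.is_probe(target):
            self.disliked[ip] = self.disliked.get(ip, 0) + 1
        if ip in self.disliked:
            # Keep the socket open for the hold period, then abort it.
            return ("hold_then_abort", self.hold_seconds)
        return ("serve", 0)


# Constructed sample requests (documentation address ranges), not real logs.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/index.html"),
    ("203.0.113.7", "/wp-login.php"),
    ("203.0.113.7", "/index.html"),          # already on the list: held too
    ("198.51.100.4", "/search?file=a.php"),  # query string only: served
    ("198.51.100.9", "/backup/DB.SQL"),
]


def replay(requests):
    tarpit = ProbeTarpit()
    return [tarpit.decide(ip, target) for ip, target in requests]


if __name__ == "__main__":
    for (ip, target), result in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(ip, target, result)
```

A server using this would hold the flagged sockets asynchronously (a timer per connection) so that held connections do not block legitimate clients.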
10053 is aborted, can mean SSL negotiation failed or server does not like you. Angus
-
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
So to sum up, if you tell ICS to connect to a proxy it works OK, if you don't tell it to do so, it does not. So works as designed. There is no automatic proxy detection. Angus -
I think that says the client can not access their Websocket API, only the server is allowed to do so. A common security measure. Maybe you need an account with whoever offers that Websocket API? Angus
-
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
Before I comment any further here, I need you to actually explain what your application is trying to do, you have not done so despite me asking. I was the first to mention NTLM. So two stages here, exactly what proxy configuration, all the actual settings and authentication, xxx where necessary, then what request and authentication. Please bear in mind that NTLM is messy and very hard to test, it's generally only used by private Windows servers that are rarely available for testing. Microsoft probably also messes with it in new server versions. So we only look at if we test it, or rely on contributors to test and fix it. Angus -
ICS 8.62 - Proxy settings override to httpAuthBasic when using FProxyURL
Angus Robertson replied to Kyle_Katarn's topic in ICS - Internet Component Suite
Why would I roll that back, it's nothing to do with the proxy support. And you said you are not using NTLM. Angus -
ICS 8.62 - Proxy settings override to httpAuthBasic when using FProxyURL
Angus Robertson replied to Kyle_Katarn's topic in ICS - Internet Component Suite
ProxyURL is not designed to work with httpAuthNtlm, don't use it and there is no problem. httpAuthNtlm uses Windows credentials, that is the whole point of it. Mind another ICS user made changes that might be the cause of your problems: Apr 09, 2019 V8.61 OAS : Improved NTLM authentication by adding Single Sign On with NTLM Session on Windows Domain to get credentials without needing them specified here. Angus -
TLS1.2, some Win10Pro reply "Connection aborted on request"
Angus Robertson replied to Bruno13's topic in ICS - Internet Component Suite
Yes, those two DLLs are all you need, ICS uses them if it finds them, then falls back to the older versions. Up to you whether you delete the old ones, doing so will relieve long term support problems if the new ones are missing, better to have an error than use something unsupported. Angus -
Can not really comment without knowing how you are attempting to implement the protocol and understanding the protocol itself, and I don't have time now. Angus
-
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
Sorry, not interested how ICS V6 behaved, it has changed a little since then. Angus -
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
I'm not really sure how authentication works with proxies, there are separate authentication properties for server and proxy, both default to off. Not sure which causes Authorization: NTLM to be added or if it's different for a proxy. You must set ProxyAuth to httpAuthBasic, to use Basic and supply a proxy login. Angus -
TLS1.2, some Win10Pro reply "Connection aborted on request"
Angus Robertson replied to Bruno13's topic in ICS - Internet Component Suite
What version of ICS is this? libeay32.dll is long obsolete and support is discontinued later this year. You should be using OpenSSL 1.1.1 which has been supported for about a year. Angus -
Broken proxy support with ICS 8.61
Angus Robertson replied to Kyle_Katarn31's topic in ICS - Internet Component Suite
Ideally you want to compare the logs to see any differences between 8.59 and 8.62 on the same PC. Less ideal, between working and non-working PCs on V8.62. What authentication are you trying to use? The server seems to accept basic which is simple, you are using NTLM which is complicated and rarely tested. Certainly never tested NTLM through a proxy. Angus -
ICS comes with lots of samples, there is also a wiki to read, I can not write your application here. The REST example I explained on 19 August could not make it any plainer, the screen says Sync Request or Async Request. Sometimes I suspect you ignore my advice. Angus
-
SSLMode is used internally by ICS components, it's not something applications normally need to worry about. It determines whether the application makes or receives SSL connections, so a client must be sslModeClient or nothing will work. Disconnection on idle connection is normal, unless you specify keep-alive, but don't know if that is part of the websockets specification. Angus
-
That is what we call async and sync methods. Angus
-
No, any v2 is OK for the language files and things, although the new EXE will probably work stand alone. Busy this week, but will create an installer next week. But it might update older settings stopping the older version working, that was the bug I fixed, corrupted settings, so you may need to delete them to go back to the old version. Angus