
Angus Robertson

Members
  • Content Count: 1698
  • Days Won: 32

Everything posted by Angus Robertson

  1. Ultimately, if the DLLs are missing and you make an SSL request, you will get an exception sooner or later. Angus
  2. I'd suggest if you call StartSslHandshake without previously loading OpenSSL or initialising an SslContext, you need to revise your code when using low level components. The newer higher level components do all the OpenSSL set-up for you, so errors like this won't happen. This will only be fixed if you can reproduce it in an ICS sample, it really is not possible to check OpenSSL has been opened before every single OpenSSL function. Angus
  3. The OverbyteIcsSslMailSnd1 email sample was improved to show when OnGetData is used and ignored. OnGetData is really a historic event to get one line at a time, now it is more common to set an entire message at the start and let the component handle encoding, line endings, etc. Angus
  4. Thanks for the unit, should be in SVN next week with an updated PemTools sample. Angus
  5. Can you please email me the complete edited unit, pasting from this forum often leaves unicode characters where we don't want them. Once you have the cert and key in a TX509Base object, that can be used for ICS servers, although less easily with IcsHosts which is designed to read files. Angus
  6. There was a large SVN update yesterday, including SSL client certificate support in the proxy server, and improved logging in the REST client, so you know if a client certificate was requested by the server. Available from SVN and the overnight zip. Angus
  7. PemTool used to work for client certificates, but I broke it when adding international domain support, where spaces and @ are illegal. Angus
  8. This is working now, the proxy log says:

     Http > 443/443 (3) Source 17 - Client SSL Connected OK with TLSv1.3, cipher TLS_AES_128_GCM_SHA256, encryption AESGCM(128), message auth AEAD
     Client certificate received, should we trust client? CN: angus@magsys.co.uk, Issuer: Self Signed, Expires: 09/04/2030

     and the event can be adjusted to either check a common name or an issuer name for corporate certificates. The hardest part was testing, I had to correct PemTool to properly create client certificates before Firefox would send one, I'll include a new test client certificate with the samples since this keeps coming up. Will be in SVN in a day or so. Angus
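     Added example (not ICS code and not from the post above): a small Delphi console program that takes the fields from the "Client certificate received" log line quoted above and applies the kind of allow-list decision the post describes, by exact common name for self-signed certificates and by issuer name for corporate CAs. The log field layout, the dd/mm/yyyy expiry date and the CA name "Example Corp Issuing CA" are assumptions made for the demo; the ICS event that would actually receive the peer certificate is not modelled.

```delphi
program ClientCertTrustPolicy;
{$APPTYPE CONSOLE}
// Added example, not part of ICS or the proxy code discussed above.
// It parses the "Client certificate received" log fields and applies a
// simple allow-list policy: a self-signed certificate can only be trusted
// by its exact CN, a CA-issued one by an approved issuer name.
// Assumptions: the expiry date is dd/mm/yyyy and the field layout is
// "CN: x, Issuer: y, Expires: z" as in the log line quoted in the post.
uses
  SysUtils;

type
  TClientCertPolicy = record
    AllowedCNs: TArray<string>;       // named users with self-signed certs
    AllowedIssuers: TArray<string>;   // corporate CAs whose clients are trusted
  end;

// Returns the value following "Key: " up to the next ", " (or end of line).
function ExtractField(const Line, Key: string): string;
var
  P, E: Integer;
begin
  Result := '';
  P := Pos(Key + ': ', Line);
  if P = 0 then
    Exit;
  P := P + Length(Key) + 2;
  E := Pos(', ', Line, P);           // three-argument Pos needs XE3 or later
  if E = 0 then
    E := Length(Line) + 1;
  Result := Copy(Line, P, E - P);
end;

function InList(const Value: string; const List: TArray<string>): Boolean;
var
  S: string;
begin
  for S in List do
    if SameText(S, Value) then
      Exit(True);
  Result := False;
end;

// Decide whether to keep the connection. Reason is what you would log.
function TrustClientCert(const Policy: TClientCertPolicy;
  const CN, Issuer: string; Expires, Today: TDateTime; out Reason: string): Boolean;
begin
  Result := False;
  if Expires < Today then
  begin
    Reason := 'certificate expired';
    Exit;
  end;
  // "Self Signed" is how the proxy log above labels the issuer; such a
  // certificate vouches only for itself, so only an exact CN match counts.
  if SameText(Issuer, 'Self Signed') then
  begin
    Result := InList(CN, Policy.AllowedCNs);
    if Result then
      Reason := 'self-signed certificate, CN is on the allow list'
    else
      Reason := 'self-signed certificate, CN not allowed';
    Exit;
  end;
  Result := InList(Issuer, Policy.AllowedIssuers);
  if Result then
    Reason := 'issued by trusted CA ' + Issuer
  else
    Reason := 'issuer not trusted: ' + Issuer;
end;

const
  // Constructed from the log line quoted in the post above.
  LogLine = 'Client certificate received, should we trust client? ' +
            'CN: angus@magsys.co.uk, Issuer: Self Signed, Expires: 09/04/2030';

var
  Policy: TClientCertPolicy;
  FS: TFormatSettings;
  CN, Issuer, Reason: string;
  Expires: TDateTime;
begin
  Policy.AllowedCNs := ['angus@magsys.co.uk'];           // array literal: XE7+
  Policy.AllowedIssuers := ['Example Corp Issuing CA'];  // hypothetical CA name

  FS := TFormatSettings.Create;
  FS.DateSeparator := '/';
  FS.ShortDateFormat := 'dd/mm/yyyy';

  CN := ExtractField(LogLine, 'CN');
  Issuer := ExtractField(LogLine, 'Issuer');
  Expires := StrToDate(ExtractField(LogLine, 'Expires'), FS);

  if TrustClientCert(Policy, CN, Issuer, Expires, Date, Reason) then
    Writeln('accept ', CN, ': ', Reason)
  else
    Writeln('disconnect ', CN, ': ', Reason);
end.
```

     The allow list is deliberately an exact, case-insensitive match rather than a substring test: a substring check on the CN or issuer would let any certificate whose name merely contains the expected text through. The field parser assumes the CN itself contains no ", "; an application receiving the certificate object directly would read the subject fields instead of parsing log text.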
  9. Angus Robertson

    error in OverbyteIcsSspi.pas

    Thanks, this was fixed last week when you reported it by email, it will be in SVN in a day or two. However, ICS does not use DECRYPT_MESSAGE_FN. Angus
  10. <error linking to "libssl-3.dll"> is not an ICS error message, we load the DLL once, not for each request. So there is something else happening here... <connection closed prematurely> is usually the server saying go away for some reason, perhaps busy, might not like the SSL options offered. Angus
  11. Angus Robertson

    delphi 10.4.2 invalid compiler directive

    That error should be found by runtime range checking, probably enabled for release but not debugging. Angus
  12. Angus Robertson

    delphi 10.4.2 invalid compiler directive

    voci[3] will cause an exception since its length is only 3, base 0. No idea what this has to do with ICS. Angus
  13. Exceptions in OpenSSL are almost impossible to trace, but incredibly rare. Nothing in the logs will be useful. Does it happen to several different servers or just one specific server? In server applications, OpenSSL errors are common when hackers attempt to access them using invalid protocols, I get dozens a day on my public servers, but rarely do they cause an exception. I assume this is the REST client? Before looking at the ICS code, always check the server actually works properly using https://www.ssllabs.com/ssltest/ Angus
  14. Sorry, a quick scan of the TIcsProxy code suggests that client certificate checking is not yet supported. It should be happening in TIcsProxy.ServerHandshakeDone which needs a new event onServerHandshakeDone which passes PeerCert to the application where you can check it and cause the client to be disconnected for an invalid certificate (see the web server). I'll try and do it next week. Angus
  15. OpenSSL has released new versions of the three active branches. These fix a moderate severity security issue CVE-2023-2650, which is a possible denial of service translating specially crafted, very long ASN.1 object identifiers in X509 certificates, OCSP responses, PKCS7/SMIME, CMS, CMP/CRMF or TS from malicious web sites. Windows binaries are available in SVN and the overnight zip file and separately from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp. Separately, YuOpenSSL has released 3.0.9 and 1.1.1u as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus
  16. Very rarely should you need to use SSL DebugLevel logging DebugSslLow, generally DebugSsl gives all the information you need. In this case, also set SslReportChain true and it will log the certificates in the chain, allowing you to see why verification failed, either the server is misconfigured and did not send an intermediate, or the intermediate is signed by a root CA that is not in the store you specified. ICS has different CA stores with varying numbers of certificates, there are hundreds of CAs, but only a few dozen are common. Angus
  17. How the request is made depends on the value of the Async parameter. If Async is false, the function is blocking and waits for the request to complete, so the return code will be accurate, but true means async so it will return as soon as the request starts and the OnRestRequestDone event is called when the request completes, from where you check various properties to see what happened. Angus
  18. Angus Robertson

    TNetHttpCLient trusted CA

    Using YuOpenSSL with ICS is easy, just uncomment {$DEFINE YuOpenSSL} in the OverbyteDefs.inc unit, add the path of the correct YuOpenSSL.dcu (single file) and rebuild the packages. I've done it several times this week testing new versions of our OpenSSL DLLs and the DCUs. You don't need any other YuOpenSSL units. Angus
  19. So this is just a private protocol, not really REST. Commonly, textual responses are followed by CRLF, that may be what the client is expecting. Angus
  20. REST client requests are usually sent using HTTPS, this should be obvious where the data you receive from the client contains HTTP headers, so you have to reply using HTTP, your Hi response will simply be ignored by the client. Ideally, you would be using the web server component, but creating a simple HTTP header and response HTTP page is only a few lines of code. Angus
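     Added example (not ICS code and not from the posts above): a Delphi console program covering both replies discussed in posts 19 and 20. It first checks whether the bytes received from a client look like an HTTP request, and if so frames the reply with a status line, Content-Length and the blank line that ends the header block, so an HTTP client will actually read the "Hi"; otherwise it falls back to a plain CRLF-terminated line for a private protocol. The sample request is constructed; the socket send call is left out, the program prints the reply instead.

```delphi
program MinimalHttpReply;
{$APPTYPE CONSOLE}
// Added example, not ICS code. Shows (1) how to recognise that a raw
// TCP client is actually speaking HTTP and (2) how to frame a reply
// that an HTTP client will parse, instead of sending a bare "Hi".
// The request below is constructed; the socket Send call the application
// would use (TWSocket or anything else) is not shown.
uses
  SysUtils;

const
  CRLF = #13#10;

// An HTTP request starts with "METHOD target HTTP/1.x" and its header
// block ends with an empty line. If this is false the peer is talking
// some private protocol and a plain CRLF-terminated text line may do.
function LooksLikeHttpRequest(const Data: string): Boolean;
var
  FirstLine: string;
  P: Integer;
begin
  P := Pos(CRLF, Data);
  if P = 0 then
    Exit(False);
  FirstLine := Copy(Data, 1, P - 1);
  Result := (Pos(' HTTP/1.', FirstLine) > 0) and (Pos(CRLF + CRLF, Data) > 0);
end;

// Builds status line, headers, blank line and body as raw bytes.
// Content-Length is the byte length of the UTF-8 body, not the character
// count, so non-ASCII replies are framed correctly.
function BuildHttpResponse(const Body: string; StatusCode: Integer = 200;
  const StatusText: string = 'OK';
  const ContentType: string = 'text/plain; charset=utf-8'): TBytes;
var
  HeaderBytes, BodyBytes: TBytes;
  Header: string;
begin
  BodyBytes := TEncoding.UTF8.GetBytes(Body);
  Header := Format('HTTP/1.1 %d %s', [StatusCode, StatusText]) + CRLF +
            'Content-Type: ' + ContentType + CRLF +
            'Content-Length: ' + IntToStr(Length(BodyBytes)) + CRLF +
            'Connection: close' + CRLF +
            CRLF;   // the empty line is what ends the header block
  HeaderBytes := TEncoding.ASCII.GetBytes(Header);
  SetLength(Result, Length(HeaderBytes) + Length(BodyBytes));
  if Length(HeaderBytes) > 0 then
    Move(HeaderBytes[0], Result[0], Length(HeaderBytes));
  if Length(BodyBytes) > 0 then
    Move(BodyBytes[0], Result[Length(HeaderBytes)], Length(BodyBytes));
end;

const
  // Constructed sample of what a REST client might send.
  SampleRequest = 'GET /status HTTP/1.1' + CRLF +
                  'Host: example.invalid' + CRLF +
                  'Accept: text/plain' + CRLF + CRLF;

var
  Reply: TBytes;
begin
  if LooksLikeHttpRequest(SampleRequest) then
    Reply := BuildHttpResponse('Hi')
  else
    Reply := TEncoding.ASCII.GetBytes('Hi' + CRLF);  // private protocol: one line + CRLF
  // The application would now send Reply on the socket; here it is printed.
  Writeln(TEncoding.UTF8.GetString(Reply));
end.
```

     "Connection: close" is there because this hand-rolled responder does not implement keep-alive; without it an HTTP/1.1 client may hold the connection open waiting for the next response. Anything beyond a one-off status reply is easier and safer with the ICS web server component, as the post says.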
  21. Angus Robertson

    TNetHttpCLient trusted CA

    YuOpenSSL operates identically to the SSLs in ICS, I've been using it as both Win32 and Win64 in my server and client applications for two years. But then I did adapt ICS to use YuOpenSSL. ICS also has full X509 certificate validation against CA stores I update every few months, including an internal store to avoid needing CA files, and checks OCSP for withdrawn certificates. Angus
  22. Angus Robertson

    SmtpCli - wrong Encoding?!

    That particular code segment is only used if you send a blank message, there are lots of lines just above it relating to setting FTransferEncoding to that specified in DefaultEncoding based on checking the actual text. So it's more likely you are not setting DefaultEncoding to smtpEnc8bit and Allow8Bit to true before sending email. Angus
  23. Angus Robertson

    Delphi 11.3 - Indy - OpenSSL 3.1

    OpenSSL 3.0 and 3.1 are reasonably compatible with 1.1.1 for TLS, although a number of older algorithms have moved to legacy.dll which has to be loaded if you need MD5 and such stuff. SSL_get_peer_certificate is now SSL_get1_peer_certificate, and there are some other similar changes with 0 or 1 to make clear whether memory should be freed. 3.0 also added providers instead of engines and deprecated a large number of functions with better versions, but they still work for now. Angus
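    Added example (not ICS code, which loads OpenSSL dynamically and declares its own imports): a Delphi unit that shows the ownership rule behind the get0/get1 naming mentioned above. SSL_get1_peer_certificate hands the caller its own reference to the X509, which must be released with X509_free, whereas X509_get_subject_name returns a pointer the certificate still owns. The DLL names, the use of static external imports and the buffer size are assumptions made for the demo.

```delphi
unit PeerCertOwnership;
// Added example, not ICS code. Demonstrates the get1 ownership rule:
// SSL_get1_peer_certificate returns a reference the caller owns and must
// free, while X509_get_subject_name is a get0-style accessor whose result
// belongs to the certificate and must not be freed.
// Assumptions: OpenSSL 3.x DLLs named libssl-3.dll / libcrypto-3.dll on
// the load path (the official Win64 builds carry a -x64 suffix), and an
// SSL* that has already completed its handshake.
interface

type
  PSSL = Pointer;
  PX509 = Pointer;
  PX509_NAME = Pointer;

function PeerCertSubject(Ssl: PSSL): string;

implementation

uses
  SysUtils;

const
  LibSsl = 'libssl-3.dll';
  LibCrypto = 'libcrypto-3.dll';

// Returns a new reference (refcount +1) or nil if no peer cert was sent.
function SSL_get1_peer_certificate(s: PSSL): PX509; cdecl; external LibSsl;
// Returns an internal pointer; do not free it.
function X509_get_subject_name(x: PX509): PX509_NAME; cdecl; external LibCrypto;
function X509_NAME_oneline(a: PX509_NAME; buf: PAnsiChar; size: Integer): PAnsiChar;
  cdecl; external LibCrypto;
procedure X509_free(x: PX509); cdecl; external LibCrypto;

function PeerCertSubject(Ssl: PSSL): string;
var
  Cert: PX509;
  Buf: array[0..511] of AnsiChar;
begin
  Result := '';
  Cert := SSL_get1_peer_certificate(Ssl);
  if Cert = nil then
    Exit;                       // peer did not present a certificate
  try
    // Under 1.1.1 this was SSL_get_peer_certificate, which also bumped the
    // reference count; the 3.0 rename only makes the obligation visible.
    if X509_NAME_oneline(X509_get_subject_name(Cert), Buf, SizeOf(Buf)) <> nil then
      Result := string(AnsiString(Buf));
  finally
    X509_free(Cert);            // drop the reference get1 gave us
  end;
end;

end.
```

    Forgetting the X509_free on a get1 call leaks one certificate per connection, which on a busy server is a slow memory exhaustion; freeing the result of a get0 call instead corrupts the certificate's internal state and usually crashes later, far from the cause. The try/finally keeps the release correct even if the name conversion raises.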
  24. Angus Robertson

    ICS 8.70 VCLCB110 64 bits compile error

    Looks like a compiler funny, when the same error occurs in different random units. There are a lot of Win64 fixes in V8.71, mostly stability, but no C++ packages yet, about two weeks away. Angus
  25. Angus Robertson

    ICS 8.70 VCLCB110 64 bits compile error

    OverbyteIcsAvlTrees is unchanged for 10 years, not aware of any C++ users have previously reported a problem with it. It is only used in two places in ICS, for an SSL session cache in user applications, very rarely, and for the TThreadLocalStore class in WSocket which I don't believe is used by any ICS units and is undocumented and uncommented as to use. Angus