Angus Robertson

Members
  • Content Count: 1691
  • Days Won: 32

Everything posted by Angus Robertson

  1. GetIt has ICS V8.67, but only for the last couple of Delphi releases, they don't update for out of support releases. If you downloaded OpenSSL 3.0 separately, that is the version that would be reported, ICS no longer opens the 1.0 DLLs, so you are still picking up something ancient randomly installed on your PC. Angus
  2. Thanks, updated my copy, should be in SVN in a few days. Angus
  3. Something is very wrong, OpenSSL can not report 1.0.2 for the 1.1 DLLs. Make sure you have the latest libcrypto-1_1.dll and libssl-1_1.dll in the same directory as the exe, which can be fun with modern versions of Delphi that use lots of project sub-directories. Otherwise ICS may open random versions of OpenSSL that are in the Windows path. To avoid this, set GSSL_DLL_DIR to your application directory before loading OpenSSL, as happens in the OverbyteIcsHttpsTst sample. Angus
  4. All those OpenSSL versions are very old, current versions of ICS don't even support 1.0.2. The long term support version is 1.1.1.12 which is correctly known as 1.1.1l, there is also 3.3.0 now but that is very new. The ICS V8.67 download includes 1.1.1l so I'm guessing you are using old ICS as well. You really need to get up to date. The OverbyteIcsHttpsTst sample illustrates version logging, in this case whether we are using OpenSSL DLLs or statically linking the YuOpenSSL DCU from https://www.yunqa.de/.

         { the version is only available once OpenSSL has been loaded }
         LoadSsl;
         if NOT GSSLStaticLinked then begin
             { DLLs in use: log which file was opened and its version }
             if NOT FileExists (GLIBEAY_DLL_FileName) then
                 DisplayMemo.Lines.Add('SSL/TLS DLL not found: ' + GLIBEAY_DLL_FileName)
             else
                 DisplayMemo.Lines.Add('SSL/TLS DLL: ' + GLIBEAY_DLL_FileName +
                                                   ', Version: ' + OpenSslVersion);
         end
         else
             DisplayMemo.Lines.Add('SSL/TLS Static Linked, Version: ' + OpenSslVersion);

     Your original problem appears to happen the moment OpenSSL is loaded so something is probably corrupted, changing SSLType should have moved the error elsewhere which is why the logs are important. Angus
  5. What did the log show when you turned off SSL? The component would no longer be sending the AUTH TLS command where it currently stalls. It's best if applications log the OpenSSL version, although the FTP sample doesn't, because often it's not loaded since SSL is not used, and you can not get the version until it's loaded. But you should know what version you are distributing! Angus
  6. It's not a firewall issue, the server is simply failing to negotiate SSL without any errors, so nothing to diagnose. You could try changing to sslTypeImplicit so it connects to port 990 instead, or reducing the SslCliSecurity level to see if any older protocol works. Are your other clients connecting to the same server with the same settings? Which version of OpenSSL? Angus
  7. The onCopyEvent is specifically a logging event, with multiple outputs at different levels, fully illustrated in the OverbyteIcsXferTst sample where lots of stuff flashes past on the screen. All the new high level components I've added in the last two or three years have a single similar logging event, to avoid needing to add logging into different specific events and format the data. Angus
  8. The IcsLogger is primarily for internal SSL development and testing, not for end user applications. I need to see the component log from the event handler I mentioned which probably has an SSL after the AUTH TLS is sent. BTW, it is quite hard to turn off the Windows Defender Firewall, the service manager does not allow you to stop the service, you have to change a registry setting. Turning it off in the GUI may be ignored. If you email I'll send the firewall unit, the delay is writing documentation and web pages for a few pending components. Angus
  9. You need to implement logging in the component, using onCopyEvent, see the sample application for an example, which logs all the FTP commands, responses and errors, that is only way to diagnose FTP issues. As Francois said, almost certainly Windows firewall or a network router blocking the FTP protocol. I wrote a unit MagFireWall a couple of years ago which lists and adds firewall rules (admin access required), should really put it on my web site, next month. Angus
  10. Angus Robertson

    Reinstalling Delphi 10.4 after PC Crashed

    The most affordable disk image solution is the one that comes with Windows 10/11, 'Backup and Restore (Windows 7)' which does full images every night here. Angus
  11. Angus Robertson

    RAD Studio 11.0 Support

    Thanks again for the C++ changes, they are all now done and in SVN and the overnight zip, so ICS should install correctly on C++ Builder for 10.4 and 11.0. Angus
  12. Angus Robertson

    GetIt Server down?

    GetIt is also dead in Delphi 11.0, but was working last week, so probably just a temporary thing. Angus
  13. Angus Robertson

    RAD Studio 11.0 Support

    Thanks for all the fixes, will do them tomorrow. Angus
  14. Angus Robertson

    RAD Studio 11.0 Support

    The purpose of #pragma is a mystery to me lacking any C++ knowledge, but I'll fix it! Should be in SVN in a couple of days, thanks again. I don't get any errors building Delphi Win64 samples, I specifically created a lot of Win64 projects to allow more testing, but less sure about the Delphi 11.0 64-bit debugger, the IDE locked up on me. Angus
  15. Angus Robertson

    ICS 8.67 & Delphi 2010

    Thanks, Compiler15 would be Delphi XE, so still an early unicode version, will change it. Angus
  16. Angus Robertson

    ICS 8.67 & Delphi 2010

    WriteBOM is a TStringList method, I guess it was introduced some time after Delphi 2010, will have to investigate when. Angus
  17. Angus Robertson

    RAD Studio 11.0 Support

    Thanks, OverbyteIcsSslThrdLock has gone, I'll fix the package problems, I can not build them so rely on others to test them. No idea how the C++ obj files are created, guess it needs to be rebuilt somehow. Angus
  18. Angus Robertson

    ICS V8.67 announced

    ICS V8.67 is now available from GetIt for RAD Studio 10.4 and 11.0. Angus
  19. For the last few years, Let's Encrypt issued free certificates whose intermediate was signed by an old root issued by Digital Signature Trust Co, that expires today. In the ICS root bundles and certificate chain logs, it appears as follows:

         Issued to (CN): DST Root CA X3, (O): Digital Signature Trust Co.
         Issuer: Self Signed
         Expires: 2021-09-30T14:01:15, Signature: sha1WithRSAEncryption
         Valid From: 2000-09-30T21:12:19, Serial Number: 44afb080d6a327ba893039862ef8406b
         Fingerprint (sha256): 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
         Public Key: RSA Key Encryption 2048 bits, 112 security bits

      Let's Encrypt distributed its own root certificate, Issued by (CN): ISRG Root X1, (O): Internet Security Research Group a few years ago, but older applications might not have been updated with it, so since then certificates issued by Let's Encrypt have two intermediates so that either root was acceptable. Unfortunately not all applications verify the chain correctly, including OpenSSL, there was a blog about this two weeks ago, https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

      There are implications for servers running Let's Encrypt certificates and clients verifying the chains, last night one of my ICS client applications started giving chain verification errors on some of my servers, specifically those using Let's Encrypt certificates issued in July and due to expire in two weeks, but not those with certificates issued from mid August, I'm still investigating what changed, I did make changes to the ICS functions that build certificate bundles, and Let's Encrypt periodically change the intermediates they issue.

      So this message is really a warning to watch out for failure to connect to web sites using Let's Encrypt certificates today. More later. Angus
  20. ICS V8.58 added a new TSslX509Certs component allowing ICS servers to automatically order, download and install SSL/TLS certificates from various suppliers, including free certificates from Let's Encrypt, and commercial certificates for DigiCert, Comodo, Thawte and GeoTrust from CertCentre AG. It also acts as a private CA to issue local certificates. The TSslWSocketServer, TSslHttpServer, TSslHttpAppSrv, TIcsProxy and TIcsHttpProxy components can assign a TSslX509Certs component to support automatic certificate ordering of domain validated certificates with very little extra code. There is a new sample project OverbyteIcsX509CertsTst to demonstrate the TSslX509Certs component, which may be used as a standalone application to order X509 certificates from Let's Encrypt and CertCentre AG, and monitor the certificate orders database, and to issue own CA certificates. http://wiki.overbyte.eu/wiki/index.php/FAQ_Order_SSL_Certificates I'm about to revisit the TSslX509Certs component to support some Let's Encrypt changes like the new SSL challenge, so am interested in any feedback or suggestions from those that have used it, even just the sample application which can be used to order certificates for other web servers or applications. Angus
  21. ICS is not supported on Linux, yet. The FAQ at the top of this thread shows how to do it on Windows, there is a sample application with source code. Angus
  22. Angus Robertson

    Let's Encrypt old root expiry and OpenSSL

    This is all down to how you install new certificates into the Windows Store, which has always been a black art. You can double click on a PFX/P12 file, or do it from IIS Server Certificates which is better. Both should install intermediates into the correct store, but may not, and won't remove old intermediates with the same name, that may still be sent with requests. Which is one reason why ICS now has a new TMsCertTools class that allows installation of certificates to the Windows store. Angus
  23. Angus Robertson

    Let's Encrypt old root expiry and OpenSSL

    Let's Encrypt started using R3 intermediates last December, there were three different versions since then, two signed by the expired root, which Windows IIS was still sending out, one expired this week but IIS still used it. Angus
  24. Angus Robertson

    Let's Encrypt old root expiry and OpenSSL

    After investigation, the main issue today was with the Windows IIS web server using Let's Encrypt certificates. The Windows Intermediate Certificate Authorities store had old certificates that it was still sending out with each request, according to the excellent SSL Labs test site. Essentially, you only install new certificates in the store and old ones remain until removed manually using Admin Tools, Manage Computer Certificates, or the latest version of the ICS PemTools sample which also allows deletion of certificates, which can now be done from applications as well. IIS then sends any intermediates it finds matching for the server certificate. Browsers seem cleverer than OpenSSL in ignoring unwanted certificates, so the problem may not be that visible.

    My IIS server has IPv4 and IPv6 binding on several IP addresses, and the issue did not appear on all bindings, possibly due to caching. I had to reboot the server after deleting the unwanted certificates to stop IIS sending them, even after restarting IIS itself.

    So if you have installed Let's Encrypt certificates into the Windows store, I'd recommend you delete these old intermediates:

        Issued to CN: R3, (O): Let's Encrypt
        Issuer (CN): DST Root CA X3, (O): Digital Signature Trust Co.
        Expires: 29/09/20213

        Issued to (CN): Let's Encrypt Authority X3, (O): Let's Encrypt
        Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.
        Expires: 17/03/2021 16:40:46,

        Issued to (CN): ISRG Root X1, (O): Internet Security Research Group
        Issuer (CN): DST Root CA X3, (O): Digital Signature Trust Co.
        Expires: 2024-09-30T18:14:03,

    The last one is still being distributed by Let's Encrypt with new orders, and needs a change to ICS to remove it, but does not seem to give an error with OpenSSL. Angus
  25. Angus Robertson

    Changing names to match new OpenSsl dlls

    The patch will not be used, there are no benefits or bug fixes, it's purely cosmetic with severe implementation issues. Angus
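
The intermediate-store cleanup described in the "Let's Encrypt old root expiry and OpenSSL" posts above can be audited from PowerShell. This is an added example, not code from the posts or from ICS; it assumes an elevated session on the IIS server, and the function name Find-OldDstIntermediates is hypothetical.

```powershell
# Added example: list certificates in the Windows Intermediate Certification
# Authorities store that were issued by DST Root CA X3, the expired root named
# in the posts. Only the intermediate store (LocalMachine\CA) is examined;
# the trusted root store is not touched.

function Find-OldDstIntermediates {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\CA',   # Intermediate CA store
        [string]$IssuerCN  = 'DST Root CA X3'            # issuer name from the posts
    )
    # Match the issuer CN exactly, not as a substring of a longer name.
    $pattern = 'CN=' + [regex]::Escape($IssuerCN) + '(,|$)'
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Expired    = $_.NotAfter -lt (Get-Date)
                Thumbprint = $_.Thumbprint
                PSPath     = $_.PSPath
            }
        }
}

$found = @(Find-OldDstIntermediates)

# Step 1: review what is in the store before changing anything.
$found | Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Expired, Thumbprint -AutoSize

# Step 2: dry run of the removal. -WhatIf only reports what would be deleted;
# drop it once the list has been checked against the intermediates to remove.
$found | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
```

The post reports that IIS kept sending the deleted intermediates until the server was rebooted, so re-test the site after removal rather than assuming the change took effect.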