Angus Robertson

Everything posted by Angus Robertson

  1. X509 certificates never have a password or encryption; by definition they are public. The private key used to sign an X509 certificate or use it in a server may be protected, so I assume you are opening a bundle file that contains both a certificate and a protected private key. For a PEM bundle file, the certificate and private key are separate blocks of text, so you only need the certificate and can get the public key from that. A PFX/PKCS12 bundle is a binary blob, and OpenSSL will try and read everything in it, and fail if the key is protected and you don't have the password. I believe there are PKCS12 parsers to extract the contents of the file separately, but never looked for one. The wincrypt API to read PKCS12 is the same, reads the lot and needs a password. Angus
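The PEM case from the post above, as an added example in Python that is not ICS code or anything from the original thread: the bundle is split into its blocks, the encrypted private key block is left as opaque bytes (no password is ever needed to read the certificate), and the SubjectPublicKeyInfo is lifted out of the certificate's DER with a small ASN.1 walker, which is exactly "getting the public key from the certificate". The sample certificate is constructed to have the RFC 5280 field layout only; it is not a real or signed certificate, and the walker does no validation, so use OpenSSL or a proper X.509 library for anything beyond extraction.

```python
# Added example (Python, not ICS code): split a PEM bundle into its blocks, leave a protected
# private key untouched, and pull the SubjectPublicKeyInfo out of the certificate's DER with a
# minimal ASN.1 walker. The sample certificate below is constructed to have the RFC 5280 field
# layout; it is not a real, signed certificate.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S
)

def split_pem(text):
    """Return (label, rfc1421_headers, der_bytes) for each PEM block. Nothing is decrypted,
    so an encrypted key block just becomes opaque bytes and no password is needed."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        lines = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]      # e.g. 'Proc-Type: 4,ENCRYPTED'
        b64 = "".join(ln for ln in lines if ":" not in ln)
        out.append((m.group("label"), "\n".join(headers), base64.b64decode(b64)))
    return out

def certificates_and_key_status(bundle_text):
    """Return ([certificate DER, ...], key_is_protected); key_is_protected is None if no key."""
    certs, protected = [], None
    for label, headers, der in split_pem(bundle_text):
        if label == "CERTIFICATE":
            certs.append(der)
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 encrypted keys use their own label; legacy PEM keys signal it in headers
            protected = label.startswith("ENCRYPTED") or "ENCRYPTED" in headers
    return certs, protected

# --- minimal DER reader: enough to walk Certificate -> tbsCertificate -> subjectPublicKeyInfo
def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content, end). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split a constructed value into its element TLVs, each kept as (tag, full raw TLV)."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = _tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def subject_public_key_info(cert_der):
    """Return the DER SubjectPublicKeyInfo from a certificate (RFC 5280 section 4.1)."""
    tag, cert, _ = _tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs_tag, tbs, _ = _tlv(cert)
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    fields = _children(tbs)
    if fields[0][0] == 0xA0:            # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_tag, spki = fields[5]
    assert spki_tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return spki

def spki_to_pem(spki_der):
    """Wrap the SubjectPublicKeyInfo as the 'PUBLIC KEY' PEM that OpenSSL and others read."""
    b64 = base64.b64encode(spki_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# --- constructed sample data (tiny DER encoder used only to build the sample) -------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _seq(*parts):
    return _der(0x30, b"".join(parts))

def _oid(hexstr):
    return _der(0x06, bytes.fromhex(hexstr))

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

_sig_alg = _seq(_oid("2a8648ce3d040302"))                                      # ecdsa-with-SHA256
_name = _seq(_der(0x31, _seq(_oid("550403"), _der(0x0C, b"example.test"))))   # CN=example.test
_validity = _seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z"))  # UTCTime pair
SAMPLE_SPKI = _seq(
    _seq(_oid("2a8648ce3d0201"), _oid("2a8648ce3d030107")),   # ecPublicKey, prime256v1
    _der(0x03, b"\x00\x04" + bytes(64)),                       # BIT STRING, dummy point
)
_tbs = _seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),   # [0] version v3, serial 1
            _sig_alg, _name, _validity, _name, SAMPLE_SPKI)
SAMPLE_CERT_DER = _seq(_tbs, _sig_alg, _der(0x03, b"\x00" + bytes(8)))   # dummy signature
SAMPLE_BUNDLE = (_pem("CERTIFICATE", SAMPLE_CERT_DER)
                 + _pem("ENCRYPTED PRIVATE KEY", bytes(range(48))))       # opaque stand-in blob

if __name__ == "__main__":
    certs, key_protected = certificates_and_key_status(SAMPLE_BUNDLE)
    print("certificates:", len(certs), "key protected:", key_protected)
    print(spki_to_pem(subject_public_key_info(certs[0])))
```

The shortcut only works for PEM. OpenSSL's default PKCS12 output encrypts the certificate bags under the same password as the key (historically RC2-40-CBC, AES-256-CBC in OpenSSL 3), so a PFX written without `-certpbe NONE` gives up nothing without the password, which matches the post's description of what OpenSSL and wincrypt do.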
  2. ICS has new classes TMsCertTools and TMsX509List to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server. The PemTool sample includes new buttons to list all the Windows certificate and private key stores and allow old items to be deleted. Most of this was straightforward, but Microsoft seems to have messed up the APIs when adding CNG support for ECDSA keys in Vista: keys and certificates are held in separate stores, and the way they are linked together is badly documented and flaky; trying to set IIS site bindings often gives an error that means the key cannot be found. I was only able to add certificates and private keys that cannot be exported from Windows; the NCrypt functions fail. Angus
  3. Angus Robertson

    FTPS Passive Mode

    The ftpFixPasvLanIP fix is finally in SVN, sorry for the delay. Angus
  4. Two new zips for Win32 and Win64 versions of OpenSSL 1.1.1l can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . The latest 1.1.1 DLLs are also included in the ICS distribution SVN and overnight zip. There are two security fixes: one rated high relating to decryption using SM2 (which standard ICS does not offer), and one rated moderate relating to ASN.1 strings used in X509 certificates and the confusing conversion between fixed length strings and C null terminated strings that may cause a crash; this was mainly a problem displaying certificate content. YuOpenSSL has a new version with OpenSSL 1.1.1l. Angus
  5. Angus Robertson

    Connect to wss://

    I added a web socket server implementation to ICS last year. There is a new sample OverbyteIcsWebSocket and web page websocketclient.html that accesses the server. Note there are no plans for an ICS Websocket client component; the normal ICS server/client components can be used for sending data outside the browser environment. Angus
  6. Angus Robertson

    FTPS Passive Mode

    Whoops, will be fixed early next week. Angus
  7. Angus Robertson

    Can I use the TidHTTP component for this?

    I suggest you build the OverbyteIcsHttpRestTst.dpr sample and it will become obvious how it is of benefit to you. Angus
  8. Angus Robertson

    Can I use the TidHTTP component for this?

    If you use the newer TSslHttpRest instead of TSslHttpCli, you don't need TSslContext and can simplify your application considerably. Angus
  9. Angus Robertson

    FTPS Passive Mode

    You are probably using an old version of ICS, similar functionality was added a couple of years ago in V8.63, provided you set ftpFixPasvLanIP in Options. Angus
  10. Angus Robertson

    Will getit work for C++ Builder

    Getit is better than our manual install instructions, it builds the packages and sets the path to the obscure unique directory where it gets installed, over which you have no control. I prefer to keep my components no more than two directories lower than root, so I can find them easily. Angus
  11. Angus Robertson

    Will getit work for C++ Builder

    I attempt to keep the C++ packages up to date with each new release of ICS and Delphi, but cannot test them, and get virtually no feedback from C++ users. The GetIt installers are done by Embarcadero; I just provide a zip with the Delphi and C++ packages, and again don't test C++. Never used CodeGuard, no idea how it interferes with ICS. I've been using TSslHttpCli in Windows services on my public servers for 15 years; it just works. Angus
  12. Angus Robertson

    How to get the actual UTC time??

    Any API that requests system time is dependent on the computer clock being set correctly and with the correct time zone. Windows will then use NTP to keep it correct. Relying on NTP time is dangerous since the internet is not reliable, nor are NTP servers, nor DNS to reach them. Relying on a single NTP server is also dangerous, unless it's hosted across distributed hosts, like time.google.com or time.cloudflare.com; nist.gov has at least 15 different host names, I don't know if they are distributed. Angus
  13. Angus Robertson

    How to get the actual UTC time??

    GetSystemTime function (sysinfoapi.h) Retrieves the current system date and time in Coordinated Universal Time (UTC) format. To retrieve the current system date and time in local time, use the GetLocalTime function. https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsystemtime Angus
  14. Angus Robertson

    How to get the actual UTC time??

    // uses Windows (GetSystemTime, TSystemTime) and SysUtils (EncodeTime, EncodeDate)
    function IcsGetUTCTime: TDateTime;
    var
        SystemTime: TSystemTime;
    begin
        GetSystemTime(SystemTime);   // UTC from the Windows clock, not local time
        with SystemTime do
        begin
            Result := EncodeTime(wHour, wMinute, wSecond, wMilliSeconds) +
                      EncodeDate(wYear, wMonth, wDay);
        end;
    end;

    Angus
  15. TSslWSocketServer has a property SslCliCertMethod which determines whether a client certificate is required or optional, you check the certificate in the OnSslHandshakeDone event and close the connection if invalid, it is documented on the wiki page, http://wiki.overbyte.eu/wiki/index.php/TWSocketServer. Note I've not tested this for a while. Angus
  16. Angus Robertson

    Using OverbyteIcsTnOptFrm.dfm

    Those commands are there due to OverbyteIcsTnOptFrm.pas needing the dfm in the same directory as the library is built. But neither unit is used that often; they are the user interface for the TnEmulVT component, a telnet terminal. Angus
  17. Currently ICS only uses the Certxx APIs to extract certificates from the Windows store and to validate certificate chains. I'm just adding bits to put certificates into the store, but won't be done this week. My reading suggests CryptAcquireCertificatePrivateKey is how you get the private key for a certificate you find in the store, but not tried it yet. ICS has classes TX509Base and TX509List which allow certificates and bundles to be created, read and saved in various formats; there is sample OverbyteIcsPemtool that illustrates everything, and another OverbyteIcsX509CertsTst that acquires certificates from Let's Encrypt, including multi-domain wildcards. Sorry, never used THTTPRIO so no idea what it does, but the ICS HTTP client supports client certificates. You can use ICS synchronously; there are methods for that. Angus
  18. Angus Robertson

    Indy & OpenSSL 1.1.1 & TLS 1.3

    Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes. Most IIS sites are still only TLS 1.2, Microsoft does not support TLS 1.3 until Windows Server 2022. Angus
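The "TLS 1.2 is fine once the weak suites are gone" point above, as an added example in Python's ssl module (not ICS or Indy code, and not from the original thread): one server context pinned to TLS 1.2 and later with only forward-secret AEAD suites, one permissive context built from OpenSSL's DEFAULT list, and a check that reports which enabled pre-1.3 suites a hardened policy should not contain. The cipher names are standard OpenSSL names; which of them exist depends on the OpenSSL build Python is linked against, which is why the check reads back what was actually enabled rather than trusting the string.

```python
# Added example (Python ssl module, not ICS or Indy code): a server context pinned to TLS 1.2
# and above with only forward-secret AEAD suites, plus a check of what the local OpenSSL build
# actually enabled, shown against a permissive context using OpenSSL's DEFAULT list.
import ssl

# Only ECDHE key exchange and AEAD bulk ciphers; nothing with RSA key transport, CBC, RC4,
# 3DES, MD5 or SHA-1 MACs can match this list. TLS 1.3 suites are configured separately by
# OpenSSL and are not affected by set_ciphers().
HARDENED_TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse TLS 1.0 and 1.1
    ctx.set_ciphers(HARDENED_TLS12_CIPHERS)          # raises SSLError if none are available
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server order wins over client order
    return ctx

def permissive_server_context():
    """What you get by accepting the library's whole DEFAULT list: interoperable, not hardened."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx

def _acceptable_tls12(name):
    """A pre-1.3 suite passes only if it is forward secret (ECDHE/DHE) and AEAD (GCM/CCM/ChaCha20).
    Note OpenSSL names do not say 'CBC': a suite without GCM/CCM/CHACHA20 is a CBC suite."""
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = any(m in name for m in ("GCM", "CCM", "CHACHA20"))
    return forward_secret and aead and "PSK" not in name

def enabled_tls12_names(ctx):
    """Sorted names of the enabled pre-TLS 1.3 suites, as reported by the OpenSSL build."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")

def weak_tls12_names(ctx):
    """Enabled pre-TLS 1.3 suites that a hardened policy should not contain."""
    return [n for n in enabled_tls12_names(ctx) if not _acceptable_tls12(n)]

if __name__ == "__main__":
    print("hardened enables :", enabled_tls12_names(hardened_server_context()))
    print("weak in DEFAULT  :", weak_tls12_names(permissive_server_context()))
```

Run it once on the machine that will serve: the second line is the list of suites a plain DEFAULT configuration would have offered and the hardened context does not, which is the concrete difference between "TLS 1.2" and "TLS 1.2 with the weak ciphers and hashes disabled".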
  19. I'm just adding import and export for certificates to and from the Windows store, for ICS. PFXImportCertStore and PFXExportCertStoreEx seem to be the preferred solution to convert to and from a PFX/PKCS12 blob containing a certificate, private key and intermediates. Beware you won't be able to export from TPMs, only certificates saved with exportable private keys. But since you have PFX and PEM files, not sure why you are using the Windows store. Angus
  20. Angus Robertson

    THttpAppSrv - Add*Handler for PUT and DELETE

    SVN has been updated with a new OverbyteIcsHttpAppServer adding support for PUT and DELETE verbs; also OverbyteIcsDDWebServiceSrv.pas now uses TUrlHandlerRestApi instead of a virtual page, which is a little simpler. Angus
  21. Result := GetEnumName(TypeInfo(TEnum), Ord(FEnum));  // TypInfo unit; Angus
  22. Angus Robertson

    THttpAppSrv - Add*Handler for PUT and DELETE

    Beware the ICS web server samples include a lot of code for dynamic demonstration pages, which you can mostly remove to give yourself the basis of a commercial web server service listening on multiple IP addresses, ordering SSL certificates, and with request logging. However, the REST sample page is implemented as a virtual page, not a URL handler; other pages are URL handlers. The main issue is that the current ICS web server is single threaded, so blocking SQL calls can reduce performance. My experience over 10 years is that my SQL calls mostly take 10ms or less, so the performance hit is minimal; it can still support 50 requests a second (but not new SSL connections). The long term ICS wish list has a heavy web server, that will be configurable to allow x connections per thread, down to one if they are effectively blocking. Angus
  23. Angus Robertson

    THttpAppSrv - Add*Handler for PUT and DELETE

    I'll look at adding the missing handlers in the next week or so. You may want to look at a new SSL sample, OverbyteIcsDDWebService.dpr, which is very similar to OverbyteIcsSslMultiWebServ.dpr but designed as a Windows service, although it will also run as a GUI for debugging. It requires the DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice.asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 to be installed from http://www.yunqa.de. Note this sample is not in the project groups due to these pre-requisites. This sample is part of the next release, in SVN and the overnight zip. It is effectively a working REST server, very similar to a commercial server I've written at https://api.telecom-tariffs.co.uk/, but you need a login to do actual REST requests. Angus
  24. Angus Robertson

    Location change bug with fragment

    The relocation fix is now in SVN. The repository server is working fine, but wiki.overbyte.eu with the overnight zip has been down for two days, probably due to the flooding in Liege, but ICS can also be downloaded from https://www.magsys.co.uk/delphi/magics.asp Angus
  25. Angus Robertson

    Location change bug with fragment

    You were correct, a fragment/anchor/bookmark in the URL should never be sent to the server; it is purely an instruction to the browser on how to display the page. The ICS unit did attempt to remove # during relocation, but relocation has many different paths in the code, and it was not always being done. I've corrected in my master, won't be in SVN for a day or two, but in the latest SVN version add these lines to the function EncodePathOnly:

        I := Pos('#', OldPath);
        if I > 1 then
            Result := Copy(OldPath, 1, I - 1);

    My issue with the SSL/TLS certificate was me using an old sample application. Angus
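The relocation rule from the post above, as an added example in Python that is not ICS code and not from the original thread: the request-target sent to the server is built without the fragment, a relative or absolute Location header is resolved against the request URL, and when the Location carries no fragment of its own the original fragment is kept client-side, as RFC 7231 section 7.1.2 requires. Everything is standard library; the URLs in the test are constructed.

```python
# Added example (Python, not ICS code): redirect handling that never puts the fragment on the
# wire, resolves relative Location values, and keeps the original fragment for the client when
# the redirect target has none (RFC 7231 section 7.1.2).
from urllib.parse import urlsplit, urlunsplit, urljoin

def split_fragment(url):
    """Return (url_without_fragment, fragment). fragment is None when the URL had no '#',
    and '' when it had an empty one, so the two cases stay distinguishable."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(fragment="")), (parts.fragment if "#" in url else None)

def request_target(url):
    """Origin-form request-target for the request line: path and query only, never the fragment."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")

def follow_location(request_url, location):
    """Given the URL just requested and the Location header of a 3xx reply, return
    (next_url_to_send, fragment_for_client). `location` may be relative, as servers often send."""
    base, original_fragment = split_fragment(request_url)
    resolved = urljoin(base, location)            # relative paths, '..', scheme changes
    next_url, new_fragment = split_fragment(resolved)
    # A Location without a fragment inherits the original request's fragment; one with a
    # fragment replaces it. Either way the fragment is for the client, never for the wire.
    fragment = new_fragment if new_fragment is not None else original_fragment
    return next_url, fragment

def redirect_chain(start_url, responses):
    """Walk a constructed chain of Location headers and return the request-targets actually sent
    plus the final (url, fragment). None of the targets ever contains a '#'."""
    url, fragment, sent = *split_fragment(start_url), []
    sent.append(request_target(url))
    for location in responses:
        url, fragment = follow_location(url + ("#" + fragment if fragment is not None else ""), location)
        sent.append(request_target(url))
    return sent, (url, fragment)

if __name__ == "__main__":
    # Constructed exchange: the original URL has a fragment, the first hop drops it, the second sets a new one
    sent, final = redirect_chain("http://example.test/old?a=1#sec2", ["/moved", "https://other.test/doc#top"])
    print("request-targets sent:", sent)
    print("final url/fragment  :", final)
```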