Angus Robertson

Members
  • Content Count: 1888
  • Days Won: 33

Everything posted by Angus Robertson

  1. ICS includes a TIcsInetAlive component to check for IPv4 and/or IPv6 internet connectivity, using Ping and/or HTTP, to the same Microsoft servers that Windows uses to detect the internet, www.msftconnecttest.com and ipv6.msftconnecttest.com. Angus
  2. Angus Robertson

    ICS V9.1 announced

    Thanks, please try to get the IcsCommonCBNew and IcsVclCBNew packages in SVN to build in 10.4 or later, not concerned about fixing older packages now. Then please email them to me with any other units that need fixing, hopefully none. Angus
  3. Angus Robertson

    ICS V9.1 announced

    I'm planning the V9.3 release this month, so really would appreciate users trying to get the C++ packages installable. I spent a lot of time fixing the Mscrypt problems so C++ does not use it. Angus
  4. OpenSSL has released new versions of the active versions, 3.3.2, 3.2.3 and 3.0.15 which include a moderate priority security fix that may cause applications verifying a specially designed SSL/TLS certificate to crash. Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource file. These OpenSSL versions are included with ICS V9.3 due for release within two weeks, but available from SVN and the overnight zip. Separately, YuOpenSSL has released 3.0.15 and 3.3.2 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Note: OpenSSL also released 3.1.7, but this ceases support in less than a year and has two newer releases, so we've stopped building binaries for it. 3.0.15 is a long term support release so is still being built. Angus
  5. Angus Robertson

    451-Error during read from data connection

    Your email server is incorrectly configured, it uses an invalid SSL/TLS certificate, so no-one can send you email securely.

    Connection to 202.164.22.101:25 from 217.146.102.137:55591 succeeded (Id: 1)
    RSP: 220 pleskhosting.webclick.com.au ESMTP Postfix
    CMD: STARTTLS
    RSP: 220 2.0.0 Ready to start TLS
    Certificate name mismatch. Expected Hostname: mail.justdata.com.au, Certificate Information: Subject=CN=*.webclick.com.au Issuer=CN=Sectigo RSA Domain Validation Secure Server CA

    Angus
  6. Angus Robertson

    451-Error during read from data connection

    My email was sent 24 hours ago, and did not bounce. I'll send you a direct message as well. Angus
  7. Angus Robertson

    451-Error during read from data connection

    I asked you to email the log to me, not post it here, since no other forum users will have any interest in it. It looks like a server error, try a different server. I've emailed the ics.ftptest.org login. Angus
  8. Angus Robertson

    451-Error during read from data connection

    My mail server does not block domains, but IP ranges used by spammers and hackers, about 800 at the moment, three emails this morning trying to get my email account password, so two more hosting companies in Italy and South Africa now blocked, third was from a Google user account, sad that Google allows hackers to send faked emails. If it's my server blocking you, which is rare, please send the log as a message via this platform. Angus
  9. Angus Robertson

    ICS V9.1 announced

    All the old references to specific Delphi versions like 110, 104, 120 etc should be replaced by New. I thought I'd done that, but seems I missed a few, and since I don't do C++ it needs to be tested by someone else. Angus
  10. Angus Robertson

    ISC 9.1 as a library events not firing

    I've made a change to TSslHttpRest adding a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self signed private certificates. If CertVerMethod = CertVerOwnEvent, during OnSslHandshakeDone the component calls a new event OnSslCertVerifyEvent where the application can check the chain and change the verify result appropriately. Maybe checking certificate serials, names or public key. Not tested yet, need to update the sample with the new event and some sensible code to check a self signed certificate, not until next week. Supporting the new OpenSSL for raw public keys will take longer, need to do the server stuff first so I can test clients. Angus
  11. Angus Robertson

    451-Error during read from data connection

    Error 451 is not something I often see, not using my servers. So please email logs generated by the component showing all FTP commands in a session, to the email you'll find in the source. I'd also recommend you test against other FTP servers to see if it's a client or server problem, you can upload to ics.ftptest.org which is the ICS FTP server, but you'll need a login I'll send you when I have your email address. Angus
  12. Angus Robertson

    ISC 9.1 as a library events not firing

    Effectively, when validating the chain, OpenSSL and ICS are checking the chain is signed by a public key in a certificate in the store, you are just trying to skip the certificate overhead. I've found the new OpenSSL APIs to make the server use a raw public key instead of a certificate, and likewise the client to check it, now need the time to test it all. Angus
  13. Angus Robertson

    ISC 9.1 as a library events not firing

    The best way to handle self signed certificates is the way ICS does it, the server components use an ICS intermediate certificate to create a CA signed certificate if a real one is missing. ICS includes two intermediates signed by the ICS root, a short 200 day intermediate version for which the private key is distributed, and a two year one for our use only. You can use these or create your own versions with ICS samples or components, create your own CA signed server certificates, or if using our servers let it happen automatically, and ensure your clients have the root certificate in the store, only that certificate, no others are necessary. The ICS root gets loaded automatically for all ICS applications. If you want to use real self signed certificates, TX509Base has a method X509PubKeyTB that gives you the public key, save it on the server and distribute to your clients in some way (instead of a root), extract the public key from the certificate in the OnHandshakeDone event and compare it with your saved version. The only catch when using the high level components with built in chain checking is there is no chain if you disable checking, but if you enable it, our checking can not be skipped. I'll need to fix this somehow when I add public key checking. Angus
  14. Angus Robertson

    451-Error during read from data connection

    I do have a couple of intermittent FTP bugs on my pending fix list, but since my downloads and uploads always work after retries, not got around to investigating them yet. The GitHub report relates to the socket being closed too early, ICS normally waits until all data is processed before closing a socket using the CloseDelayed method, but I'll look at the code, next week. Angus
  15. Angus Robertson

    ISC 9.1 as a library events not firing

    You are trying to do something unusual, I'll need to look at the code before I can make any suggestions, may be a day or two. This has been done before for light weight clients. Also OpenSSL now supports RFC7250 to check certificates by raw public key, which I plan to support. Angus
  16. Essentially your code is ok, except the first parameter of AnswerStream is var Flags : THttpGetFlag; so can not be left blank. There is an extra parameter to pass a last modified date which is friendly for so applications that do a HEAD first to check if the file is newer. You should free DocStream before creating it, and the server should free it when the request completes. Angus
  17. Angus Robertson

    ISC 9.1 as a library events not firing

    CertVerifyMethod := CertVerNone is how you bypass internal chain verification. TSslWebSocketCli is derived from TSslHttpRest which has an internal TSslContext, and it's that component that does all the SSL stuff. You can use an external SslContext, see the notes in the rest component, for instance if you are using a hundred rest component instances to download lots of stuff in parallel. If you are using the real WebSocket protocol, it exchanges frames between client and server, and vice versa, and there are several methods WSSendText, WSSendBinary, WSSendFrame, etc, with the OnWSFrameRcvd event being received frames, which you need to check the data type and then process. IsWSConnected does as it says. If you want to send raw data without using WS frames, you are using the wrong component. Angus
  18. Angus Robertson

    TIcsFtpMulti failing... (Version 8.65)

    As I said before, the option 'no temp file for xfers' magftpNoTmpFile will avoid the rename issue. You tried that and it did not fix the missing file name issue. The component will zip files before upload, old versions used VclZip, new versions on new versions of Delphi use Delphi native zip. Angus
  19. Angus Robertson

    OverbyteIcsFtpTst Version: 8.01

    That non-SSL sample is no longer part of the main distribution, the SSL version was last updated two weeks ago in SVN. But the FTP commands have not changed in many years. Angus
  20. Angus Robertson

    TIcsFtpMulti failing... (Version 8.65)

    I've tested the FtpUpOneFile function against my FTP server, and it works as expected. The only explanation for the missing file name in the logs is the parameter RemTarFile not being passed to the function, but unfortunately it is not logged other than when being used for FTP commands which all show blank in your log. So the only way to further diagnose the problem would be to add logging with RemTarFile at the top of FtpUpOneFile and FtpCheckFile. No point in my doing it in the current version since you are using an older version. Angus
  21. Angus Robertson

    ISC 9.1 as a library events not firing

    The purpose of the Websocket is to exchange data with a server, so it opens a connection and does a GET to the path you specify, just as HTTP does, if you don't want that it's not Websockets. I suggest you try using the OverbyteIcsHttpRestTst sample I mentioned, if that does not work you would appear to be using a custom protocol. In a console application, you need to call the message pump after every line that accesses IP functions, ICS is fully event driven. The sample I mentioned makes a single HTTP command, waits for it to finish and exits. If you are making a series of commands, the console application gets more complicated. Angus
  22. Angus Robertson

    OverbyteIcsFtpTst Version: 8.01

    V8.01 is 14 years old, unsupported. Angus
  23. Angus Robertson

    How to limit ciphers and groups in tls connection?

    Thanks for the comments, not all features get fully tested provided they don't break anything, I'll see what I can do to improve matters, but it may be a couple of weeks. Angus
  24. Angus Robertson

    TIcsFtpMulti failing... (Version 8.65)

    Don't believe it's a server issue, nor was there a timeout issue, it failed due to the client sending too many bad commands without the file name as an argument. You can always try uploading to my public FTP servers which are ICS based, the Snippets sample does FTP uploads and downloads, but you'll need a login for uploads which I'll email. If you do upload something, let me know the time so that I can check the server log, there is a lot of traffic each day. But I expect it to show the same issue. To try the latest ICS version, you can download the compiled Xfer sample, https://wiki.overbyte.eu/arch/icsdemos-clients.zip Angus
  25. Angus Robertson

    How to limit ciphers and groups in tls connection?

    If you are using IcsHosts, you can not set any SslContext options, they are set by the component according to the SslSrvSecurity level you set, which uses internal cipher lists with Mozilla recommended cipher suites according to how much backward compatibility you want with older clients on ancient versions of Windows or Android. For TLS/1.3, it always adds the sslCipherTLS13 constant ciphers, which include CHACHA20. So perhaps the answer to your problem is one or more SslSrvSecurity levels that only have AES ciphers? Meanwhile, you could edit that constant to remove the first cipher in the list to fix your problem. Beware the TLS/1.2 ciphers also include CHACHA20. I probably have to revisit ciphers again since newer OpenSSL versions are adding newer ciphers, which we currently ignore. Angus