Angus Robertson

I'll update the types unit with the new include emits shortly. I can only build C++ packages not use them, since the ICS C++ samples are too old to build with modern compilers, it really needs someone to update two or three C++ samples so I can test that they build with new versions of ICS. The C++ Win64 packages build with release for me, but not debug, someone will need to look at that. The common package builds for Win64x, but not the run package which imports conmon, because currently D12.2 can only import Delphi packages and not C++ due to missing symbol files, due to fixed in a future release. Angus

SVN now has much improved C++ packages for Delphi 10.4 and later, although they should work with earlier versions by manually adding a specific compiler suffix. All C++ Win32 packages build and install for release, bugs need fixing for debug and Win64. Will be in the overnight zip tomorrow, if any C++ users wants to try to install them. I tried to build some C++ samples, but they are looking for .h files we now have .hpp, and that is beyond my zero C++ skills. Angus

Thanks, fix will be added for the next release shortly. Angus

The concept of certificate revocation is changing due to the slow down it causes and the massive databases needed. OCSP seems to be dead with browsers no longer using it (CRL instead), Let's Encrypt is stopping it's OSCP servers service soon. The industry wants certificate life to be shorter so they are replaced regularly (monthly) rather than being revoked. But this is not really relevant to code signing, since expired certificates are usually trusted provided they are time stamped signed, Azure issues code signing certificates that expire within two days or something. You can only revoke unexpired certificates, and our signed applications need to run for years or decades, thus the time stamp. In theory, the OS or scanners could try and check old signing certificates being revoked, but it would not be easy. Angus

It is up to the FTP client to decide whether to start passive mode with a PASV or EPSV command, the former has worked with IPv4 for decades, the latter is required for IPv6 so no check for availability is needed. None of this has changed in ICS in 15 years or more. I've never seen a server refuse a PASV request, even if it supports EPSV as well. It would need changes to the FTP client to prioritise EPSV over PASV, and I'm not likely to get to that for a few weeks. Angus

I started a new thread about C++ 21 October, you replied and agreed to test the new version. All the cbproj packages and some cpp and pas files changed in October, so any comments relating to C++ in V9.3 are irrelevant to building the overnight beta version. Angus

There have been other CVEs in Zlib over the years, and we were slow to update our version, which is why ICS now uses the Delphi version, at least for those using recent Delphi versions. Angus

Extended Passive mode (EPSV) is for IPv6 connections, I'm not aware it has any purpose for IPv4 if that is what you are using. Never heard of active passive mode, can you please show the ICS FTP log. Angus

ICS V8.70 and later come with Zlib 1.2.12 for old Delphi releases, but automatically users the System.Zlib for Delphi 11.1 which had the same release, and newer releases hae newer Zlibs. Not planning to update the built-in version for old compilers, unless there is a serious issue. Angus

{$IF Declared(RTLVersion121)}Result := '12.1';{$IFEND} {$IF Declared(RTLVersion122)}Result := '12.2';{$IFEND} {$IF Declared(RTLVersion123)}Result := '12.3';{$IFEND} // guessing Angus

ICS has a function IcsBuiltWith that uses a lot of defines to get the version, ie 12.2, but not patches. Not much code, but it does need an insert file that does most of the version checking. Several ICS samples report the Delphi version, which is useful. Angus

I mentioned here in October that the beta version of ICS in SVN and the overnight zip now builds (mostly) correctly for C++ and D12.2, V9.3 does not! But I've had zero feedback from C++ users, despite at least three users agreeing to test it. So please stop reporting C++ problems with ICS versions known not to work, and help test the official version. Angus

The Code Sign check is probably failing due to Windows 2008 not understanding the cryptography used, specifically the SHA-256 algorithm. You may have the same problem using other modern signed applications. I don't plan to change anything, we can not support old compilers and operating systems forever. Angus

It is not unusual for applications developed on newer versions of Windows to be used on older versions, Windows 2008 did not even support TLSv12 so using OpenSSL was a way to keep it running, that's what I did for some years. The original problem here loading OpenSSL DLLs can probably be fixed by the method used by all the samples until this year, disable all the new SSL DEFINES and set GSSL_DLL_DIR to the directory for the DLLs, usually that of the application, then load OpenSSL. This is explained in readme9, search for GSSL_DLL_DIR. Angus

I would recommend you use the TIcsIpStrmLog streaming log component, look at the doSocketRemoteClick function in the Snippets sample which is TCP so needs a one line change for UDP, then data just arrives in an event. Angus

OpenSSL loading was totally rewritten in the last year. Angus

I'll look at the logs later, but ICS is not tested on Windows 2008 which is years beyond end of life. My first public server was Windows 2008, but I closed it down in 2019. It was based on Vista, which we don't support either. Windows 2008 R2 was much better, based on Windows 7 which I do still test, since I have a VM with all the old compilers. The problem might be file paths, c:\ProgramFiles did not exist 20 years ago. Windows 2008 was the last Win32 server OS Microsoft sold, only Win64 onwards, which is why some people still use it, on ancient hardware. Angus

Indeed, the EmbeddedWB component wraps the old Internet Explorer stuff which is long obsoleted by Edge, it still works for Microsoft APIs, but not for Google APIs, you need to use Edge. Angus

False virus alarms are a way of life due to the different ways of attempting to detect malicious files. You could try updating to the latest OpenSSL files to see if the problem goes away. I believe I have Windows Defender running on my servers, since Sophos now refuses to run on servers, and I've not seen any reports or issues, nor has anyone else reported problems with OpenSSL for many years. Goggle once decided a five year old OpenSSL DLL on my web site was malicious and immediately flagged my entire web site as malicious when anyone visited it, took a few days to get the block removed, but that is why downloading files from my site now requires a password, to stop Google accessing them with it's flaky detection techniques. Angus

Testing your own client against your own server makes debugging harder. You should test your client against the ICS multi web server sample, specifically post to https://localhost/postinfo.html which logs all URL or POST parameters passed to it, and returns them as a web page, so you know exactly what the client is sending. The server code is in OverbyteIcsSslMultiWebUploads.pas and illustrates how to untangle parameters. For the client, you should be using the TSslHttpRest component which requires less code, look at the doHttpSimpleUploadClick function in the snippets sample, you build your parameters and then simply POST them. SslHttpRest.RestParams.PContent := PContUrlEncoded; SslHttpRest.RestParams.AddItem('FileTitle', mytitle); StatCode := SslHttpRest.RestRequest(httpPOST, myurl, False, ''); You can test all this against your server using the OverbyteIcsHttpRestTst sample. Angus

You need a data centre hosted server, either a physical machine you rent or own, or a virtual private server running on data centre hardware, you then have complete control over what applications are installed, not sure why you want FMX unless for Linux. I have a hosted Dell rack server in one data centre, and a secondary VPS in another, running all my Delphi servers. But many companies just order virtual servers from Azure, AWS and others, which have the benefit of scaling, but can be horribly expensive. Azure seems easy to buy, I've been getting spam emails from 50 or more Azure VPSs in India, USA, Netherlands and the UK, Microsoft seems to sell VPS to anyone. Angus

But that low end testing may also be done in a virtual machine with minimal resources, at least for applications that don't need specific hardware resources. I still have my ancient Windows 7 development PC that I mainly use for burning DVD off-site backups. But also for some backward testing, don't power it up very often. Angus

There are several ways to use the HttpRest component, it is possible events may sometimes be called more than once. Is it a problem? Angus

I integrated YuOpenSSL into ICS three years ago and alternate using it and OpenSSL for testing. ICS also allows the OpenSSLs to be compiled into applications as resources to ease distribution and DLL hell, all three variants work identically. But applications are larger with YuOpenSSL or resource files. Using SChannel may seem simpler, but your cryptography and updates are then locked to the OS, Microsoft only reluctantly support TLS/1,2 With Windows 2008 but did not support EC certificates, and TLS/1.3 took a long time to arrive. In ICS, I've worked with many of the Windows crypto APIs, and they are horrible. Angus Angus

This was a bug I introduced in V9.3 attempting to reduce the amount of string casting by avoiding AnsiStrings which normally give compiler warnings, but not in the case of bad pointer casting, and the SMTP unit is unique in building strings using pointers. The AnsiString cast mentioned earlier fixes the problem, not in SVN yet. Angus