Posts posted by Angus Robertson


  1. Quote

    I got compilation errors, not in the declaration but when using the TObjectList descendant.

    I only updated two ICS components derived from TList, not TObjectList, with NativeInt, by creating a new {$DEFINE TListNatInt} for 12.2 and later and then using conditional code, tested in 1.2 and 11.3; TObjectList may need a different approach.

    Angus


  2. Assuming the warning relates to TList.Items[Index] changing from Integer to NativeInt, I created alternative versions of the SetItem and GetItem functions with NativeInt.

    Our library needs to support older versions like 12.1 without warnings, so DEFINEs for 12.2 and later complicate it; you can probably just change a few Integers to NativeInt.

    Angus

  3. The OverbyteIcsSslMultiWebServ sample serves both web and websocket pages, since all websocket requests start with an HTTP request to port 80/443.

    But you can remove all the code relating to creating web pages from the sample, the OverbyteIcsSslMultiWebxx units, etc., leaving just the default page and the websocket handlers ClientWSxx and WSxx which do the websocket events.

    I will look at a new simple web server sample, similar to the client snippet samples, but it is unlikely to be ready for the next release.

    Angus

  4. Quote

    It would be nice to have a benchmark between esegece HTTP/2 vs ICS HTTP 1.1.

    I would expect the difference downloading a 100M file to be a tiny percentage, likewise making 100 sequential short 1M requests, or 1,000 sequential API JSON requests.

    HTTP/2/3 might be faster if you are doing 20 parallel API requests, if the application supports that.

    I added a Websocket API interface to one of my servers recently to allow thousands of requests on the open socket; I tested 50/sec, but my customers were using scripts that only managed two WS requests a second.

    What specific application do you need http/3 for?

    Angus


  5. I looked at MSQuic when it came out with a view to supporting it in ICS. For Linux, MSQuic uses a forked OpenSSL version, but SChannel for Windows, so MSQuic requires the latest Windows OS.

    From a Delphi perspective, MSQuic does not include HTTP/2 or HTTP/3 protocol support, and I'm not aware of any Delphi native implementations of either, only the nghttp2 DLL solution, and external DLLs are less than ideal for Delphi applications.

    I'd like to write a Delphi HTTP/2 implementation for ICS, but it really needs to be sponsored. I cannot justify the time myself, and would rather work on more useful projects.

    To my knowledge, there are no functional benefits to HTTP/2 except performance with complex web applications with hundreds of elements on a page, and Delphi is not usually used for complex pages.

    The OpenSSL committee declined to accept the complex QUIC fork and instead added QUIC in a different way; the client version is available now, and the server version has just started alpha testing. But without HTTP/2 for client and server, there seems little point in adding QUIC to ICS.

    Angus

  6. OpenSSL has released new versions of the active versions, 3.3.2, 3.2.3 and 3.0.15, which include a moderate priority security fix that may cause applications verifying a specially designed SSL/TLS certificate to crash.

    Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

    In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information; see the RC file. The RES file may be linked into application EXE files, and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately.

    ICS V9.1 and later optionally support loading the resource file.

    These OpenSSL versions are included with ICS V9.3 due for release within two weeks, but available from SVN and the overnight zip.

    Separately, YuOpenSSL has released 3.0.15 and 3.3.2 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

    Note: OpenSSL also released 3.1.7, but this ceases support in less than a year and has two newer releases, so we've stopped building binaries for it. 3.0.15 is a long term support release, so it is still being built.

    Angus


  7. Your email server is incorrectly configured; it uses an invalid SSL/TLS certificate, so no-one can send you email securely.

    Connection to 202.164.22.101:25 from 217.146.102.137:55591 succeeded (Id: 1)
    RSP: 220 pleskhosting.webclick.com.au ESMTP Postfix
    CMD: STARTTLS
    RSP: 220 2.0.0 Ready to start TLS
    Certificate name mismatch. Expected Hostname: mail.justdata.com.au,
    Certificate Information: Subject=CN=*.webclick.com.au Issuer=CN=Sectigo RSA Domain Validation Secure Server CA

    Angus
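    An added example, not from the post above or from ICS, that reproduces the name check behind the trace: it pulls the expected hostname and the certificate CN out of the quoted lines and applies the wildcard-label rules, so the mismatch is explained rather than just reported. The trace is re-typed here as constructed input; a real check also consults the certificate's SAN dNSName entries, which the trace does not show.

```python
import re

# Constructed sample: the STARTTLS trace quoted in the post, re-typed as input.
LOG = """\
Connection to 202.164.22.101:25 from 217.146.102.137:55591 succeeded (Id: 1)
RSP: 220 pleskhosting.webclick.com.au ESMTP Postfix
CMD: STARTTLS
RSP: 220 2.0.0 Ready to start TLS
Certificate name mismatch. Expected Hostname: mail.justdata.com.au,
Certificate Information: Subject=CN=*.webclick.com.au Issuer=CN=Sectigo RSA Domain Validation Secure Server CA
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Reference-identifier match in the style of RFC 6125: case-insensitive,
    label by label, and a wildcard is honoured only as the whole leftmost
    label, covering exactly one label. So *.example.com covers a.example.com
    but not a.b.example.com, example.com itself, or another domain entirely."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards that would span a whole TLD or bare domain ("*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "mail*" are not accepted
    return p == h


def check_trace(log: str):
    """Extract the expected hostname and certificate CN from an ICS-style trace
    and report whether the name should have been accepted. Returns None when
    the trace carries no name-check line."""
    exp = re.search(r"Expected Hostname:\s*([^\s,]+)", log)
    cn = re.search(r"Subject=CN=(\S+)", log)
    if not exp or not cn:
        return None
    return {
        "expected": exp.group(1),
        "cn": cn.group(1),
        "match": hostname_matches(cn.group(1), exp.group(1)),
    }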


  8. My mail server does not block domains, but IP ranges used by spammers and hackers, about 800 at the moment. Three emails this morning were trying to get my email account password, so two more hosting companies in Italy and South Africa are now blocked; the third was from a Google user account, sad that Google allows hackers to send faked emails.

    If it's my server blocking you, which is rare, please send the log as a message via this platform.

    Angus


  9. I've made a change to TSslHttpRest adding a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self-signed private certificates.
    If CertVerMethod = CertVerOwnEvent, during OnSslHandshakeDone the component calls a new event OnSslCertVerifyEvent where the application can check the chain and change the verify result appropriately, maybe checking certificate serials, names or the public key.

    Not tested yet; I need to update the sample with the new event and some sensible code to check a self-signed certificate, not until next week. Supporting the new OpenSSL for raw public keys will take longer; I need to do the server stuff first so I can test clients.

    Angus


  10. Error 451 is not something I often see, not using my servers. So please email logs generated by the component showing all FTP commands in a session to the email you'll find in the source.

    I'd also recommend you test against other FTP servers to see if it's a client or server problem; you can upload to ics.ftptest.org, which is the ICS FTP server, but you'll need a login I'll send you when I have your email address.

    Angus


  11. Effectively, when validating the chain, OpenSSL and ICS are checking that the chain is signed by a public key in a certificate in the store; you are just trying to skip the certificate overhead.

    I've found the new OpenSSL APIs to make the server use a raw public key instead of a certificate, and likewise for the client to check it; now I need the time to test it all.

    Angus


  12. The best way to handle self-signed certificates is the way ICS does it: the server components use an ICS intermediate certificate to create a CA signed certificate if a real one is missing.

    ICS includes two intermediates signed by the ICS root: a short 200 day intermediate version for which the private key is distributed, and a two year one for our use only.

    You can use these or create your own versions with ICS samples or components, create your own CA signed server certificates, or if using our servers let it happen automatically, and ensure your clients have the root certificate in the store; only that certificate, no others, is necessary. The ICS root gets loaded automatically for all ICS applications.

    If you want to use real self-signed certificates, TX509Base has a method X509PubKeyTB that gives you the public key; save it on the server and distribute it to your clients in some way (instead of a root), then extract the public key from the certificate in the OnHandshakeDone event and compare it with your saved version.

    The only catch when using the high level components with built-in chain checking is that there is no chain if you disable checking, but if you enable it, our checking cannot be skipped. I'll need to fix this somehow when I add public key checking.

    Angus


  13. I do have a couple of intermittent FTP bugs on my pending fix list, but since my downloads and uploads always work after retries, I've not got around to investigating them yet.

    The GitHub report relates to the socket being closed too early; ICS normally waits until all data is processed before closing a socket, using the CloseDelayed method, but I'll look at the code next week.

    Angus
