
Angus Robertson


Posts posted by Angus Robertson


  1. OpenSSL has released new versions of the three active branches.

     

    These fix a low severity security issue which is a possible denial of service when checking long DH parameters which ICS no longer uses, but could potentially be used in certificates for malicious web sites.

     

    Windows binaries are available in SVN and the overnight zip file (tomorrow) and separately from

     

    https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

     

    Separately, YuOpenSSL has released 3.0.10 and 1.1.1v as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

     

    Angus


  2. Sorry, I updated various definitions from the 'latest' JWA file and that is also missing the semicolons. 

     

    I'll update it again, should be in SVN tomorrow. 

     

    In about a week, can you please check for other C++ errors in the overnight zip, the next release will be the last to support these old compilers, and maybe C++. 

     

    Angus


  3. Although we distribute OpenSsl.exe, it is not something we support, there are numerous online resources devoted to OpenSSL scripts, which many people use, but Delphi users normally write code with the APIs. 

     

    You can test signing text and streams with the OverbyteIcsJoseTst sample, and the OverbyteIcsPemtool sample has some very old encryption functions on the Extras menu, but there has never been demand for encryption using OpenSSL since there are native Delphi packages around.

     

    Angus

     

     

     


  4. SVN and the overnight zip include changes that allow ICS SSL servers to use certificates from the Windows Certificate Store instead of using disk files. 

     

    Apart from rebuilding, no code changes are needed, simply add one line to the server configuration file. 

     

    The HTTP Rest sample will be updated shortly to use a client certificate from the Windows Store. 

     

    There is now a simple method LoadOneFromStore that creates a bundle in a TX509Base with certificate, private key and intermediates that can be used in any ICS projects, it can be tested in the PemTool sample. 

     

    Angus

     


  5. I only work with Delphi and Windows platforms, any support for C++ or other platforms in ICS is dependent on other developers, and such contributions are very rare. C++ support will cease unless someone comes forward to take responsibility for it. 

     

    I have no commercial need for mobile platforms, and my own requirements are the driving force behind my contributions to ICS over the last 20 years. 

     

    Angus

     


  6. The debug output I see daily with internet applications and Windows 11 is:

     

    onecore\net\netprofiles\service\src\nsp\dll\namespaceserviceprovider.cpp(550)\nlansp_c.dll!
    708884C8: (caller: 76C0E326) LogHr(10) tid(4f74) 8007277C No such service is known. The service cannot be found in the specified name space.

     

    Guess Microsoft does not run its own applications under a debugger.

     

    Angus

     


  7. If the connection is closed prematurely, you have no idea how much data the remote client successfully read. 

     

    So your high level protocol needs some method of confirming how much data was received and what to send.  The FTP and HTTP protocols allow such a thing, in different ways.

     

    A few months ago, I was debugging the ICS FTP client and server handling resumed transfers of 50GB files over the public internet, which was fun.  They always worked on a LAN, but the FTP control connection was being closed by some horrible router somewhere after an hour or two of inactivity.  But it all works now.

     

    Angus
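
Added example, not part of the original post and not ICS code: a small Python simulation of the point made in post 7, where the sender's own byte count overstates what arrived, so the resume offset has to come from the receiver (the role the FTP REST command or an HTTP Range header plays). The `FlakyLink` and `Receiver` classes, the function names and the payload are constructed for illustration.

```python
import hashlib

class FlakyLink:
    """Constructed stand-in for a connection that dies mid-transfer.

    It accepts every write, as a socket send buffer would, but delivers
    only the first `deliver_limit` bytes to the peer before the drop.
    """
    def __init__(self, receiver, deliver_limit=None):
        self.receiver = receiver
        self.remaining = deliver_limit  # None means the link stays up

    def send(self, chunk):
        if self.remaining is None:
            self.receiver.on_data(chunk)
            return len(chunk)
        delivered = chunk[:self.remaining]
        self.remaining -= len(delivered)
        self.receiver.on_data(delivered)
        return len(chunk)  # the sender still believes it all went out

class Receiver:
    def __init__(self):
        self.data = bytearray()

    def on_data(self, chunk):
        self.data += chunk

    def confirmed_offset(self):
        # Reported to the sender on reconnect: bytes actually held.
        return len(self.data)

def send_from(payload, link, offset, chunk_size=4096):
    """Send payload[offset:] and return the sender's own running count."""
    sent = offset
    while sent < len(payload):
        sent += link.send(payload[sent:sent + chunk_size])
    return sent

def transfer_with_resume(payload, drop_after):
    rx = Receiver()
    # First attempt: the link silently stops delivering after drop_after bytes.
    sender_count = send_from(payload, FlakyLink(rx, drop_after), 0)
    # Reconnect: resume from the receiver's confirmed offset, not sender_count.
    resume_at = rx.confirmed_offset()
    send_from(payload, FlakyLink(rx), resume_at)
    # End-to-end digest check confirms nothing was lost or duplicated.
    ok = hashlib.sha256(rx.data).digest() == hashlib.sha256(payload).digest()
    return sender_count, resume_at, ok
```

Resuming from `sender_count` instead of `resume_at` would leave a gap in the received file, which the final digest comparison would catch.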

     


  8. Sorry, no more suggestions, there is no reason to get all those OpenSSL errors. 

     

    Can PemTool open existing P12/PFX files with a password?  My PemTool built last week with Delphi 2007 works fine. 

     

    I'll test PemTool on Delphi 7, but it won't be for a couple of weeks until I do the final new release.

     

    Angus

     


    Before I spend any time looking at this, can you reproduce it using PemTools?

     

    I know this all works since all my Let's Encrypt p12 files use 3DES so they can be loaded by old versions of Windows, in the SslX509Certs unit:

     

        { V8.67 is 3DES available, prefer that so older versions of Windows will load our PFX file }
        if (ICS_OPENSSL_VERSION_MAJOR < 3) or ICS_OSSL3_LOADED_LEGACY then
            P12KeyCipher := PrivKeyEncTripleDES

     

    Angus

     


  10. Because ICS does not have a native SHA-256 implementation, it now uses OpenSSL for digest operations. 

     

    But there is no check in those digest functions to ensure OpenSSL is loaded, I'll add a new specific exception for that. 

     

    To fix the problem, you just need to call LoadSsl or IcsLoadSsl before using the component and make sure the DLLs are available.

     

    Angus

     
