Angus Robertson

Looking at the code, this D7 bug was fixed back in February and has been in SVN since then, but I will test it again soon.

Angus

The main advantage of SvCom was being able to create dual GUI/service applications, so you can run your service in the IDE under the debugger, often with a few VCL controls, and also install it as a service and run it in the background. 

One of my applications runs as both a service and GUI at the same time, depending on how the client configures it, with the two instances communicating, so the GUI shows everything the service is doing, it has a very complex GUI.  

DDService can be used similarly, but is less forgiving about the controls and the service will not start when certain third party controls are used. 

Debugging an application using TService, etc means a lot of logging or generally have a GUI test application to debug the main code. 

Angus

Sorry, can not tell you that, I never bought a copy of SvCom that would run on modern compilers, no idea if they still issue updates for new compilers.  It was a good product in it's time, but despite coming with source code it still had some licensing magic that might never be updated for new compilers, so risky long term.

Angus

SVCom is better than DDService in it's support for interactive applications with lots of VCL components.  DDService fails to start if the form contains some third party components, but seems mostly fine with simple components, memo, edits, buttons, etc. So there is come magic going on in the modified forms unit that SVCom uses. 

But I was always concerned about long term support for new compilers, since SvCom has obscure licensing checks which is why I've been updating and supporting DDService for several years and now use it for all my server applications. 

Angus

In order to provide a timeout for async methods, the component would need to include a timer, using an extra handle and resources. When you have 100 components running in parallel, that is very inefficient, thus the design where the application is responsible for timing out unresponsive components.   Some server components do include a timer for that purpose, but rarely do applications need more than one server component. 

Angus

Quote

Using GetASynch is not triggering anything for me.

Correct, as designed, there is no timeout if you use the async methods, only sync.  

In my applications that use multiple components in parallel with async methods, and in the ICS servers, I use a single timer that loops through all active connections checking duration and cancels any taking too long.  

If you are using threads, you must have something in the Execute method looping waiting for an async result, so use a tick counter there.

Angus

The timeout property is for synchronous methods, wait x seconds for a reply, perhaps you are using async methods? 

ICS is mostly used async, so hundreds of parallel requests can be made without needing threads. The only issue will be DNS look-ups which are effectively blocking. 

Angus

Delphi 7 will get tested for the next ICS release which is running a month late, no point in testing until all the changes are complete and the packages updated, soon.

Angus

ICS has always had functions to read certificates from the Windows Certificate Store.  They have been significantly improved in the last year to import and export certificates and private keys into TX509Base so they can be used by other ICS objects.  More changes are due next week, once I've finished another new component.

Angus

TX509Certificate is part of Delphi DBX Framework, but most properties are documented as 'Virtual abstract method to be implemented in child classes' and the unit has exactly one line of code for the object. So effectively it's useless.  

You'll need to use a third party solution, like the one I mentioned.

Angus

I see at least two different companies have components called TX509Certificate, maybe more.  So which are you using and have you looked at it's documentation?

ICS has TX509Base that has methods to load certificates from various file types or text, and report them in various ways. 

Angus

I'll look into improving the error handling next week. 

But if this happens in a real application, you should have OverbyteIcsWSocket.LoadSsl much earlier so OpenSSL only gets loaded once, and you handle error before starting requests, see any of the SSL samples. 

Angus

Ultimately, if the DLLs are missing and you make an SSL request, you will get an exception sooner or later. 

Angus

I'd suggest if you call StartSslHandshake without previously loading OpenSSL or initialising an SslContext, you need to revise your code when using low level components.  The newer higher level components do all the OpenSSL set-up for you, so errors like this won't happen. 

This will only be fixed if you can reproduce it in an ICS sample, it really is not possible to check OpenSSL has been opened before every single OpenSSL function. 

Angus

The OverbyteIcsSslMailSnd1 email sample was improved to show when OnGetData is used and ignored.

OnGetData is really a historic event to get one line at a time, now it is more common to set an entire message at the start and let the component handle encoding, line endings, etc.

Angus

Thanks for the unit, should be in SVN next week with an updated PemTools sample.

Angus

Can you please email me the complete edited unit, pasting from this forum often leaves unicode characters where we don't want them.

Once you have the cert and key in a TX509Base object, that can be used for ICS servers, although less easily with IcsHosts which is designed to read files. 

Angus

There was a large SVN update yesterday, including SSL client certificate support in the proxy server, and improved logging in the REST client, so you know if a client certificates was requested by the server. 

Available from SVN and the overnight zip.

Angus

PemTool used to work for client certificates, but I broke it when adding international domain support, where spaces and @ are illegal.

Angus

This is working now, the proxy log says:

Http > 443/443 (3) Source 17 - Client SSL Connected OK with TLSv1.3, cipher TLS_AES_128_GCM_SHA256, encryption AESGCM(128), message auth AEAD
Client certificate received, should we trust client?
CN: angus@magsys.co.uk, Issuer: Self Signed, Expires: 09/04/2030

and the event can be adjusted to either check a common name or an issuer name for corporate certificates. 

The hardest part was testing, I had to correct PemTool to properly create client certificates before Firefox would send one, I'll include a new test client certificate with the samples since this keeps coming up.

Will be in SVN in a day or so.

Angus

Thanks, this was fixed last week when you reported it by email, it will be in SVN in a day or two.  However, ICS does not use DECRYPT_MESSAGE_FN .

Angus

<error linking to  "libssl-3.dll">  is not an ICS error message, we load the DLL once, not for each request.  So there is something else happening here...

<connection closed prematurely>  is usually the server saying go away for some reason, perhaps busy, might not like the SSL options offered. 

Angus

That error should be found by runtime range checking, probably enabled for release but not debugging.

Angus

voci[3] will cause an exception since its length is only 3, base 0.

No idea what this has to do with ICS.

Angus

Exceptions in OpenSSL are almost impossible to trace, but incredibly rare.  Nothing in the logs will be useful.  Does it happen to several different servers or just one specific servers? 

In server applications, OpenSSL errors are common when hackers attempt to access them using invalid protocols, I get dozens a day on my public servers, but rarely do they cause an exception.   I assume this is the REST client?

Before looking at the ICS code, always check the server actually works properly using https://www.ssllabs.com/ssltest/

Angus