Angus Robertson

OverbyteIcsPemTool 'View Bundle File' button will list each certificate and key in the bundle file, so one of mine starts:

Certificate file C:\certificates\x_magsys_co_uk-bundle.pem
ISSUED TO (Subject)
Common Name (CN): *.magsys.co.uk
Alt Name (DNS): *.magsys.co.uk, *.magsys.uk, magsys.co.uk, magsys.uk

xxx

ISSUED BY
Common Name (CN): R3
Organisation (O): Let's Encrypt

xxx

!! Private key available for certificate: ECDSA Key Encryption prime256v1 256 bits, 128 security bits

!! Intermediate certificates: Total 1
#1 Issued to (CN): R3, (O): Let's Encrypt

If it does not say !! Private key available, the file can not be used for SSL/TLS client or server, the intermediate is required for most server applications, but probably not for clients. You may need to specify a password to read the private key. 

Angus

Quote

"c:\Program Files (x86)\Embarcadero\Studio\22.0\bin\GetItCmd.exe" -l= -f=installed

Thanks, useful, but it should also be a menu item somewhere so people can find it without resorting to documentation.

Angus

I built all the ICS FMX packages yesterday with 11.3, no problems. 

Updating GetIt installed components really needs some work, far too many errors and restarts required.  

Being able to print a list of what GetIt has installed and where would be really useful since we expected to repeat it all after a minor upgrade like 11.3.

Angus

The ICS github repository is unofficial and never updated, it should be removed to avoid confusion with https://svn.overbyte.be/svn/ where you will find the latest ICS.

Never tested ICS with jumbo packets, there are no special settings I'm aware of.  More likely to be an OS issue, what are you using?

Angus

While ReceiveStr may not have MaxLen, other similar functions do, so it's backward compatible.  Since it is defaulted, you can ignore it.

Angus

You get different errors as you correct each different problem.

ICS will raise an authentication window for a 401 error, at that point it has no idea what authentication scheme is needed.

You should build the ICS OverbyteIcsPemtool sample and try and open your PEM bundle with the View Bundle File button on the first tab, it should show the certificate details and whether there is a matching private key. 

Angus

SVN and the overnight zip add new client and server components for the MQTT protocol based on work at https://github.com/pjde/delphi-mqtt updated heavily for SSL support.

I notice the original Github repository has been forked over 70 times, so presumably at least that many people were interested in using MQTT, however I'm not sure a person, so while I can see the sample client and server sending data to each other, the new components really need to be tested in a better environment against other clients and servers.  Who can help?

Also, I used Geoffrey Smith's fork, after discussion in this forum, but wonder if any of the other 70 forks have useful additions? 

So if you use MQTT, please try and look at this new version, so any changes and improvements can be done in the new month before it released and becomes harder. 

I deliberately renamed TMQTTParser to TIcsMQTTParser, TMQTTClient to TIcsMQTTClient and TMQTTServer to TIcsMQTTServer to avoid conflicts if the original units are installed, otherwise the new units should be compatible with the original, but with added SSL/TLS if anyone uses that.

Angus

Okay, so the REST server does not want Json but POST with REST Content 'URL, Encoded Body'. 

Angus

I would fix the Json parameters first, that was the "Missing or invalid grant_type" error you received, then worry about headers, most of which are standard.

Angus

Because you have not shown most of the posted parameters, it's impossible to say exactly what is wrong. 

The postman page says there are nine headers necessary, some may be sent already by ICS, others may need adding using 'Extra Headers', where you have typed ExtraHeaders for some reason. it should be headername:headervalue. 

Also Json parameters need to be correctly encoded, if you look at the TRestOAuth.GrantAuthToken method in OverbyteIcsSslHttpOAuth.pas, you'll see that when adding the client Id and secret and other parameters they are added with the Raw option so they are not escaped as Json strings, in the GUI you should replace RPTypeStr with RPTypeObj so that the values are not quoted. 

Angus

ICS installation errors are usually due to the library paths not being updated to that of the packages and source files.   Installing using GetIt does all that automatically, although makes it harder to update to newer versions.

This would be better discussed in https://en.delphipraxis.net/forum/37-ics-internet-component-suite/

Angus

Quote

Options to ICS? It's free which is great but appears development has stopped?

Why would you think that?  The last release was in November 2022 which you can install from GetIt, and the latest SVN update was last week.  The latest OpenSSL DLLs are installed with the samples, updated this month. 

Angus

Yes, but the ICS download page is http://wiki.overbyte.eu/wiki/index.php/ICS

Once you have it installed run the SSLDemos OverbyteIcsHttpRestTst sample, it does everything you need.  However that sample expects your client certificate to be provided as a bundle file for ease of configuration, ie the certificate, key and intermediate in a single PEM or PFX file.  The PemTool sample does all that, although a text editor also works for PEM.

There is an ICS support topic here.

Angus

Quote

how to add the client certificate to the Delphi RestClient or RestRequest?

Client certificates are unrelated to REST, OAuth2 or tokens.  They are an alternate means of server authentication by HTTPS clients to HTTPS servers, not that common except for corporate VPNs and high security financial applications.  It is quite hard to buy a commercial client certificate, for email for instance, they are usually issued by corporates for employees and customers.

I don't use the TRestClient component, but I'm not aware it supports client certificates.  You need a proper component library like ICS that has full support for REST, Auth2, tokens and client certificates.

Angus

Quote

Can we also have function that returns TBytes? It is more convenient in many cases

This will be in SVN next week, seems simpler but needs an extra line of code to check the TBytes length.

Angus

COM tools of that sort from that era using type libraries were usually aimed at Visual Studio projects, specifically Visual Basic, even if written in Delphi.  It was a way of extending the language with features difficult to code in Visual Basic.  Also, VBScript used for ASP web applications. 

Not sure if that will help your searches for the product...

Angus

The old SSL FTP sample has buttons named Delete and Rename which send the FTP command to delete and rename files on an FTP server. 

But you should really look at the OverbyteIcsXferTst sample which uses more modern techniques so you don't need to worry about sending individual commands, you can ask it to sync a local and remote directory and it will delete old files while copying new or changed files 

Angus

You should be using the TIcsFtpMulti component then you can use the FtpUpOneFile and FtpDownOneFile methods (or process hundreds of files in FtpDownFiles).

Look at the OverbyteIcsXferTst.dpr sample. You only need a few lines of code in the application.

Angus

OpenSSL has released new versions of the two supported branches, 3.0.8 and 1.1.1t, Windows binaries are available in SVN and the overnight zip file and separately from

http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

These releases fix several security issues in most versions of OpenSSL, one of which CVE-2023-0286 is rated high relating to processing badly formed X509 certificates and X.400 addresses but can only be exploited if CRL checking is enabled, whereas ICS uses OCSP instead. There are other moderate rated security issues which will mostly just crash the application if exploited.

Details of all fixed 3.0 security issues are at https://www.openssl.org/news/vulnerabilities-3.0.html

Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

 
Angus

Guess I'm thinking primarily from the perspective of Windows VCL and FMX packages, don't get involved in any other platforms. 

Angus

The concept of taking the latest packages and modifying them to be acceptable to earlier versions of RAD Studio would seem rather faster and safer than generating all those packages from scratch using templates and rules.  

Or at least starting from minor modification of the latest packages, such as changing a version name to a macro. 

The tool would then strip out new XML for platforms according to hard coded rules, depending on when they were supported, and so on.  But I've no ideal how much the XML schema has changed over the years.

Angus

It was the MQTT protocol I was proposing to add to ICS, WebSockets is done and dusted.

Angus

Yes, as I said yesterday the Refresh Token will often stay valid for months or even years and can be treated like a password and kept securely, but unlike a password it can be revoked at any time if compromised forcing a new interactive login to get a new Refresh Token.  Note you have no idea about the life of the Refresh Token, so you must allow for it to be rejected.

Angus

The OAuth2 Access Token has a short life, for Google it is usually one hour, little point in saving it in a database, unless you are using that to share information between applications.  That is why you instead store the Refresh Token and use OAuth2 without interaction to get a new Access Token each time you send an email.

Angus

Should clarify my last message about the long lived refresh token, this is for a specific admin email account used by the server to call for help when it's unhappy. 

If the service application needs to send from multiple email accounts, you'll need to be more creative. 

Angus