Angus Robertson

We are going in circles here, even if you load the certificate into the context a subsequent error will happen since there is no private key with the certificate.  

The TX509Base and TMsX509List classes can hold a private key, but if you use PemTool to list a store you'll see it reports 'Private key in User Store, Could not export private key - The requested operation is not supported'.  Only the Microsoft crypto functions can access the private key store, and OpenSSL does not use them.

For your own code, you don't show a definition for lMsX509List nor how you are indexing into the list, but it should be something like FSslCertX509 := MyList{x]. or MyList.Items[x]

Angus

No, the question is why if you already have a PFX file with a private key, you are installing it into the Windows Store in the first place, then reading it again without the private key and expecting it to work as a server certificate.  Why not use the PFX directly. 

The ICS pemtool loads certificates into the windows into the Windows Store correctly, I do it all the time to use Let's Encrypt certificates with IIS.  

The exception will be an error in your code.

Angus

So you are attempting to use a certificate from the Windows store as a server certificate? 

How did you set the private key for this certificate. You can not extract private keys from the Windows store?  Server certificates are useless without a private key.

Private keys are kept by Windows in a different store and linked to certificates, but not stored together.  Windows itself provides a means to export certificates with a private key, if allowed, but this is not implemented by ICS, not sure if the APIs allow it.  Most certificate have key export blocked to stop them being stolen. 

Angus

Can you please explain the purpose of using a certificate from the Windows store?  Is this in your client or server application, as a server or client certificate. Is your server or client giving an exception? 

Angus

The ZLIB changes to use System.Zlib are now in SVN, considerably simplified so two defines are now only used once each in one unit, making it easier to support. 

But you do need to use the new OverbyteIcsDefs.inc or edit your own version, see the SVN notes.

Angus

Sorry, yes 21H1 is out of support in two months, 21H2 I guess has another eight months.

Angus

My Windows Server 2019 is version 1809, the long term support version of Windows 10, which Microsoft promises not to break with untested Windows updates. 

The TLS bug seemed to be 21H2 only, for both Windows 10 and 11, and 10 21H2 is out of support in two months anyway. 

Angus

To send custom error responses you can create overloaded versions of Answer404, etc, in your version of THttpConnection or THttpAppSrvConnection.

Angus

Just done some testing using the D11.2 TRESTClient component on Windows 11 Enterprise 22H2  fully updated,

It seems all TLS protocols are still available to the client.  I have servers built with the ICS web server component that can report the TLS client hello packet that tells the server what protocols the client can accept.  The URL is https://api2.telecom-tariffs.co.uk/serverinfo.htm  which returns an information page about the server and client connected, for the TRESTClient with all TLS boxes ticked the Hello starts with:

Client Hello: Server Name: api2.telecom-tariffs.co.uk, ALPN: , Versions: TLSv1.2, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1.0, TLSv1.3 Key Share Data

which means all four protocols are accepted, ticking just TLS12 and only that protocol appears in the Hello, and works.  Windows 11 also connects with TLS/1.3 if requested, without registry patches.  However, I may have previously done the patches two years ago when first testing TLS/1.3.  I do hack the PC a lot, currently Edge and Windows File Explorer are dead with exceptions.

Angus

It's possible that changing the SSL version tick boxes might require a reboot to be effective, that is certainly the case when you change SSL protocol settings such as ciphers in the registry or using Powershell. 

Angus

In theory, you can do this with the ICS JOSE functions like IcsJoseJWKPubKey and IcsJoseJWSComp that are used to implement the ACME protocol for Let's Encyrpt certificate ordering,

which work with the ICS REST component.  But often these JWT implementations have little tweaks or special features that might mean minor changes to these functions. 

ICS may be installed from GetIt or http://wiki.overbyte.eu/wiki/index.php/ICS_Download.

Angus

You probably have not initialised OpenSSL to load the DLLs with OverbyteIcsWSocket.LoadSsl

Angus

1 hour ago, Lars Fosdal said:

.bat is pretty stoneage. .cmd has replaced it.

But not in the GetIt scripts, and perhaps many other installers, which is why I brought it up.

Angus

Busy finishing off other things, but the System.Zlib implentation will be the most painless and backward compatible solution possible, as are most ICS changes, don't like breaking things.

Angus

The Bookmarks docking window is not in Delphi 2007, so new some time since then, I've never looked for it before since the old way of using bookmarks worked perfectly, until Delphi 11.2.  There are probably numerous other IDE features I've missed as well! 

I do like conditional lines being (sometimes) greyed in 11.2, very useful when working on projects with vast amounts of conditional code.  Did not need to search for that, just worked.

Angus

Delphi 11.2 seems to have new IDE bookmarks behaviour, which I understand is an IDE Bookmarks addin from Parnassus. 

In the IDE I have dozens of tabs open with different units, with bookmarks in a few of those units.  If I right click to show the Bookmarks menu it lists bookmarks in the current unit, but if I select one the editor cursor jumps to a random bookmark in a different unit instead of the current unit. 

Just discovered there is a new docktable Bookmarks window that seems to work for the current unit, but the right click menu bookmarks I've used for 20 years are still useless.

Angus

Yes, this is illustrated in the PemTool sample, on the Certificate Tools tab, select a Windows store and click Display Cert Store. 

This fills a TMsX509List using the LoadFromStore method, the sample displays the main information for all certificates found, but you can use the Find method to get the certificate with a specific SHA1 digest.  If you want the SHA256 digest you'll have to loop checking each.

Angus

No, the Win64 path issue is not fixed by the patch, you have to manually patch the registry or change the library path, just done it, so ICS packages can again be built.

Angus

6 minutes ago, Vincent Parrett said:

you create a certificate request which you send to the CA - they send back a certificate that can only be installed on the HSM that generated the certificate request.

That concept I can live with for a local dongle, the major problem I have is with shipping physical dongles around the world each year to be updated. customs do not like USB keys.

Angus

25 minutes ago, Vincent Parrett said:

Nice idea but will likely fail with hardware tokens - the private key stays on the token - so you need client software to allow the code signing tool to access it.

Yubico has a SDK for the ubiHSM 2 FIPS dongle which can be used with older OpenSSL releases using engines, then Osslsigncode updates the PE file authenticode signature.

TPM2 might be easier, not sure if Yubico supports it.

Angus

I signed the OpenSSL binaries with a Certum dongle for a while, that prompted for a password for each file which was a pain, then Certum told us the dongle was obsolete and we'd have to buy a new one, so gave up and now using my Comodo/Sectigo certificate.

One possible solution is to use OpenSSL to sign Windows PE files, there is project Osslsigncode intended to sign on Linux but can be built for Windows. Another project has a TPM2 provider for OpenSSL that should be able to read keys from dongles, although not checked if the Yubikey is a TPM2.  Not a trivial project, but might be a good solution.

Angus

Not sure the current Microsoft API information is correct, I thought gethostname goes back to the early days of Windows, and Microsoft simply no longer documents versions of Windows it does not support. 

Reporting bugs to Microsoft is hard work, a while back I did get one fix where a SQL ADO DLL was leaking a handle for each async call, but it took a lot of effort, I rewrote my application to use a thread instead.

Angus

The date for this change was 15 November 2022 but has now been postponed until June 2023.

One way to put off the inconvenience of buying a $200 dongle and shipping it around the world is to buy a multiyear certificate now. 

I've got a three year certificate from K Software for $209, SSL.com would be $330 for three years, they sell durations up to 10 years, not sure that is allowed now.

Angus

Did the German language post suggest an alternative API? 

gethostname is used by the ICS LocalHostName function, and from my reading there is no alternative API.  I guess the namespaceserviceprovider debug error is because the computer host name can come from several places, and internally an error on one location will cause it to look elsewhere. 

So it's something we just have to live with. 

A Stack Overflow suggests it's a Windows 11 bug:

The behaviour you're seeing seems to be due to Layered Service Providers being deprecated as of Win11 (and potentially an upcoming Win10 update).

GetHostByName is listed as deprecated, but GetHostName is not and also displays the same behaviour. In both cases the method queries any available namespace service providers first and then falls back to querying the NetBIOS name if none are found. As of Win11 it seems the call to enumerate the namespace service providers fails internally, generating the debug output you see.

Angus

No decision yet on how many old releases the next major version of ICS will support, partly down to age of old new language features, and partly because each time I add a new unit I have to update 100 to 200 .dpr, .dprog and .cprog files, something we should have automated a long time ago, but it's quicker to do it manually each time...

ICS V7 will still be supported for new compilers and OpenSSL versions (unless totally breaking) and major bugs, but no new components or features, unless another contributor takes over that support and testing, I've now migrated all my D2007 projects to D11 so don't need to use D2007 any longer. 

Angus