Angus Robertson

There would only have been C++ fixes if someone else found a problem and told me, I don't write or test C++. 

You should try ICS v9 which is released now and report any issues, ideally with fixes.

Angus

The usual way to ensure OpenSSL is only loaded once is to drop an SslContext on the form, or create it once when the program starts. 

Ideally you initialise it once as well, since that is when the DLLs are loaded, and check to see if the DLLs are actually available to report errors before requests start. 

The high level components and servers have multiple SslContexts so in that case you call OverbyteIcsWSocket.LoadSsl when the form is created, and OverbyteIcsWSocket.UnLoadSsl;  when it's destroyed, as illustrated in numerous samples. 

You normally set several global variables before calling LoadSsl depending on whether you want old or new OpenSSL versions to be loaded, or from a specific directory, whether you need the legacy DLL, or checking the code signing signature for malware, again in all those samples.

Angus

I never said MultiThreaded would solve your problem, I said it was a mis-use of ICS for threads not to use it, it might work in simple cases, but not in most applications. 

I've already answered most of your other questions with previous comments. 

ICS how no knowledge of threads.  It does reference count loading OpenSSL, but that only works if you free components correctly, so OpenSSL also gets unloaded correctly.

Clue: what happens with errors when there is a large amount of code in a try/finally/end, and when you don't close connections first. 

Angus

IOCP may have some benefits with threaded applications, but those are very rare with ICS. 

I did some FTP testing a few years ago, ICS was opening over 100 non-SSL connections each second, slower with SSL due to all the negotiation that goes on and IOCP would be irrelevant there. 

I thought IOCP with TCP was mainly for speeding up transmission, sending larger blocks or files or something. 

But ICS is quite fast already, I transfer files using ICS FTP between my two public hosted servers in different data centres each night, and file transfer is usually 300 to 400 Mbit/s, less than the gig ethernet port speed, but respectable for the public internet, via routers and firewalls. 

Angus

Why would you need IOCP with ICS?

Angus

Surely those headers are sent with the WebSocket Upgrade request?  Why send them again perhaps each second on the same TCP channel, what would the server do with them?

Angus

I guess the point is the WebSockets protocol is supposed to be lightweight, and not cluttered with unnecessary headers.  Why are you not sending the header information as WebSocket data packets. 

A configurable option would be needed to bypass that clean-up code.  I'll put it on the list, but taking a break from ICS for a couple of weeks.

Angus

ICS has various components for SMTP mail, all with the latest SSL/TLS., free from  https://wiki.overbyte.eu/wiki/index.php/ICS_Download

Look at the OverbyteIcsMailQuTst sample which can now be downloaded pre-built.

Angus

ICS V9.0 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download

ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 3.1.2 win32, with other versions of OpenSSL being available from the download page.

ICS V9 is planned to be a long term support release with no new components or major features added, just bug fixes as needed, major changes will be for V10.  V9.0 has been tested with Delphi 7, but I had to make changes to several new components due to missing language features and TWebBrowser does not exist, so V9.0 will be the last tested with D7.  Delphi 2007 is easier to support for those building ANSI projects and will become the oldest version supported.

An overview of the new samples and components was posted in this group a few days ago, and is included in the download page.  

The full release notes for V9.0 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.0

All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples

The Getting Started page at https://wiki.overbyte.eu/wiki/index.php/ICS_Getting_Started has also been updated with all the new components.

Angus

Thanks, fixed.

Angus

I bought a YubiKey 5 NFC recently to test, not spent much time with it yet, the documentation and tools are clear as mud, not managed to install an SSL certificate on it yet...

Angus

A little research showed Digicert was only supporting Safenet dongles. 

But at least the concept of allowing the end user to load the certificate into the dongle rather than shipping it removes that major obstacles for users outside major countries. 

Also surprised to find K-Software has updated it's web site for the first time in years, thought it was moribund, ignoring emails, etc.   But prices massively higher,  $313 for one year.  I paid $188 for three years which is now $657 for the same thing, some massive profiteering going on here.

Angus

Looking at the Digicert site, they offer:  

My own qualified hardware token - use the Code Signing certificate provisioning application to install your Code Signing certificate on your token.  'Qualified' might be a weasel word...

Also: DigiCert KeyLocker cloud HSM (USD $90.00 / year).  Seems there are more options around.

Angus

17 minutes ago, Kas Ob. said:

was there a UTF8String in Delphi 7

ICS defines Utf8String and Unicode string for old compilers.  We still support Delphi 2007 since I still support my own commercial applications using it, but I stopped using Delphi 7 15 years ago. 

The original poster is making life more complicated for himself by using old ICS components. 

ICS v9 has a new sample Snippets, with several examples of making REST requests, one of which is: 

SslHttpRest := TSslHttpRest.Create (self) ;
    try
        try
            SslHttpRest.RestParams.AddItem('username', myusername);  
            SslHttpRest.RestParams.PContent := PContUrlEncoded;      
            StatCode := SslHttpRest.RestRequest(httpGET, myurl, False, '');  // sync request, no extra parameters
            AddLogText ('HTTP Rest Request Response: ' + IntToStr(StatCode)) ;
            if StatCode = 200 then begin
                AddLogText (SslHttpRest.ResponseRaw);                  
                AddLogText ('Address: ' + SslHttpRest.ResponseJson.AsArray[0].S['address']);    
            end;
        except
            AddLogText ('HTTP Error - ' + IcsGetExceptMess (ExceptObject)) ;
        end ;
    finally
        FreeAndNil (SslHttpRest) ;
    end ;

You completely ignore SslContext, encoding, Json, input and output steams, in most circumstances.

There is a POST snippet, but it uploads a file.

Angus

ICS components could set the MultiThreaded property automatically, but the developer would still need to call IcsWndControl.ProcessMessages somewhere in the thread or the code would just stall, except in the simplest of applications.

Angus

Quote

SSL header always changes by goverment request, so SSL has to be re-re-re-initialized anyway. 

I was talking about loading the OpenSSL DLLs and initialising the environment, not making a request.   The SslContext should be initialised when the thread starts, once, I thought I made that clear before.

Your application is making no attempt to check you are actually communicating with the government servers, no certificate chain checking. 

SSL servers accept hundreds of requests a minute without needing to re-initialise anything. 

Angus

There are two fundamental misuses of ICS in the code snippets supplied.

1  - the code is said to be running in a thread, but the MultiThreaded property of TSslHttpCli is never set, so messages for the thread will be processed using Application.ProcessMessages in a different thread.

2 - More seriously, the ICS components are being created and perhaps destroyed for each HTTPS request made, which is probably the cause of the memory leak, and is also highly inefficient. 

Specifically, OpenSSL is being loaded automatically by the components when the SslContext is automatically iniitialised by the request starting, and perhaps being unloaded when the request ends.  The SslContext is designed as something to be shared by components, initialised once and then reused.  Or OpenSSL can be loaded once when the program starts, to allow use with multiple SslContexts, in servers for instance that use multiple certificates.  Many of the ICS samples show how to load OpenSSL early.

ICS v9 has various improvements relating to freeing and destroying components, particularly when exceptions happen during that process, to ensure that inherited destroys are still called and not skipped which can cause memory leaks.

Having said that, reports of memory leaks using ICS are very rare, and many ICS applications run for weeks or months without a problem.

Angus

Angus

ICS v9 is about to be released, see comments a week ago here,

Part of that release process is building ICS on Delphi 7 and I had to change several new components due to missing language features and components in Delphi 7.  I will not be doing that again, a waste of my time and potentially causing problems for newer compilers if I introduce new errors.

Angus

Current versions of OpenSSL do not work on Windows XP, nor is ICS supported on XP.

I would suggest you remove all the GUI interaction except to a log file, so you know if the problem is ICS or the GUI.

Angus

Delphi 7 is end of life, ICS support has now ceased, I won't be running it up again now ICS v9 has been tested on it.

Also, running TSslHttpRest in a thread is not tested heavily (or atall), being async you can download hundreds of files in parallel in the main thread.  

Angus

OK, seems easy enough, I'll add another TOAOption of OAopAuthBasic and check that in GrantAuthToken to set up basic authentication with the client id and secret.

Perhaps you can confirm the endpoint is content to ignore the client stuff as being part of the parameters, safer not to remove them. 

I'll send you a unit to test next week, but it's missed the next ICS release.

Angus

Unusual, what login data is the required to get the token, something unrelated to OAuth2? 

If you want this incorporated in the component, I'd need an end point and account to test it.  Which grant_type are you using?

Otherwise you could derive your own version of the component and override the method you are using with your own. 

Angus

I always download and install from an ISO image, and mostly write that image to a DVD as well for posterity and repeat installs.  Still got a lot of original CDs from Delphi 1 onwards, and the printed manuals.

Angus

A variation on invite only could be requiring an existing member as sponsor. 

Angus

You can always override the procedure with your own version omitting the MagWait function completely, as some other ICS units do, see TIcsHttpMulti.DoRequestSync in OverbyteIcsHttpMulti.pas,

Angus