Angus Robertson

SVCom is better than DDService in it's support for interactive applications with lots of VCL components.  DDService fails to start if the form contains some third party components, but seems mostly fine with simple components, memo, edits, buttons, etc. So there is come magic going on in the modified forms unit that SVCom uses. 

But I was always concerned about long term support for new compilers, since SvCom has obscure licensing checks which is why I've been updating and supporting DDService for several years and now use it for all my server applications. 

Angus

In order to provide a timeout for async methods, the component would need to include a timer, using an extra handle and resources. When you have 100 components running in parallel, that is very inefficient, thus the design where the application is responsible for timing out unresponsive components.   Some server components do include a timer for that purpose, but rarely do applications need more than one server component. 

Angus

Quote

Using GetASynch is not triggering anything for me.

Correct, as designed, there is no timeout if you use the async methods, only sync.  

In my applications that use multiple components in parallel with async methods, and in the ICS servers, I use a single timer that loops through all active connections checking duration and cancels any taking too long.  

If you are using threads, you must have something in the Execute method looping waiting for an async result, so use a tick counter there.

Angus

The timeout property is for synchronous methods, wait x seconds for a reply, perhaps you are using async methods? 

ICS is mostly used async, so hundreds of parallel requests can be made without needing threads. The only issue will be DNS look-ups which are effectively blocking. 

Angus

Delphi 7 will get tested for the next ICS release which is running a month late, no point in testing until all the changes are complete and the packages updated, soon.

Angus

ICS has always had functions to read certificates from the Windows Certificate Store.  They have been significantly improved in the last year to import and export certificates and private keys into TX509Base so they can be used by other ICS objects.  More changes are due next week, once I've finished another new component.

Angus

TX509Certificate is part of Delphi DBX Framework, but most properties are documented as 'Virtual abstract method to be implemented in child classes' and the unit has exactly one line of code for the object. So effectively it's useless.  

You'll need to use a third party solution, like the one I mentioned.

Angus

I see at least two different companies have components called TX509Certificate, maybe more.  So which are you using and have you looked at it's documentation?

ICS has TX509Base that has methods to load certificates from various file types or text, and report them in various ways. 

Angus

I'll look into improving the error handling next week. 

But if this happens in a real application, you should have OverbyteIcsWSocket.LoadSsl much earlier so OpenSSL only gets loaded once, and you handle error before starting requests, see any of the SSL samples. 

Angus

Ultimately, if the DLLs are missing and you make an SSL request, you will get an exception sooner or later. 

Angus

I'd suggest if you call StartSslHandshake without previously loading OpenSSL or initialising an SslContext, you need to revise your code when using low level components.  The newer higher level components do all the OpenSSL set-up for you, so errors like this won't happen. 

This will only be fixed if you can reproduce it in an ICS sample, it really is not possible to check OpenSSL has been opened before every single OpenSSL function. 

Angus

The OverbyteIcsSslMailSnd1 email sample was improved to show when OnGetData is used and ignored.

OnGetData is really a historic event to get one line at a time, now it is more common to set an entire message at the start and let the component handle encoding, line endings, etc.

Angus

Thanks for the unit, should be in SVN next week with an updated PemTools sample.

Angus

Can you please email me the complete edited unit, pasting from this forum often leaves unicode characters where we don't want them.

Once you have the cert and key in a TX509Base object, that can be used for ICS servers, although less easily with IcsHosts which is designed to read files. 

Angus

There was a large SVN update yesterday, including SSL client certificate support in the proxy server, and improved logging in the REST client, so you know if a client certificates was requested by the server. 

Available from SVN and the overnight zip.

Angus

PemTool used to work for client certificates, but I broke it when adding international domain support, where spaces and @ are illegal.

Angus

This is working now, the proxy log says:

Http > 443/443 (3) Source 17 - Client SSL Connected OK with TLSv1.3, cipher TLS_AES_128_GCM_SHA256, encryption AESGCM(128), message auth AEAD
Client certificate received, should we trust client?
CN: angus@magsys.co.uk, Issuer: Self Signed, Expires: 09/04/2030

and the event can be adjusted to either check a common name or an issuer name for corporate certificates. 

The hardest part was testing, I had to correct PemTool to properly create client certificates before Firefox would send one, I'll include a new test client certificate with the samples since this keeps coming up.

Will be in SVN in a day or so.

Angus

Thanks, this was fixed last week when you reported it by email, it will be in SVN in a day or two.  However, ICS does not use DECRYPT_MESSAGE_FN .

Angus

<error linking to  "libssl-3.dll">  is not an ICS error message, we load the DLL once, not for each request.  So there is something else happening here...

<connection closed prematurely>  is usually the server saying go away for some reason, perhaps busy, might not like the SSL options offered. 

Angus

That error should be found by runtime range checking, probably enabled for release but not debugging.

Angus

voci[3] will cause an exception since its length is only 3, base 0.

No idea what this has to do with ICS.

Angus

Exceptions in OpenSSL are almost impossible to trace, but incredibly rare.  Nothing in the logs will be useful.  Does it happen to several different servers or just one specific servers? 

In server applications, OpenSSL errors are common when hackers attempt to access them using invalid protocols, I get dozens a day on my public servers, but rarely do they cause an exception.   I assume this is the REST client?

Before looking at the ICS code, always check the server actually works properly using https://www.ssllabs.com/ssltest/

Angus

Sorry, a quick scan of the TIcsProxy code suggests that client certificate checking is not yet supported. 

It should be happening in TIcsProxy.ServerHandshakeDone which needs a new event onServerHandshakeDone which passes PeerCert to the application where you can check it and cause the client to be disconnected for an invalid certificate (see the web server).  

I'll try and do it next week.

Angus

OpenSSL has released new versions of the three active branches.

These fix a moderate severity security issue CVE-2023-2650, which is a possible denial of service translating ASN.1 object specially crafted very long identifiers in X509 certificates, OCSP responses, PKCS7/SMIME, CMS, CMP/CRMF or TS from malicious web sites.

Windows binaries are available in SVN and the overnight zip file and separately from

http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

Separately, YuOpenSSL has released 3.0.9 and 1.1.1u as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

Angus

Very rarely should you need to use SSL DebugLevel logging DebugSslLow, generally DebugSsl gives all the information you need. 

In this case, also set SslReportChain true and it will log the certificates in the chain, allowing you to see why verification failed, either the server is misconfigured and did not send an intermediate, or the intermediate is signed by a root CA that is not in the store you specified.  ICS has different CA stores with varying numbers of certificates, there are hundreds of CAs, but only a few dozen are common.

Angus