Angus Robertson

Posts posted by Angus Robertson


  1. Done a little more research: to connect to this site, the literal SslOpt2_LEGACY_SERVER_CONNECT needs adding to SslContext.SslOptions2. With OpenSSL 1.1.1 this was set by default, but with 3.0 it is not set due to:

    Quote

    Setting the option SSL_OP_LEGACY_SERVER_CONNECT has security implications; clients that are willing to connect to servers that do not implement RFC 5746 secure renegotiation are subject to attacks such as CVE-2009-3555.

    Angus


  2. I'm now seeing the same 'unsafe legacy renegotiation disabled' error on both sites with OpenSSL 3.0, but that error did not happen with 1.1.1. So better, but not really fixed, unless it really is an OpenSSL error that few other sites show up.

    Angus


  3. I added the TSslHttpRest REST component four years ago, to speed up application development by combining several other ICS components needed for HTTPS applications together and building parameters in various ways. It is used for OAuth2 authentication, TIcsTwitter, TIcsRestEmail (Gmail and Outlook), TDnsQueryHttps, TIcsSMS, TIcsInetAlive and SSL/TLS certificate ordering TSslX509Certs.

    The last ICS TSslHttpRest release added various file downloading strategies, including resuming failed partial transfers. The next TSslHttpRest release will add various file uploading strategies using POST, including multipart MIME with metadata content.

    Ideally, there will be new components to simplify access to various cloud services, i.e. TIcsMsAzure, TIcsGoogleCloud, TIcsAmazonCloud, TIcsOSSwift (OpenStack), TIcsMsDrive, TIcsDropbox, perhaps TIcsWebDAV if still used.

    I'm old-fashioned; I don't use any cloud facilities, I just have hosted Windows servers in a rack running the ICS FTP server for all my own upload and download needs.

    So supporting these various cloud protocols needs research and accounts, a lot of reading and testing, and decisions about which specific APIs need support from a component.

    But I guess various ICS users are already using one or more of these cloud providers with their own applications, perhaps also with non-ICS components. Ideally I'd like such users to take ownership of developing and testing the component for a specific cloud service, based on a common template, while I update TSslHttpRest to support the extra features like multipart MIME that are needed.

    So is anyone using ICS for cloud storage?

    Angus

  4. Sorry, I did say I was unable to connect to depatisnet.dpma.de with either version of OpenSSL; it was www.dpma.de that connects with 1.1.1 but not 3.0.

    Not sure what this means; it could be that OpenSSL has improved security that now breaks the site. depatisnet.dpma.de appears to be configured differently, so always fails.

    Someone using Wireshark may be able to interpret the handshaking, but that won't fix anything. It's frustrating that the browsers work; why?

    You could try looking for a proxy that works, but they are often based on OpenSSL.

    Angus


  5. Currently, the ICS REST component sample does not include file uploading, only building, sending and parsing parameters.

    There is an old non-SSL sample \WebDemos\OverbyteIcsHttpPost.dpr that illustrates four different methods for uploading a file using POST, including multipart MIME, which may be tested against the ICS web server samples to receive files.

    It really needs combining with the OverbyteIcsHttpRestTst.dpr sample for modern use.

    Angus


  6. Done a little more research. SSL Labs tests www.dpma.de okay, but it warns that it does not support Secure Renegotiation.

    Using ICS and OpenSSL 3.0.2 I get a different error to depatisnet.dpma.de, 'unsafe legacy renegotiation disabled', but I can connect OK using OpenSSL 1.1.1. There is an OpenSSL issue about this, but it seems OpenSSL is removing support for unsafe negotiations which some older servers try to use. The ICS REST component specifically disables renegotiation, but even enabling it does not allow connection to either web site.

    So I'm afraid my earlier comment stands, misconfigured web server.

    Angus
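
    The same OpenSSL bit that posts 1 and 6 discuss, shown here through Python's ssl module as an added example (not ICS code and not from the original poster): the legacy-server option is kept cleared by default and only set for an explicitly listed host, so the weakening is per-destination rather than process-wide, and a small check recognises the 'unsafe legacy renegotiation disabled' failure so it can be logged as "server lacks RFC 5746" instead of a generic handshake error. It assumes a Python built against OpenSSL 1.1.1 or 3.0; the name ssl.OP_LEGACY_SERVER_CONNECT exists from Python 3.12 and the 0x4 fallback is OpenSSL's own value for SSL_OP_LEGACY_SERVER_CONNECT.

```python
import ssl

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT bit. Python 3.12+ names it
# ssl.OP_LEGACY_SERVER_CONNECT; older builds do not, so fall back to the
# value OpenSSL itself uses (0x4 in both 1.1.1 and 3.0).
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# Error text OpenSSL 3.0 reports when a server without RFC 5746 is refused.
LEGACY_RENEG_MARKER = "unsafe legacy renegotiation disabled"


def legacy_renegotiation_allowed(ctx: ssl.SSLContext) -> bool:
    """True if this context will connect to servers lacking RFC 5746."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def make_client_context(host: str, legacy_hosts=()) -> ssl.SSLContext:
    """Build a client context for `host`.

    The legacy-server bit is cleared explicitly (OpenSSL 1.1.1 sets it by
    default, 3.0 does not) and only set again when `host` is on an
    allow-list of servers known to need it.
    """
    ctx = ssl.create_default_context()
    opts = int(ctx.options) & ~OP_LEGACY_SERVER_CONNECT
    if host in legacy_hosts:
        opts |= OP_LEGACY_SERVER_CONNECT
    ctx.options = opts
    return ctx


def is_legacy_renegotiation_error(err) -> bool:
    """Recognise the OpenSSL 3.0 failure from the posts, given an
    exception or its message, so the caller can log the real cause."""
    return LEGACY_RENEG_MARKER in str(err).lower()


if __name__ == "__main__":
    # Constructed host names, for illustration only.
    allow = ("legacy.example.test",)
    for h in ("modern.example.test", "legacy.example.test"):
        c = make_client_context(h, allow)
        print(h, "legacy renegotiation allowed:", legacy_renegotiation_allowed(c))
```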

     


  7. In technical terms, depatisnet.dpma.de is a crap web site!

    Just run an https://www.ssllabs.com/ test and it says 'Assessment failed: No secure protocols supported', which is very rare; normally poor sites scrape through with a D or E assessment for old protocols.

    As you say, normal browsers seem to display the page OK; perhaps there is some scripted magic relocation going on or the server does not like our Agent string, but that should only be checked once SSL is negotiated.

    Rather than using TSslHttpCli, you should start new projects with TSslHttpRest, which handles all the SSL and logging for you; look at the OverbyteIcsHttpRestTst.dpr sample. Unfortunately OpenSSL does not provide explanations for protocol errors, they just fail.

    Angus


  8. The old download page exists, http://vclzip.bizland.com/v4src.htm, but all the source downloads are password protected and you cannot buy a new license. But maybe someone not using theirs would sell it? I still use VCLZip. Not sure if Kevin is still around; it would have been good if it had been made open source.

    Angus


  9. Ditto, I use Delphi 2007 (and 10.4 and 11.1) on Windows 11.

    Learnt 10 years ago that I needed a backup of the four NET target files, and have restored them numerous times since after Windows Updates.

    Sort of related, I also have a workaround that brings the old Windows Help 32 system back to life, as used by Delphi 7 and many other applications from 20 years ago, but which was removed from Windows Vista and later: https://www.magsys.co.uk/apps/

    Angus


  10. VCLZip was commercial software sold with Delphi source; the last release was about 15 years ago, but I still use it in my applications. It never became open source. So I really need to replace it, but adding a DLL to my projects is a non-starter.

    ZipMaster should ideally build the C code into a DCU so that it can be linked directly, but this would be needed for all compilers. I still use Delphi 2007 for some of my historic projects, too much work to update them.

    Or built to OBJ files like ZLIB that can just be inserted into a PAS unit?

    Angus


  11. Bottom line is testing multiple variants of authentication and proxy settings is a nightmare; it takes a long time to set up all the testing environments locally, so if you want this investigated we will need access to the proxy and server to which ICS is failing to connect. But I won't have time to look for at least a week.

    The change three years ago was done by a user accessing a Windows domain with single sign on, but I guess not via a proxy, which I cannot test.

    Angus


  12. It's unclear to me from the readme and help whether ZipMaster is a linkable Delphi component or a DLL with a Delphi interface.

    The documentation seems to assume you are familiar with the component and not migrating from something like VCLZip.

    Angus


  13. The Ansi warnings relate to my updated version of the AsyncPro adport.pas unit that allows named COM ports to be opened, but this is for 4.06, not recent Unicode versions; you'd need to update whatever AsyncPro you are using with my very minor changes.

    Strange the component did not find one of your modems, although it did find 18 other COM ports you've previously installed. I can only guess Samsung has installed it using different keys; you'd need to check what they are and update the component.

    Angus


  14. OpenSSL has released new versions of the two supported branches, 3.0.2 and 1.1.1n; Windows binaries are available from

    http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp .

    OpenSSL 3.0.2 fixes a high security risk relating to specifically formed SSL/TLS certificates using elliptic curve public keys which can cause OpenSSL to enter an infinite loop and cause denial of service by freezing. The attack can be caused by clients processing bad server certificates, or by servers that request bad client certificates, and many other cases where these bad certificates are processed. The attack has not been seen in the wild; it was identified by Google.

    3.0.2 also allows PKCS12 private keys without a password to be opened.

    OpenSSL 1.1.1n fixes the same bug. The bug is also in 1.0.2 and 1.1.0, but these are no longer supported and users should upgrade.

    Note the binaries are now digitally signed by 'Magenta Systems Ltd' instead of 'Open Source Developer, François PIETTE' due to the massive cost of renewing the open source certificate. Developers can always resign the DLLs with their own signing certificate to remove the Magenta name.

    Separately, YuOpenSSL has released both these versions as commercial DCUs, allowing applications to be used with OpenSSL without needing separate DLLs.

    Angus

  15. The ICS web server sends binary data from a stream. If you want to send UTF-8, you need to make sure that stream is loaded with 8-bit data as UTF-8. I cannot be more specific since there are many ways to build the response page with several helpers.

    ICS 8.41 is ancient; it only supported OpenSSL versions that are no longer supported. You should be using ICS V8.68 and OpenSSL 3, new version today.

    Angus


  16. The ICS proxy component is not designed for use in threads; it listens in the main thread and all clients use the main thread.

    Testing has shown single threaded ICS servers can handle hundreds of simultaneous clients, although using SSL/TLS takes an appreciable time to set up a new connection and is a limiting factor in how many new connections can be accepted each second.

    Exactly how many clients are accessing the proxy simultaneously, using what protocols, and for how long?

    Quote

    response of the main window is very slow.

    Does your proxy have a GUI? That will almost certainly be the reason for the slow down.

    Angus

  17. Microsoft makes it difficult to completely disable Windows Firewall on Windows 10; even if it's disabled you may find the task is still running. The Services GUI does not allow you to disable Windows Defender Firewall; it can only be done by changing the registry and rebooting. Also, doing so can upset applications that attempt to add firewall rules and assume it's always running.

    Not saying this is the reason for your problem; I'd check if you can connect to other servers first.

    Angus


  18. TIcsIpStrmLog can be configured as a server or client; it is a much easier to use version of TWSocket/TWSocketServer, and supports SSL/TLS. The sample application I mentioned can run as both client and server at the same time, sending data to itself. Or you can run two instances on separate PCs sending data to each other. Once connected, there is one event to send a string of data, and another event that receives strings, very simple to use. Unfortunately, the sample looks complicated because it illustrates all the features of the component.

    Angus