Angus Robertson

Posts posted by Angus Robertson


  1. If by SFTP you mean secure FTP rather than Simple FTP (a UDP protocol), ICS has a sample OverbyteIcsSslMultiFtpServ.dpr which is really designed to be a Windows service application. It supports multiple SSL hosts with multiple listeners, can order its own SSL certificates and will create self-signed certificates for any missing, and will email status information and errors to an administrator. This sample is really a commercial FTP server and just needs the addition of user accounts.

     

    Angus

     


  2. As we explained previously, you need to design a protocol with a header to explain what type of data you are sending and how much.  One well known such protocol is HTTP which ICS supports, and is much easier to use than designing your own.  

     

    One standard in most protocols is that text is terminated with CRLF at the end of each command or line, which your SendStr does not do; this is useful for knowing that a complete line has arrived for processing, and potentially for recognising that text is being sent, although binary files may also include CRLF.

     

    Angus

     


  3. We don't test ICS on MacOS, since the developers don't have access to any Apple hardware.  So we are dependent upon contributors here to test ICS on MacOS and fix any bugs, which we then incorporate in the distribution. 

     

    You may find using a much older version works better, except for obsolete OpenSSL versions.  And we don't provide OpenSSL for MacOS either.

     

    I'll fix the TMsCertTools error, that is Windows only so should not build on MacOS.  I'll look at the others, but they are not Windows specific.

     

    Angus

     


  4. Magenta Hardware Components is a set of six main components for Delphi 2007 to Delphi 11.0 and later, as follows:

     

    1 - Magenta Serial Port Detection Component, which contains serial COM port enumeration functions using several methods that can identify different ports depending on how they are installed; all are combined and a sorted array is returned with friendly names and install information.

     

    2 - Magenta Hardware Events Component, which listens for Windows hardware event messages and calls event handlers for device changes such as serial ports, disk volume changes, low disk space events and power events.

     

    3 - Directory Changes Monitoring Component, that notifies changes in a directory such as file or directory Create/Delete/Modify/Rename.

     

    4 - Magenta GPS and Location Component is designed to process GPS location data from various sources with an event triggered when movement is detected. GPS sources supported include Windows Location API, NMEA 0183 sentences, GT02 GPS Tracker Protocol, TK102/103 Tracker Protocol and WondeX/TK5000 Tracker Protocol. Sample shows movement track on a Google map.

     

    5 - Magenta Firewall Component has functions to search and list selected Windows Defender Firewall rules and settings, and to add and remove such rules. There is also some code that may be used in Inno Setup scripts to set up firewall rules during application installation.

     

    6 - Magenta Check Disk and Format Disk component used to format fixed or removable disk drives and perform disk checks on Windows NT4 and later.

     

    More details and download from: https://www.magsys.co.uk/delphi/maghardware.asp

     

    Or SVN: https://svn.magsys.co.uk/svn/maghardware/

     

    Magenta Hardware Components are freeware, but are still copyrighted by Magenta Systems Ltd who may change the status or withdraw it at any time, without notice.

     

    Angus

     

    • Like 4
    • Thanks 3

  5. The onDataAvailable event is called repeatedly as more data arrives; you need to keep adding data to the receive stream until the connection is closed or your protocol signals that the stream has received all that was intended (which is why there are headers in HTTP).

     

    TWSocketThrdClient and TWSocketClient relate to ICS server components and won't help in this case. 

     

    Angus

     


  6. As François has said, to send binary files you should really be using a high level protocol like HTTP or FTP. 

     

    If you really want to invent your own protocol, you will save a lot of time and effort by using the newish TIcsIpStrmLog component that can be configured as a client or server, and is really a much easier-to-use version of WSocket. There is a sample application OverbyteIcsIpStmLogTst.dpr that has a local mode, where the sample runs as both a client and server, sending and receiving lines of data to itself.

     

    The component has a simple method SendStream that sends a stream of any size read from memory or a file; your earlier example with Send assumes Windows can buffer your entire image, which will only work for smallish files. There is an onLogRecvEvent event that returns a string with received binary data you can write to a stream, but you will need to design a protocol to know the file name or type of data being received, as it will be returned in variable sized chunks.

     

    Angus
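Posts 2, 5 and 6 above make the same point from three angles: a receiver sees an unframed byte stream in chunks of arbitrary size, so the sender needs a header saying what is coming and how much, and the receiver must buffer until a whole unit has arrived. The Go code below is an added illustration, not ICS code or anything from the original posts; the five-byte header layout (type byte plus big-endian length) and the 16 MB cap are assumptions chosen for the example, and the cap is there so a peer cannot use the length field to make the receiver buffer without limit.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed frame layout (an assumption for this example, not an ICS format):
// byte 0 = message type (1 text line, 2 binary chunk), bytes 1..4 = big-endian
// payload length. The length, not CRLF, ends a frame, so binary may contain CRLF.
const headerLen = 5

// maxPayload bounds what a peer can make us buffer; without it an attacker who
// controls the length field can exhaust the receiver's memory.
const maxPayload = 16 << 20

var ErrFrameTooLarge = errors.New("frame length exceeds maxPayload")

type Frame struct {
	Type    byte
	Payload []byte
}

type Framer struct{ buf []byte } // accumulates bytes across receive events

// Feed appends one received chunk (as OnDataAvailable would deliver it) and
// returns every frame now complete; partial data stays buffered.
func (f *Framer) Feed(chunk []byte) ([]Frame, error) {
	f.buf = append(f.buf, chunk...)
	var out []Frame
	for len(f.buf) >= headerLen {
		n := binary.BigEndian.Uint32(f.buf[1:headerLen])
		if n > maxPayload {
			return out, ErrFrameTooLarge
		}
		if len(f.buf)-headerLen < int(n) { // int(n) is safe: n <= maxPayload here
			break // payload has not fully arrived yet
		}
		payload := append([]byte(nil), f.buf[headerLen:headerLen+int(n)]...)
		out = append(out, Frame{Type: f.buf[0], Payload: payload})
		f.buf = f.buf[headerLen+int(n):]
	}
	return out, nil
}

// Encode builds the wire form of one frame.
func Encode(t byte, payload []byte) []byte {
	b := make([]byte, headerLen, headerLen+len(payload))
	b[0] = t
	binary.BigEndian.PutUint32(b[1:], uint32(len(payload)))
	return append(b, payload...)
}

func main() {
	var fr Framer
	stream := append(Encode(1, []byte("LIST\r\n")), Encode(2, []byte{0, 13, 10, 0xff})...)
	for i := 0; i < len(stream); i += 3 { // deliver in 3-byte pieces
		end := i + 3
		if end > len(stream) {
			end = len(stream)
		}
		frames, err := fr.Feed(stream[i:end])
		fmt.Println(i, len(frames), err)
	}
}
```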

     


  7. Let’s Encrypt / ISRG has today fixed a problem in the server software that issues certificates validated with the “TLS Using ALPN” method, which meant some existing certificates could have been incorrectly issued (they estimate 1%), and is therefore revoking those certificates at 16:00 UTC on 28 January 2022. This will cause servers using these certificates to display untrusted warnings in most browsers and applications that check for revocation.

     

    ICS applications using servers with Hosts that automatically order SSL certificates using CertChallenge with ChallAlpnApp will be using these soon to be revoked certificates.  Although ICS servers check the validity of SSL certificates, they do not currently check for revocation, mainly since this is the first time in 20 years of my using SSL certificates it has happened.

     

    So manual intervention is needed in the next two days: simply delete the certificate file specified in the host property SslCert and restart the server. Upon startup, the server will create a self-signed certificate to allow it to start, then immediately order a new Let’s Encrypt certificate which should be downloaded and automatically installed within about 15 seconds.

     

    If the server application implements regular certificate checking with the RecheckSslCerts method (the OverbyteIcsSslMultiWeb/Ftp samples do that every two hours), the new certificate will be ordered without restarting the server. 

     

    ICS client applications are not directly affected by these certificates being revoked, unless they access servers that have not replaced the revoked certificates and implement certificate chain checking using the Windows store with the SslRevocation property set true.

     

    Because checking revocation slows down connection time, many applications don't do it.  But I will look at implementing it in ICS for use with our PEM CA bundles and servers in particular.

     

    Anyone whose applications have ordered Let's Encrypt certificates that are about to be revoked should have received an email warning already.

     

    https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450

     

    Angus
    • Thanks 1
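The post above separates two checks: whether a certificate chain is valid (which ICS servers do) and whether the certificate has since been revoked (which they do not). The Go code below is an added example of the second check against an issuer's CRL, not ICS code and not from the original post; it treats a CRL that is unsigned by the issuer or past its NextUpdate as "status unknown" rather than "not revoked", and uses a constructed throwaway CA, serial numbers and CRL lifetime as test data (CRL rather than OCSP, and no hostname or chain checks, which remain separate steps).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrStaleCRL = errors.New("CRL past NextUpdate: revocation status unknown")

// IsRevoked answers the question chain validation alone does not: does the
// issuer's CRL list this serial? The CRL is trusted only if the issuer signed
// it and it is still current; a stale CRL is an error, not a clean bill of health.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// BuildTestCRL constructs a throwaway CA and a CRL it signs listing the given
// serials, valid for validFor. Constructed test data only, not a real CA.
func BuildTestCRL(now time.Time, validFor time.Duration, serials ...int64) (*x509.Certificate, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // CreateCertificate then adds a SubjectKeyId
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	ca, _ := x509.ParseCertificate(der)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(validFor)}
	for _, s := range serials {
		crlTmpl.RevokedCertificates = append(crlTmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, priv)
	if err != nil {
		panic(err)
	}
	return ca, crlDER
}
```

There is deliberately no main: the two functions are meant to be called from a test or from a server's own certificate check, with the CRL fetched from the issuer's distribution point.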

  8. You should be using the OverbyteIcsSslMultiFtpServ.dpr sample which was introduced with V8.65, supporting implicit and explicit connections at the same time using multiple listeners; the FTP server hosting ics.ftptest.org has 10 listeners for various services. It also orders Let's Encrypt SSL certificates automatically, although not the multi-domain wildcard one shown earlier, which was done using another sample.

     

    It seems I did not update the old OverbyteIcsSslFtpServ sample for V8.65, so perhaps the server changes were not backward compatible (we try to avoid that) and I never tested it. I'll put it on my list to check, but won't be making your suggested change since that will break new servers.

     

    Angus

  9. To clarify, you are reporting a problem in the ICS FTP server relating to SSL port 990 connections, in relation to changes made in V8.65 a year ago?

     

    What is your actual problem? The code change works fine in my testing with implicit FTP; you can try it yourself by accessing my public server ics.ftptest.org with anonymous login:

     

    Connect/Logon to FTP Server: ics.ftptest.org:990
    ! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
    ics.ftptest.org SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
    ics.ftptest.org SSL Chain Verification Succeeded
    ics.ftptest.org 3 SSL Certificates in the verify chain:
    #3 Issued to (CN): *.ftptest.co.uk
    Alt Domains (SAN): *.ftptest.co.uk, *.ftptest.org, *.ftptest.org.uk, *.ftptest.uk
    Issuer (CN): R3, (O): Let's Encrypt
    Expires: 2022-03-21T16:06:48, Signature: sha256WithRSAEncryption
    < 220-ics.ftptest.org
    < 220-ICS TFtpServerW (c) 1998-2021 F. Piette V8.67
    < 220 Server: MAGPUB5 at 2022-01-16T13:52:52
    FTP Session Connected OK to: [2a00:1940:2:2::142]:990
    > HOST ics.ftptest.org
    < 220 HOST Ok, FTP Server ready.

     

    Angus

     


  10. Please stop sending your comments as private messages as well; I do read this forum when I'm in the office.

     

    Why do you specifically want to use the OnDataSendTar and OnDataRevcTar events? They are very low level.

     

    If you want to modify headers and/or body, you should be using onHttpReqBody, onHttpRespBody, onHttpReqHdr, onHttpRespHdr, which have a simple String property you can update.  

     

    If you change the body length, you may also need to change header fields.

     

    Angus

     


  11. Also, our recent OpenSSL DLLs no longer work on Windows XP either, and ICS has removed support for unsupported OpenSSL versions that might still work on XP.   We also digitally sign the OpenSSL DLLs and older versions of Windows XP do not recognise the root certificate used today. If you want to support the latest security standards, you need Windows 10.

     

    Angus

     


  12. 530 5.7.0 Must issue a STARTTLS command first. - this simply means the server requires an SSL/TLS connection, and you have not sent the command to start it.  You are using the old sample that does not support SSL, you should be using OverbyteIcsSslMailSnd.dpr or OverbyteIcsMailQuTst.dpr (but that may not be in old versions).

     

    The ncrypt.dll missing error means new versions of ICS are no longer supported on Windows XP, sorry.  I recently added some functions to access SSL certificates and private keys that needed newer Windows APIs not in Windows XP.  ICS V8.66 is probably the last that supported Windows XP, I'll update the documentation.

     

    Angus


  13. Since XP has been obsolete for several years, we don't test ICS against it, only Windows 7 and later, and that will be dropped soon.  But there shouldn't be anything specific in ICS to stop it installing. 

     

    What specific errors did you get with V8.58, and with V8.68?

     

    Angus

     


  14. ICS V8.68 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download

    ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 3.0.1 win32, with other versions of OpenSSL being available from the download page.


    Major Changes in ICS V8.68 include:

     

    1 - V8.68 is a minor release, mainly HTTP client and server improvements including new request and response headers to assist browser caching and conditional requests, improved error reporting to help diagnose failed HTTP requests, and improvements in the HTTP REST component allowing it to save files including resuming failed downloads and download files of any size.  There are minor fixes in various components, and updates to installing on MacOS and C++ Builder. There is also a new File Clean-Up demo ideal for deleting the old log files that many applications (including some ICS samples) leave on systems.

     

    2 - The HTTP client TSslHttpCli now keeps the Etag response header as ResponseEtag, allowing applications to save it with the page content and, when requesting a refresh, to add the request method ReqIfNoneMatch or ReqIfMatch to avoid downloading the page again. Improved RequestDoneError to give more information than a simple abort; added httperrOutOfMemory and httperrBgException, which happen while receiving and processing data in the OnDocData event, and httperrSslHandShake. For range downloads, added the ContentIfRange request header which can send an RFC1123 date or Etag so a partial download only happens if the file is unchanged.

     

    3 - Previously, the HTTPS REST client TSslHttpRest always downloaded content to a TMemoryStream with content size being limited to MaxBodySize (default 100 MByte), and generally restricted by memory to less than 250 MByte.  To remove this limitation, added the HttpMemStrategy property with THttpMemStrategy on how to handle downloads: HttpStratMem only TMemoryStream; HttpStratTemp uses a work file in the system temporary directory for sizes larger than MaxBodySize; HttpStratFile always writes a named file HttpDownFileName (with .part extension during download); HttpStratResume is similar to HttpStratFile but supports resume of failed partial downloads (with .http extension for resume information). Property ResumeMinSize defines the minimum sized partial file that should be resumed, rather than start again (default 64K). Added ShowProgress property that causes download information to be sent to the OnHttpRestProg event.

     

    4 - The HTTP server TSslHttpServer now supports the If-Range, If-Match and If-None-Match request headers for conditional pages using Etag or last modified date, and sends 304 Not Modified for matches, to help with caching. Added an ETag header to responses in AnswerStream and AnswerPage when we can create one from a file modification date and size (base64 CRC32), or if the EntityTag property is specified in the client onGetDocument event before using hgSendDoc or hgSendStream, perhaps a CRC32 of the entire content from a cache. The 304 Not Modified response now includes more recommended headers. Also added a Date: header to AnswerStream and AnswerPage responses to help with caching.

     

    5 - The Multi HTTPS client TIcsHttpMulti has been updated to fix a problem that meant large files failed to download with only an abort error if too large for TMemoryStream; they are now downloaded to TFileStream with a .part extension and renamed upon successful completion.

     

    6 - The previous ICS release added support for the OpenSSL 3.0 release. Now it's been available for three months it has been added to the main distribution, the samples SslInternet directory now has both OpenSSL 1.1.1m and 3.0.1. ICS now supports YuOpenSSL 3.0 and 1.1.1 versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

     

    7 - In TIcsFileCopy, the DeleteFiles method now supports a new Zipped property so files are zipped with a .zip extension before being deleted, useful for cleaning up old logs to save space (requires VCLZip). The OverbyteIcsXferTst.dpr sample has a new File Clean-Up tab to test the multiple DeleteFiles method; it allows files older than x days or a specific date range to be archived/zipped (to save space) or deleted, ideal for deleting the old log files that many applications (including some ICS samples) leave on systems.

     

    8 - In the FTP client TSslFtpClient, using the PORT command to set Active mode now prevents other FTP clients sharing the same port number and address, usually only a problem with a small port pool (which is not recommended).

     

    9 - Updated the trusted root certificate bundle files, with lots of changes from Microsoft since June; Google is now issuing its own certificates. Updated the built-in sslRootCACertsBundle, a few gone, now a total of 59 certificates commonly used.

     

    10 - ICS should now build with C++ for RAD Studio 10.4 and 11.0, fixed the 11.0 packages and various Windows API related units, including for Win64.

     

    More detailed release notes are at http://wiki.overbyte.eu/wiki/index.php/ICS_V8.68

     

    • Like 2
    • Thanks 3
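Item 4 of the release notes describes a server sending an ETag built from a file's modification date and size and answering an If-None-Match that matches with 304 Not Modified. The Go handler below is an added example of that exchange, not ICS code and not from the original post; the exact bytes fed to CRC32, the unpadded base64, the W/ weak prefix and the Resource type are assumptions made for this illustration (ICS's own encoding is not specified on the page).

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"hash/crc32"
	"net/http"
	"strings"
	"time"
)

// Resource stands in for a file served by AnswerStream/AnswerPage; only its
// modification time and content matter here. Constructed sample type.
type Resource struct {
	ModTime time.Time
	Body    []byte
}

// WeakETag derives a validator from modification time and size only, the cheap
// strategy the release notes describe. The byte layout fed to CRC32 (8-byte Unix
// time, 8-byte size), the unpadded base64 and the W/ prefix are this example's
// choices, not ICS's encoding. It is weak because different contents of equal
// size and mtime collide, so it must not be used for byte-range requests.
func WeakETag(modTime time.Time, size int64) string {
	var b [16]byte
	binary.BigEndian.PutUint64(b[:8], uint64(modTime.Unix()))
	binary.BigEndian.PutUint64(b[8:], uint64(size))
	var s [4]byte
	binary.BigEndian.PutUint32(s[:], crc32.ChecksumIEEE(b[:]))
	return `W/"` + base64.RawStdEncoding.EncodeToString(s[:]) + `"`
}

// etagMatches implements If-None-Match: "*" or any listed tag, compared weakly
// (W/ prefix ignored), which is what RFC 7232 specifies for If-None-Match.
func etagMatches(ifNoneMatch, etag string) bool {
	strip := func(t string) string { return strings.TrimPrefix(strings.TrimSpace(t), "W/") }
	for _, t := range strings.Split(ifNoneMatch, ",") {
		if t = strings.TrimSpace(t); t == "*" || strip(t) == strip(etag) {
			return true
		}
	}
	return false
}

// Serve answers a conditional GET: 304 plus validator headers when the client's
// copy is current, otherwise 200 with the body, ETag, Last-Modified and Date.
func Serve(r *Resource) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		etag := WeakETag(r.ModTime, int64(len(r.Body)))
		h := w.Header()
		h.Set("ETag", etag)
		h.Set("Last-Modified", r.ModTime.UTC().Format(http.TimeFormat))
		h.Set("Date", time.Now().UTC().Format(http.TimeFormat))
		h.Set("Cache-Control", "max-age=0, must-revalidate")
		if inm := req.Header.Get("If-None-Match"); inm != "" && etagMatches(inm, etag) {
			w.WriteHeader(http.StatusNotModified) // no body: the client's copy is still valid
			return
		}
		w.Write(r.Body) // implicit 200; net/http adds Content-Length for a small body
	}
}
```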

  15. Did a quick Google search for the error; it seems the developer has been messing with this 'security feature' for years, causing a lot of problems, and recently with TLSv1.3, which changed how sessions are created, and in fixing 1.3 probably broke 1.2. What is really needed is the tick box to turn off the feature, which seems to have gone.

     

    I'm removing the port from the session cache name anyway, since conceptually it is wrong even if it does not fix this particular bug, it should save one TLS session set-up.

     

    Angus

     


  16. Okay, I can reproduce it by forcing ICS to use TLSv1.2.  So not sure if this is really a FileZilla bug given it works on the older versions that did not support TLSv1.3. 

     

    The old version also has a configuration option 'require TLS session resumption of data connection when using PROT P' which sounds like the error message, but I have that ticked on the old beta, and that setting and lots of other interesting and useful ones have disappeared from the new version.

     

    Seems like users should go back to the reliable beta rather than the 'release' version <g>

     

    Angus


  17. I can find no problem accessing my own FileZilla servers.  My hosted server had v0.9.60 beta from a year ago:

     

    > PASV
    < 227 Entering Passive Mode (217,146,102,143,82,95)
    ! Passive connection requested to: 217.146.102.143:21087, control channel: 217.146.102.143
    > MLSD /webapps/telerest/templates/testing/
    Check for Old SSL Session
    Old SSL Session Found Cached
    < 150 Opening data channel for directory listing of "/webapps/telerest/templates/testing"
    ! SSL Connected OK with TLSv1.2, cipher ECDHE-ECDSA-AES256-GCM-SHA384, key auth ECDSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
    filezilla.ftptest.org SSL Connected OK with TLSv1.2, cipher ECDHE-ECDSA-AES256-GCM-SHA384, key auth ECDSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
    < 226 Successfully transferred "/webapps/telerest/templates/testing"

     

    It seems after a decade of beta releases, v1 finally came out this summer, so I installed v1.2.0 on my hosted server, unfortunately Windows Firewall blocks it, despite it being added manually, so installed it locally, and it also works. 

    15:05:41:693 > PASV
    15:05:41:693 Starting SSL Session
    15:05:41:693 Cache SSL Session: New
    15:05:41:693 < 227 Entering Passive Mode (192,168,1,105,251,19)
    15:05:41:693 ! Passive connection requested to: 192.168.1.105:64275, control channel: 192.168.1.105
    15:05:41:693 > LIST
    15:05:41:694 Check for Old SSL Session
    15:05:41:695 Old SSL Session Found Cached
    15:05:41:695 < 150 Starting data transfer.
    15:05:41:697 ! SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD
    15:05:41:697 pc21-web5.magenta SSL Connected OK with TLSv1.3, cipher TLS_AES_256_GCM_SHA384, encryption AESGCM(256), message auth AEAD

     

    So no idea why you are seeing error 425, is there something more useful in the FileZilla server log? 

     

    If this is something to do with re-using SSL sessions: when ICS caches a session it adds the port number to the IP address when saving it, to prevent different services being accessed by the same session, but this is effectively what happens with the FTP data channel. So in TIcsFtpMulti you could try removing FtpCli.ControlSocket.PeerPort from xxNewSession and xxGetSession and see if that improves matters. I'm not going to change this until I find out how FileZilla is configured to cause the error.

     

    Angus