Angus Robertson


Posts posted by Angus Robertson


  1. Quote

    I forgot there was something else I also did to fix this - install the new intermediate certificates on the servers.

    This is all down to how you install new certificates into the Windows Store, which has always been a black art.  You can double click on a PFX/P12 file, or do it from IIS Server Certificates, which is better.  Both should install intermediates into the correct store, but may not, and won't remove old intermediates with the same name, which may still be sent with requests.

     

    Which is one reason why ICS now has a new TMsCertTools class that allows installation of certificates into the Windows store.

     

    Angus

     


  2. After investigation, the main issue today was with the Windows IIS web server using Let's Encrypt certificates.

     

    The Windows Intermediate Certificate Authorities store had old certificates that it was still sending out with each request, according to the excellent SSL Labs test site.  Essentially, you only install new certificates in the store and old ones remain until removed manually using Admin Tools, Manage Computer Certificates, or the latest version of the ICS PemTools sample, which also allows deletion of certificates, which can now be done from applications as well.  IIS then sends any intermediates it finds matching the server certificate.

     

    Browsers seem cleverer than OpenSSL in ignoring unwanted certificates, so the problem may not be that visible.  My IIS server has IPv4 and IPv6 binding on several IP addresses, and the issue did not appear on all bindings, possibly due to caching.  I had to reboot the server after deleting the unwanted certificates to stop IIS sending them, even after restarting IIS itself.

     

    So if you have installed Let's Encrypt certificates into the Windows store, I'd recommend you delete these old intermediates:

     

    Issued to (CN): R3, (O): Let's Encrypt
    Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Expires: 29/09/2021

    Issued to (CN): Let's Encrypt Authority X3, (O): Let's Encrypt
    Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Expires: 17/03/2021 16:40:46

    Issued to (CN): ISRG Root X1, (O): Internet Security Research Group
    Issued by (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Expires: 2024-09-30T18:14:03


    The last one is still being distributed by Let's Encrypt with new orders, and needs a change to ICS to remove it, but does not seem to give an error with OpenSSL.

     

    Angus

     

     

     

     

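One way to do that clean-up from PowerShell on the IIS host, as an added example that is not part of the post and not ICS code: it lists the certificates in the Local Machine Intermediate Certification Authorities store whose issuer is DST Root CA X3 and whose subject is one of the three names above, and removes them only when run with -Remove. The store path, the name-based matching and the -Remove switch are this example's own choices; the post gives no thumbprints, so matching is by subject and issuer name and the printed list should be reviewed before deleting. Run it in an elevated Windows PowerShell session.

```powershell
<#
Added example (not ICS code): audit and remove the stale Let's Encrypt
intermediates named in the post from the Local Machine "Intermediate
Certification Authorities" store (Cert:\LocalMachine\CA).

Usage (elevated Windows PowerShell on the IIS host):
  .\Remove-StaleLEIntermediates.ps1            # report only
  .\Remove-StaleLEIntermediates.ps1 -Remove    # delete the listed certificates
#>
param(
    [switch]$Remove,                               # without -Remove nothing is deleted
    [string]$StorePath = 'Cert:\LocalMachine\CA'   # assumption: the store IIS picks intermediates from
)

# Subjects (CN) of the intermediates the post says to delete; all three were
# issued by DST Root CA X3. Matching on the issuer as well means the
# self-signed ISRG Root X1 in the Trusted Root store is never touched.
$staleSubjects = @('R3', "Let's Encrypt Authority X3", 'ISRG Root X1')
$staleIssuer   = 'DST Root CA X3'

function Get-StaleLetsEncryptIntermediates {
    param([string]$Path)
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($cert in Get-ChildItem -Path $Path) {
        $subjectCn = $cert.GetNameInfo($simple, $false)   # CN of the subject
        $issuerCn  = $cert.GetNameInfo($simple, $true)    # CN of the issuer
        if ($issuerCn -eq $staleIssuer -and $staleSubjects -contains $subjectCn) {
            $cert
        }
    }
}

$stale = @(Get-StaleLetsEncryptIntermediates -Path $StorePath)

if ($stale.Count -eq 0) {
    Write-Host "No stale Let's Encrypt intermediates found in $StorePath."
    return
}

Write-Host "Stale Let's Encrypt intermediates in ${StorePath}:"
$stale | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize | Out-Host

if (-not $Remove) {
    Write-Host 'Report only. Re-run with -Remove to delete them (administrator rights required).'
    return
}

foreach ($cert in $stale) {
    # Items on the Cert: drive are deleted like files; PSPath is the full store path.
    Remove-Item -Path $cert.PSPath -Verbose
}
Write-Host "Removed $($stale.Count) certificate(s). The post found IIS kept sending the old chain until the server was rebooted, so reboot and re-test the served chain."
```

Because the matching is by name, re-importing a PFX that still bundles one of these intermediates will put it back; re-run the report after each certificate install to confirm the store is still clean.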

  3. For the last few years, Let's Encrypt issued free certificates whose intermediate was signed by an old root issued by Digital Signature Trust Co, which expires today.   In the ICS root bundles and certificate chain logs, it appears as follows:

     

    Issued to (CN): DST Root CA X3, (O): Digital Signature Trust Co.
    Issuer: Self Signed
    Expires: 2021-09-30T14:01:15, Signature: sha1WithRSAEncryption
    Valid From: 2000-09-30T21:12:19, Serial Number: 44afb080d6a327ba893039862ef8406b
    Fingerprint (sha256): 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
    Public Key: RSA Key Encryption 2048 bits, 112 security bits

     

    Let's Encrypt distributed its own root certificate, Issued by (CN): ISRG Root X1, (O): Internet Security Research Group, a few years ago, but older applications might not have been updated with it, so since then certificates issued by Let's Encrypt have had two intermediates so that either root was acceptable.  Unfortunately not all applications verify the chain correctly, including OpenSSL; there was a blog about this two weeks ago, https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

     

    There are implications for servers running Let's Encrypt certificates and clients verifying the chains.  Last night one of my ICS client applications started giving chain verification errors on some of my servers, specifically those using Let's Encrypt certificates issued in July and due to expire in two weeks, but not those with certificates issued from mid August.  I'm still investigating what changed; I did make changes to the ICS functions that build certificate bundles, and Let's Encrypt periodically change the intermediates they issue.

     

    So this message is really a warning to watch out for failure to connect to web sites using Let's Encrypt certificates today.  More later.

     

    Angus
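To see locally which chain Windows builds for a Let's Encrypt server certificate, and whether that chain still verifies on a date after the DST Root CA X3 expiry, the following PowerShell is an added example and not code from the post or from ICS. It walks the Local Machine Personal store, has the Windows chain engine build a chain for each certificate issued by Let's Encrypt as of a chosen verification date, and prints every element with its expiry and status. The store path, the issuer filter and the -VerifyAt parameter are this example's assumptions; revocation checking is switched off so the check depends only on the local stores and the date. Run it in an elevated Windows PowerShell session on the server.

```powershell
<#
Added example (not ICS code): show the chain the Windows chain engine builds
for each Let's Encrypt server certificate in Cert:\LocalMachine\My, as of a
chosen date, so the effect of an expired root or a stale intermediate is
visible without an external scanner.

Usage (elevated Windows PowerShell on the server):
  .\Show-LEChain.ps1                         # evaluate as of now
  .\Show-LEChain.ps1 -VerifyAt '2021-10-01'  # the day after DST Root CA X3 expired
#>
param(
    [datetime]$VerifyAt  = (Get-Date),               # date the chain is evaluated at
    [string]  $StorePath = 'Cert:\LocalMachine\My'   # assumption: where the IIS server certificates live
)

function Get-WindowsChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [datetime]$At
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # No CRL/OCSP lookups: the result depends only on the local stores and the date.
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationTime = $At
    $valid = $chain.Build($Cert)   # $false if any element is untrusted, expired, etc.

    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject  = $el.Certificate.GetNameInfo($simple, $false)
            Issuer   = $el.Certificate.GetNameInfo($simple, $true)
            NotAfter = $el.Certificate.NotAfter
            Expired  = $el.Certificate.NotAfter -lt $At
            Status   = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    [pscustomobject]@{
        Valid    = $valid
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements = $elements
    }
}

# Issuer strings look like "CN=R3, O=Let's Encrypt, C=US".
$leaves = Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -match "O=Let's Encrypt" }
if (-not $leaves) {
    Write-Host "No certificates issued by Let's Encrypt in $StorePath."
    return
}

foreach ($leaf in $leaves) {
    $result = Get-WindowsChain -Cert $leaf -At $VerifyAt
    Write-Host ("`n{0}  (expires {1})" -f $leaf.Subject, $leaf.NotAfter)
    Write-Host ("  chain valid at {0:u}: {1}   status: {2}" -f $VerifyAt, $result.Valid, $result.Status)
    $result.Elements | Format-Table Subject, Issuer, NotAfter, Expired, Status -AutoSize | Out-Host

    # The post's problem case: the selected path runs through DST Root CA X3 or a
    # DST-signed intermediate that has already expired (Windows reports NotTimeValid).
    if ($result.Elements | Where-Object { $_.Expired -or $_.Subject -eq 'DST Root CA X3' }) {
        Write-Warning "Chain for $($leaf.Subject) contains DST Root CA X3 or an expired element; check the Intermediate Certification Authorities store for old Let's Encrypt intermediates."
    }
}
```

This shows what the local chain engine selects now; the post found IIS kept serving its old chain until the server was rebooted, so after changing the stores re-test the chain actually served (for example with SSL Labs) rather than relying on this output alone.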


  4. I only support Delphi Windows platforms, I have no Apple hardware so can not build MacOS, and have no commercial interest in doing so, ditto mobile platforms.  I have added the odd contributed fix for MacOS and C++, and made sure ICS builds on Linux, but Linux requires more low level work.  All of this requires help from others, which is never forthcoming.

     

    Angus

     


  5. ICS V8.67 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download

     

    ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 1.1.1i win32, with OpenSSL 3.0 and Win64 versions of OpenSSL being available from the download page.

     

    Changes in ICS V8.67 include:

    1 - Added support and packages for RAD Studio 11.0.  Updated SSL/TLS root certificate bundles, old certificates gone, new ones added, nothing major.

     

    2 - Added support for OpenSSL 3.0 which is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to the standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one; a provider legacy.dll has obsolete ciphers and hash digests, including MD2, MD4, Blowfish, DES, IDEA, RC2, RC4, SEED, that most applications no longer need and which needs to be loaded by the application by setting the global variable GSSLEAY_LOAD_LEGACY to true before loading OpenSSL.

     

    3 - OpenSSL 3.0 does not offer any specific new features of benefit to ICS at present, although HTTP/3 support is planned for 3.1 or later, so the main ICS distribution retains OpenSSL 1.1.1i which is fully supported until September 2023. OpenSSL 3.0 may be downloaded from the download page. There are two global variables to restrict which OpenSSL version is loaded: GSSLEAY_DLL_IgnoreNew set true will ignore 3.0, while GSSLEAY_DLL_IgnoreOld will ignore 1.1.1, if both sets of DLLs are available in the same directory. The main SSL samples all set these globals, which can be changed for testing one version or the other, or set by the application, but must be set before OpenSSL is initialised.

     

    4 - The main implication for ICS with OpenSSL 3.0 is for SSL/TLS certificate private keys saved with password protection, which is required for PKCS12 certificates for importing into the Windows certificate store. The new PKCS12 default password encryption AES256 is not recognised until Windows Server 2016 v1709 and Windows 10 v1709, so Server 2012, Windows 10 RTM and earlier won't load AES passworded keys, only 3DES, for which the legacy.dll must be loaded.

     

    5 - The TX509Base class has various improvements. The ValidateCertChain method reports CA roots for multiple certificate verification paths with two or more intermediate certificates, rather than only the last. The CertMainInfo method provides a single line with the main certificate information.

     

    6 - There are two new classes to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server.  TMsX509List descends from TX509List adding a method LoadFromStore to load the list from a Windows certificate store by store name TMsCertStore and location MsCertLocation. For My/Personal store, attempts to load private keys if they are allowed to be exported unencrypted. TMsCertTools descends from TSslCertTools adding methods SaveToStorePfx and LoadFromMyStore to access Windows certificate stores. Note access to the Local Machine Store for web server certificates requires administrator rights.

     

    7 - Various improvements for the OverbyteIcsPemTool sample.  It includes new buttons to list the contents of Windows certificate and private key stores and allow old items to be deleted.  This may be useful for cleaning up old certificates and private keys from the Windows stores. Added ResavePrivateKey and a Resave Private Key menu option which prompt for a PFX or PEM file containing an encrypted private key and re-save it with a new cipher, renaming the old file to .oldpem/pfx.  Specifically for files saved with old ciphers that OpenSSL 3.0 does not support as standard, if required for older versions of Windows.  Displaying certificates and bundles no longer opens a new modal window, but updates the existing log window. Improved import of certificates from the Windows certificate store to use TMsX509List instead of Windows API calls, and to access all Windows store locations instead of just user, specifically the Local Machine store where server certificates are located.

     

    8 - For the TX509Certs component, the default cipher for encrypting PFX/P12 files is now PrivKeyEncAES256 with 3.0 unless the legacy DLL is loaded, when it is still PrivKeyEncTripleDES so older versions of Windows can load them. Changed extraction of the downloaded PEM bundle so that the main certificate does not need to be first in the file, log them all, and ignore any self signed root certificates. If testing the dns-01 challenge fails, rotate to the next public server with three retries (previously this only happened on timeout). When saving files with private keys, log the encryption type used. Added more certificate output formats, OutFmtPwPem and OutFmtPwP12, which specify whether to password PEM and P12/PFX private keys. Note Windows always needs passworded P12/PFX files, while the Apache web server only accepts PEM files without a password. Allow automatic installation of new certificates to the Windows Certificate Store so they can be used by IIS web sites, by setting the output format to OutFmtWinStore.  Note the application must have administrator rights to do this.

     

    9 - Fixed two problems in the FTP client, support option ftpFixPasvLanIP for PUT/APPE uploads as well as  downloads, and support IPv6 for PUT/APPE uploads as well as downloads.

     

    10 - Fixed a problem in TIcsMailQueue with sequential number generation to avoid file locking errors and a unicode BOM corrupting the file; generate a large random number for errors instead of reverting to 1.  Don't save a BOM with unicode compilers.

     

    11 - In the Application Web Server TSslHttpAppSrv, added an optional LastModified parameter to the AnswerStream, AnswerPage, and AnswerString methods to avoid adding a custom header line with the date.  Added NO_CACHE_EX and NO_STORE_EX literals. Added PUT and DELETE verb handlers, similar to GET and POST.

     

    12 - For the HTTP client TSslHttpCli, fixed a relocation problem where the Location: header included a path with a space, encode the space. Fixed another relocation problem where HEAD sometimes stalled. Remove # fragment or anchor from URL in relocation, only used by browsers and not by servers.

     

    13 - In the TIcsBlackList component, Internally use BlockedFlag instead of setting attempts to 9999 once the actual maximum failed attempts is reached, so we can keep counting attempts.

     

    14 - Added a new SSL sample, OverbyteIcsDDWebService.dpr, which is very similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows service, although it will also run as a GUI for debugging.  It requires the DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice.asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 5.36.5 or later to be installed from http://www.yunqa.de. Note this sample is not in the project groups due to these pre-requisites.

     

    15 - Moved TRestParams from the OverbyteIcsSslHttpRest unit to OverbyteIcsUrl to ease circular references. Added a new method AddItemNULL to add a null, in Json this will be unquoted. Added a new TRestParamsSrv component which provides methods for creating REST server Json responses from a SQL database resultset, one or more rows, also error responses. Note this is only compiled if DATABASE is defined in OverbyteIcsDefs.inc to avoid bringing in database units that are not available on all Delphi editions.  There is a REST server sample OverbyteIcsDDWebService.dpr that illustrates SQL lookups.

     

    16 - In the proxy component TIcsHttpProxy, don't send an HTTP request header until after HTTP body has been processed in case the body length changes. HTTP Forward Proxy using HTTP works again, broken in V8.65. Using HTTP Forward Proxy, convert absolute URL to path only since some servers can not process an absolute URL and sulk.

     

    17 - In the Jose unit, rewrote the functions converting private keys to and from Json Web Keys with new OpenSSL 3.0 provider functions. Use AnsiStrings and functions when dealing with binary data to avoid possible issues with string conversions and nulls.  Json now created with TRestParams.

     

    18 - Added two new sample project groups, OtherDemos64 and SslDemos64 which include Win64 versions of all the main active samples with 64 added to the project name, so they can be regularly built alongside the Win32 versions without changing platforms and overwriting executables.

     

     


  6. Quote

    Can you show a screenshot? 

    Nothing to see: the project tree disappears, the toolbar remains, but the pane goes blank, although the right click menu shows the actions for the build pane, like new group.  I've used Build Groups in D11 many times over the two months including RTM; it only disappeared last week when I was trying to get rid of extraneous windows.

     

    Angus

     


  7. From the projects window, when I click Show Build Groups pane, the projects tree view disappears but no new pane appears, it worked when I first installed D11.0, but I must have done something to make it disappear.  The tree view is supposed to shrink and another pane appear.  The build groups still exist because I can not create a new one with the old name.

     

    Angus

     


  8. The zip is available now. 

     

    I find Github massively more complicated to use than SVN, it also runs on my own servers not in the cloud, so SVN is here to stay for now.  I use TortoiseSVN which is simple to install and use.

    But it's rare for SVN to have files not in the nightly zip, usually only during beta testing new compilers. 

     

    Angus


  9. Two new zips for Win32 and Win64 versions of OpenSSL 3.0.0 can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp .

     

    ICS V8.67 from SVN or the overnight zip is required to use 3.0 and later, due for final release in a few days. The ICS distribution will continue to include OpenSSL 1.1.1 for a while until 3.0 becomes better tested. Beware the ICS Jose unit currently gives errors with the Win64 platform, being investigated; the Win32 platform is ok.

     

    OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to the standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one; a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to be loaded by the application.

     

    For details of the changes in 3.0.0, see the release notes at: https://www.openssl.org/news/openssl-3.0-notes.html

     

    Highlights are:

     

    * Implemented support for fully "pluggable" TLSv1.3 groups
    * Added support for Kernel TLS (KTLS), Linux only
    * Changed the license to the Apache License v2.0.
    * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider.
    * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy provider.
    * Added convenience functions for generating asymmetric key pairs.
    * X509 certificates signed using SHA1 are no longer allowed at security level 1 or higher.
    * Added a Certificate Management Protocol (CMP, RFC 4210) implementation.
    * Added a proper HTTP client.
    * Changed our version number scheme, major, minor, patch, so 3.0.0 (no patch letter)
    * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
    * TLS 1.3 FFDHE key exchange support added

     

    Angus

     


  10. The logs on your own PC will tell you why it worked, probably Let's Encrypt tried the IPv4 address first, or both, not sure about the rules for checking multiple IP addresses in DNS records.

     

    The TSslX509Certs component accesses your local web server using DNS before starting the order to make sure it's available from the public internet, but ICS prefers IPv4 so would not check IPv6 first.  Also, the check may not work when using NAT, I use a proxy server for such checks so I know access is from the internet. 

     

    Angus

     


  11. Never really saw the point of 4K monitors for development (except for image applications), for I have two 2560x1440 monitors, the main 32in at 100%, the 28in at 125% so text is the same size on both.  I run Delphi on the larger screen, browsers and text editors on the side screen.  Done that for 15 years, with varying sized monitors.

     

    So no scaling issues. 

     

    Angus

     


  12. Is it really RAD Studio 11 Alexandria? 

     

    The version in Help/About just says Embarcadero® RAD Studio 11.0 Version 28.0.42600.6491, no mention of a name.  Nor is anything displayed on the splash during startup.

     

    The only place I see Alexandria is for the license key. 

     

    Alexandria was also the beta code name, and every 10.x release had a different code name to release name.  The main web site does not mention Alexandria either, except buried in two pages. 

     

    I'm planning on calling it 11.0 unless I hear otherwise. 

     

    Angus
