Angus Robertson

Posts posted by Angus Robertson


  1. The error is that your local web server cannot be accessed at 2003:e3:efff:1972:de39:6fff:fe45:4515. Did you set up port forwarding for that IPv6 address, and is the web server listening on that address? If you don't want Let's Encrypt to use an IPv6 address, it should not be listed in DNS.

    Let's Encrypt is not really designed to offer certificates for dynamic DNS domains.

    Angus


  2. ICS V8.67 has packages for Delphi and C++ 11.0, currently only available from SVN and the overnight zip, with a final release due next week.

    http://wiki.overbyte.eu/wiki/index.php/ICS_Download

    There was a major new OpenSSL 3.0 release this week; I am just finishing testing and integration with V8.67.

    Currently, many older ICS icons appear incorrectly with a magenta background in Delphi 11.0 due to transparency being ignored; these will be fixed for the final release.

    Angus

    • Thanks 5

  3. X509 certificates never have a password or encryption; by definition they are public. The private key used to sign an X509 certificate or use it in a server may be protected, so I assume you are opening a bundle file that contains both a certificate and a protected private key.

    For a PEM bundle file, the certificate and private key are separate blocks of text, so you only need the certificate and can get the public key from that. A PFX/PKCS12 bundle is a binary blob, and OpenSSL will try and read everything in it, and fail if the key is protected and you don't have the password. I believe there are PKCS12 parsers to extract the contents of the file separately, but I never looked for one. The wincrypt API to read PKCS12 is the same: it reads the lot and needs a password.

    Angus
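The point above, that a PEM bundle is just independent text blocks while a PKCS12 file is one binary blob, can be shown with a small splitter. This is an added example, not ICS code or anything from the original post; the bundles are constructed samples with placeholder base64 bodies, and the helper names are my own.

```python
import re

# Constructed sample bundles (placeholder base64 bodies, not real certificates or keys).
# A certificate followed by a PKCS#8 encrypted private key:
PKCS8_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBexampleCertificateBody
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBexampleEncryptedKeyBody
-----END ENCRYPTED PRIVATE KEY-----
"""

# The same with a legacy (OpenSSL "traditional") encrypted RSA key, which signals
# encryption with Proc-Type/DEK-Info headers instead of the block label:
LEGACY_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBexampleCertificateBody
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MIIBexampleLegacyEncryptedKeyBody
-----END RSA PRIVATE KEY-----
"""

# An unprotected key, for comparison:
PLAIN_BUNDLE = """\
-----BEGIN PRIVATE KEY-----
MIIBexamplePlainKeyBody
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBexampleCertificateBody
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN line, body (base64 plus optional headers), matching END line.
# The backreference \1 forces the END label to equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def split_pem(text):
    """Return the blocks of a PEM bundle as (label, block_text) pairs, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def certificates_only(text):
    """Keep just the CERTIFICATE blocks; no password is needed to read these."""
    return [block for label, block in split_pem(text) if label == "CERTIFICATE"]


def key_is_protected(text):
    """True if any private key block in the bundle is encrypted."""
    for label, block in split_pem(text):
        if label == "ENCRYPTED PRIVATE KEY":            # PKCS#8 encrypted form
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in block:
            return True                                 # legacy OpenSSL header form
    return False


def looks_like_der(data):
    """A PFX/PKCS#12 file is a single DER SEQUENCE (first byte 0x30), not text
    blocks, so it cannot be split this way; the whole blob needs the password."""
    return len(data) > 0 and data[0] == 0x30
```

With `certificates_only` you can hand just the certificate text to a PEM reader and never touch the protected key; `key_is_protected` tells you in advance whether a full load would prompt for a password.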


  4. Quote:
    I'm just adding import and export for certificates to and from the Windows store, for ICS.

    ICS has new classes TMsCertTools and TMsX509List to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server.

    The PemTool sample includes new buttons to list all the Windows certificate and private key stores and allow old items to be deleted.

    Most of this was straightforward, but Microsoft seems to have messed up the APIs when adding CNG support for ECDSA keys in Vista: keys and certificates are held in separate stores, and the way they are linked together is badly documented and flaky; trying to set IIS site bindings often gives an error that means the key cannot be found. I was only able to add certificates and private keys that cannot be exported from Windows; the NCrypt functions fail.

    Angus


  5. Two new zips for Win32 and Win64 versions of OpenSSL 1.1.1i can now be downloaded from the Wiki at http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp. The latest 1.1.1 DLLs are also included in the ICS distribution SVN and overnight zip.

    There are two security fixes: one rated high relating to decryption using SM2 (which standard ICS does not offer), and one rated moderate relating to ASN.1 strings used in X509 certificates and the confusing conversion between fixed-length strings and C null-terminated strings, which may cause a crash; this was mainly a problem when displaying certificate content.

    YuOpenSSL has a new version with OpenSSL 1.1.1l.

    Angus

    • Like 2
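The fixed-length versus null-terminated mismatch mentioned above is easiest to see on a raw DER string. This is an added illustration, not ICS or OpenSSL code; the encoded strings are constructed samples, and the function names are my own. The parser always takes the length from the DER header, shows what a NUL-terminated view of the same buffer would return, and rejects strings that carry an embedded NUL rather than passing them on to display code.

```python
# ASN.1 universal tags for the two string types handled here
PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C

# Constructed DER-encoded strings (not taken from any real certificate):
# PrintableString "example.com", 11 bytes, short-form length
CLEAN = bytes([PRINTABLE_STRING, 11]) + b"example.com"
# PrintableString with an embedded NUL; the DER length is still 11
WITH_NUL = bytes([PRINTABLE_STRING, 11]) + b"example\x00com"
# UTF8String with a long-form length (0x82 = two length bytes follow), 300 = 0x012C
LONG_BODY = b"a" * 300
LONG_FORM = bytes([UTF8_STRING, 0x82, 0x01, 0x2C]) + LONG_BODY


def parse_tlv(data, offset=0):
    """Parse one DER TLV at offset; return (tag, value_bytes, next_offset).
    The length comes from the encoding, never from a terminator in the data."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: 0x80 | number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        if pos + nbytes > len(data):
            raise ValueError("truncated length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("value runs past end of data")
    return tag, data[pos:end], end


def c_string_view(value):
    """What a caller sees if it treats the buffer as NUL-terminated: everything up
    to the first NUL. This is the length mismatch the post describes."""
    i = value.find(b"\x00")
    return value if i < 0 else value[:i]


def has_embedded_nul(data):
    _, value, _ = parse_tlv(data)
    return b"\x00" in value


def decode_asn1_string(data):
    """Length-aware decode that refuses embedded NULs, which have no legitimate use
    in certificate names and would otherwise be silently truncated by
    NUL-terminated string handling."""
    tag, value, _ = parse_tlv(data)
    if tag not in (PRINTABLE_STRING, UTF8_STRING):
        raise ValueError("not a string type: tag 0x%02x" % tag)
    if b"\x00" in value:
        raise ValueError("embedded NUL in ASN.1 string")
    return value.decode("utf-8" if tag == UTF8_STRING else "ascii")
```

The interesting case is `WITH_NUL`: the DER header says 11 bytes, a NUL-terminated view says 7, and any code that mixes the two conventions reads or copies the wrong amount.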

  6. I added a web socket server implementation to ICS last year. There is a new sample OverbyteIcsWebSocket and web page websocketclient.html that accesses the server. Note there are no plans for an ICS Websocket client component; the normal ICS server/client components can be used for sending data outside the browser environment.

    Angus


  7. I attempt to keep the C++ packages up to date with each new release of ICS and Delphi, but cannot test them, and get virtually no feedback from C++ users. The GetIt installers are done by Embarcadero; I just provide a zip with the Delphi and C++ packages, and again don't test C++.

    Never used CodeGuard, no idea how it interferes with ICS. I've been using TSslHttpCli in Windows services on my public servers for 15 years; it just works.

    Angus


  8. Any API that requests system time is dependent on the computer clock being set correctly and with the correct time zone. Windows will then use NTP to keep it correct.

    Relying on NTP time is dangerous since the internet is not reliable, nor are NTP servers, nor DNS to reach them.

    Relying on a single NTP server is also dangerous, unless it's hosted across distributed hosts, like time.google.com or time.cloudflare.com; nist.gov has at least 15 different host names, don't know if they are distributed.

    Angus


  9. function IcsGetUTCTime: TDateTime;
    var
        SystemTime: TSystemTime;
    begin
        GetSystemTime(SystemTime);   // Win32 API: current time in UTC, not local time
        with SystemTime do begin
            Result := EncodeTime(wHour, wMinute, wSecond, wMilliSeconds) +
                      EncodeDate(wYear, wMonth, wDay);
        end;
    end;

    Angus


  10. Quote:
    Is it possible to use ICS to build a HTTP server where clients authenticate themselves using client certificates?

    TSslWSocketServer has a property SslCliCertMethod which determines whether a client certificate is required or optional. You check the certificate in the OnSslHandshakeDone event and close the connection if invalid; it is documented on the wiki page, http://wiki.overbyte.eu/wiki/index.php/TWSocketServer. Note I've not tested this for a while.

    Angus

    • Like 1
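The two halves of the answer above, a required/optional setting on the listener and an application check once the handshake has completed, map onto Python's `ssl` module in the same way. This is an added example and is not ICS code; the peer certificate below is a constructed dict in the shape `SSLSocket.getpeercert()` returns, and the issuer name, allow-list and function names are assumptions for the illustration.

```python
import ssl

# Constructed peer certificate in getpeercert() dict form; placeholder values only.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "device-0042"),), (("organizationName", "Example Ltd"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}

TRUSTED_ISSUER_CN = "Example Client CA"        # assumed name of the client-issuing CA
ALLOWED_CLIENTS = {"device-0042", "device-0043"}  # assumed allow-list of client names


def make_server_context(certfile=None, keyfile=None, cafile=None, require_client_cert=True):
    """Server context. CERT_REQUIRED fails the handshake when no client certificate
    is sent; CERT_OPTIONAL completes it and leaves the decision to the application,
    the same two choices as the required/optional setting described above. The file
    arguments are optional so the function can be exercised without files on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # CA(s) whose client certs are accepted
    return ctx


def _cn(name):
    """Pull commonName out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_client_cert(cert, now_seconds):
    """Application-level policy run after the handshake. OpenSSL has already checked
    the chain against the loaded CA; this adds what the CA cannot express: validity
    at 'now', the expected issuer, and an allow-list of client names.
    Returns (ok, reason)."""
    if not cert:
        return False, "no client certificate presented"
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now_seconds:
        return False, "certificate expired"
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now_seconds:
        return False, "certificate not yet valid"
    if _cn(cert["issuer"]) != TRUSTED_ISSUER_CN:
        return False, "unexpected issuer"
    cn = _cn(cert["subject"])
    if cn not in ALLOWED_CLIENTS:
        return False, "client %r not on allow-list" % cn
    return True, "ok"


def serve_one(listen_sock, ctx, now_seconds):
    """Accept one connection, complete the handshake, apply the policy, and close the
    socket if the client is rejected (the equivalent of closing in a handshake-done
    event). Needs a real listening socket and certificates; not run by the tests."""
    conn, _addr = listen_sock.accept()
    tls = ctx.wrap_socket(conn, server_side=True)    # handshake happens here
    ok, reason = check_client_cert(tls.getpeercert(), now_seconds)
    if not ok:
        tls.close()
        return False, reason
    tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    tls.close()
    return True, reason
```

`getpeercert()` returns an empty dict when the handshake completed without a client certificate, which only happens in the optional mode, so the first check in `check_client_cert` is what turns "optional" into "required for this resource".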

  11. Currently ICS only uses the Certxx APIs to extract certificates from the Windows store and to validate certificate chains. I'm just adding bits to put certificates into the store, but it won't be done this week. My reading suggests CryptAcquireCertificatePrivateKey is how you get the private key for a certificate you find in the store, but I've not tried it yet.

    ICS has classes TX509Base and TX509List which allow certificates and bundles to be created, read and saved in various formats; there is a sample OverbyteIcsPemtool that illustrates everything, and another OverbyteIcsX509CertsTst that acquires certificates from Let's Encrypt, including multi-domain wildcards.

    Sorry, never used THTTPRIO so no idea what it does, but the ICS HTTP client supports client certificates. You can use ICS synchronously; there are methods for that.

    Angus


  12. Quote:
    I need to get higher than TLS 1.2. My websites are being flagged as having too weak of encryption.

    Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes.

    Most IIS sites are still only TLS 1.2; Microsoft does not support TLS 1.3 until Windows Server 2022.

    Angus
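What "disable a lot of weak ciphers" looks like in practice, as an added example using Python's `ssl` module rather than ICS or IIS configuration: a permissive context that offers everything OpenSSL has beside a TLS 1.2 context restricted to forward-secret AEAD suites, plus a checker that lists what a context would still negotiate. The `is_weak_cipher` rule is my own allow-list, not an OpenSSL or ICS definition.

```python
import ssl


def is_weak_cipher(name):
    """Allow-list rule: TLS 1.3 suites are fine; on TLS 1.2 only forward-secret
    (ECDHE/DHE) AEAD (GCM/CCM/ChaCha20) suites pass. Everything else (static RSA
    key exchange, CBC with SHA-1/SHA-2 MACs, RC4, 3DES, NULL, export) is weak."""
    if name.startswith("TLS_"):
        return False
    forward_secret = name.startswith("ECDHE-") or name.startswith("DHE-")
    aead = "GCM" in name or "CHACHA20" in name or "CCM" in name
    return not (forward_secret and aead)


def permissive_context():
    """The weak setting: whatever cipher list the OpenSSL build will offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context():
    """TLS 1.2 as the floor, forward-secret AEAD suites only, server picks the
    order, no TLS compression. TLS 1.3 is still negotiated when both ends have it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def offered_ciphers(ctx):
    """Cipher names, in preference order, that the context would offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Names of weak suites the context would still negotiate; empty is the goal."""
    return [name for name in offered_ciphers(ctx) if is_weak_cipher(name)]
```

Running `weak_ciphers` against a context is a quick way to confirm a scanner's complaint before changing anything; the list should be empty for the hardened context and non-empty for the permissive one.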


  13. I'm just adding import and export for certificates to and from the Windows store, for ICS.

    PFXImportCertStore and PFXExportCertStoreEx seem to be the preferred solution to convert to and from a PFX/PKCS12 blob containing a certificate, private key and intermediates.

    Beware you won't be able to export from TPMs, only certificates saved with exportable private keys.

    But since you have PFX and PEM files, not sure why you are using the Windows store.

    Angus


  14. Beware the ICS web server samples include a lot of code for dynamic demonstration pages, which you can mostly remove to give yourself the basis of a commercial web server service listening on multiple IP addresses, ordering SSL certificates and with request logging. However, the REST sample page is implemented as a virtual page, not a URL handler; other pages are URL handlers.

    The main issue with the current ICS web server is that it is single-threaded, so blocking SQL calls can reduce performance. My experience over 10 years is that my SQL calls mostly take 10ms or less, so the performance hit is minimal; it can still support 50 requests a second (but not new SSL connections).

    The long-term ICS wish list has a heavy web server that will be configurable to allow x connections per thread, down to one if they are effectively blocking.

    Angus

    • Like 1

  15. I'll look at adding the missing handlers in the next week or so.

    You may want to look at a new SSL sample, OverbyteIcsDDWebService.dpr, which is very similar to OverbyteIcsSslMultiWebServ.dpr but designed as a Windows service, although it will also run as a GUI for debugging. It requires the DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice.asp.

    It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 to be installed from http://www.yunqa.de. Note this sample is not in the project groups due to these pre-requisites.

    This sample is part of the next release, in SVN and the overnight zip. It is effectively a working REST server, very similar to a commercial server I've written at https://api.telecom-tariffs.co.uk/ but you need a login to do actual REST requests.

    Angus

    • Like 1