Angus Robertson

The relocation fix is now in SVN. 

The repository server is working fine, but wiki.overbyte.eu with the overnight zip has been down for two days, probably due to the flooding in Liege, but ICS can also be downloaded from https://www.magsys.co.uk/delphi/magics.asp

Angus

You were correct, a fragment/anchor/bookmark in the URL should never be sent to the server, it is purely an instruction to the browser on how to display the page. 

The ICS unit did attempt to remove # during relocation, but relocation has many different paths in the code, and it was not always being done. 

I've corrected in my master, won't be in SVN for a day or two, but in the latest SVN version add these lines to the function EncodePathOnly:

        I := Pos('#', OldPath);
        if I > 1 then
           Result := Copy (OldPath, 1, I - 1);

My issue with the SSL/TLS certificate was me using an old sample application.

Angus

It would help if your application had better logging, you would then have seen the real error:

www.w3.org SSL Handshake Failed - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed, State: error

This only happens if ICS is set to check the certificate chain, which is normal, but means you need to keep the root store up to date to allow verification to work.  I updated the ICS root stores last week but not in SVN yet, and the root certificate 'USERTrust RSA Certification Authority' seems to be different to the one the site is using, I'll look into this next week.

Angus

Neither Firefox nor ICS redirect to w3.org, using the ICS Frame Browser sample:

FrameBrowser Get: https://www.htmlvalidator.com/help.php?h=aria-atomic&m=6

[0] > GET /help.php?h=aria-atomic&m=6 HTTP/1.1
[0] < HTTP/1.1 302 Found
[0] < Location: help.php?m=2&h=html
Redirected to: https://www.htmlvalidator.com/help.php?m=2&h=html
[0] > GET /help.php?m=2&h=html HTTP/1.1
[0] < HTTP/1.1 200 OK

Angus

Just created VMs with Windows 11 and Windows Server 2022 versions to see what the real internal versions are, and it seems still major version 10. 

Windows 11 has a raw version of 10.0.22000 and DisplayVersion 21H2.

Windows Server 2022 preview is a little older and says 10.0.20348 and DisplayVersion 21H2.

So it looks like build 20000 and higher are the new versions, not major version 11. 

Also, for a year or so they seem to have been using DisplayVersion (20H2) from the registry instead of ReleaseID ( last was 2009), and Windows 11 still says 2009. 

Angus

On 6/30/2021 at 2:12 AM, Nigel Thomas said:

tpm.msc lists Manufacturer information, including Specification Version, which should show 1.2 or 2.0.

This is an Intel firmware Trusted Platform Module in the PC BIOS, using Intel Platform Trust Technology built into many Intel processors. 

In my Asus BIOS, I  found PCH-FW Configuration, then Enable PTT, not very clear what PTT meant, so I never set it, they should spell out Trust to make it clearer.

Now WMI says:

Win32_Tpm, instance 1 of 1
IsActivated_InitialValue = True
IsEnabled_InitialValue = True
IsOwned_InitialValue = True
ManufacturerId = 1229870147
ManufacturerIdTxt = INTC
ManufacturerVersion = 500.14.0.0
ManufacturerVersionFull20 = 500.14.0.0
ManufacturerVersionInfo = Intel
PhysicalPresenceVersionInfo = 1.3

My older Asus PC says ManufacturerIdTxt = IFX which is Infineon Technologies AG who make the chip in most TPM modules. 

Angus

Quote

I used PowerShell with WMI to get the version 

Or use Computer Management, Device Manager, Security devices, and it should say Trusted Platform Module 2.0 with a very old driver. 

Angus

A UEFI BIOS is something you have, or an old fashioned BIOS.  TPM is hardware, but sometimes needs to be enabled in the BIOS.

I built a new PC six months ago, had an Asus MB choice between five SATA ports and a TPM slot, or six SATA ports, but I needed all six for a lot of flash and spinning rust, with RAID.

Unfortunately, TPMs do not seem to come on PCIe cards, only special slots. had one in my old PC.

Angus

It is possible to patch the Windows 11 installer to skip the TPM check. 

Has anyone tried Windows Server 2022 yet, does it also require a TPM?  Presumably based on W11 rather than W10.

Angus

I know Git is much better than SVN, but I would rather spend my limited time improving ICS than learning Git and migrating our systems built around it.

Whoever finally takes over as ICS maintainer will need to start again since SVN runs on my hosted servers.

Angus

TCustomTimeoutWSocket is only built if BUILTIN_TIMEOUT is defined, although that has been the default for a few years. 

Server client sockets do descent from that class, and the timeout settings could be set in code when the client is created.  But you would then have one ICS thread timer per client, rather than a single timer monitoring all clients as happens with the high level servers. 

Angus

How would a Git repository be more beneficial than the existing SVN repository? 

I'm afraid I dislike Git, my past experience of it is very poor, very time consuming to make contributions and I do not have the time to learn any more about it. 

There are very few contributors to ICS, maybe one external fix a month, easily handled by SVN. 

Angus

Not strictly an ICS issue, but this topic is read by others as well. 

Reverse DNS lookup with IPv4 generally works well, most proper providers at least provide their main name even if the IP is not specially allocated, ie msnbot-157-55-39-2.search.msn.com. 

But IPv6 rDNS is much less useful, mainly because most addresses include 64-bit of effectively random data, which are added to the 64-bits of public address. So my public ranges are 2a00:1940:1:2 and 2a00:1940:2:2, but my remote address is today seen as 2a00:1940:1:2:ed4c:1a97:12fa:c6e7.   I have reverse DNS for my public server addresses like 2a00:1940:2:2::139, but not the random ones. 

Some DNS servers seem able to look-up IPv6 addresses using just the public part of the address, like btcentralplus.com in the UK, but most don't. 

You can find the public name using Whois, but this is not designed for heavy use by a server looking up each new client that connects. 

One solution would seem to be a simple text file with the public names, even just the first 32-bits are enough, 2a00:1940 is Merula my hosting company, 2a02:c7f is BSkyB Broadband,  2a00:1450 is Google, etc.  Has anyone found such a file?

Any other thoughts on reverse DNS for IPv6?

Angus

Sorry, there has been insufficient interest in webhooks to justify any further investigation with ICS.

Presumably you want to write a webhook client?  Exactly what webhook server do you want to access?

Angus

Good, as ICS has developed over 20 years there are local functions like DirExists in various units, often duplicated and not always kept up to date, which I'm slowly concentrating in OverbyteUtils.

Angus

The quick solution is to replace DirExists with SysUtils.DirectoryExists which is available in Unicode compilers, and which is already used in OverbyteUtils for IcsDirExistsW. I'll fix this in SVN shortly.

Angus

Thanks, I'll try and test this next week.  The API is documented as returning INVALID_FILE_ATTRIBUTES for failure, which we assume is -1, but maybe it's not.

Angus

Easiest solution is to put a breakpoint in the CommandRNTO procedure and step through under the debugger to see which statement fails. There is nothing obvious that would fail on Win64.

Angus

Probably a firewall on your cloud server, although it may be IIS is already listening on all IP addresses so traffic goes there instead.  Generally better to listen on specific IP addresses, not all.  If IIS needs to run, you need a registry patch so it only listens on specific IP addresses.  Mind with modern cloud servers, you may only get one IP address. (mine has 30).

Angus

The low level socket server does not include any timers, but the higher level HTTP and FTP server component do include various timeouts.  TWSocket itself includes a TWSocketCounter class which descendents can check periodically with a timer to close idle connections, depending on activity.

For HTTP, the procedure HeartBeatOnTimer checks whether a request is being processed and disconnects according for KeepAliveTimeSec or KeepAliveTimeXferSec.  You could add something similar including checking whether SSL has been negotiated. 

If you are concerned about hacking attempts, I find it's actually better to leave connections open for a long time, doing nothing, which stops the remote robot doing anything else with that connection, close it immediately and it moves on to the next attack attempt.  

The OverbyteIcsSslMultiWebServ sample includes various hacking tests, and sends a response after a one minute delay.  One test I added to my public web server is any access by IP address instead of host name, immediately onto the hackers list.

This is also in a new sample I added yesterday, OverbyteIcsDDWebService, which is similar to OverbyteIcsSslMultiWebServ but runs as a real Windows service or a GUI for debugging). and includes a new database REST server sample. 

Angus

And how is this relevant to your UDP problems, is it working yet. 

Angus

For your broadcast socket, see what replies you receive in the onDataAvailable event, if any.  Test it.  

The OverbyteIcsIpStmLogTst.dpr sample allows all this to be tested using the TIcsIpStrmLog component that does UDP client and server, only snag is a bug in the sample that meant UDP server alone did not listen correctly, fixed yesterday when I tested broadcasting, I'll put it in SVN shortly. 

Angus

LastError is generally set when a Windows API fails to that Windows error, but code is needed after every such function call, and was sometimes missing, for SendTo/6 in particular, now fixed. 

You must use Connect for broadcast to work.  You should use a separate socket for listening. 

Angus

II think our messages overlapped.

Angus

Further to my original message about using SendTo, for broadcasting or multicasting you must also set property Addr to the broadcast address before calling Connect, otherwise the socket will not be opened with the correct SO_BROADCAST flag.   Send should also work, as used in various components and samples, but SendTo is required for UDP servers to reply to the source address, and works as well for clients.

Angus