Posts posted by Angus Robertson


  1. The USP of LZMA in 7Zip was higher compression size and better decompression speed, against a slower compression speed, which is usually done rather less frequently. 

     

    ZLIB deflate as used by ZIP and HTTP compression is speed, not minimal size, with options for both.  The ZLIB library in Delphi is optimised C code which will be faster than the Pascal conversion of LZMA, I'm sure the DLL version will be faster, but then we are into DLL hell. 

     

    Angus


  2. ICS V8.70 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download

     

    ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 3.0.7 win32, with other versions of OpenSSL being available from the download page.


    Major Changes in ICS V8.70 include:

     

    1 - V8.70 has various minor improvements providing better compatibility with modern compilers such as more unicode overloads to avoid ANSI string warnings and casts, and more use of TBytes to avoid ANSI strings. Updated various samples to use TIcsRestEmail to support OAuth2 authentication for GMail and Outlook that no longer allow old authentication protocols.

     

    2 - The TIcsFileCopy, TIcsFtpMulti and TIcsHttpMulti file transfer components now support file zipping and unzipping using System.Zip in recent Delphi compilers, instead of the obsolete VclZip which is no longer available. Before a file copy or FTP upload, files may be automatically zipped, useful for large log files, after a file copy, FTP or HTTP download, files may be unzipped in various ways.

     

    3 - Added support to TIcsFileCopy to copy file names longer than 259 characters by adding \\?\ to the start of long names passed to Windows APIs, if supported by the disk file system, unicode APIs only. Fixed a problem deleting empty directories after copying. Fixed a problem with BuildDirList2 with COMPILER16_UP.

     

    4 - The OverbyteIcsXferTst sample has new tabs, 'Single File Copy' to test the CopyOneFile method and 'Zip/Unzipping Files' to test zipping and unzipping that has always been supported by the components but not this demo.

     

    5 - Allow content compression for HTTP and FTP using System.Zlib in newer versions of Delphi instead of the OverbyteIcsZLibObj unit to avoid duplication. Only Delphi 11.1 and later have the same ZLIB 1.2.12 as ICS, so will automatically use System.Zip.  Beware a new version of OverbyteIcsDefs.inc is required to allow ZLIB to work correctly, otherwise it will default to using the DLL which is unlikely to be available, it is not in the distribution.  So either install the new inc file and customise it, or copy the ZLIB changes to your own inc file.

     

    6 - In TWsocket, added ReceiveTB(var Data : TBytes; MaxLen : Integer = -1): Integer; where MaxLen is optional, to receive TCP data into a TBytes dynamic array of bytes. Also ReceiveFromTB and ReceiveFrom6TB for UDP datagrams. The last release added similar SendTB functions, so buffer pointers and ANSI strings can now be avoided.

     

    7 - Added UTF-8 support to TIcsIpStrmLog, to convert received lines from UTF-8 to Unicode with unicode compilers (as String) and converts sent data to UTF-8. Changed FRxBuffer to TBytes, use SendTB and ReceiveTB methods with TBytes.

     

    8 - Updated OpenSSL to 3.0.7 and 1.1.1s.  OpenSSL 3.0.6 was withdrawn shortly after  release, we never distributed it.

     

    9 - In OverbyteIcsSslHttpOAuth, added an OAuth2 and Rest Email Microsoft User Authority property to access different user authorities, defaults to 'consumers' but can be changed to 'common' or an Azure Active Directory tenant GUID for corporate accounts.

     

    10 - Added TIcsRestEmail to support OAuth2 authentication to the OverbyteIcsSslMultiWebServ, OverbyteIcsSslMultiFtpServ and OverbyteIcsDDWebService samples, since GMail and Outlook no longer allow old authentication protocols.

     

    11 - In the TIcsInetAlive component, added a new method AliveMethEither so internet alive checking works if either ping or HTTP works, instead of one or the other.

     

    More detailed release notes are at http://wiki.overbyte.eu/wiki/index.php/ICS_V8.70

     

    Angus

     


  3. OpenSSL has released new versions of the two supported branches, 3.0.7 and 1.1.1s, Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp.


    OpenSSL 3.0.7 fixes two serious security bugs in 3.0.0 and later relating to verifying X509 certificates with email punycode (non-ASCII characters) name constraint checking, that can cause a crash.  These bugs can only happen after a certificate chain has been successfully checked, mainly in client applications (or servers that request and verify client certificates) so should not happen with self signed certificates.  Another security bug fixed related to using null encryption, which ICS doesn't use. Also, the RIPEMD160 hash no longer requires the legacy provider.
     
    OpenSSL 1.1.1s has general bug fixes.


    Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

     
    Angus

     


  4. SendHeader is really an internal function, it is called during most of the other Send/Answer methods, and will send any PersistentHeader property lines, together with headers specified by the Send/Answer functions, that may also add their own headers.  Only use SendHeader if you are using low level functions like Send and SendStream.

     

    You can use the onRespHdr event to log the headers actually being sent, to check they are correct.

     

    Angus

     


  5. ICS attempts to extract a private key from the Windows store, but I don't recall it working on any of my servers or PCs, so untested. 

     

    So if it works, good, if not, as expected.  I don't plan on testing this again since it is not a core ICS function, not needed for any samples. 

     

    Personally, I would not distribute an application that relies on extracting a private key from the Windows Store, you have to hope that whoever imported it ticked the correct box to allow export, and Microsoft has not changed the rules again.  I would tell the customer you need the PFX to use with OpenSSL.

     

    But you can easily test if your FSslCertX509 object has a matching key and can be used as a server certificate.  If you are using the recommended IcsHosts server properties, the certificate gets checked and reported before the server starts, so you know if it's going to work.

     

    Angus

     


  6. We are going in circles here, even if you load the certificate into the context a subsequent error will happen since there is no private key with the certificate.  

     

    The TX509Base and TMsX509List classes can hold a private key, but if you use PemTool to list a store you'll see it reports 'Private key in User Store, Could not export private key - The requested operation is not supported'.  Only the Microsoft crypto functions can access the private key store, and OpenSSL does not use them.

     

    For your own code, you don't show a definition for lMsX509List nor how you are indexing into the list, but it should be something like FSslCertX509 := MyList[x] or MyList.Items[x].

     

    Angus

     


  7. No, the question is why if you already have a PFX file with a private key, you are installing it into the Windows Store in the first place, then reading it again without the private key and expecting it to work as a server certificate.  Why not use the PFX directly. 

     

    The ICS pemtool loads certificates into the Windows Store correctly, I do it all the time to use Let's Encrypt certificates with IIS.

     

    The exception will be an error in your code.

     

    Angus

     


  8. So you are attempting to use a certificate from the Windows store as a server certificate? 

     

    How did you set the private key for this certificate?  You can not extract private keys from the Windows store.  Server certificates are useless without a private key.

     

    Private keys are kept by Windows in a different store and linked to certificates, but not stored together.  Windows itself provides a means to export certificates with a private key, if allowed, but this is not implemented by ICS, not sure if the APIs allow it.  Most certificates have key export blocked to stop them being stolen.

     

    Angus


  9. Just done some testing using the D11.2 TRESTClient component on Windows 11 Enterprise 22H2 fully updated.

     

    It seems all TLS protocols are still available to the client.  I have servers built with the ICS web server component that can report the TLS client hello packet that tells the server what protocols the client can accept.  The URL is https://api2.telecom-tariffs.co.uk/serverinfo.htm  which returns an information page about the server and client connected, for the TRESTClient with all TLS boxes ticked the Hello starts with:

     

    Client Hello: Server Name: api2.telecom-tariffs.co.uk, ALPN: , Versions: TLSv1.2, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1.0, TLSv1.3 Key Share Data

     

    which means all four protocols are accepted, ticking just TLS12 and only that protocol appears in the Hello, and works.  Windows 11 also connects with TLS/1.3 if requested, without registry patches.  However, I may have previously done the patches two years ago when first testing TLS/1.3.  I do hack the PC a lot, currently Edge and Windows File Explorer are dead with exceptions.

     

    Angus
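
How a server can read the offered protocol versions and server name out of a Client Hello, as an added Python example that is not part of the original post and is not ICS code. The record is constructed for the demo, and the function names are hypothetical.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SNI, EXT_VERSIONS = 0x0000, 0x002B   # server_name, supported_versions

def name(v):
    return NAMES.get(v, "0x%04x" % v)    # GREASE or unknown values stay visible as hex

def build_sample_hello(host, versions):
    """Constructed ClientHello record for this demo, not a captured one."""
    sni = host.encode()
    exts = [(EXT_SNI, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)]
    if versions:
        vers = b"".join(struct.pack("!H", v) for v in versions)
        exts.append((EXT_VERSIONS, bytes([len(vers)]) + vers))
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # legacy version, random, empty session id
            + struct.pack("!HH", 2, 0x1301) + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (server_name, legacy_version, offered_versions) for one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    try:
        body = record[9:5 + struct.unpack("!H", record[3:5])[0]]
        legacy = struct.unpack("!H", body[0:2])[0]
        pos = 34                                                # version + 32-byte random
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        host, offered = None, []
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == EXT_SNI:
                host = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
            elif etype == EXT_VERSIONS:
                offered = [name(struct.unpack("!H", data[i:i + 2])[0])
                           for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    # Without supported_versions (pre-TLS 1.3 clients) the legacy field is the highest version offered.
    return host, name(legacy), offered or [name(legacy)]
```
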

     


  10. In theory, you can do this with the ICS JOSE functions like IcsJoseJWKPubKey and IcsJoseJWSComp that are used to implement the ACME protocol for Let's Encrypt certificate ordering, which work with the ICS REST component.  But often these JWT implementations have little tweaks or special features that might mean minor changes to these functions.

     

    ICS may be installed from GetIt or http://wiki.overbyte.eu/wiki/index.php/ICS_Download.

     

    Angus

     


  11. The Bookmarks docking window is not in Delphi 2007, so new some time since then, I've never looked for it before since the old way of using bookmarks worked perfectly, until Delphi 11.2.  There are probably numerous other IDE features I've missed as well! 

     

    I do like conditional lines being (sometimes) greyed in 11.2, very useful when working on projects with vast amounts of conditional code.  Did not need to search for that, just worked.

     

    Angus


  12. Delphi 11.2 seems to have new IDE bookmarks behaviour, which I understand is an IDE Bookmarks addin from Parnassus. 

     

    In the IDE I have dozens of tabs open with different units, with bookmarks in a few of those units.  If I right click to show the Bookmarks menu it lists bookmarks in the current unit, but if I select one the editor cursor jumps to a random bookmark in a different unit instead of the current unit. 

     

    Just discovered there is a new dockable Bookmarks window that seems to work for the current unit, but the right click menu bookmarks I've used for 20 years are still useless.

     

    Angus

     
