Jump to content

Angus Robertson

Members
 View Profile  See their activity

  • Content Count

    2063

  • Joined

  • Last visited

  • Days Won

    38

Posts posted by Angus Robertson

  1. Posted

    A lot of my applications have what I call triggers, there is a single timer firing every few seconds, and within that are Int64 triggers set for the required internal and tested against GetTickCount64 or GetTickCount.  There is a small library of functions to set triggers for minutes or hours and check them. 

     

    Angus

     

  4. Posted

    That code is creating a digital signature using a private key and Sha-256. 

     

    Windows does have various old high level APIs for signing, using Capicom or Mssign32.dll, I use Capicom to check the digital signatures on EXE files.  There must be low level APIs for signing as well, but I've never looked for them or used them, OpenSSL is so simple, albeit a large overhead since there is so much you don't need.  YuOpenSSL links it's into your application to avoid DLL hell.

     

    Angus

     

  5. Posted

    Which ICS version were you using? 

     

    As I said earlier, there is a limit to the number of new SSL/TLS connections per second due to socket server being a single thread. 

     

    I've previously said in this forum there is a plan for a heavy socket server, which will be configurable for x clients per thread, two threads in theory would double the number of new connections per second, but it could be one thread per client.  This will need a new web server as well. 

     

    But I really need ICS end users with server applications involving thousands of clients to justify the effort developing it.  Would that be of interest? 

     

    Angus

     

  6. Posted

    It is important to handle the onBgException exception event, and Application.OnException.  Recent ICS releases have improved BgException messages to help track the origin.

     

    I log the errors, send an admin email and then stop the service, so Windows can immediately restart it. Unfortunately, some SSL problems do not trigger any events and just crash the program, but it does restart. 

     

    Angus

     

  7. Posted

    I was having a problem with one of my servers not listening under some circumstances, so implemented an internal watch dog that made a connection attempt every minute, very simple using TSslHttpRest;, just a few lines of code triggered from the maintenance timer.  Worked well, but showed the server was still listening. 

     

    The problem turned out to be two services using the same named firewall rule updated each time they started to the current EXE name, so dependent upon the order in which the servers started.

     

    Angus

     

  8. Posted

    My previous SSL/TLS testing shows there is a limit to the number of new connections per second, due to time taken to setup SSL/TLS and all the handshaking involved. 

     

    There is a server setting ListenBackLog which defaults to 15, that means Windows will only queue 15 new connections before rejecting any further attempts. 

     

    You could also try increasing your timeout beyond 60 seconds, to reduce the number of new connections.  An established connection is low overhead, new one high overhead, provided you have sufficient handles and resources to open the total number. 

     

    TLS/1.3 has faster setup than TLS/1.2, if you can use it.  You may also be able to optimize certificate chain checking, the less the faster. 

     

    Angus

     

  9. Posted

    Thanks, my issue does seem to be OpenSSL DLL related, although the same ResetSslSession function may have been called dozens of times during the FTP session, twice for each file uploaded or downloaded, or not once if the session fails due to authentication. 

     

    I should really try with older DLLs and 3.0 built elsewhere.  Although none of this explains why the same program built with Delphi 2007 has worked fine on all my servers for 15 years, with various OpenSSL releases, maybe that is PE header related.

     

    Angus

  10. Posted

    Logging works before SSL_free is called, but nothing afterwards.  This function is called for every SSL connection in ICS, there is no way anything is getting corrupted on a platform basis.  During a normal close down, the ResetSslSession function gets called a second time with all the various pointers nulled, and behaves itself. 

     

    Setting up remote debugging will be tedious, and I doubt would be productive.   It's only the FTP server that seems unhappy, the D10/D11 web server has been running for over a year. 

     

    Angus

     

  11. Posted

    I added syslog logging to the sample so now have logs up to the point of crashing, which is in our function ResetSslSession while closing various handles.  The crash happens after a call to SSL_free(FSsl), but the exception handler does not catch it. 

     

    But this still only happens for a remote connection to the server, not locally.   The remote connection does raise an earlier abort network error, but this is ignored.

     

    So ultimately the problem does not seem to be anything to do with our Delphi code, but with the runtimes in the OpenSSL DLL. 

     

    Angus

     

  13. Posted

    I've been using an ICS FTP server on several of my servers for 15 years or so, compiled using Delphi 2007, although the server component is compatible with all compilers.  I'm now trying to convert more of my applications to D11.

     

    But when built with D11, the FTP server application crashes with a Windows heap corruption exception upon completion of any SSL FTP session, irrespective of what commands were processed during the session.  


    The crash only happens when the application uses OpenSSL DLLs, win32 or Win64, if I build it with YuOpenSSL which links the C code into the app, it does not fail.  

     

    Despite all my error handling efforts including Madexcept, the application is unable to catch the error, just got lots of Windows Error Reporting and Application Error events.

     

    The application itself logs activity, but the last thing logged is the FTP QUIT command, the application crashes before the log writes anything more to disk.

     

    What is strange, this crash only happens on server operating systems, specifically Windows Server 2012 and 2022, and only when accessing the server from another computer, not locally. 

    The same problem has been reproduced in two different server applications, running interactively or as a Windows service.  

     

    The SSL code is well tested and widely used, it's strange the crash only happens on Windows servers in such rare conditions, and that Madexcept can not catch the error, although it is not reported as being in the DLL.  

     

    Faulting application name: magfserver.exe, version: 2.0.0.7, time stamp: 0x62f69268
    Faulting module name: ntdll.dll, version: 10.0.20348.803, time stamp: 0xbee6f04c
    Exception code: 0xc0000374
    Fault offset: 0x00000000001044a9
    Faulting process ID: 0xe00
    Faulting application start time: 0x01d8ae7494fc7fe2
    Faulting application path: C:\magenta\fileserver\magfserver.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

     

    Any thoughts on why an application can fail in such rare but very specific circumstances? 

     

    Angus

     

  14. Posted

    I also have units with underscores, but this was a form so perhaps different rules apply, did not think much of it at the time since I was skipping past the hundreds of modal dialog box errors Delphi gives when opening a project with components that are not currently installed, why no 'ignore all' button and why no logging of all the errors?   It's so frustrating when you migrate projects or update Delphi. 

     

    Angus

     

  18. Posted

    We build IcsCommonD110Run almost daily during development of ICS.  Many others have installed it without any errors reported. 

     

    This would suggest you either have a corrupted version of ICS, unlikely since GetIt also failed, or something is strange about your installation.

     

    Angus

     

  19. Posted

    The content of the ICS packages has not changed in over 10 years or longer, since Delphi XE2 except for new units being added.  

     

    If you want only VCL you install only the two  OverbyteIcsDxx packages, if you want FMX as well you only install the three IcsCommonDxx packages, as explained in the readme8 file.

     

    Using the install groups is much easier, DxxInstall or DxxInstallVclFmx.  There is a Build Group in modern compilers, so a couple of clicks builds all the packages for Win32 and Win64.

     

    GetIt is the same, VCL only or VCL/FMX. 

     

    Angus

     

  20. Posted

    Did Sectigo also ask you for a selfie with your passport?

     

    On a general note, worth mentioning that buying Code Signing certificates will become more expensive and difficult from this autumn when software private keys are banned, you'll need to buy your certificate on a physical dongle probably adding $100 or more to the price, plus shipping and customs hassle for those outside the country where the certificate is sold.  This was the reason I bought a three year certificate earlier this year. 

     

    Angus

     

  22. Posted

    K-Software support is almost non-existent, totally automated, probably how they are able to offer code signing certificates vastly cheaper than anyone else. 

     

    I bought a three year certificate in January, it all worked, they resell Sectigo, you should get an email from certs@ksoftware.net with a link that starts the process, which is fun since it requires Internet Explorer that has now been discontinued.  Eventually Sectigo will contact you to confirm your personal identity using your passport and the certificate will be issued, that is why I paid $188 for three years ($500 from Sectigo) to put off doing it all again. 

     

    Good luck.

     

    Angus

     

  23. Posted

    I have the same opinion of Github, it's fine for complex projects with lots of contributors, but far more complicated than SVN for projects with a small number of trusted contributors. Github may be safer, but at the expense of extra time for project owner merging contributions. 

     

    I only contributed to a Github project once, it was so tedious I now just email the project owner who is welcome to ignore my contributions. 

     

    That is why ICS still uses SVN, which I host on my own public servers (mostly runs itself).  But I'm also retired and not willing to spend much time learning new technology.

     

    Angus

     

  24. Posted · Edited by Angus Robertson

    The log shows a single un-authenticated request resulting in a 401 response, no attempt to send authentication or repeat the request.  The sample would have brought up a dialog box asking for a password to be entered and repeated the request.  

     

    Sorry, but there is no point in posting logs that don't illustrate any real activity or problems. 

     

    BTW, beware of posting real authentication details in an open conference. 

     

    Angus

     

  25. Posted

    The IcsLogger is designed for low level SSL development, not application protocol debugging. 

     

    Try reproducing the problem using the OverbyteIcsHttpRestTst sample with debug logging set to HTTP headers and set a log directory, then send the complete log, not selected extracts, indicating where it fails.  If you can not reproduce the bug in that sample in V8.69, the problem is your code.

     

    Angus

     

×