Posts posted by Angus Robertson
-
-
YuOpenSSL is supplied as dozens of compiled DCUs for Delphi 6 and later, with Win32 and Win64 versions.
I'm told a lot of preprocessing of the original OpenSSL code is required before it will compile, for instance there is heavy use of macro expansion statements that need converting into pure C. But this is automated, and new versions of YuOpenSSL usually appear within hours of a new OpenSSL release, one is due next week.
The original OpenSSL can be built for multiple platforms, but I guess doing so for Delphi is a commercial decision, depending on demand.
BTW, I'm just a YuOpenSSL user, it's not my project.
Angus
-
There is a commercial solution to statically linking OpenSSL with three different Delphi internet components from https://www.yunqa.de/delphi/products/openssl/index
But they don't support OpenSSL 1.0.2 which is long obsolete and has no recent security fixes. But YuOpenSSL includes a new Indy OpenSSL 1.1.1 IOHandler so it can handle TLSv1.3 and YuOpenSSL supports OpenSSL 3.0 for ICS.
Angus
-
RFC 9114 for HTTP/3, aka QUIC/UDP has only just been released. Earlier versions of QUIC are supported in various browsers, but are really only beneficial for complex web pages with hundreds of elements, not sure how relevant to the users of ICS, no-one has ever asked for HTTP/2.
There is a fork of OpenSSL by Google, Microsoft and Akamai supporting QUIC, but the committee did not like the design and refused to merge it, instead starting a fresh QUIC design:
https://www.openssl.org/blog/blog/2021/12/03/starting-the-quic-design/
No specific news about a release date, although lots of activity on GitHub, so probably months away from release. Waiting for OpenSSL is probably the safest long term solution for HTTP/3.
Angus
-
2
-
-
What are you wanting to achieve?
Angus
-
Sorry, downloading from GetIt is after the web sites, and even longer when I forget to notify them.
Angus
-
1
-
-
SVN has been updated with a fix to create period decimal points instead of commas, using a simple version of TFormatSettings, thanks for finding this and the fix suggestions.
When I change the test app locale to Hungarian, I noticed the strange date formatting with spaces, fortunately ICS uses its own masks and functions for internal date formats.
Angus
-
Unfortunately, ICS claims to still support Delphi 7, and I did build V8.69 on it last week to check, so any fixes need to be backward compatible, although there are one or two features not supported on D7. I'll look at this next week, long holiday weekend in the UK.
Angus
-
35 minutes ago, PizzaProgram said:
V8.65 ... Replaced gcvt with FloattoStr
That change was to allow the unit to be used on non-Windows systems, gcvt is a Windows API.
The dirty way to fix this is to replace a comma with a period immediately after the FloatToText statement, I'll investigate if there is a non-localized FloatToText alternate.
Angus
-
1
-
-
If I improve the JSON sample, I'll explain the improvements.
Angus
-
Thanks, 2023 might appear in one or two other units, as well.
The JSON visual parser is quite useful, keep meaning to add a backwards button to make it faster.
Angus
-
Whoops, the file is in SVN but missing from the zips, they will be updated shortly.
Angus
-
The trick I believe Windows itself uses is to allow one or two failures of the hardware IDs that are collected and compared, to allow for replacement components. Assuming you store and compare each ID separately, rather than hashing them all together.
Also beware that some Ethernet MAC addresses are deliberately random, most new phones and Windows 10 (unless disabled), in an attempt to stop some web sites tracking you. There is a bit in the MAC that indicates it is random. Random IPv6 addresses often include the MAC, so are not really random at all.
Angus
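The per-ID comparison with a tolerance for replaced components, and the MAC "random" flag (the locally administered bit, 0x02 in the first octet), as an added example that is not part of the original post. The component names, sample values and the tolerance of two changes are constructed assumptions.

```python
# Added example, not from the original post. All IDs below are constructed.

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw

def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set, which is how
    randomized (private) MAC addresses are marked."""
    return bool(parse_mac(mac)[0] & 0x02)

def usable_ids(ids: dict) -> dict:
    """Keep only IDs worth comparing: non-empty, and no random MACs."""
    out = {}
    for name, value in ids.items():
        if not value:
            continue
        if name.startswith("mac") and is_locally_administered(value):
            continue  # changes on its own, so it says nothing about the machine
        out[name] = value.strip().lower()
    return out

def same_machine(stored: dict, current: dict, max_changed: int = 2, min_matched: int = 2):
    """Compare each stored ID separately; a missing or different value
    counts as one change. Returns (accepted, list_of_changed_ids)."""
    a, b = usable_ids(stored), usable_ids(current)
    changed = sorted(k for k in a if b.get(k) != a[k])
    matched = len(a) - len(changed)
    return (len(changed) <= max_changed and matched >= min_matched), changed

# Constructed sample: IDs saved at activation time.
STORED = {
    "board_serial": "MB-0001-CONSTRUCTED",
    "disk_serial": "DSK-1111",
    "cpu_id": "CPU-AAAA",
    "mac_eth0": "00:1A:2B:3C:4D:5E",   # universally administered, stable
    "mac_wlan0": "DA:A1:19:00:00:01",  # 0xDA has bit 0x02 set: random
}
# Same machine later: disk replaced, Wi-Fi MAC re-randomized.
NEW_DISK = dict(STORED, disk_serial="DSK-2222", mac_wlan0="5E:10:20:30:40:50")
# A different machine: nothing stable matches.
OTHER = {"board_serial": "MB-9999", "disk_serial": "DSK-9", "cpu_id": "CPU-ZZZZ",
         "mac_eth0": "00:AA:BB:CC:DD:EE", "mac_wlan0": "DA:A1:19:00:00:01"}

if __name__ == "__main__":
    print(same_machine(STORED, NEW_DISK))
    print(same_machine(STORED, OTHER))
```

Hashing all the IDs into one value would turn the single disk change above into a complete mismatch, which is why each ID is stored and compared on its own.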
-
ICS V8.69 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download
ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 3.0.1 win32, with other versions of OpenSSL being available from the download page.
Major Changes in ICS V8.69 include:
1 - V8.69 has a lot of minor improvements, more HTTP client and server features, better built-in authentication, and added built in file uploading to the REST client component. Also continuing improving all the HTTP samples so they now hopefully test all the features of the ICS HTTP server, specifically adding POST and PUT file uploading, and a new client login window for interactive authentication with servers. Also added OCSP (Online Certificate Status Protocol) to ICS, which is used to check SSL/TLS certificates are legitimately issued and not revoked.
2 - In the HTTP client, added new methods RequestAsync and RequestSync which start a specified request by parameter, useful to repeat the last request from an event (such as should be trust the certificate and repeat). When using a proxy, make sure Path is not blank which will break proxies, change to / as for non-proxy requests. GetRequestDoneErrorStr now handles TWsocket errors. Fixed NTLM authentication which got broken in V8.61. Added a new THttpAuthType of httpAuthDigest2 for Digest with the modern SHA-256 algorithm instead of MD5 used by httpAuthDigest, only with USE_SSL. Added new property WWWAuthInfos array filled after 401/407 failure by parsing AuthorizationRequest headers for AuthType and Realm that may be presented to select an authentication option, get login and repeat request. Remove # fragment anchor from the URL unless the new Option httpoAllowAnchor is set.
3 - In the HTTP REST client, added built in file uploading using POST or PUT. The file name is specified in HttpUploadFile using type HttpUploadStrat of HttpUploadSimple with parameters in the URL or HttpUploadMIME for multipart with parameters in the first MIME part. Note the application needs to supply parameters like FileName so the server knows what to do with the file. This may be tested against the ICS web server samples. Upon request completion, ReasonPhrase now also has status, so OK becomes 200 OK, etc. Previously the SslRevocation property was only effective when checking the Windows certificate store, now it also works with bundle files using the new TOcspHttp component and OCSP stapling if available.
4 - In the HTTP server component, now converting FLastModified to UTC/GMT time for the response header. Added new authentication type atDigestSha2 with a SHA256 hash instead of MD5 with atDigest only supported with USE_SSL. Note: Mozilla Firefox supports Digest SHA-256, Chrome and Edge do not. Added a new client connection OnHttpRespHdr event to allow response headers to be logged, previously only request headers could be logged. Cleaned up AnswerStream functions so separate lines don't go into send buffer. Added OcspSrvStapling property which should be set to enable OCSP checks and stapling only with AUTO_X509_CERTS define since it adds extra HTTP client code. A revoked certificate will be auto ordered.
5 - In TWSocket, added new method SendTB(const Data: TBytes; Len: Integer=-1) where Len is optional, also similar SendToTB and SendToTB6 with TBytes, as an alternative to casting such types to use Send(). Restored the TlsExtension_cb callback for client debugging since ClientHelloCallback only works with servers.
6 - In TSslWSocketServer added OCSP (Online Certificate Status Protocol) support with IcsHosts using the TOcspHttp component to confirm server SSL/TLS certificates are legitimate and not revoked for security reasons. The certificate OCSP response is also stapled to the initial SSL/TLS HELO handshake and sent to the client to avoid it needing to lookup OCSP using HTTP itself. OCSP responses are cached and saved to a file for reloading later, but are refreshed every time the certificate is validated, at least once a day. The new server property OcspSrvStapling enables OCSP checks and stapling only with AUTO_X509_CERTS define since it adds extra HTTP client code. A revoked certificate will be auto ordered. OCSP checking is done in LoadOneCert and the stapled response sent in TriggerSslServerName when checking SNI. The same OCSP support is available in all ICS servers that use IcsHosts, including FTP, HTTP and TIcsIpStrmLog.
7 - All three main HTTP SSL client sample applications FrameBrowserIcs, OverbyteIcsHttpsTst and OverbyteIcsHttpRestTst now support interactive authentication with a new Login window that displays the different methods the server will accept (from the new property WWWAuthInfos array) allowing one to be selected from Basic, Digest MD5, Digest SHA256 and NTLM logins. This window is displayed after a 401 error and the request then repeated.
8 - The OverbyteIcsHttpsTst SSL sample now has all the missing features from the non-SSL samples, Content Encoding Gzip tick box to support compression, persistent cookie support, POST/PUT support to either send simple data or upload files in various ways (from OverbyteIcsHttpPost1 sample), may be tested against the ICS web server samples.
9 - The OverbyteIcsDDWebService SSL web server sample now builds on unicode compilers. Added authentication for POST requests and new 'Password protected page (POST)' button on the demo menu to test authentication using POST. Fixed web logging to log correct multiple listener. Builds on unicode compilers. Added Digest SHA-256 authentication page DemoDigest2Auth.html and DemoDigestsAll.html that does both digests. DemoAuthAll.html no longer does NTLM, use the separate page. Now displays server response headers if box ticked, only displayed request headers before. File Upload Form and Email Form pages now work without exceptions. The OverbyteIcsSslMultiWebServ SSL web sample has similar new authentication features and logging fixes.
10 - Updated OpenSSL to 3.0.3 and ZLIB (HTTP compression) to 1.2.12, sorry for long delay in updating zlib, now including some important bug fixes, although never saw any issues with the minimal use ICS makes of it. Updated the various ICS CA Trusted Stores.
11 - The OverbyteIcsPemtool SSL sample now does OCSP checks when examining certificate files. There is also a new Test Host Certificates tab that tests SSL/TLS handshake and certificates (using TIcsIpStrmLog) for a list of host names and ports, building a list of host and intermediate certificates that may be further checked and saved as files or added to an intermediate bundle. This new tester should prove useful for debugging sites that return SSL or certificate errors.
More detailed release notes are at http://wiki.overbyte.eu/wiki/index.php/ICS_V8.69
-
1
-
8
-
-
He originally posted the question in the ICS forum, but the issue is not with ICS, but with a Javascript web page implementation to display data from the websockets server.
Angus
-
You know ICS is sending the data, so the issue here is your Javascript to receive the data. You say you are using the ICS sample HTML page, why do you think it is designed to receive data from the server?
Angus
-
I've been using Axolot Data XLSReadWrite to read and create XLS and XLSX spreadsheets for almost 20 years. Not free, but just works.
Angus
-
1
-
-
Sorry, I did not write the WebSockets component, and only minimally tested it. Perhaps someone who actually uses WebSockets will have a suggestion.
Angus
-
Sorry, other sample not in the main project group that is a victim of functions moving between units to ease linkage.
Please just add OverbyteIcsUtils to the OverbyteIcsWebSockets uses clause.
Angus
-
This is now fixed, should be in SVN tomorrow with a lot of other HTTP improvements.
There is a new option to skip removing the # fragment anchor where users are deliberately using # as a parameter without escaping it. But this is likely to be so rare the option has to be set to leave it, so technically not backward compatible which is our development philosophy.
Angus
-
1
-
-
# is an anchor, an instruction to the browser on how to display the page, it is never sent to the server as part of the URL by a browser. Your application should create a valid URL by removing the #. ICS does not validate the URL for illegal content.
Angus
-
2
-
-
OpenSSL has released new versions of the two supported branches, 3.0.3 and 1.1.1o, Windows binaries are available from
http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp .
OpenSSL 3.0.3 fixes a moderate security risk relating to the OCSP_basic_verify function but using an option ICS does not use, a low risk problem with an incorrect MAC key used in the RC4-MD5 cipher suite but which would never be used on modern connections, and a low risk problem with resource leakage when decoding certificates and keys and clients and servers configured to accept client certificate authentication, which might eventually run out of memory.
Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.
Angus
-
3
-
-
ICS does make increasing use of TBytes internally, so adding an overloaded Send would make sense, a few days.
You can always pass a code page to SendStr, that is another overload.
Angus
-
1
-
-
I am still seeing those debug lines in my main web server application, but not in two other ICS sample web servers.
But this is purely something I see under the Windows 11 debugger, the server itself on two Windows Server 2018s is handling tens of thousands of requests daily and one Windows Server 2022.
My other Windows 11 DNS problem turned out to be no gateway on one of the two network adapters.
Angus
-
ICS includes an updated version of THTMLParser from Dennis Spreen 20 years ago, very simple, just works.
https://svn.overbyte.be/svn/ics/trunk/Source/OverbyteIcsHtmlPars.pas
Angus
ICS V8.69 announced
in ICS - Internet Component Suite
Posted
Sorry for the delay, ICS V8.69 is now available for automated install from GetIt for Delphi 10.4 and 11.
Once installed, you should find the SSL demo sample group in a directory similar to:
C:\Users\angus\Documents\Embarcadero\Studio\22.0\CatalogRepository\ICS_FMX-8.69-11\Samples\Delphi\SslInternet\SslDemos.bpg
Angus