Angus Robertson

Two new zips for Win32 and Win64 versions of OpenSSL 1.1.1j can now be downloadable from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . The latest 1.1.1 DLLs are also included in the ICS distribution SVN and overnight zip.

Beware SVN and the overnight zip for forthcoming V8.66 include is a major clean-up of OpenSSL functions, and may require end user application changes if low level OpenSSL functions have been used,
hopefully very rarely.   All OpenSSL functions have been renamed to their original names removing ICS f_ prefix so they now have the original OpenSSL names for commonality with other Delphi
applications.

OpenSSL 1.0.2 and 1.1.0 ceased security fix support over 12 months ago, so ICS now only supports 1.1.1, with 3.0 support due in the next few months. This removes a lot of legacy code and functions, and several old ICS functions needed for backward compatibility.  Two components only used for 1.0.2 have been removed, TSslStaticLock and TSslDynamicLock which may give an error loading forms, until they are removed.  SslContext SslOptions is now ignored, use SslOptions2 instead which has more modern options.  Can not remove SslOptions because it's saved on too many DFMs. Most modern
applications should not be using SslConext, but IcsHosts for servers or high level client components like TSslHttpRest.

If your application needs to use 1.0.2, you must keep using V8.65 or earlier.

Angus

Found the integer overflow in WSocketIsDottedIP, not sure why it was called, but fixed anyway. 

Had to write a little application to create fake web requests, should really improve it for server testing.

Angus

Yes, that logging line is built from the host header, RequestHost and Path properties.  I'll need to test this under the debuggger to see if the overflow was in my logging code or the server component.

Angus

The Whois result is always free text, and varies between registrars.  But usually you'll see something like:

One example:

   Updated Date: 2020-10-30T06:00:11Z
   Creation Date: 2020-10-30T06:00:08Z
   Registry Expiry Date: 2021-10-30T06:00:08Z
   Registrar: NameCheap, Inc.
  

My own domain (very old): 

    Relevant dates:
        Registered on: before Aug-1996
        Expiry date:  02-Sep-2022
        Last updated:  03-Aug-2020

so you just search for that expiry line and get the date, allowing for various formats.  You need to check several domains for different formats. 

If you manage to collerct all this information and parse it sensibly, we could add it to the component for others.  I'd particular like domain registered date, because most spam comes from newly registered domains.

Angus

So I guess a hacker testing IPv4 addresses sequentially, and too lazy to convert his numbers to a dotted IP address, except the server is http://3650250390/ which does work from Firefox, but may have been converted by the browser.

One of my hacking tests is for numeric IPs since no real visitor would use them, they go on an immediate 24 hour block list.

Angus

15:33:40 Request from 209.141.46.116 (), Host=TELECOM: http://2573636313/ GET

15:33:40 !!! Application Server Exception Big - Integer overflow
15:33:43 Restarting Server After Errors

Guess we need to validate silly URLs more carefully. 

Angus

14 minutes ago, Attila Kovacs said:

Are you sure? Never seen that.

Absolutely, I keep the four targets files that Microsoft deletes when it you re-install or patch framework v2, they are in a Microsoft folder atter all, so maybe it was Borland's error. 

Angus

There are subtle changes with new versions of windows.

Getting the actual windows version is much harder than it used to be since Windows now fakes old versions to keep old applications happy. 

Auto running from the registry is harder if your application has admin rights, since that is something hackers try to do to gain admin rights. 

There must be a list of these things somewhere, these are just two in the old application I'm maintaining today.

But generally, Delphi applications compiled 20 years ago still run today, as do new applications compiled with 20 year old compilers (mostly). 

Never used .net, but I know security holes are fixed every month, and Microsoft keeps breaking Delphi 2007 by regularly deleting the  Borland.*.Targets files from the Framework directory.  I would never sell an application that Microsoft can so easily break. 

Angus

The distribution does not include any .lib files, they are presumably built when you build the C++ packages.

Angus

Disabling Windows Update is an art, Microsoft does keep trying to restart it afer any updates are installed manually, and there are two services to stop.  I've not recently tried to stop Update, but Firewall has not run here for three years.

Angus

Surely disabling the Windows Update and Windows Update Medic Service services through the registry should be sufficient to stop them working.  That's the only way to stop Windows 10 Derfender Firewall interferrng with internet connections, even if turned off. 

Angus

I was updating the check alive capability of one of my applications to add IPv6 support this week, so created a new ICS component TIcsInetAlive to check for IPv4 and/or IPv6 internet
connectivity, using Ping and/or HTTP, defaulting to  www.msftconnecttest. com run by Microsoft for Windows 10 alive checking, online and offline check intervals may be set, event when online changes.   In SVN now.  There is a demo in OverbyteIcsHttpRestTst.dpr.

It is also a sample for using TSslHttpRest, needing only a few lines of code for HTTP requests. 

Angus

I've just written a new TIcsInetAlive component, will be in SVN shortly, it measures the round time for ping and HTTP requests, and these are my results from Windows 10 over FTTC to a London data centre where Microsofts hosts this domain. 

08:31:24  Check Alive Ping to www.msftconnecttest.com (13.107.4.52) took 5 msecs
08:31:24  Check Alive to http://www.msftconnecttest.com/connecttest.txt (13.107.4.52) took 16 msecs
08:31:49  Check Alive Ping to ipv6.msftconnecttest.com ([2a01:111:2003::52]) took 5 msecs
08:31:49  Check Alive to http://ipv6.msftconnecttest.com/connecttest.txt ([2a01:111:2003::52]) took 15 msecs

Note HTTP is the complete lookup DNS, connect, get a page, close cycle, not just send and receive a packet. I'm only timing with ticks, not performance counter, but I believe ticks are reasonably accurate in modern versions of Windows.

Angus

I don't believe ICS has any OS checks between Windows 7 and 10, only back to XP, nor does it check for 32-bit or 64-bit versions of Windows, and no conditional Win64 code for TWSocket. But the Windows winsock code is 12 years younger so maybe different. 

Are you sending packets using simple TWSocet functions, using IP addresses not domain names?

Angus

The Dxx projects are Delphi, CBxx are C++ Builder.  Looks like I put an extra D in the name, should have been OverbyteIcsCB101Run.cbproj, but evewn that is missing, so try Packages\OverbyteIcsCBXe3Run.cbproj and Packages\OverbyteIcsCBXe3Design.cbproj.  We are dependent upon C++ users to supply packages for new compilers, and it does not happen often enough.

Angus

Indeed, lets hope Embarcadero uses it to bring some long neglected RTL files up to date.

Also OpenSSL, but dare not ask them anything new, so far behind on 3.0.

Angus

Thanks, I'll update the DllSuffixes for the next release of Delphi.  I added support for DDService in Delphi 10.4 last summer.

Angus

Unless you need FMX support, you would be better installing the VCL only packages, they are less complicated.  But we don't seem to have them for 10.2 and later, so try using OverbyteIcsCBD101Run.cbproj and OverbyteIcsCBD101Design.cbproj

Sorry, I don't use C++ so can not help you any further.  We are dependent upon ICS users for C++ support.

Angus

Add recent: to the start of the account user name, no spaces.

Angus

Quote

But not all servers reply to ping request...

www.msftncsi.com and ipv6.msftncsi.com both respond to ping. 

Angus

Rather than accessing Google, you should check http://www.msftncsi.com/ncsi.txt and http://ipv6.msftncsi.com/ncsi.txt  which are the Microsoft Network Connectivity Status Indicator web pages used by almost all Windows installations every few seconds for many years to detect network connectivity for IPv4 and IPv6 (one or other may not work). They are designed for heavy use, and return a two word text page.

While you can use TCP to open a web page, there is a long timeout trying to connect, 30 seconds or more, so it's faster to use ICMP ping, to www.msftncsi.com, look at the OverbyteIcsPingTst.dpr sample, with ping you can set a five second (or less) timeout to get a quick response.

Angus

The original example was a short POST URL with parameters sent as Json, which can easily be encypted in numerous ways for privavy, base64 does not protect anything.  Advantage of using JOSE is the use of standard libraries.  Not sure why one would want to prorect a simple login page URL. 

Angus

Quote

It is impossible for a server to detect middle man when the secure connection is TLS/HTTPS with only server side certificate authentication

Which is why many servers insist on using JOSE technologies such as Json Web Signing which means the headers are signed with a password or private key before being sent, so can not be changed without the server knowing, this is how Let's Emcrypt and OAuth1/2 work.  Or Json Web Encryption if you don't want the headers read. 

Angus

Sorry, my fault, seems the latest version never made it to master or SVN,  Will be fixed real soon, once I get SVN installed on my new development PC, such a pain building new systems. 

Angus

Quote

I did have to add `TIcsRestEmail` to the parameter list of the RegisterComponents() procedure call in `OverbyteIcsReg.pas`

The comments at the top should say: Sep 2020  V8.65  - Added TIcsTwitter and TIcsRestEmail, unless you have an older version?

Angus