Angus Robertson

Posts posted by Angus Robertson


  1. I think that property goes back to Windows XP or something when there were different versions of winsock.  But they currently default to 2 and need never be changed. 

     

    You should only get that error if your application tries to change ReqVerLow after TWSocket has loaded, and why would you want to?

     

    Angus


  2. ICS includes a unit OverbyteIcsAvlTrees.pas written by Arno Garrels, from the unit:

     

    Implements a fast cache-like data storage based on two linked AVL-Trees for primary and secondary indexing.  Primary key of type string has to be unique, secondary key of type TDateTime may have duplicates.   AVL or balanced binary trees are extremely efficient data structures for searching data. Finding an element in  65536 requires at most 16 compares.  Uses an AVL-Tree as it is described in the book "Algorithms & Data Structures", Prof. Niklaus Wirth.

     

    No real dependencies on other ICS units.

     

    Angus


  3. You can apply file permissions to Windows folders against Windows logins, but not password protect a folder. 

     

    Yes, ICS is from Overbyte, there is an ICS forum.  You could run your FTP server on strange ports, but that is usually a nightmare with FTP and firewalls/routers.  Fortunately my hosted server has a /27 subnet, don't even use all of them.

     

    Angus

     


  4. IIS FTP uses Windows accounts, so you need to set-up those from Delphi as well, can probably be scripted. 

     

    The usual solution to your problem is to use a long random file name that disappears once the download is completed, but you need to watch the log to see when that happens.

     

    The better solution is to use a Delphi FTP server, like the ICS one I support, then you can control logins and directories yourself easily, using the ICS FTP Server sample you should have a working solution in a few hours, days faster than using WMI.  But it needs its own IP address and port, will not help if you have to use IIS.

     

    There is no type library for the IIS management stuff, it's all WBEM based code.

     

    Angus

     


  5. I have seen DNS amplification attacks using my DNS in the past, usually from the size of the firewall logs, but then block it using the external firewall.  Generally I'm not too worried about exploits, no-one has ever successfully attacked my servers. 

     

    I have however moved the DNS for a test domain to Cloudflare, so will add updating its DNS records to the ICS sample application alongside Windows DNS.  Not sure if I also moved the web site to Cloudflare, the dashboard is very confusing and I don't really care at the moment, need to write code instead.

     

    Angus


  6. My public DNS servers have recursion and caching disabled, they are primary/secondary DNS servers, not used for local DNS.  I believe that avoids the worst abuse, but certainly not an expert.

     

    My experience of the three Let's Encrypt challenge methods is they are all similar speed.  The ICS component already does DNS, it tells you what TXT records to set up manually, I'm just making it easier.

     

    Now if someone has a Delphi component that handles the various cloud DNS providers' APIs I'd love to use it.  I'm sure it's not complicated, just time consuming to set up accounts with various providers to test it.

     

    Angus

     


  7. I get the impression from reading the windns.h DNS API documentation that it's mainly for querying and modifying caching DNS servers, rather than updating primary DNS servers, no functions for server setup,  zones, etc, all of which are in the DNS WMI API.  I also need this to work over a LAN, which WMI handles, albeit sluggishly.

     

    Angus


  8. Has anyone looked at automating management of the Windows DNS Server, such as adding and deleting resource records? 

     

    It can be done using the WMI namespace root\MicrosoftDNS, done a couple of quick tests, I just need to add and remove TXT records (for Let's Encrypt challenges), but wonder whether there is a demand for a more versatile component.

     

    Angus


  9. This is a function I've been using for 15 years, including with OpenSSL command lines, not looked at your code to see how they differ, but might be worth trying it.

     

    Angus

     


    // Requires Windows, SysUtils and Classes in the uses clause.
    // Runs a console command hidden, captures stdout and stderr into a
    // temporary file next to the executable, then loads that file into Output.
    procedure GetConsoleOutput (const CommandLine : string;  var Output : TStringList);
    var
      SA: TSecurityAttributes;
      SI: TStartupInfo;
      PI: TProcessInformation;
      StdOutFile, AppProcess, AppThread : THandle;
      RootDir, WorkDir, StdOutFileName, Cmd: string;
    const
      FUNC_NAME = 'GetConsoleOutput';
    begin
      StdOutFile := 0;
      AppProcess := 0;
      AppThread := 0;
      try
        // Initialize dirs
        RootDir := ExtractFilePath(ParamStr(0));
        WorkDir := ExtractFilePath(CommandLine);

        // Check WorkDir: fall back to the executable's directory if the
        // command's own directory cannot be located
        if FileSearch(ExtractFileName(CommandLine), WorkDir) = '' then
          WorkDir := RootDir;

        // Initialize output file security attributes; the handle must be
        // inheritable so the child process can write to it
        FillChar(SA, SizeOf(SA), #0);
        SA.nLength := SizeOf(SA);
        SA.lpSecurityDescriptor := nil;
        SA.bInheritHandle := True;

        // Create Output File (fixed name in the executable's directory, so
        // not safe for concurrent callers, and that directory must be writable)
        StdOutFileName := RootDir + 'output.tmp';
        StdOutFile := CreateFile(PChar(StdOutFileName),
                       GENERIC_READ or GENERIC_WRITE,
                       FILE_SHARE_READ or FILE_SHARE_WRITE,
                       @SA,
                       CREATE_ALWAYS,                // Always create it
                       FILE_ATTRIBUTE_TEMPORARY or   // Will cache in memory if possible
                       FILE_FLAG_WRITE_THROUGH,
                       0);

        // Check Output Handle
        if StdOutFile = INVALID_HANDLE_VALUE then begin
          StdOutFile := 0;   // nothing to close in the finally block
          raise Exception.CreateFmt('Function %s() failed!' + #13#10 +
            'Command line = %s', [FUNC_NAME, CommandLine]);
        end;

        // Initialize Startup Info: hidden window, stdout and stderr both
        // redirected to the temporary file
        FillChar(SI, SizeOf(SI), #0);
        with SI do begin
          cb := SizeOf(SI);
          dwFlags := STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES;
          wShowWindow := SW_HIDE;
          hStdInput := GetStdHandle(STD_INPUT_HANDLE);
          hStdError := StdOutFile;
          hStdOutput := StdOutFile;
        end;

        // CreateProcessW may write into the command line buffer, so pass a
        // private writable copy rather than the const parameter
        Cmd := CommandLine;
        UniqueString(Cmd);

        // Create the process (bInheritHandles = True so it gets StdOutFile)
        // and wait for it to finish
        if CreateProcess(nil, PChar(Cmd), nil, nil,
                         True, 0, nil,
                         PChar(WorkDir), SI, PI) then begin
          AppProcess := PI.hProcess;
          AppThread := PI.hThread;
          WaitForSingleObject(AppProcess, INFINITE);
        end
        else
          raise Exception.CreateFmt('CreateProcess() in function %s() failed!'
                       + #13#10 + 'Command line = %s', [FUNC_NAME, CommandLine]);

        // Close our copy of the file handle before reading the file back
        CloseHandle(StdOutFile);
        StdOutFile := 0;

        Output.Clear;
        Output.LoadFromFile(StdOutFileName);
      finally
        // Close handles
        if StdOutFile <> 0 then CloseHandle(StdOutFile);
        if AppProcess <> 0 then CloseHandle(AppProcess);
        if AppThread <> 0 then CloseHandle(AppThread);

        // Delete Output file
        if FileExists(StdOutFileName) then
          SysUtils.DeleteFile(StdOutFileName);
      end;
    end;


  10. The chorus certificate is an intermediate, it should be signed by a CA, the main chorus-pro.gouv.fr intermediate is signed by Certigna Services CA which is in the ICS trusted bundle RootCaCertsBundle.pem.

     

    But the failure of all the browsers and ICS to connect is not a certificate issue, it is never sent, it failed before that.  Perhaps using SHA1 ciphers or something else outdated.

     

    Angus

     


  11. I can not reach https://chorus-pro.gouv.fr:5443/ with any of the four browsers on my PC either, so not really surprising that ICS can not reach it, a badly configured site. 

     

    Perhaps it only supports an ancient SSL version no longer supported by anyone?  The certificate is issued by someone that is not a trusted CA, but that is not the main issue.  Their main site is fine, but it uses a different SSL certificate to the site on port 5443. 

     

    Although ICS provides what looks like detailed SSL debug logging, this is virtually useless for SSL protocol investigations since none of the protocol packets are decoded.  Wireshark does such decoding, but I really would not waste your time, just ask the web company what TLS protocols they support and which browsers.

     

    Angus

     


  12. Not sure if Qualys check FTP errors, the logs just show dozens of login attempts with real and anonymous credentials, the fail is when they get access.  Did not actually check any RFCs to see what to do, response 533 was already used for another command not allowed without TLS.

     

    Angus

     


    Implicit TCP/IP connections were originally easier to implement since they did not require changes to the protocol, often done with STunnel or similar for FTP, POP3, NNTP and SMTP.  Once the protocols got updated with the STARTTLS command, some people tried to make the implicit ports obsolete, but this can be dangerous since end users don't always tick the use SSL/TLS box.

     

    There is a new RFC 8314 'Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access' that again recommends implicit ports as being good practice.

     

    I have penetration testing by Qualys on my public server and they kept failing FTP port 21 for allowing clear text passwords, so I've just updated the ICS FTP server component to return '533 USER requires a secure connection' if the LOGIN command is sent before STARTTLS, and Qualys is now happy again. 

     

    Angus

     

     

     

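    The 533 behaviour from the two posts above (refusing USER before the control connection is secured), as an added example in Python rather than the ICS Delphi server code; the FtpLoginGate class, the sample user store and the command sequences are constructed for illustration. It goes slightly beyond the post by also modelling an implicit-TLS listener, where the channel is already encrypted before the first command arrives.

```python
# Added example, not ICS code: a server-side gate for the FTP login phase that
# refuses clear-text credentials until the control connection is secured,
# replying 533 as the post describes. Covers both listener styles discussed:
# implicit TLS (port 990, encrypted first) and explicit TLS (AUTH TLS first).
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FtpLoginGate:
    implicit_tls: bool = False           # True for a port 990 style listener
    require_tls_for_login: bool = True   # False reproduces the Qualys finding
    users: Dict[str, str] = field(default_factory=dict)  # constructed sample store
    secured: bool = False
    pending_user: Optional[str] = None
    authenticated: bool = False

    def __post_init__(self) -> None:
        # an implicit-TLS listener hands over an already encrypted channel
        self.secured = self.implicit_tls

    def handle(self, line: str) -> str:
        """Return the reply for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if arg.upper() not in ("TLS", "SSL"):
                return "504 Only AUTH TLS is supported"
            self.secured = True  # a real server runs the TLS handshake after this reply
            return "234 AUTH TLS OK, starting TLS negotiation"
        if verb in ("USER", "PASS") and self.require_tls_for_login and not self.secured:
            # refused before the credential is stored, compared or logged
            return "533 %s requires a secure connection" % verb
        if verb == "USER":
            self.pending_user = arg
            return "331 Password required"
        if verb == "PASS":
            if self.pending_user is not None and self.users.get(self.pending_user) == arg:
                self.authenticated = True
                return "230 User logged in"
            self.pending_user = None
            return "530 Login incorrect"
        if verb == "QUIT":
            return "221 Goodbye"
        return "530 Please login with USER and PASS"


def run_session(gate: FtpLoginGate, commands: List[str]) -> List[str]:
    """Feed a constructed client command sequence through the gate."""
    return [gate.handle(c) for c in commands]
```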

  14. Depending on your version of Delphi and project options, you may need to copy libcrypto-1_1.dll and libssl-1_1.dll  from the samples directory into whatever directory the DCUs and EXE end up in, perhaps win32\debug or win32\release. 

     

    All ICS SSL applications need access to libcrypto-1_1.dll and libssl-1_1.dll which are the latest versions of OpenSSL. In theory, these can be loaded from a directory in the common path or Windows directory, but because there are so many different applications using OpenSSL, you can get lots of old DLL versions on your PC, often not compatible with each other.  So generally it is safest to distribute the OpenSSL DLLs in the same directory as your application, so you have a reliable known version.

     

    By default, ICS applications will try and load from the local directory first before looking elsewhere, in your case it probably found an old OpenSSL DLL elsewhere on your PC, but was missing the other.  You can force ICS to load the DLLs from a specific directory, to avoid such issues. 

     

    Angus
     

     

     


  15. The server now uses all three protocols, svn, http and https.  The old server did not have https or rather we never set it up. 

     

    I agree the svn protocol on port 3690 is very old, but we always supported it and many people will have scripts expecting to use svn (like me) rather than http, so it's still running. 

     

    Angus

     
