Angus Robertson

Apologies if anyone has been having trouble accessing the ICS SVN over the last week, I've retired the 12 year old VM it was running on and now installed SVN on a new hosted Windows Server 2019, not trivial since I'd forgotten how we set it up all those years ago and I've avoided messing with it so as not to break it.

But SVN is now running on a modern version of Apache supporting SSL and running on ports 80, 443 and 8443 (the old one), so you can access http://svn.overbyte.be/svn/ or https://svn.overbyte.be/svn/ as well as the old URL, or svn://svn.overbyte.be/ which is unchanged.  That last server took a long time to set-up because I thought it was part of Apache but turns out to be a little SvnServe program that had been running for 12 years without me noticing.  SVN is now also available on IPv6, but that is transparent and handled by DNS. 

I believe the Apache SSL configuration is correct, but it also serves svn.magsys.co.uk with a separate certificate and sometimes gets confused about which to send. 

Please shout if SVN does not behave as expected.

Angus

ICS has a TMimeTypesList component that will read MIME types from the Windows registry, a supplied file mime.types or an internal list, application/vnd.ms-excel is common.  This component is used by TSslHttpServer for files it opens.

Angus

You should build the sample OverbyteIcsXferTst.dpr which is a a full SSL FTP client GUI, and uses TIcsFtpMulti which is much easier and quicker to use than TSslFtpclient. 

Angus

Beware ContentType: xls/xls is not commonly supported by browsers, but if it works...

Angus

15 hours ago, AllanF said:

With OverbyteIcsPemTool.exe Menu item Create a self-signed certificate. 

Sorry, seems the CreateSelfSignedCert function in OverbyteIcsSslX509Utils.pas got broken while being modernised, you need to add a missing line:

 MySslCertTools.ExpireDays     := Days;   { V8.64 got lost }

and it will work properly again.  Sorry, did not test that old function properly. 

The modern way to create a self signed certificate is using fields and buttons on the New Certificate Properties and Create Certificates tabs.  First click 'Generate Key Pair', complete the various New Certificate Request Properties, previous tab, click 'Create Self Signed Cert from Properties', then at the bottom of the tab specify the file names for the formats you want to save, tick if you want the private key in the same file, then click the buttons to save in PEM, PKCS12, DER, etc.  Finally on the List Certificate tab, click View Single File to double check the certificate is created properly. 

Those three tabs perform most of the common certificate functions of the OpenSSL command line tool.

Angus

By old files, I meant long expired SSL certificates and job files that are no longer needed since ICS samples can now do everything they did.  People try to use them and wonder why they don't work. 

Angus

Generally, the 'filename' is that of the page accessed with the GET request and is not returned in the response header.   Again generally you should use the FilenameToContentType function to get the content type, which will return 'application/octet-stream' for an XLS file, which will cause the browser to bring up a dialogue box asking what to do with the file.  If you want to display the file, there are Microsoft special headers to do so.  Keep it simple until it works.

Angus

Created PEM files how, which applications or which functions with what parameters.  Generally public certificates can no longer be issued with an expiry beyond one year and certain ICS tools do limit that. 

Angus

As I said before, you don't need to use OpenSSL command line tools to create certificates, ICS has functions to do that.  ICS has a lot of really old examples untested for 10 years, really should be removed. 

You should build the OverbyteIcsPemTool.dpr sample which has numerous facilities for creating, testing, converting and viewing X509 certificates, in various formats.  Then open your certificate files which will immediately tell you whether ICS can read them, and display all the content.  There are several Wiki FAQs on certificates I previously suggested you read that explain this all in detail.

ICS with OpenSSL applications work perfectly on Vista and Windows 2008, two of my public servers are 2008, closed down last week due to Microsoft support ending after 12 years.  I believe ICS applications still work on Windows XP but that has been out of support for years so no longer tested. The latest version 1.1.1 of  OpenSSL no longer supports Windows XP, you need to use 1.0.2 or 1.1.0, both of which are now out of support so no security fixes.  OpenSSL and Microsoft do offer paid support for XP and 1.0.2 for large organisations that really can not upgrade, but not for home users.

Angus

The latest versions of TSslFtpServer and TSslWSocketServer do not require to use an SslContext, which was never well documented and is complicated to use.  You should instead use IcsHosts to specify listeners, SSL properties and certificates,  The IcsHosts SslCert property can be a file name or an string containing a PEM certificate and the component loads either automatically.  This is all done in TSslWSocketServer.LoadOneCert if you really want to do it the old way.

Angus

OverbyteIcsWebAppServerUploads,pas is a handler that accepts POSTed files.

Angus

No TSimpleWebSrv does not currently support POST or PUT, if you look at the diagnostic log output you'll see 'Server Request Ignored'.  It was designed as a light weight server for OAUTH2 and responding to well-known requests by certificate authorities.  Adding complexity increases the size of any ICS REST applications that use those features.

Angus

Better use of multiple CPUs needs threads, which we generally try to avoid in ICS, but bring the ICS threaded socket server up to date is on my list, and perhaps allowing the web server to use it.

I'm aware there are Windows APIs that offer performance improvements over our existing use of sockets, by sending and receiving entire files, but you then lose control over what is happening and SSL becomes problematic.  But it's something we can look at.

Angus

I've explained the limitations of the TCP implementation on Windows and how to get around it.  If you don't want to listen to my experience, feel free to Google for better solutions then let us know when you have a proven working solution.   Many of us have done all this before, often several times. 

Angus

I have already given my suggestions on how to solve very common issue.   If you need new features you have the ICS source and you can update it yourself.   Or listen to those of us that have been using it for 20 years.

Angus

If you want to write your own internet library for your own requiremets, please feel free.

Angus

I would suggest reading ICS wiki FAQ_Using_TSslCertTools which explains all about certificates, and FAQ_Order_SSL_Certificates.  There are other FAQ on how we handle trust stores. 

Angus

TCustomTimeoutWSocket timeouts relate to a socket that is already opened and connected, primarily a server socket, not to TCP DNS and connection attempts.  As Francois says, you can use a timer to abort the connection, but this does not stop the windows connection attempt so the socket can not be re-used immediately for another attempt. 

Angus

7 hours ago, AllanF said:

I am trying to create Self Signed Certificates using  IcsSslBuildCerts.bat

Those are really old files and should have been removed a long time ago.

The primary demo and documentation for X509 certificates is OverbyteIcsPemTool.dpr which will display, create, and convert numerous certificate formats, it is complex but will do almost everything the OpenSSL command line tool will do, in code. 

For a simple self signed certificate, there is an ICS function CreateSelfSignedCert in OverbyteIcsSslX509Utils.

Angus

I assume you are now talking about clients and not servers? 

Simple answer is no, TCP is a lazy protocol based on waiting for responses from slow networks (decades ago) so nothing happens fast.  Long answer is Windows allows you to change the TCP timeouts, but such changes effect all applications on the PC and generally it's a very bad idea. 

Real solution is to try and ping the server before connecting using TCP, because you can timeout after a few seconds and give up.   ICS has a threaded ping component for this purpose. and a high level client/server component TIcsIpStrmLog that uses ping for exactly this purpose.  TIcsIpStrmLog may be configured as a client or server and allows simple text lines to sent, using few lines of code in the application and only a couple of events.  There is a sample OverbyteIcsIpStmLogTst.dpr that send packets to itself.  The component supports SSL and will order it's own certificates. 

Only problem with ping is sometimes it's blocked by firewalls so no response.  You can use a UDP server in parallel with the TCP server for a quick hello, no response is similar to ping. 

Angus

The ICS FTP server and client already support One Time Passwords automatically, added that long before SSL/TLS became common,  In the server, set the OtpMethod to those you wish to iupport, and the server hello prompt changes to advertise OTP, which the  FTP client handles automatically.

Angus

SVN and the overnight zip are updated with the 64-bit fix.  Still having fun and games with 4-bit samples, think I'll try an older version of Delphi. 

I checked other functions with TBytes, most already had const or var, a couple were missing both so added, although they were only used in ICS with TBytes buffers so should not have caused any issues.

Angus

Might come back this in the summer when OpenSSL 3.0 adds support for Certificate Management Protocol, which I'll try to support in ICS as well as Let's Encrypt.

Angus

I've only been talking about server certificates here.  Client certificates are totally different and make things very confusing.  ICS clients and servers do support client certificates but not automatically and there are no samples using them, really only needed for exceptionally high security stuff like Swift bank transfers. 

The ICS component has properties to add digitalSignature and codeSigning extensions to certificates, not sure which OID they add.

Angus

If you are talking about a simple analogue telephone line, this is all down to the hardware monitoring that line and how it delivers the caller id to your computer.,  20 years ago some modems and special hardware had this feature, and you use an RS232 port to read it on a PC. 

But with analogue telephony being rapidly replaced by VoIP and the old PSTN copper cable telephone networks and exchanges turned off and obsoleted (by 2025 in the UK), this is really historical curiosity.

Angus