Angus Robertson

OpenSSL does have newer functions to format certificate information, but most users want single fields, not a list of cryptic fields.

Angus

All the common subject and issuer fields are available as properties, ie SubjectCName, SubjectOName, IssuerCName, SubjectCOName, SubAltNameDNS, etc, or you can use GetNameEntryByNid with the NID literal for obscure ones like STREET, not even sure that exists...

Look at the function ListCertDetail in OverbyteIcsPemtool1.pas which creates a string detailing most certificate fields.

Angus

Only concerned about internal DER ASN_ENCODING format which ICS already supports, not file formats. 

OverbyteIcsPemtool1.pas already has code for opening a store, getting certificate contexts and converting them to X509 and PEM, need to move that into one of the library units, create a PCCERT_CONTEXT and add it to the correct store. 

Angus

ICS has code to read certificates from the Windows certificate store, but not to add them.  Not needed for ICS applications generally, but for servers using SChannel.

Angus

Thanks, added to my master, will be in SVN in a couple of days with other minor SSL improvements. 

Are you working with the Windows certificate store by any chance, by pending list includes putting certificates (Let's Encrypt) into the store. 

Angus

All Windows services run in their own thread already, TWSocketServer often runs in Windows services without needing extra threads.  Using a thread for some client responses and not for others is exactly what the FTP servers does, it is no difficult, just make sure the response is sent in the main thread once SQL is done.  

Bringing TWSocketThrdServer up to date and creating TsslHttpThrdSrv is a major project and needs someone to sponsor it.  My company effectively sponsors most ICS development since I create features mostly that are needed for our applications but which are then used by others without any cost.  But so far I've not needed TsslHttpThrdSrv.  It has been disscused in the past, it was going to be designed to handle x clients in a single thread before using another thread for x more, typically x would be 100 or more for a simple web server but could be one so each client gets a thread. 

Angus

Look at the new TIcsMailQueue component added to ICS earlier this year, it does exactly what you need.  You can queue hundreds of emails at the same time, and they will be sent and retried over several minutes or days.  The component is described half way down the page at http://wiki.overbyte.eu/wiki/index.php/ICS_V8.60

Angus

Not sure why you want to run the server in a thread, that just listens on one or more ports and creates clients.  Running the client in a thread can be done, ICS has TWSocketThrdServer that does exactly that, but it  is rarely used, has not been updated for 10 years, lacks newer multi-listen and SSL stuff and there is no web server derived from it, lack of demand from end users.

My own TSslHttpAppSrv SQL driven web server runs happily in a single thread,  the SQL stored procedures rarely take very long so are not blocking others users significantly, obviously this depends on volume, I'm only handling couple of thousand SQL requests a day, from the logging, SQL proc took 16ms, 31ms, 141ms, 63ms, 390ms, 16ms.  So I never bothered with threads.

As Francois says, using a thread just for the database lookup and returning the page in the main thread is the safest solution, look at class TClientProcessingThread in the ICS FTP server which uses a thread to calculate MD5sums and directory listing,

Angus

ICS support Delphi 7 onwards so we avoid any language features or libraries added after that, or have our own versions of them, such as ANSI or Wide5tring functions.   Users tell me quickly if I accidentally do something that Delphi 7 does not support so it is still used. 

Angus

Good, seems to read whole pages correctly now.  BTW, your ICS fix is in SVN now.

Angus

Quote

That's apparently an evil conspiracy of Google against Delphi!

Or the automated Google scan tools were finding something in one of the components or OpenSSL binaries that has been used in a malicious application somewhere, unfortunately they don't tell you anything specific, just that your site is banned in all browsers until you remove your malicious file, so it's trial and error. 

Angus

Not sure when Default() was added, but it gave an error in Delphi 2007.   The keep-alive issue was not in the ICS server, but in my application. 

But you still need to fix data being received correctly, if you remove the close line for your google example, it takes four minutes for the window to become responsive and display the received data, which is the Google timeout.

The Microsoft page actually shows how poor the ciphers are in older Windows versions, it says there are none for TLS/1,2 in Windows 7, although a couple have now been added. but not nearly as good as OpenSSL supports on Windows 7. 

Angus

I started fixing errors with Delphi 2007 to get it to build, but there were too many.  Simple things like type LONG missing.  Does not matter for personal projects, but is important if the code is ever to incorporated into libraries.

The issue with async requests seems to relate to most of the content not being returned until the connection is closed.  This URL works fine:

www.magsys.co.uk

GET /delphi/ddservice.asp HTTP/1.1
Connection: close
Host: www.magsys.co.uk
 

While this does not, the end of the page only appears after the server closes the connection on a 60 second timeout:

www.telecom-tariffs.co.uk
GET /serverinfo.htm HTTP/1.1
Connection: close
 

The first server is IIS. the second the ICS web server, so it seems we have aggressive Keep-Alive that is ignoring the Close command, another ICS bug for me to fix.  But it shows up a bug in your code as well. 

I chose that page because it shows the SSL/TLS connection parameters selected by the server, useful to check browser capabilities, and the poor range of ciphers supported by SChannel on older versions of Windows. 

Angus

And a link to the download page top left, with the words Download Latest DDService. 

There are no zips on the open Delphi pages because Google blacklists my site when it finds Delphi components.

Angus

I've completed a new release of DDService Application Framework from the late Arno Garrels, it now supports Delphi 5, 7 and 2006 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo and 10.3 Rio, as well as C++ Builder 2006 to XE5. Note that bugs fixed in these new releases had already been done in DDService.  Also added new unit to control, install and remove Windows Service applications.

The new and old versions may be downloaded from https://www.magsys.co.uk/delphi/ddservice.asp or from an SVN repository at: http://svn.magsys.co.uk:8443/svn/ddservice/ , use username = ics and password = ics for read access.

Angus

Interesting, it does work with modern compilers, not with Delphi 2007, too many new language features. 

At least the sync request returns a full page, the async request only returns one buffer load of data. 

While SChannel avoids the need for OpenSSL DLLs, it does mean encryption protocols and ciphers are determined by Microsoft, and they don't really care about keeping up to date, particularly with older operation systems, it took years for Windows Vista and 7 to get TLS/1,2 and probably only because anything older is becoming obsolete soon.  TLS/1,3 is still not supported by Windows 10/2019 a year after everyone else started using it, including ICS. 

If you take this further, ICS already has soon functions to interact with the Windows certificate store for checking certificate chains, it's one of our options, using them will save you a lot of effort.

Angus

Yes, should not have taken that out, we do need to break the loop, I'll put it back. 

However even that may not stop TriggerDataAvailable being called again since there may still be received data buffered,  Much nicer if there was no exception in the first place. 

Angus

There is no need for the function DetectRemoteSession to be in the DPR, it can just as easily be in MainFrm.pas,  just not in a method in a  form.  

Angus

Look at the new sample OverbyteIcsSslMultiWebServ.dpr in \Samples\delphi\sslinternet\, this is effectively a commercial web server using THTTPAppServer and lots of AddGetHandler, with a minimal interface designed to be used as a Windows service. 

I will be adding another ICS sample shortly using the DDService environment once I've brought it up to date for new compilers, but the ICS code will be identical. 

Your exception must relate to code you've written in the handler, add some error handling.

Angus

I'm attempting a new release of DDService adding support for XE7 and later. 

Collected original SvcMgr.pas files from all versions if Delphi, think I have to update each new one to DDSvMrg,pas and then create DIFF files using WinMerge.  Not too hard, since there is only a single service bug fix (quoting image path) in 15 years and Arno fixed that in 2008. 

But are there any other service handler bugs in DDService that should be fixed for a new release?

I also want to add an example of how to use DDService for dual GUI/service , there is a demo CombiService on my system but not tried it and not sure where it came from  Has anyone done this with DDService?

Angus

Quote

Judging from the provided link alone a webhook is a server running on the client side.

That was where I was getting confused, a server running on the client is simple but unlikely to work in 99% of cases unless the client has a unique public IP address, most of us block incoming connections, use NAT., dynamic IP addresses, firewalls, etc.  But leaving a connection open to a remote server is even worse once you have more than a few hundred clients, servers can only handle a few thousand simultaneous connections at best.  Still no idea what a data consumer means. 

If it is a local web server and only needs to handle simple notifications to update pages, then the new TSimpleWebSrv added recently is lightweight and easier to implement than the full web server, ICS uses it for Let's Encrypt authentication requests and OAuth2. 

Angus

That error means you failed to free an instance of TSuperObject, I've not seen it in my own projects or the ICS samples.  It only appears for DEBUG builds.  Not sure that line is a good idea, even in debug builds.

Angus

I've looked at a couple of pages on webhooks and still have no idea which end is listening and which is sending, or what.  Someone will need to explain this as simple HTTP concepts. 

The ICS HTTP client has keep-alive that leave connections open potentially for days or weeks, the HTTP server has a timeout to stop that happening.

Angus

2 hours ago, timfrost said:

I am using DDService successfully in Delphi 10.3;

The latest files in my DDService version are 20 April 2014, mostly XE6 units.  I'm not sure how the DIFF files that patch a copy of the installed SvcMgr.pas file are created, or whether the zip includes the tools to create new DIFF files.  Suspect the patched XE6 file could be distributed and used in more recent versions without a problem, which might be what you doing.

Angus

DDService is also in CodeCentral, up to XE2:  https://cc.embarcadero.com/Item/28354