Posts posted by Angus Robertson
-
-
I missed the IcsAsymVerifyDigestTB name, it takes a TBytes binary digest (base 0) and casts it to PAnsiChar to pass to an OpenSSL API.
ICS does not use TEncoding anywhere since it's not in old compilers, so I've no idea of the purpose of that line. ICS only uses base 1 for strings, not TBytes.
Angus
-
You don't say what type OldDigest is, or which Jose function you are using, but casting and TEncoding is probably corrupting it. Try using IcsStringToTBytes instead, which is what the Jose unit uses.
Angus
-
OK, QueryPerformanceCounter 'was' more accurate in the days before CPU speed could be changed dynamically <g> And might still be over a few seconds timing an algorithm. And Ticks are probably more accurate than 20 years ago with faster motherboards.
Angus
-
ICS has a unit that emulates GetTickCount64 using QueryPerformanceCounter on older OSs, meaning it does not wrap at 49 days as using GetTickCount instead would.
QueryPerformanceCounter is also more accurate than ticks if you are timing milliseconds.
But 49 days running is rare nowadays, even for servers which Microsoft will forcibly reboot to load Windows Updates unless you take severe measures to stop it.
Angus
-
Suggesting you support an OS you don't at least test once is not a good idea.
I have a Windows 7 VM that has Delphi 6 to XE installed, and I build and run stuff with a few of those compilers occasionally, so I know it still works. Trying to support anything older is dangerous. That VM still gets some Windows security updates, so has minimal support from Microsoft.
One common API to avoid for Windows 7 is GetTickCount64 which was added with Vista and Windows 2008, don't think Delphi uses it internally.
Angus
-
The short answer is not easily with the ICS HTTP client components, they don't build a request nor buffer a response before processing it.
The 'proper' solution would be to use the ICS proxy component as an intermediary to handle the encryption, which does give access to headers and content, but would still need changes since it would ignore the encrypted reply.
If you are only talking to a specific server with limited requirements and error handling, it would be easier to write your own HTTP client.
I wrote a simple application 'Simple TCP Client Testing, ie HTTP headers' that uses the TIcsIpStrmLog component to send a simple HTTPS request to a server repeatedly, for heavy testing. TIcsIpStrmLog expects to send and receive text lines as used by most protocols, if your encrypted headers and content are binary, you would need to use a simple TWSocket instead.
Angus
-
One common issue using the Jose functions is they use binary arguments, originally AnsiString, now TBytes, not Base64, so you need to decode Base64 first, that might explain the wrong length.
I'll put an FMX version of the Jose sample on my list.
Angus
-
Sorry, no idea off hand. I did build V9.3 with D7, D2007, XE7, D10.3, D11 and D12 last week, so it builds OK for the different generations of compiler, but I can not test on every compiler. Not sure my D2010 licence still works.
Angus
-
The Ics.Posix.PXMessages unit was written many years ago for 32-bit MacOS, and has never been updated for 64-bit, nor tested properly with Linux. It is now obsolete, so I'll remove it from ICS shortly. No idea why I put it into the Jose unit, no messages there.
Angus
-
As I said earlier, ICS has never had a working message pump for Linux, so no functions dependent on messages will work.
Some changes were made to TIcsEventQueue to try and support Linux in V9.2 but did not work and were disabled for V9.3 so at least the non-message stuff loaded.
So making THttpClient work is not trivial with V9.3.
Angus
-
It seems six (or more) EC_Group functions were deprecated in OpenSSL 3, and some builds exclude deprecated functions.
In OverbyteIcsLIBEAY.pas, suppress four lines in the table with @@EC_GROUP_set_curve_GF, @@ EC_GROUP_new and EC_GROUP_clear_free
I agree only loading those exports we use would be ideal, but working out which of those 842 are not used is not trivial, and many are there for future use, or use by end user applications.
Angus
-
That exception happens when ICS attempts to load all the OpenSSL exports, it would appear the OpenSSL version is missing certain EC_GROUP exports that are available in the standard 3.0 library. Unfortunately, the screen shot truncates the error list, there may be lots more missing. They may be logged, can not recall if that sample has a log.
Not sure if ICS uses EC_GROUPs, if not we can simply avoid loading them and the problem goes away. I've done that before.
I guess I need to build a Hyper-V RedHat VM to test in my copious spare time, the issue is what other important stuff do I ignore to do that?
Angus
-
I fixed all the Linux resource file build issues and wincrypt problems two months ago, and built the Linux test package yesterday with V9.3 without errors, so it sounds like your version is V9.2, try the final release.
Provided your Linux project does not include TWSocket, it should work. Try building the new IcsPemTest FMX sample on Red Hat provided it has OpenSSL 3 libraries in the same path as Ubuntu. I will install Red Hat at some point, but only once most of ICS is working on Ubuntu.
My testing showed putting TWSocket on a Linux format prevented that form appearing in Linux, some library function it brings in that just stops apps running, which is why I created the new IcsPemTest sample so at least something would run.
Angus
-
I'm not clear which ICS version you are using, only V9.3 released yesterday builds for Linux with SSL, but only utility functions work, like creating and reading SSL/TLS certificates. I've only tested against Ubuntu 22.04, not Red Hat.
ICS does not yet support TWSocket for Linux, so no protocols will work. A new cross platform message pump supporting Windows and Linux has been written, but has not yet been added to ICS V9, probably within the next six months. I'm planning to make this conditional, so Windows applications can use the existing or new message pumps.
Previously ICS had a second message pump that only supported MacOS, not Windows, which I've just removed ready for the new pump. Another ICS user tried to make the MacOS pump work under Linux, but I never managed to build ICS with the changes he submitted.
Angus
-
ICS V9.3 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download
ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12 and C++ Builder 10.4, 11 and 12. ICS supports VCL and FMX, Win32 and Win64 targets. Beware C++ have not been tested recently due to lack of support from such users.
The distribution zip includes the latest OpenSSL 3.0.15, 3.2.3 and 3.3.2, for Win32 and Win64.
Changes in ICS V9.3 include:
1 - V9.3 continues the simplification of use of ICS components by consolidating many types and constants into the OverbyteIcsTypes unit, avoiding projects needing to find and add specific units before they will build. For XE2 and later, OverbyteIcsTypes and OverbyteIcsSslBase will be added automatically when components needing them are dropped on a form, or that form accessed for existing projects. One benefit of this change is removing dependence on several units for many components and applications, it should be possible to remove OverbyteIcsWinsock, OverbyteIcsLIBEAY, OverbyteIcsSSLEAY and OverbyteIcsLogger from most applications, and also other units. See https://wiki.overbyte.eu/wiki/index.php?title=Updating_projects_to_V9.3 for more information.
2 - Previously, the Windows Certificate Store was supported on Windows for all components and samples, despite it not always being required. There are three new defines {$DEFINE MSCRYPT_Clients}, {$DEFINE MSCRYPT_Servers} and {$DEFINE MSCRYPT_Tools} that determine which components can use the store, at least one must be set or applications that need the store will fail. Although these new defines all default to enabled in the OverbyteIcsDefs.inc supplied with V9.3 and later, unless this file is installed, Windows Certificate Store will be unavailable. These defines are disabled for non-Windows platforms and for C++ Builder which has bugs.
3 - Added new application independent monitoring, comprising a client component and server sample. The ICS Application Monitor TIcsAppMonCli client component is designed to report to an ICS Application Monitor server, which will ensure the main application remains running. The ICS Application Monitor server IcsAppMon.exe is designed to monitor ICS applications using the TIcsAppMonCli client component, and ensure they remain running, restarting the application if it stops or becomes non-responsive, or on demand. Primarily to keep ICS server Windows services running non-stop, but may also be used for network wide monitoring of ICS applications. Client and server both use the TIcsIpStrmLog component with a simple TCP protocol. More information at https://wiki.overbyte.eu/wiki/index.php?title=FAQ_ICS_Application_Monitoring
4 - The HTTP client components TSslHttpCli and TSslHttpRest have new RespMimeType and RespCharset response properties parsed from the Content-Type header to avoid applications needing to parse this header. Fixed a problem in V9.2 where a missing / was added to the start of the request path, but was not needed for absolute paths used for proxies.
5 - The TIcsIpStrmLog streaming log component has improvements for TCP Server mode when multiple remote clients connect. Previously the same data was sent to all remote clients (the original concept being remote logging), but now applications can send data to specific remote clients, and more easily check which remote client is receiving data. This change means TIcsIpStrmLog can be used as the core of many TCP servers with different protocols, such as the new IcsAppMon sample, see above.
6 - The TSslHttpRest and component has a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self signed private certificates, maybe checking certificate serials, names or public key. If LogSslVerMethod = logSslVerOwnEvent, a new event OnSslCertVerifyEvent is called so the application can check the chain and change the verify result appropriately.
7 - Improved the ability to customise SSL ciphers if the ICS defaults need to be changed. TSslContext and TIcsHosts have three properties, SslCipherList for TLSv12 ciphers, SslCipherList13 for TLSv13 ciphers, and SslCryptoGroups sets the cipher curve groups allowed (like P-256 or X25519). Beware old SslContexts may include group P-512 which must be corrected to T-521. SSL handshake responses now show the curve group used for OpenSSL 3.2 and later. The OverbyteIcsHttpsTst client sample may be used to test the new cipher options, and they will be read from IcsHosts INI files for servers.
8 - Added a new web server sample OverbyteIcsBasicWebServer1.dpr which is a simplified version of OverbyteIcsSslMultiWebServ ignoring configuration INI files, security features, session data, most demo pages and most logging, and settings for localhost set in code, search for IcsHosts to change IP addresses, etc. This sample should be easier to use as a basis for new web server applications. The existing samples OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService have a new index.html template page, and default to localhost 127.0.0.1 with an internal localhost SSL certificate, so should always respond to https://localhost/ without any INI file changes.
9 - Fixed an HTTP web server problem in V9.2 to avoid repeated redirection for virtual default page /, was adding /// etc.
10 - Updated OpenSSL binary and resource files to releases 3.3.2, 3.2.3 and 3.0.15, only one of which will be linked according to defines.
11 - Restored the sample OverbyteIcsConHttp.dpr which is a console example, now supports SSL by replacing THttpCli with TSslHttpRest, no longer needs any events or a message loop for a single sync request, so less code than without SSL. Now contacts https://wiki.overbyte.eu/wiki.
12 - A lot of changes have been made preparing ICS for Linux. Corrected loading OpenSSL on Posix, now loads the system supplied OpenSSL 3 DLLs on Ubuntu 22.04. The Linux package now builds correctly, but beware WSocket is not yet supported on Linux so no protocols will work. There is a new IcsPemTest FMX sample that works on Ubuntu 22.04 and which will create ICS signed SSL certificates. Note, MacOS support is disabled pending the new Posix implementation.
The release notes for V9.3 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.3
All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples
-
I've just tested the OverbyteIcsSslMailSnd sample in V9.3 and it's sending content and attached files as expected with the correct encoding headings.
But it is not attempting to send HTML emails.
BTW, the component expects String content and will convert to whatever encoding is specified, no idea what will happen if you encode UTF8 and it then encodes it again.
Angus
-
-
There is a new ICS sample OverbyteIcsBasicWebServer.dpr in SVN, will be zipped overnight, which is a simplified version of OverbyteIcsSslMultiWebServ ignoring configuration INI files, security features, session data, most demo pages and most logging, and settings for localhost set in code, search for IcsHosts to change IP addresses, etc.
But this sample will be a much easier starting point for those developing web or Websocket servers with ICS. I'm going to copy most of the code into another new ICS sample that needs a Websocket server.
Angus
-
WMI is about LAN computers with NetBIOS, you don't usually use IP addresses to connect to remote servers, but computer names. For the local computer, use a blank name and credentials, but you might need admin rights for some WMI classes.
The ICS component library has a WMI unit that does all this for you, and an EXE sample, it displays the Win32_printer class, but I suspect getting the queue is complicated.
Angus
-
Thanks, fixed the erroneous $ifend. I still have customer applications using D2007, so would have found it soon.
The ICS distribution only includes OpenSSL DLLs in C:\ProgramData\ICS-OpenSSL\ which are always the latest version, when you build the packages a batch command file runs that copies them from the install directory to ProgramData, so I guess that failed in your case.
The DLLs in version directories were extracted from the resource files, and need to be version specific since different ICS applications may be using different OpenSSL versions.
No idea why Windows Security gave you a warning, no-one else has mentioned that in eight months since ICS has used OpenSSL resource files.
Angus
-
If you really mean the websocket protocol and not HTTP, there are no header or bodies or protocol, once a websocket is open there is simply a two way TCP stream, and you can send what you like.
That stream arrives at the server in the ClientWSFrameRcvdEvent as a string packet and TWebSocketReceivedFrame to tell what type of data is arriving (text, binary, or closing), it's up to the developer to decide how to interpret that data.
Angus
-
The line:
FEmailBody.Add('Content-Transfer-Encoding: quoted-printable') {AG}
is unchanged in 15 years.
But I will test the sample to make sure it works, in a few days time.
Angus
-
-
There have been no changes to TSSLSmtpCli since V9.0, except to build with other units.
I'd make sure whatever properties are used for attachments are cleared, sorry, don't know which off hand.
Angus
-
Sorry, you'll need to explain what you are doing with which component.
Angus
ICS SSL under Linux x64
in ICS - Internet Component Suite
Posted
In this function. ICS does not use PAnsiChar as a null terminated string, it passes the actual TBytes length to the OpenSSL API, since the hash or digest is binary data.
It would seem the old digest is being corrupted before verification.
Angus
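
The two failure modes raised in the posts above (a binary digest corrupted by a text-encoding cast, and Base64 text passed where raw bytes are expected, giving the wrong length) shown as an added example that is not ICS code and not from the original posts. Python stands in for Delphi and HMAC-SHA256 stands in for the asymmetric verify; the key, message and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"      # constructed sample key
MESSAGE = b"header.payload"        # constructed sample signing input


def sign(key: bytes, msg: bytes) -> bytes:
    """Return the raw 32-byte digest: binary data, not text."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the exact bytes supplied."""
    return hmac.compare_digest(sign(key, msg), digest)


def via_text_roundtrip(digest: bytes) -> bytes:
    """Treat the digest as UTF-8 text and encode it back.
    Bytes that are not valid UTF-8 become U+FFFD, so the value changes."""
    return digest.decode("utf-8", errors="replace").encode("utf-8")


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the form used in JOSE tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding, then decode back to raw bytes."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


if __name__ == "__main__":
    digest = sign(KEY, MESSAGE)
    token = b64url_encode(digest)
    print("raw digest length      :", len(digest))
    print("Base64url text length  :", len(token))
    print("verify raw bytes       :", verify(KEY, MESSAGE, digest))
    print("verify after text cast :",
          verify(KEY, MESSAGE, via_text_roundtrip(digest)))
    print("verify Base64 as bytes :",
          verify(KEY, MESSAGE, token.encode("ascii")))
    print("verify decoded Base64  :",
          verify(KEY, MESSAGE, b64url_decode(token)))
```
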