Posts posted by Angus Robertson


  1. ICS V8.58 added a new TSslX509Certs component allowing ICS servers to automatically order, download and install SSL/TLS certificates from various suppliers, including free certificates from Let's Encrypt, and commercial certificates for DigiCert, Comodo, Thawte and GeoTrust from CertCentre AG. It also acts as a private CA to issue local certificates.  

     

    The TSslWSocketServer, TSslHttpServer, TSslHttpAppSrv, TIcsProxy and TIcsHttpProxy components can assign a TSslX509Certs component to support automatic certificate ordering of domain validated certificates with very little extra code. 

     

    There is a new sample project OverbyteIcsX509CertsTst to demonstrate the TSslX509Certs component, which may be used as a standalone application to order X509 certificates from Let's Encrypt and CertCentre AG, and monitor the certificate orders database, and to issue own CA certificates.

     

    http://wiki.overbyte.eu/wiki/index.php/FAQ_Order_SSL_Certificates

     

    I'm about to revisit the TSslX509Certs component to support some Let's Encrypt changes like the new SSL challenge, so am interested in any feedback or suggestions from those that have used it, even just the sample application, which can be used to order certificates for other web servers or applications.

     

    Angus


  2. ICS implemented OpenSSL 1.1.1 last year, initially for draft versions of TLSv1.3, then the final version. 

     

    There are comments in the ICS SSL units about the major changes needed to support 1.1.0 and 1.1.1, and ICS applications support for three major OpenSSL versions, one of which is chosen during initialisation.

     

    Now looking at OpenSSL 3 (or maybe 4) due out later this year, they say before support ceases for OpenSSL 1.0.2 at the end of the year. 

     

    Angus


  3. 13 hours ago, Remy Lebeau said:

    we created an internal project that has a database of active units and flags to dictate their behavior, and it can generate the various package files, resource files, etc for each compiler version we support.

    Every time I do a set of updates, I think it's time to automate the process, but at that moment I'm not usually planning any more major changes, so leave it for another day. Fortunately the RAD Studio release cycle has slowed from twice a year, so less urgent now.

     

    Angus


  4. Generally no, TIcsLogger is a framework to implement diagnostic logging in ICS components, what is logged depends on the implementation in each different component.  But rarely is received or sent data logged, due to the sheer volume.

     

    But logging actual data is generally easy, most components have events that can be used.

     

    Angus

     


  5. I know that people still use Delphi 7 onwards, because they tell me when I make changes that are not Delphi 7 compatible, I use Delphi 2007 for most of my applications so I don't add language features from newer versions. 

     

    But I can not recall anyone asking about old C++ versions for years, only the most recent versions, and they used to be told to try the last XE3 package.  So unless you can test at least the OverbyteIcsCBXe3Run package, I don't see any point in pretending it's worthwhile.  I'll archive the old C++ files somewhere, so they are not lost.

     

    Angus

     


  6. Sorry, been busy doing too many other things this week.

     

    When I add new units to ICS, I have to update literally hundreds of package files for all the old Delphi versions we support.  A few I might fire up that version of that Delphi, but it takes days to do that for all old versions so mostly it's a text editor job. 

     

    But currently the old C++ packages are untouched, and I suspect they will no longer build anyway, at least not without lots of errors.  So I'll remove all old C++ files from the distribution, and going forward we'll just support 10.2 and later.  If someone needs support for C++ XEx, they will be better working from a newer version than an older version.

     

    My email address is in the readme8.txt file.

     

    Angus

     


  7. You need to make your application SSL aware to use https, and that means using an SslContext, at least for older components.

     

    I suggest you look at the new  OverbyteIcsHttpRestTst sample that uses the new OverbyteIcsSslHttpRest component, this hides the complexity of the SslContext from the application.

     

    Angus


  8. Four new zips for Win32 and Win64 versions of OpenSSL 1.1.1b and 1.0.2r can now be downloaded from the Wiki at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download . The DLLs are also included in the ICS distribution SVN and overnight zip.  1.0.2r includes a moderate severity security issue, but I don't think it can impact ICS applications.

     

    Changes in 1.1.1b may be found at https://www.openssl.org/news/openssl-1.1.1-notes.html and 1.0.2r at  https://www.openssl.org/news/openssl-1.0.2-notes.html

     

    Beware 1.1.1b fixes a problem relating to multiple handshake done messages with TLSv1.3 that I reported to OpenSSL almost a year ago, and provided a workaround in ICS to fix meanwhile.  Others meanwhile reported the same problem updating old applications for TLSv1.3 so OpenSSL finally changed the handshake done behaviour.  My original fix still seems to work OK, but need to do more debug traces to ensure nothing unexpected has also changed with TLSv1.3.

     

    Angus


  9. 12 minutes ago, Sherlock said:

    That looks like tedious work, how come that has not been done on the distributors side, or why is it undocumented?

    Because ICS is entirely supported by volunteers, and none of us understand C++.  It would be far easier to cease support for C++. 

     

    I've asked for assistance in producing C++ packages in the past, and one user kindly supplied some mostly working stuff, for 10.2 which I modified for 10.3, so renaming errors are mine.  But when I can not build the packages and no-one else helps, errors are inevitable. 

     

    So will some-one please email me a complete working set of 10.3 C++ package files, with whatever changes are needed for the readme, and they will be placed in the distribution.  I'm not going to work from a list of instructions I can not test.

     

    Angus


  10. I know nothing about Kerberos, never knowingly used it.  I don't believe it has any connection to OAuth, except they both end up with an access token from an authentication server.

    But since Windows uses Kerberos, I assume it can be used unattended without user interaction, which is not the case with OAuth which is designed for interactive web applications.

    So I doubt the TRestOAuth component will be much use in implementing Kerberos, although our OpenSSL implementation should handle encryption.

    For Windows applications, I would assume there are API calls that will handle Kerberos in the same way that NTLM authentication is handled, but again I've never looked at that and have no plans to do so.

    Angus
     


  11. I have started a new ICS release V8.60, not finished yet but available from SVN and the daily overnight zipped snapshot at:

     

    http://wiki.overbyte.eu/wiki/index.php/ICS_Download

     

    V8.60 is a major update adding several new components and sample applications created by Magenta Systems Ltd and previously distributed separately to the ICS distribution.  Bundling them with ICS makes installation and updating easier, and allows existing ICS samples to make use of some of the new components, such as UTF-8 file logging.  There are a lot of comments in the various SVN uploads which are included in the overnight zip file.

     

    New classes added include:
    TIcsBlacklist
    TIcsBuffLogStream
    TIcsFindList
    TIcsIpStrmLog
    TIcsMailQueue
    TIcsStringBuild
    TIcsTimeClient
    TIcsTimeServer
    TIcsWhoisCli

    and there are four new sample applications that illustrate their use:

    OverbyteIcsMailQuTst.dpr

    OverbyteIcsIpStmLogTst.dpr

    OverbyteIcsWhoisCliTst.dpr

    OverbyteIcsTimeTst.dpr

     

    Also there are major updates to OverbyteIcsSslMultiWebServ.dpr which now has almost all the functionality of my commercial web server. 

     

    V8.60 will also include the Magenta File Transfer components, not finished yet.

     

    Angus
