Angus Robertson

Posts posted by Angus Robertson


  1. Why not just execute the stored procedure from Delphi? 

     

    I don't have any SQL statements in Delphi applications, just build the stored procedure parameters and use the ADO Execute method which returns a DataSet RecordSet that I parse for various results.   It means you can test all your SQL outside of Delphi.

     

    Angus

     

     

     


  2. I wrote an open source component that indexes Windows directories and files recursively, written 20 years ago and used on every version of Windows and Delphi since, it just works, never fails. 

     

    It currently builds a list of 1.2 million files on my c drive which it compares with the same number on a second drive, for backup on Windows 11.

     

    Angus

     


  3. The next release of ICS is finished, in SVN and the overnight zip.  Once documentation is finished, it will be released next week.

     

    Meanwhile, testing of this version would be appreciated, so any serious problems can be found and fixed before the release. 

     

    I'd particularly like C++ users to try and install it, it's okay for Win32, but getting some missing symbols for Win64, despite adding them.

     

    Angus

     

    • Like 3

  4. There is a fix for this freezing problem in SVN, will be zipped later tonight. 

     

    ICS went into an endless loop if SSL data was received after close down was completed but before the handles were reset. Found against a recent Nginx web server release.

     

    The SSL code is almost unchanged in 15 years, so not sure why the problem has not shown up before, it seems to happen with both TLSv1.2 and TLSv1.3 so does not seem to be protocol related.

     

    Angus

     


  5. Think FMX TStringGrid is your closest bet, I've used it to replace TListView.  But no obvious multi-select.

     

    Perhaps you can do the TListView VCL trick of drawing tick boxes in the first column and checking mouse events to 'select' them.

     

    The lack of many matching VCL components does make FMX conversions a pain. 

     

    Angus

     


  6. ICS has a component TIcsBlackList that can be used by servers to count access attempts by IP address, and block after a specified number of attempts until after several hours of inactivity.  Its use is illustrated in the OverbyteIcsSslMultiWebServ sample.

     

    Just noticed these lines in the log for one of my web servers, someone using Alibaba Cloud in Hong Kong has made almost three million access attempts to my web site over several weeks, trying to read access data that is limited to 50 accesses per day.  And still trying despite those requests being rejected. 

     

    47.76.209.138 attempts 1,481,269, first at 12:18:52, last at 20:00:17 BLOCKED

    47.76.99.127 attempts 1,478,638, first at 12:04:36, last at 19:58:57 BLOCKED

     

    Should really be reporting the date of first access, but don't normally see hackers continuing this long.

     

    The sample shows various ways to detect hackers, such as web site access by IP address instead of host name, that stops hundreds daily on my sites (no HTTP allowed).  

     

    Angus

     

    • Like 3
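As an added example (not the ICS TIcsBlackList source), the following Python models the policy described in this post: count attempts per client IP, reject once a threshold is passed, keep counting while blocked, and forget the client only after a period of inactivity. The threshold and idle period are assumed values, the log lines are constructed, and the report includes the date of first access as suggested above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Entry:
    attempts: int
    first: datetime
    last: datetime

class BlackList:
    """Per-IP counter: reject once attempts exceed max_attempts, and forget a client only
    after `idle` with no further attempts (both thresholds are assumed, not ICS defaults)."""
    def __init__(self, max_attempts: int = 3, idle: timedelta = timedelta(hours=8)):
        self.max_attempts, self.idle, self.entries = max_attempts, idle, {}

    def check(self, ip: str, now: datetime) -> bool:
        """Record one attempt from ip at time now; return True if it must be rejected."""
        e = self.entries.get(ip)
        if e is None or now - e.last >= self.idle:   # new client, or idle long enough
            e = self.entries[ip] = Entry(0, now, now)
        e.attempts += 1
        e.last = now                                  # attempts while blocked still count
        return e.attempts > self.max_attempts

    def report(self) -> list[str]:
        """Lines like the ones quoted above, but including the date of first access."""
        return [f"{ip} attempts {e.attempts:,}, first at {e.first:%Y-%m-%d %H:%M:%S}, last at "
                f"{e.last:%H:%M:%S}" + (" BLOCKED" if e.attempts > self.max_attempts else "")
                for ip, e in self.entries.items()]

# Constructed sample log (TEST-NET addresses): ISO time, client IP, requested path.
SAMPLE_LOG = """\
2025-01-07T12:18:52 203.0.113.7 /data
2025-01-07T12:18:53 203.0.113.7 /data
2025-01-07T12:18:54 203.0.113.7 /data
2025-01-07T12:18:55 203.0.113.7 /data
2025-01-07T12:19:00 198.51.100.9 /index.html
2025-01-07T20:00:17 203.0.113.7 /data
""".splitlines()

def replay(lines: list[str] = SAMPLE_LOG) -> tuple[list[str], int]:
    """Replay log lines through the blacklist; return (report, number of rejected requests)."""
    bl, rejected = BlackList(), 0
    for line in lines:
        ts, ip, _path = line.split(" ")
        if bl.check(ip, datetime.fromisoformat(ts)):
            rejected += 1
    return bl.report(), rejected
```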

  7. I'm looking at your Json problem, the main issue here is whether it's acceptable to use non-printing characters in Json values. 

     

    When I wrote TRestParams, I assumed that non-printing characters would be escaped before being added to SuperObject so used the AsJson option not to escape them a second time.  But that should really be optional, so I'll add a second parameter to AddItemSO so escaping becomes the default, but can be changed. 

     

    Your comment about 'aaa~bbb' being sent was incorrect, the component translates non-printing characters for logging and display, the Json would have contained your original #29 character which would have confused the server.

     

    Angus
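As an added illustration (not TRestParams or SuperObject code), this Python shows the point made above: a log that translates non-printing characters for display shows 'aaa~bbb', but the bytes on the wire still carry the raw #29, which a strict JSON parser rejects, whereas standard escaping turns it into \u001d. The '~' display substitute is an assumption modelled on the logged text.

```python
import json

CTRL_MARK = "~"  # assumed display substitute for non-printing characters (the log showed 'aaa~bbb')

def build_body(params: dict[str, str], escape: bool = True) -> str:
    """Serialize params as a JSON object. escape=True applies standard JSON escaping, so
    control characters become \\u00XX; escape=False copies values verbatim, which is what
    happens when the caller wrongly assumes they were escaped already."""
    if escape:
        return json.dumps(params, ensure_ascii=True)
    return "{" + ", ".join(f'"{k}": "{v}"' for k, v in params.items()) + "}"

def for_display(body: str) -> str:
    """What a log would show: non-printing characters replaced by CTRL_MARK (display only)."""
    return "".join(c if c.isprintable() else CTRL_MARK for c in body)

def server_accepts(body: str) -> bool:
    """Strict RFC 8259 parse; Python's default parser rejects raw control characters in strings."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False

def demo() -> dict:
    """Send the same value with and without escaping and compare what the log shows
    with what the server would actually accept."""
    value = "aaa\x1dbbb"                      # #29 (group separator) inside a value
    raw = build_body({"name": value}, escape=False)
    esc = build_body({"name": value}, escape=True)
    return {"raw_display": for_display(raw), "raw_ok": server_accepts(raw),
            "escaped": esc, "escaped_ok": server_accepts(esc)}
```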

     


  8. There are a few problems with your code. 

     

    For V9.3, sslRootCACertsBundle no longer returns a Base64 PEM string, but a smaller PKCS12 binary TBytes.  And there is a LoadAllFromTB method that checks the format and loads the bundle correctly.

     

    V9.1 loaded the default CA bundle automatically on startup into a public IcsSslRootCAStore component unless you undefine OpenSSL_AutoLoad_CA_Bundle, or have not updated your OverbyteIcsDefs.inc file.  SslContext has a new property UseSharedCAStore that ignores the files and lines properties and uses the preloaded store instead.

     

    You are still using TSslHttpCli, replace this with TSslHttpRest and you don't need an SslContext, it's all handled for you.

     

    Angus

     


  9. Thanks for the explanation, I see that buffer is a dynamic TBytes, unusual for 20 years ago when Delphi didn't really support TBytes.  I only started making wide use of TBytes a few years ago with a lot of new library functions. 

     

    I'll fix the code, and check other receive loops for similar problems. 

     

    I'm hoping to release ICS V9.4 this month, with various minor fixes.

     

    Angus

     

    • Like 1
    • Thanks 2

  10. A few more comments about the Thales Safenet signing token with Sectigo certificates:

     

    Unlike the Centum token I used before, Safenet has an 'Enable single logon' tick box in Advanced Client Settings, which means it remembers the token password once entered, until Windows reboots, which in my case is usually once or twice a month. 

     

    You need the latest version of signtool to work properly with new tokens, my 2016 version did not work with the /kc argument and gave a crypto API error.

     

    I'm now using the following command, where you need to replace certfile with the exported PEM, DER or CER certificate file name, token-password with the new password you set (leave {{}} alone), and update the Private Key Container Name that in my case is a time stamp of when the key was created, Sectigo_20250107102535 to your own version, to allow signtool to locate the private key:

     

    signtool sign /f "certfile" /csp "eToken Base Cryptographic Provider" /kc "[{{token-password}}]=Sectigo_20250107102535" /as /fd sha256 /tr http://timestamp.sectigo.com /td sha256 "filename" "filename" "filemask"

     

    If using the /kc argument to pass a password with single logon enabled, the password is saved as if entered manually.  Beware when testing that five incorrect password attempts will lock the dongle, assuming the other syntax is correct.  The /kc command may need another parameter if you have multiple tokens.

     

    Not noticed it before, but signtool allows you to sign multiple files with one command, add two or more filenames at the end, also mask characters are allowed so "c:\path\*.exe" will sign all exe files in the path specified.  Multiple files also work for the verify command. 

     

    It seems the Thales SafeNet Authentication Software also works with Yubico tokens, mine is recognised.   

     

    Angus

     

     

     

    • Thanks 1

  11. I renewed my Sectigo code signing certificate last Saturday, submitted documents on Monday, which the web site said were rejected, yet the order was approved and shipped Tuesday morning via UPS, and arrived Thursday, quite impressed. 

     

    Although the Sectigo London office is a few miles away, the token was shipped from Sectigo's Lille office in France to London, with an invoice valuing the 'electronic document' at $10 so no customs duty to pay.  Perhaps Sectigo has an arrangement with Thales (a large French company) who sell the Safenet tokens to provision them as well.   

     

    Plugged the token into my PC, and the new certificate appears in the Windows Store, as reported by the ICS Delphi PemTool. 

     

    All much less painful than I was expecting, except the massive cost increase over electronic certificates, and no invoice yet from K Software. 

     

    Angus

     

    • Like 1

  12. Quote

    Issued by sectigo public code CA R36

    Valid from: 2022-04-01 to 2025-04-01

    That is an old code signing certificate, issued almost three years ago before tokens became mandatory, and will stop working in April.  

     

    So if you have renewed it, you are still using the old certificate. 

     

    Certificate suppliers almost never supply PKCS12/PFX files containing private keys, since you never send your private key to them as part of the certificate signing request, only the public key.  They supply a PEM or DER, which you then combine with your private key to build a PKCS12/PFX containing both.   This was discussed earlier in this topic. 

     

    BTW, the Internet Component Suite (available from GetIt) which I support, contains a lot of tools for manipulating and building certificates, including exporting private keys from the Windows Store, issuing signed certificates, and getting free ones from Let's Encrypt. 

     

    Angus

     


  13. I'd first make the general comment that it is always best to develop and test the two parts of client/server applications separately, against known working versions. 

     

    In this case, with the ICS OverbyteIcsSslMultiWebServ and OverbyteIcsHttpRestTst samples.  Don't know if C++ allows you to build them, but the wiki site allows you to download prebuilt executable files.

     

    Your settings are missing a websocket path or page, just ws://127.0.0.1/ so you are assuming the web server default HTML page is actually a Websocket request, this was never tested with the ICS web server, perhaps my fault for not expecting anyone to try that.  Since you set default page to index.html, I assume that is the websocket URL you are checking for, but you don't show any of that code.

     

    I find it best to use a virtual path /websocket/ to make clear that such requests differ from HTML.

     

    Angus

     


  14. I have no idea of the procedures used by certificate authorities with dongles. 

     

    But technically, the end user creates a certificate signing request using the private key in the dongle; that is sent to the CA, which creates a certificate with the details and public key from the CSR and signs the new certificate, which is returned to the purchaser and loaded back into the dongle.

     

    The CA is not allowed to see or keep private keys, in the past millions of certificates have been cancelled when a CA was found to have kept private keys it issued online. 

     

    In practice, to make life easy for purchasers they want to ship a dongle with a new private key and certificate loaded, which is effectively a manual process, someone needs to plug the dongle into a PC or appliance and run an app to do it all.  Thus the horrible cost.  

     

    Angus

     

    • Like 1