Angus Robertson

OpenSSL has released new minor version 3.2.0, which has a lot of new features.  It is compatible with the current versions of ICS, but has only been tested briefly with clients, it needs at least a week of testing with servers before I'm comfortable adding the DLLs to ICS as the defaults.

The major change in 3.2.0 is support for client side QUIC protocol. QUIC is based on UDP rather than TCP and allows multiple streams in parallel, typically for downloading web pages with hundreds of elements, QUIC combined with HTTP/2 becomes HTTP/3.  There is a DLL solution that has been used to add HTTP/2 to Indy but not native Delphi implementation I'm aware of, it's a lot of work. So no possibility of ICS having HTTP/3 soon.

Other changes in 3.2.0 include:
Certificate compression in TLS, including support for zlib, zstd and Brotli
Deterministic ECDSA.
Support for Ed25519ctx, Ed25519ph and Ed448ph.
AES-GCM-SIV.
Argon2 and supporting thread pool functionality.
Hybrid Public Key Encryption (HPKE).
The ability to use raw public keys in TLS.
Support for Brainpool curves in TLS 1.3.
SM4-XTS.
Support for using the Windows system certificate store as a source of trusted root certificates.

Some of the above cipher and hash changes may be used by TLS connections without change to ICS, if negotiated with the other end, but certificate related changes will need updates to ICS.

Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

In addition to the three DLL files, the zip includes a compiled RES resource file that contains the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately.

ICS V9.1 and later optionally support loading the resource file, currently in SVN and the overnight zip.

Angus

ICS V9.0 added a function IpHlpGetDnsServers  in unit OverbyteIcsIpHlpApi.pas that sets a TStringList with the local PC DNS server IPs.

The DnsQuey unit also has a list of public DNS servers, Cloudfare, Google, etc, that TDnsQuey can loop through.  Ditto for DoH.

Angus

The main problem with the PUT handler in the application server was a complete lack of content upload handling, it was just ignored, now fixed, will be in SVN today.

Angus

Look at where that code came from in the X509Certs unit, it loops through a few different public DNS servers until one gives the expected result. 

Angus

Beware DNS caches are not very clever with new TXT records, I found it may take a couple of requests before a newly added TXT records was found, should not matter for email since that rarely changes.

Angus

DNS TXT records are undefined, the content varies according to the application.

The ICS unit for ordering wildcard SSL certificates simply checks the entire TXT record against the value given:

                FDnsQuery.QueryAnySync(Item.CPage, DnsQueryTXT) ;
                if FDnsQuery.TXTRecordCount > 0 then begin
                    for I := 0 to FDnsQuery.TXTRecordCount - 1 do begin
                        if (FDnsQuery.TXTRecord = Item.CDNSValue) then begin
                            LogEvent('Successfully tested DNS challenge for: ' + Item.CPage + ', Data=' + Item.CDNSValue);
                            Result := True;
                            Exit;
                        end;
                    end;

For email SPF records, you might search the record for v=spf1 and look at the rest afterwards.

Angus

I will test PUT finally works this week, but not for a couple of days. 

Angus

TDnsQuery in V9.0 added TXTRecordCount and TXTRecord[n] methods, since there are often multiple TXT records.   Also sync mode to make it easier to use.  

Look at the latest OverbyteIcsNsLookup sample.

Angus

Thanks, that will explain why a PUT test upload failed recently, it was still on my list to test, fix will be in SVN this week.

Angus

The second option to avoid distributing OpenSSL DLLs was added last week, embedding the DLLs in the application and extracting them when the application is first run to a common directory, this was discussed in the last OpenSSL update message. Other related changes will happen this week. 

I always saw the major downside of SChannel that Microsoft is slow to add new features, and they are only added to new Windows versions, even TLS/1.2 took several years to be added to Windows 8/Server 2012 and did not support EC certificates properly.  So exactly the same update policy as OpenSSL, except you have to upgrade the entire OS instead of a couple of DLLs.

Angus

The fix was in SVN weeks ago.  If you work with ICS from SVN, you need to keep it up to date and accept things may get broken, and you may need to wait a few days for bug fixes, 

I try to make sure SVN always has a buildable version, but it does not always work, currently SVN is waiting for two Posix fixes from the last update, but I've changed dozens of units since then which need a lot of testing.

Angus

Quote

probably you could make it in some pluggable manner to easily integrate another TLS engines?

That would be a massive amount of work, OpenSSL functions are buried in a lot of ICS functions at low level. 

I looked at your SChannel implementation for ICS when you initially wrote it.

At the time the USP was no DLLs, but there are now two separate solutions that avoid distributing separate OpenSSL DLLs, so what do you now see as the benefit of SChannel? 

Angus

The output folders should be created when the DCU are built.  If not the batch lines you copied earlier create both folders.  

It is not necessary to distribute lots of empty folders, except for ancient versions that did not create them. 

Angus

Looking at the D2010 package, there is typo, you need to correct the post-build command to change a win64 to win32, since D2010 does not have Win64 so the directory will not exist,

Sorry, these package changes are done manually, and I have to edit hundreds of files by hand.

Angus

Don't worry about the compile errors with Android, I've just installed Android support for Delphi 12 and get a load of errors when building ICS 9.1 for Android (and a couple of Linux) which I will fix or suppress in the near future. 

For ICS V10, just comment out the offending functions like IcsIsValidAnsiCodePage which uses ICON and IcsGetFreeDiskSpace, which are fine for Posix not seemingly not Android, doubt any of this stuff is needed to get basic sockets working on Android.

And avoid changes like using generics that are unnecessary to make ICS work on Android.

Angus

Those build command in the package copy DFM forms from the source directory to compiled Lib, but you can do it manually if it fails and remove the build lines from the package.

Angus

Thanks, I'll attempt to reproduce those conditions to see if I can reproduce the error, then fix it, for the next release.

Zipping did get changed recently to support the native component, and I don't use zipping myself much nowadays.

Angus

Please don't post large chunks of code in this topic, few people need to look at it. 

Either attach to a short message as a text file or send it by private message to whoever has requested it.

Angus

The TsslWebSocketCli is a very new component, not heard of any using it yet (I use the websocket server for dynamic web pages).  What are you using it for?

It will need the HTTPRest component, but that will be one of the first to be converted.  Adding SSL to V10 is likely to be the hardest part due to the low level changes.  

Angus

ICS V9.0 will be very difficult to convert to Android, it should work on MacOS but has not been tested for a few years due to lack of hardware and volunteers. 

ICS V10 is currently a very small number of units that does work on Linux for simple sockets, no SSL.  Over the next year or so I will be migrating the V9 code to V10, it's a massive job.  

I strongly recommend that initially you concentrate on adding Android support to V10 and making the two FMX samples work on Android.  You will see results far faster than working with V9. 

Angus

I saw the auto suffix is available in a drop down list, but you have to click a button to find it, I would have designed it with a tick box, so it is obvious.

Angus

OpenSSL has released new versions of the two active branches.

These releases fix a medium severity bug with symmetric cipher key and initialisation vector (IV) length that can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. This does not effect SSL/TLS, only encryption using EVP_EncryptInit_ex2().

Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

Separately, YuOpenSSL has released 3.0.12 as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

In addition to the three DLL files, the zip includes a compiled RES resource file that contains the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately.

ICS V9.1 and later optionally support loading the resource file, currently in SVN and the overnight zip.

The OpenSSL extract directory is shell path CSIDL_COMMON_APPDATA which in recent Windows versions is "C:\Users\All Users\" aliased as "C:\ProgramData\", in sub-directory "ICS-OpenSSl" with a sub-directory for each different   OpenSSL major/minor version, ie "3012" for 3.0.12, ie  "C:\ProgramData\ICS-OpenSSl\3012\libcrypto-3.dll".

OverbyteIcsDefs.inc has a new define OpenSSL_Resource_Files which causes the resource file to be linked, the major/minor version being defined as OpenSSL_30, OpenSSL_31 or OpenSSL_32 (not supported yet), the actual resource files are  LibV3xOpenSSL32.RES and LibV3xOpenSSL64.RES where x is the minor version.

Note ICS supports linking specific major/minor versions of OpenSSL, but only one per application, but not multiple patch versions which don't have new features, only security and bug fixes. The RES files are distributed in the zip files with the DLLs from the ICS wiki site, with the latest versions in the source directory. If the new resource can not be found or there is a problem extracting the DLLs, ICS falls back to looking for OpenSSL DLLs as previous releases.

The OverbyteIcsDefs.inc in SVN has define OpenSSL_Resource_Files enabled, so if copied will mean projects rebuilt will automatically have the OpenSSL resources linked without any other changes.

A decision will be taken before the final release as to whether this is best behaviour, it does resolve a long term problem of DLL hell or keeping OpenSSL DLLs updated in potentially dozens of different directories, particularly if applications build to Win32 and Win64 directories, now a single set of any version is needed in "C:\ProgramData\ICS-OpenSSL".  The only downside is larger EXE files, particularly if an application has multiple EXEs.

ICS has a global variable GSSL_DLL_DIR that defines where to look for the OpenSSL files, defaulting to blank but set in all samples to the program directory so a known version of OpenSSL is loaded.

Perhaps ICS should set this to "C:\ProgramData\ICS-OpenSSL" by default so only a single set of DLLs are needed. Only snag is automating a means of getting files to this directory if the resource files are not used.

Angus

Quote

Just set it to auto in de Project options for the package: Lib suffix: $(Auto)

Thanks, did not know that, there should really be an Auto Suffix tick box, so it's self documenting.

Angus

Quote

Well, 280 is a version 11, and Delphi 12 is 290 so Delphi 12 will definitely not like such bpl.

Indeed, I thought I'd changed the package suffix to 29, but somehow the change got lost, and so D12 packages were built with suffix 28 which D11 then found due to so many different paths searched, and crashed the IDE on start-up.  

The risk of updating old components to use new compilers before the original developers have done so, if they are still around.

Parnassus is now installed in both D11 and D12, but calls itself Yukon instead of Athens, one reason I've stopped using these names for ICS, gets very confusing.

Angus

Not sure if my problem with D11.3 relates to Parnassus. 

It seems Delphi has taken a dislike to dclframviewer280.bpl built months ago, which is HtmlViewer, I added that to D12 and probably got some packages wrong.

Angus