Angus Robertson

One interesting concept of the Azure code signing certificates is they expire within two days, effectively created daily on demand. 

While such a short expiry is impractical for servers, code signing relies on a time stamp, so applications can be used for many years beyond the certificate life. 

Angus

Sure you can copy a certificate from a token, the certificate is also in every program you sign. 

But the token keeps the certificate private key secure so it can not be copied, shared or stolen, which means you can only sign code with the token, which actually handles the sign operation, the private key never leaves the token.

There are ways to remotely sign code using the cloud or remote servers, suggest reading https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

Microsoft also has a remote signing solution https://learn.microsoft.com/en-gb/azure/trusted-signing/

Angus

Another define to kill, OpenSSL_Check_SignCert will stop the verify trust check, usually that only fails on very old versions of Windows.  

OAuth2 uses two tokens, when you authenticate with a login and password a refresh token is generated which usually has a very long expiry, maybe years, and is used to generate an access token which is short lived, an hour to a day, and a new one is generated regularly by ICS from the refresh token.   So you save securely the refresh token, not the access token. 

Angus

I suspect that is a fault in K-Software's automated systems, not been updated since tokens became mandatory.  The web site does say 'Secure token available'  which means is not really optional. 

My three year K-Sotfware certificate expires next month, so just about to go through the same process. 

Angus

The price increase is down to code signing certificates needing to be shipped on USB dongles instead of as files.

Angus

Be careful with OAuth2 refresh tokens, they do make authentication very simple and usually remain valid for months or even years.  But you must have some code in place for the day the token becomes invalid without notice, immediate emails to the system admin (using the IcsMailQueue component), because otherwise you are going to have hundreds of failed requests very quickly.  Perhaps dummy requests during the night so you get a warning before the rush. 

Angus

You should also undefine OpenSSL_AutoLoad_CA_Bundle.  This causes OpenSSL to be loaded when any ICS application is loaded, even if no ICS components are used. 

This define is usually best since otherwise OpenSSL can be loaded and unloaded repeatedly if not done manually once before making any SSL calls. 

I've never tried using ICS in an ISAPI, only simple DLLs, they are not quite standard with a few special exports.  All my Windows 2025 servers run an ISAPI I wrote 20 years ago and last compiled in 2005, never needed to touch it, just keeps working, fortunately Microsoft does not mess with IIS, so nothing ever breaks. 

Angus

webview2loader.dll is used to load the Edge browser, no way that will run as a Windows service, no Window.  You can use ICS OAuth2 stuff in services, but only with saved refresh tokens obtained from another application. 

If you are using a recent ICS version, the loading problem is probably ICS trying to extract the OpenSSL DLLs from the DLL, never tested that, try disabling define OpenSSL_Resource_Files.

The component itself runs fine in a normal DLL, I recently updated OverbyteIcsConHttp.dpr

Angus

Help & Manual allows you to output CHM, PDF and HTML versions of the same help content, used it for 15 years or more.   And probably more formats I don't need.  But it keeps the content in XML, so might not be a quick import from your existing DOCs or whatever.

Angus

Sorry, no quick answer. 

The issue here is avoiding multiple escaping with nested escaped objects. which is why some AddItem overloads have an ARaw parameter to skip escaping, but not AddItemSO. 

I'll need to look carefully at this so as not to break anything, mat be a while.

Angus

This error often happens with older versions, but usually just means the property is lost for the old version, which only matters if you have been already set it specifically for the newer version.  I often open applications in both Delphi 11.3 and 2007, and ignoring properties never causes a problem.

What is more annoying is the IDE inability to cope with a lot of similar errors, insisting on presenting dozens of modal dialogs if you open a large project group, you have to be so careful if what you click to avoid components not being removed from forms if they are not currently installed in the IDE.

Angus

Just keep the time or tick count before you make the request, and again afterwards.  The component can do this internally for sessions, bur not single requests. 

Angus

I have implemented extended passive (and port) mode for the ICS client for IPv4 connections, however I'm not sure if it will fix the original poster's problem since it will only be used if the server FEAT command advertises availability, so it is unlikely to fail.  If it does fail, there is a new option that stops the EPSV and EPRT commands being used.  I asked for an FTP log that would have shown the FEAT command and failure response, but can not guess what is happening.

The ICS FTP server already supports EPSV for IPv4, unfortunately the developer that added it missed updating the FEAT command so it's not advertised, and few FTP clients will use it for IPv4, now fixed as well, will be in SVN once more testing is done.

Angus

Public property RespDateDT

Angus

Packages and programs only have one Win32 option, no idea how you select the tool chain. 

In terms of samples, the obvious ones OverbyteIcsHttpsTst.cbproj, OverbyteIcsWebServ.cbproj, OverbyteIcsCliDemo.cbproj, would be a good start to check applications build.

Angus

I'll update the types unit with the new include emits shortly. 

I can only build C++ packages not use them, since the ICS C++ samples are too old to build with modern compilers, it really needs someone to update two or three C++ samples so I can test that they build with new versions of ICS. 

The C++ Win64 packages build with release for me, but not debug, someone will need to look at that. 

The common package builds for Win64x, but not the run package which imports conmon, because currently D12.2 can only import Delphi packages and not C++ due to missing symbol files, due to fixed in a future release.  

Angus

Thanks, fix will be added for the next release shortly.

Angus

The concept of certificate revocation is changing due to the slow down it causes and the massive databases needed.  OCSP seems to be dead with browsers no longer using it (CRL instead), Let's Encrypt is stopping it's OSCP servers service soon.  The industry wants certificate life to be shorter so they are replaced regularly (monthly) rather than being revoked.  

But this is not really relevant to code signing, since expired certificates are usually trusted provided they are time stamped signed, Azure issues code signing certificates that expire within two days or something.  You can only revoke unexpired certificates, and our signed applications need to run for years or decades, thus the time stamp.  

In theory, the OS or scanners could try and check old signing certificates being revoked, but it would not be easy.

Angus

It is up to the FTP client to decide whether to start passive mode with a PASV or EPSV command, the former has worked with IPv4 for decades, the latter is required for IPv6 so no check for availability is needed.  None of this has changed in ICS in 15 years or more. 

I've never seen a server refuse a PASV request, even if it supports EPSV as well.

It would need changes to the FTP client to prioritise EPSV over PASV, and I'm not likely to get to that for a few weeks.

Angus

I started a new thread about C++ 21 October, you replied and agreed to test the new version. 

All the cbproj packages and some cpp and pas files changed in October, so any comments relating to C++ in V9.3 are irrelevant to building the overnight beta version.

Angus

There have been other CVEs in Zlib over the years, and we were slow to update our version, which is why ICS now uses the Delphi version, at least for those using recent Delphi versions. 

Angus

Extended Passive mode (EPSV) is for IPv6 connections, I'm not aware it has any purpose for IPv4 if that is what you are using. 

Never heard of active passive mode, can you please show the ICS FTP log.

Angus

ICS V8.70 and later come with Zlib 1.2.12 for old Delphi releases, but automatically users the System.Zlib for Delphi 11.1 which had the same release, and newer releases hae newer Zlibs.

Not planning to update the built-in version for old compilers, unless there is a serious issue.

Angus

    {$IF Declared(RTLVersion121)}Result := '12.1';{$IFEND}
    {$IF Declared(RTLVersion122)}Result := '12.2';{$IFEND} 
    {$IF Declared(RTLVersion123)}Result := '12.3';{$IFEND}   // guessing

Angus

ICS has a function IcsBuiltWith that uses a lot of defines to get the version, ie 12.2, but not patches.  Not much code, but it does need an insert file that does most of the version checking.  Several ICS samples report the Delphi version, which is useful. 

Angus