AllanF (Posted September 24, 2020)

Hi,

I am currently using TSslFtpServer and TSslWSocketServer in combination with SslContext, but there are connection issues coming up recently with "Failed SSL Handshake before negotiation". Instead of chasing that, I want to update to the current technique of using ICSHosts.

Here I am stuck: when trying to connect with FileZilla Client, my Server comes into the ClientConnect event, then in ClientCommand the Keyword is empty, and then control goes to ClientDisconnect. It does not go into Validation etc.

The problem is that there is no example using ICSHosts, so I used the OverbyteIcsSslFtpServ example, removing the SslContext and adding an Item in IcsHosts.

Kindly note that mine is an application wherein I have a Server module running on one machine and I have several machines connecting to the Server. There is no website I can validate 'HostNames.Strings' with, so I hope the machine name will do?

DFM section of TSslFtpServer:

    IcsHosts = <
      item
        HostNames.Strings = ('VMAF')
        HostEnabled = True
        HostTag = 'MyTag'
        SslCert = '01cert.pem'
        SslKey = '01key.pem'
        SslInter = 'cacert.pem'
      end>

Since 01cert.pem etc. are not working here, I made fresh certificates which I tested and are working with the SslContext.

Regards
Allan

Angus Robertson (Posted September 25, 2020)

Sorry for the lack of an FTP sample using IcsHosts, it's been on my list all year but other projects keep putting it back.

It is however properly documented, follow the links from http://wiki.overbyte.eu/wiki/index.php/FAQ_Using_IcsHosts and all the properties are separately explained, including HostNames, which are the DNS names for the SSL certificates.

The latest version of IcsHosts does not even need SSL/TLS certificates, it will automatically create self-signed certificates so the server can start, and then order proper certificates from Let's Encrypt, if required.

The sample to look at is really OverbyteIcsSslMultiWebServ.dpr, since the set-up and use of IcsHosts is almost identical in all servers.

Angus

Angus Robertson (Posted September 25, 2020)

You don't normally configure IcsHosts or the server through the object inspector, but from an INI file. The component has two functions, IcsLoadFtpServerFromIni and IcsLoadIcsHostsFromIni, which load all the required settings from an INI file set up similarly to the following. This is the second of two servers, behind a NAT firewall, but could be using public IP addresses. It orders the SSL/TLS certificate automatically without any other settings. Once the settings are loaded, you call ValidateHosts to check everything, then Start. BTW, these IcsHosts settings prevent FTP being accessed without SSL.

    [FtpServer:2:Host1]
    Hosts=sip.magsys.co.uk
    HostTag=SIP.MAGSYS
    BindIpAddr=192.168.1.123
    BindIpAddr2=2a00:1940:1:2::123
    BindNonPort=21
    BindSslPort=990
    AuthSslCmd=True
    AuthForceSsl=True
    Desc=
    HostEnabled=True
    SslCert=C:\certificates\local\sip_magsys_co_uk.pfx
    SslPassword=password
    SslSecLevel=sslSrvSecTls12Less
    CertSupplierProto=SuppProtoAcmeV2
    CertDirWork=d:\weblogs\acme-certs\
    CertChallenge=ChallFileSrv
    CertPKeyType=PrivKeyRsa2048

    [FtpServer:2]
    DefaultHost=sip.magsys.co.uk
    ServerDesc=sip.magsys.co.uk on 192.168.1.123: 21/990
    HostEnabled=True
    BannerConnect=220-\h\n220-\v\n220-ICS\s\n220 Server: \p at \o
    MaxClients=100
    MaxAttempts=5
    PasvIpAddr=217.146.115.85
    PasvPortRangeStart=21001
    PasvPortRangeSize=997
    MD5UseThreadFileSize=100000
    TimeoutSecsLogin=60
    TimeoutSecsIdle=300
    TimeoutSecsXfer=60
    ZlibMinLevel=1
    ZlibMaxLevel=9
    ZlibNoCompExt=.zip;.rar;.7z;.cab;.lzh;.gz;.avi;.wmv;.mpg;.mp3;.jpg;.png;
    AlloExtraSpace=1000000
    ZlibMinSpace=50000000
    ZlibMaxSize=500000000
    ListenBackLog=5
    SrvOptions=[ftpsCwdCheck,ftpsCdupHome,ftpsNoPasvIpAddrSameSubnet,ftpsHidePhysicalPath,ftpsModeZCompress,ftpsSiteXmlsd,ftpsThreadRecurDirs,ftpsThreadAllDirs,ftpsEnableUtf8,ftpsAutoDetectCodePage]
    SslRenegotiationInterval=0
    BandwidthLimitKB=0
    SslCertAutoOrder=True
    CertExpireDays=30
    RootCA=C:\certificates\TrustedCABundle-magdev.pem

Angus
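
An added example, not part of the thread and not ICS code: a small Python check that reads an INI laid out like the one in the post above and reports enabled host sections that leave the plain FTP port usable without SSL, or that keep a certificate password in the file. It assumes AuthSslCmd enables the AUTH command on the plain port and AuthForceSsl makes SSL mandatory for login; the sample hosts and values are constructed.

```python
import configparser

# Constructed sample in the layout shown in the post above; values are placeholders.
SAMPLE_INI = """
[FtpServer:1:Host1]
Hosts=ftp.example.test
BindNonPort=21
BindSslPort=990
AuthSslCmd=True
AuthForceSsl=True
HostEnabled=True
SslPassword=password

[FtpServer:1:Host2]
Hosts=legacy.example.test
BindNonPort=21
AuthSslCmd=True
AuthForceSsl=False
HostEnabled=True
"""

def is_true(value):
    return value.strip().lower() in ("true", "1", "yes")

def audit_hosts(ini_text, prefix="FtpServer"):
    """Return {section: [findings]} for the enabled host sections in ini_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ini_text)
    report = {}
    for name in cp.sections():
        parts = name.split(":")
        # Host sections are named <prefix>:<server number>:Host<n>
        if len(parts) != 3 or parts[0] != prefix or not parts[2].startswith("Host"):
            continue
        sec = cp[name]
        if not is_true(sec.get("HostEnabled", "False")):
            continue
        findings = []
        plain = sec.get("BindNonPort", "0").strip() not in ("", "0")
        if plain and not is_true(sec.get("AuthSslCmd", "False")):
            findings.append("plain port open but AUTH SSL command disabled")
        if plain and not is_true(sec.get("AuthForceSsl", "False")):
            findings.append("plain port open without AuthForceSsl")
        if sec.get("SslPassword", "").strip():
            findings.append("certificate password stored in clear in the INI")
        report[name] = findings
    return report
```
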

Angus Robertson (Posted October 9, 2020)

There is a new ICS Multi Host FTP Server sample using IcsHosts in the overnight zip, really designed to be a Windows service application. It supports multiple SSL hosts with multiple listeners, can order its own SSL certificates and will create self-signed certificates for any missing, and will email status information and errors to an administrator.

Angus