Andriy 0 Posted May 6, 2021 (edited) Hi. I use Delphi 7 +8.58 2 years. Every year I just add new pem and key files (my programs is old and It does not have new version) This year my program doesn't work. My ssl was old and I create new ssl. I bought 2 ssl - rapid and than cert. I changed version ssl. Not work. Test on site - https://www.sslshopper.com/ ssl is OK - with rapid and cert. OnGetDocument not called - browser get error - ERR_CONNECTION_CLOSED. There are working breakpoints in my program: GetClientConnect GetSslSetSessionIDContext GetSslServerName GetSslHandshakeDone GetClientConnect GetSslSetSessionIDContext GetSslServerName GetSslHandshakeDone and then ERR_CONNECTION_CLOSED My project now is down. Can you help me. Where I can found that error? Because I don't know why ics close ssl session. Today I create new project - with ics but ssl also don't work. IF load program from bad IP (IP<>domain name) ssl don't work and OnGetDocument working fine - but withot ssl. I will appreciate your help ssltest.zip Edited May 6, 2021 by Andriy Share this post Link to post
Angus Robertson 577 Posted May 7, 2021 Sorry, insufficient information to make any real diagnosis, you don't say what OpenSSL you are using, or which protocols, or what errors the client sees. The client may have closed the connection and the problem is not server related. SslHandshakeDone is called for both success and failure, you are not logging what happened. I suggest you try configuring the OverbyteIcsSslMultiFtpServ.dpr sample with your certificate and IP address and try to connect to that, it has better logging. Maybe use V8.66 as well. The latest versions of ICS will start without SSL certificate, it creates a self signed certificate to start-up, and will then order a free certificate from Let';s Encrypt so you don't need to buy manually from RapidSSL. Angus Share this post Link to post
Andriy 0 Posted May 7, 2021 Hi, thanks for the answer. free Let's don't work 1 years without renew and my service official and works for hospitals. I don't want to use self cert. Ok I will try to update to 8.66. Now I add logger to demo project and now I got all logs. Maybe these lines? 16:25:09:465 AlpnCB> Protocols: h2,http/1.1 16:25:09:465 ProtoMsg: None, State: SSLv3/TLS read client hello, Send, DataLen: 5, Data= 1503030002 16:25:09:465 ProtoMsg: TLS 1.2 Alert, Fatal: , State: SSLv3/TLS read client hello, Send, DataLen: 2, Data= 0278 16:25:09:465 007428D8 ICB> SSL3 alert write fatal no application protocol 16:25:09:465 007428D8 ICB> SSL_accept: error 1 in error 16:25:09:465 007428D8 BIO_read(sslbio, 0x18FCF3, 0) = -1 [20] 16:25:09:465 007428D8 BIO_should_retry(sslbio) = 0 [21] 16:25:09:465 007428D8 HandleSslError handle=284 [22] error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext 16:25:09:465 007428D8 TriggerEvent handle=sslFdClose 284 16:25:09:465 007428D8 NetworkError #10053 It's from any computers, from any browsers. I add full log file 1.log Share this post Link to post
Angus Robertson 577 Posted May 7, 2021 ICS only create a self signed certificate if there is no real certificate available, without which the server will not start. As I said elsewhere today, the ICS logger is designed for internal component debugging, not application errors, nor SSL debugging. What is your URL, email if necessary. Angus Share this post Link to post
Angus Robertson 577 Posted May 7, 2021 I can connect to your test server with the host name you sent, using the ICS browser component, get a 404 error no index page, uses a RapidSSL certificate: SSL Connected OK with TLSv1.1, cipher ECDHE-RSA-AES256-SHA, key auth RSA, key exchange ECDH, encryption AES(256), message auth SHA1 TLSv1.1 and SHA1 are now obsolete and not supported by most browsers. Somehow you have configured the server not to support TLSv1.2, either by using very old OpenSSL DLLs or with options. Angus Share this post Link to post
Andriy 0 Posted May 7, 2021 I updated 2 ssl files to OpenSSL v1.1.1k Win64 for ICS, http://www.overbyte.be. But it's not help. "TLSv1.1 and SHA1" it's bad param in SslContex?? Maybe you know new good working parameters? Share this post Link to post
Angus Robertson 577 Posted May 7, 2021 You should really be configuring your server using IcsHosts so you can ignore the SslContext. But try these settings: SslCtx.SslMinVersion := sslVerTLS1_2; SslCtx.SslMaxVersion := sslVerTLS1_2; SslCtx.SslCipherList := sslCiphersMozillaSrvTLS12; { V8.66 was sslCiphersMozillaSrvInterFS } SslCtx.SslSecLevel := sslSecLevel112bits; Angus Share this post Link to post
Andriy 0 Posted May 7, 2021 So. I installed 8.66 on D7. I got error - [Error] OverbyteIcsThreadTimer.pas(571): Undeclared identifier: 'AtomicIncrement'. Replace on InterlockedIncrement. Then REM all call X509Log because also Undeclared identifier +copy new ssl from 8.66 folder and ssltest demo working. Then I start old project with new those ssl files and working fine too. LOL :) Thank you very much for helping. Share this post Link to post
Angus Robertson 577 Posted May 8, 2021 So your web server is accepting connections again? Not many people still use Delphi 7 so don't test it very often, but I will fix V8.67 to work on it again next week. Angus Share this post Link to post
Andriy 0 Posted May 10, 2021 hi. Now It'is working fine. And thx for SslContext1.SslCertX509.ValidNotAfter - Now I use it with email notify in my projects. And I have still one qestion. What do you reccomend ics component for creating secure ftp server and also secure ftp clients. Week's backup for 200+ users. And what is this ftpmulti1 :) thx Share this post Link to post
FPiette 385 Posted May 10, 2021 1 hour ago, Andriy said: What do you recommend It is better you open a new message thread for that other subject. Share this post Link to post
Angus Robertson 577 Posted May 13, 2021 Just installed the overnight zip on Delphi 7, worked the second time after I deleted all the old units and packages and started fresh. A number of old units were removed in V8.,66 which will no longer build. Having trouble building samples due to them having D2007 properties, long time since I tried to downgrade forms. Angus Share this post Link to post
Kyle_Katarn31 0 Posted May 17, 2021 I still use ICS exclusively on D7 and... So far so good with official builds. Share this post Link to post