Angus Robertson

ICS V8.70 announced


3 hours ago, Angus Robertson said:

The existing web server without SSL/TLS could then be abandoned.

Abandoned but not removed? I assume the new web server component will have a new name.

Edited by Mark-

1 hour ago, Angus Robertson said:

I'm planning a new web server component, and there will be no non-SSL version, as there is no non-SSL proxy component.  The existing web server without SSL/TLS could then be abandoned.

I would really like to continue to be able to use webservers without SSL/TLS for several reasons:

  • In a more complex setup, SSL gets offloaded from the application servers to load balancers, reverse proxies or web application gateways
  • modern reverse proxies like Caddy are ridiculously easy to use and just work with ACME certificates (or self-signed) with almost zero config, it's not even funny
  • it's usually easier to update a reverse proxy/load balancer or WAG for new OpenSSL versions than the applications themselves
  • webservers embedded into the application, bound only to localhost, don't need SSL/TLS (for internal APIs)
  • it's easier during development if you don't have to wrangle self-signed certs and browser errors

But I don't care if the SSL/TLS code gets compiled into the program or not. I just want to be able to use a server without SSL/TLS.

Edited by omnibrain

I use ICS with plain sockets and my own SChannel wrapper for TLS so I don't have to bother with OpenSSL libs.

omnibrain is right, it's a common practice to hide business-logic servers behind reverse proxies and load balancers that take care of all the TLS stuff. This config, in addition to easier maintenance, gives the ability to use TLS libs other than the buggy and non-backward-compatible OpenSSL.

And local microservices will only uselessly suffer from performance loss because of en/decryption.

I'm curious, what exactly are the troubles you experience with USE_SSL defines?

Edited by Fr0sT.Brutal


As I said, SSL/TLS is always selectable for each connection, that will never change, except when QUIC becomes an alternative. 

 

Quote

I'm curious, what exactly are the troubles you experience with USE_SSL defines?

TSslWSocketServer is a relatively simple component, but descends through eight different classes with 24 USE_SSL defines, all of which makes improvements difficult; the new version will be much simpler.

 

The SChannel wrapper for ICS is an interesting project, but YuOpenSSL allows ICS to be used without external DLLs, and SChannel is different with every operating system, fine if you only want to support the latest and greatest, useless if you want applications to continue to run on Windows 7 or 8 where each time Windows Update is run, half the ciphers disappear so causing ECDSA key certificates to be ignored, for instance. 

 

Angus

 

1 hour ago, Angus Robertson said:

As I said, SSL/TLS is always selectable for each connection, that will never change, except when QUIC becomes an alternative. 

Thanks for the clarification. I misunderstood what you want to do with the new server component then. I currently use THttpAppSrv and I'm curious what your future developments are going to offer.


The long planned new web server will use a configurable mix of threads and parallel components to make proper use of multiple CPUs, allowing heavier loads than can be supported by a single thread as at present.  For instance, there could be four threads, each with 500 clients, or 500 threads each with one client. 

 

ICS already has a TSslWSocketThrdServer component (one per client), but there has never been a web server using it. I've never heard of anyone using it. 

 

Angus

 

3 hours ago, Angus Robertson said:

SChannel is different with every operating system, fine if you only want to support the latest and greatest, useless if you want applications to continue to run on Windows 7 or 8 where each time Windows Update is run, half the ciphers disappear so causing ECDSA key certificates to be ignored, for instance. 

This could probably be important for servers or some complex encryption stuff, but you don't need all of that just for connecting to a TLS server. The RTL's built-in net/http clients are powered by SChannel, as is the famous cURL, which can optionally rely on it as its TLS engine.

Quote

Will there be in the near future any update to support macOS 64 bit?

Only if an Apple user contributes something; neither Francois nor I have any suitable hardware, so we cannot test anything.

 

Angus

 


I haven't been able to install the new release under Delphi 11, either the 8.70 or the daily snapshots,  always getting this error about OverbyteIcsHtmlPars, installing the VclFmx group:

 

[Image: CMppWVP.thumb.png]

 

If I try the VCL-only group, only a few components get installed:

 

[Image: UpeiMwH.png]

Edited by Shira

22 minutes ago, Shira said:

I haven't been able to install the new release under Delphi 11, either the 8.70 or the daily snapshots,  always getting this error about OverbyteIcsHtmlPars, installing the VclFmx group:

 

https://i.imgur.com/CMppWVP.png

 

If I try the VCL-only group, only a few components get installed:

 

https://i.imgur.com/UpeiMwH.png

Are you aware that you can add images right here as attachments, like I show you when I open your links?

[Image: Bild_2023-02-17_222737039.png]

15 minutes ago, KodeZwerg said:

Are you aware that you can add images right here as attachments, like I show you when I open your links?

 

Edited

Edited by Shira


Never mind that, I had some conflict with another package where a component is using TWSocket; I worked around it, then it installed fine.

