Re: [twsocket] unable to link design time CB2007 as missing external file 'crypt32'

2018-02-24 Thread Richard Gallois
I've added crypt32.lib to my Builder project. I can't remember why I had to
do this, but I've had it there for a long time. The lib file is found at
C:\Program Files (x86)\Embarcadero\Studio\17.0\lib\win32\release\psdk for
Builder 10 Seattle. It will be in a similar location of CB7. This should
eliminate the linker errors.

Richard

On 24 February 2018 at 11:30, Paul Read <p...@nsolve.com> wrote:

> Numerous linker messages like this:
>
> [ilink32 Error] Error: Unresolved external 'CertFreeCertificateChainEngine'
> referenced from C:\DEV\CMP\ICS\LIB\DEBUG\WIN32
> \D2007\OVERBYTEICSMSSSLUTILS.OBJ
> [ilink32 Error] Unresolved external 'CertFreeCertificateChainEngine'
> referenced from C:\DEV\CMP\ICS\LIB\DEBUG\WIN32
> \D2007\OVERBYTEICSMSSSLUTILS.OBJ
> [ilink32 Error] Error: Unresolved external 'CertFreeCertificateContext'
> referenced from C:\DEV\CMP\ICS\LIB\DEBUG\WIN32
> \D2007\OVERBYTEICSMSSSLUTILS.OBJ
>
>
> These appear to be external references to crypt32, yet I don't have that file
> (I believe).
>
> Last version I built without issue was ICS v8.49 with Borland C++ 2007,
> currently overbyte.eu seems to be down so can't try any versions between.
>
> Any suggestions?
> Paul Read
>
> --
> To unsubscribe or change your settings for TWSocket mailing list
> please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
> Visit our website at http://www.overbyte.be
>


Re: [twsocket] ICS and OpenSSL security

2016-11-04 Thread Richard Christman
k for 16 years!

But really, on the other hand, I'm very happy you've decided you need to
take action. I know you guys want to provide the best possible software
and service possible. You always have. This is good. I'll watch for it.

For my purposes, I have no problems with AuthentiCode verification. My
users need not do that. I will.

Thanks,

Richard


Re: [twsocket] ICS and OpenSSL security

2016-10-31 Thread richard
I first sent this from the wrong email address. My apology.

On Fri, 28 Oct 2016 08:24 +0100 (BST), you wrote:
>
> > When downloading ICS and the OpenSSL binaries you provide, I've
> > never been able to find any sig, sha, or md5 files for checking
> > authenticity.
>
> ICS itself is source code, so in theory is not a security risk.

Source code is subject to the same concerns as binaries. When the SSL 
code was added to ICS years back, security became a concern.

> We don't provide any authentication for our builds of the OpenSSL tools
> because no-one has ever asked, and we don't have the means to easily
> automate it.  Doing so would involve time better spent supporting ICS.
>
> You don't have to use the ICS build OpenSSL tools, there are other
> Windows versions out there you can use instead.
>
> One thing that could be done with a new command batch file is to
> digitally sign the OpenSSL DLLs, which you can already do for your own
> customers.

You're right. All that's required is a batch file. I PGP sign all my 
source and binaries. It's required. Your ICS and OpenSSL DLLs are 
included in my releases, and it makes me a little uneasy signing for 
your work as I cannot say I know for a fact these binaries came from the 
original source code or aren't otherwise tampered with. The original 
OpenSSL files you downloaded were signed. Then you don't sign. Then I do 
sign. You're sort of a broken link in the security chain.

I have always trusted you guys implicitly, I feel quite certain 
everything is fine. I will continue to trust you. I appreciate your very 
long and most excellent work. I've been with you since, I think, 1999.

> But ICS does have an authenticode certificate and is not a
> company so might have trouble actually buying one (they are expensive)
> so they'd probably need to be signed by my company as Magenta Systems
> Ltd.  But at least that would protect against tampering.

I'm not sure about your authenticode cert and how the user tests it. 
I've seen them available and I know they're expensive. I'm guessing this 
is for your commercial software. It's probably not the best choice for 
this application.

In the open source world, PGP sigs are universally accepted for this 
purpose. All that's required is the GPG program and creation of a key 
owned by the person signing the release.

I know this is something you haven't considered previously. Early on, 
your work had no security implications at all. I can understand and have 
basically overlooked this all along.

Taking this step would be an important and needed service to all who use 
your ICS/OpenSSL, but if this is too much for you right now, I hope you 
can work it in at some time in the future.

Regards,

Richard
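
One way a downstream packager could test an Authenticode signature on the OpenSSL DLLs before bundling and signing a release, as an added example that is not part of the original thread or of ICS. The DLL names (the OpenSSL 1.0.x Windows names), the directory and the expected signer string are assumptions.

```powershell
# Added example: check Authenticode signatures on bundled DLLs before release.
# Assumed values: directory, file names and expected signer are placeholders.
function Test-BundledDllSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Directory,
        [Parameter(Mandatory)] [string[]] $FileName,
        # Substring expected in the signer certificate subject (assumed value).
        [Parameter(Mandatory)] [string]   $ExpectedSigner
    )

    foreach ($name in $FileName) {
        $path   = Join-Path -Path $Directory -ChildPath $name
        $result = [ordered]@{
            File = $name; Status = 'Missing'; Signer = $null
            Sha256 = $null; Trusted = $false
        }

        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $result.Status = [string]$sig.Status
            # Record the hash so the verified file can be pinned in release notes.
            $result.Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($sig.SignerCertificate) {
                $result.Signer = $sig.SignerCertificate.Subject
            }
            # 'Valid' means the file hash matches the signature and the chain
            # builds to a trusted root. Any other status (NotSigned,
            # HashMismatch, NotTrusted, UnknownError) counts as a failure.
            $result.Trusted = ($sig.Status -eq 'Valid') -and
                              ($result.Signer -like "*$ExpectedSigner*")
        }
        [pscustomobject]$result
    }
}

$report = Test-BundledDllSignature -Directory 'C:\Build\OpenSSL' `
    -FileName 'libeay32.dll', 'ssleay32.dll' -ExpectedSigner 'Magenta Systems Ltd'
$report | Format-Table -AutoSize
if ($report.Trusted -contains $false) {
    Write-Error 'One or more DLLs failed Authenticode verification; do not sign the release.'
    exit 1
}
```

Matching on the signer subject as well as the status matters here: a file that was replaced and re-signed with some other trusted certificate would still report Valid.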


[twsocket] ICS and OpenSSL security

2016-10-27 Thread richard
Hi All,

When downloading ICS and the OpenSSL binaries you provide, I've never
been able to find any sig, sha, or md5 files for checking authenticity.
I probably have overlooked these. Could you help me out with this?

Thanks,

Richard


Re: [twsocket] OpenSSL and Poodle exploit

2014-11-06 Thread richard
Hi Angus,

On Mon, 20 Oct 2014 18:38 +0100 (BST), you wrote:

> There has been recent press about an SSL server exploit called Poodle, which
> only affects SSLv3, not the more recent TLS 1.x protocols.
>
> Disabling SSLv3 in servers can be done by setting:
>
> SslContext.SslVersionMethod := sslV23_SERVER;
> SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
>                           sslOpt_CIPHER_SERVER_PREFERENCE];
>
> v2 was obsolete long ago.
>
> You should also change the cipher suite, Mozilla now suggests three levels of
> ciphers, which are all now added to the latest overnight ICS v8 SVN.
>
> The minimum browsers these ciphers support are:
>
> sslCiphersMozillaSrvHigh - Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
> Android 4.4, Java 8
>
> sslCiphersMozillaSrvInter - Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
> Windows XP IE8, Android 2.3, Java 7
>
> sslCiphersMozillaSrvBack - Windows XP IE6, Java 6
>
> so since IE6 is long obsolete I suggest:
>
> SslContext.SslCipherList := sslCiphersMozillaSrvInter;
>
> Once you have your ICS SSL web server updated and installed on a public
> server, there is an excellent SSL testing web site at:
>
> https://www.ssllabs.com/ssltest/index.html
>
> It takes a few minutes to test all the ciphers, but generates a detailed
> security report giving your web site a letter rating.  Making the changes
> above raised my ICS SSL site from C to A-.

I see you speak of fixing web servers in regard to the poodle exploit. 
Is there any problem with clients? I see mine are set to sslv23. I 
believe that was the default. Should I change this and if so, to what?

Also, I was wondering if it's possible to get a snapshot of your openssl 
1.0.1i or 1.0.1j?

Thanks so much,

Richard



[twsocket] Openssl-1.0.1g

2014-04-21 Thread richard
Hi,

I need some info.

My project uses ICS v8GOLD. My users are greatly relieved that they 
are unaffected by heartbleed (currently I have 1.0.0J), but they are 
now asking, 'why don't I upgrade to 1.0.1G, since 1.0.0j is so old?'

I see in OverbyteIcsLIBEAY.pas that the current max openssl version is 
1.0.0j.

Will you be testing 1.0.1G soon? If not, what should I tell my users?

Thanks,

Richard


Re: [twsocket] RFC 822 Date Time Conversion

2014-01-31 Thread Richard Gallois
Many thanks Angus and Michael. In the end I decided to use the code
from OverbyteIcsSmtpSrv.pas.
In order to understand how it worked (I'd not seen the secret TParser class
before) I decided to translate the code into C++. The constructor for
TParser is slightly different (requires 2 parameters), but otherwise the
code is the same. I've copied the code below in the hope that it might be
of use to someone else who stumbles across this when googling for a C++
solution.

Thanks again,

Richard

//---
bool __fastcall Utilities::GetMonth(TParser* Parser, int& Month)
{
    UnicodeString Months[] = {"Jan", "Feb", "Mar", "Apr",
                              "May", "Jun", "Jul", "Aug",
                              "Sep", "Oct", "Nov", "Dec"};
    Month = 1;
    // Test the bound first so Months[] is never indexed past "Dec".
    while(Month < 13 && !Parser->TokenSymbolIs(Months[Month - 1]))
        ++Month;

    return Month < 13;
}
//---
void __fastcall Utilities::GetTime(TParser* Parser, int& Hour, int& Min,
                                   int& Sec)
{
    Sec = 0;    // stays 0 when the seconds field is missing

    Hour = Parser->TokenInt();
    Parser->NextToken();
    if(Parser->Token == ':')
        Parser->NextToken();

    Min = Parser->TokenInt();
    Parser->NextToken();

    if(Parser->Token == ':')   // Angus, allow missing seconds
    {
        Parser->NextToken();
        Sec = Parser->TokenInt();
        Parser->NextToken();
    }
}
//---
bool __fastcall Utilities::ParseRFC822Date(UnicodeString DateStr,
    TDateTime& DateTime, UnicodeString& ErrorMessage)
{
    if(!DateStr.Length())
    {
        ErrorMessage = "Zero length date string.";
        return false;
    }

    // Add a fictitious day name if one is missing from the start of the
    // string - courtesy of Angus
    if(DateStr[1] >= '0' && DateStr[1] <= '9')
        DateStr = "Sun, " + DateStr;

    // Initialise to NULL so the __finally block never deletes a garbage
    // pointer if a constructor throws.
    TParser* Parser = NULL;
    TStringStream* StringStream = NULL;

    try
    {
        try
        {
            StringStream = new TStringStream(DateStr);

            // Create a NULL TParserErrorEvent object to pass into the
            // TParser constructor.
            // TParser will still generate an exception on error.
            TParserErrorEvent p = NULL;
            Parser = new TParser(StringStream, p);

            Parser->NextToken();

            if(Parser->Token == ':')
                Parser->NextToken();

            Parser->NextToken();

            if(Parser->Token == ',')
                Parser->NextToken();

            int Month, Day, Year, Hour, Min, Sec;

            if(GetMonth(Parser, Month))
            {
                // Month name first: "Jan 30 05:48:07 2014"
                Parser->NextToken();
                Day = Parser->TokenInt();
                Parser->NextToken();
                GetTime(Parser, Hour, Min, Sec);
                Year = Parser->TokenInt();
            }
            else
            {
                // Day first: "30 Jan 2014 05:48:07" or "30-Jan-14 05:48:07"
                Day = Parser->TokenInt();
                Parser->NextToken();
                if(Parser->Token == '-')
                    Parser->NextToken();
                GetMonth(Parser, Month);
                Parser->NextToken();
                if(Parser->Token == '-')
                    Parser->NextToken();
                Year = Parser->TokenInt();

                // Expand two-digit years
                if(Year < 50)
                    Year += 2000;
                if(Year < 100)
                    Year += 1900;

                Parser->NextToken();

                GetTime(Parser, Hour, Min, Sec);
            }

            // Report failure instead of returning true with DateTime unset
            // when the parsed fields do not form a valid date or time.
            TDateTime temptime;
            if(!TryEncodeDate(Year, Month, Day, DateTime) ||
               !TryEncodeTime(Hour, Min, Sec, 0, temptime))
            {
                ErrorMessage = "Invalid date or time value.";
                return false;
            }
            DateTime = DateTime + temptime;
        }
        catch(Exception& e)
        {
            ErrorMessage = e.Message;
            return false;
        }
    }
    __finally
    {
        // Delete the parser before the stream it reads from.
        delete Parser;
        delete StringStream;
    }

    return true;
}
//---


On 30 January 2014 17:18, Michael Gasser <michael_gas...@bluewin.ch> wrote:

> Hi Richard
>
> maybe you should check the user made component LASTMOD.ZIP from
> http://www.overbyte.be/frame_index.html?redirTo=/products/usermade.html
>
> ___
>
> I use this code in two programs.
>
> My programs did send me some error feedback while parsing 'LAST-MODIFIED:'
> (html downloads with ICS HttpCli) with the inet component above (5
> errors, ~500'000 downloads).
>
> Therefore I had to slightly modify the code:
> Two modifications - see 1., 3.
> ___
> 1.
> Right after begin add:
> INetDate := trim( INetDate );
>
> (2.)
> If you use XEn:
> if Uppercase(MonthName) = string(Months[IX]) then
> instead of
> if Uppercase(MonthName) = Months[IX] then
>
> 3.
> after line
> Delete(InetDate,1,Pos(' ',InetDate));
> add this line:
> if pos( ' ', inetdate ) = 0 then inetdate := inetdate + ' ';
> ___
>
> If you f.e. want to catch the value of LAST-MODIFIED of a html file using
> a THttpCli :
>
> modify : event httpgetHeaderEnd
>
> procedure TsjOnlineForm.httpgetHeaderEnd(Sender: TObject);
> var
>   IX : Integer;
>   hst, ST : string;
>   szgmt, DT : TDateTime;
> begin
>   try
>     for IX := 0 to Httpget.RcvdHeader.Count - 1 do
>     begin
>       hst := Httpget.RcvdHeader.Strings[IX];
>
>       if Pos('Content-Length:', hst) > 0 then
>       begin
>         ST := hst;
>         Delete(ST, 1, Pos(' ', ST));
>       end
>       else if Pos('LAST-MODIFIED:', Uppercase(hst)) > 0 then
>       begin
>         ST := hst;
>         Delete(ST, 1, Pos(':', ST));   // strip the header name
>         DT := 0;
>         try
>           DT := InetStdDateToDateTime(ST);
>         except
>           senderrorFeedback_eMail_to_RichardGallois('cannot parse t=' + ST);
>         end;
> ___
>
> Best regards
> Michael
>
> - Original Message - From

[twsocket] RFC 822 Date Time Conversion

2014-01-30 Thread Richard Gallois
Hi,

Has anyone got a solid method of converting RFC 822 date times (e.g. Thu,
30 Jan 2014 05:48:07 +0800) to a TDateTime? I've found a function in Indy
to do this, but I'd rather not compile Indy into my project if there is an
ICS way to do this.

Many thanks,

Richard