Re: [twsocket] unable to link design time CB2007 as missing external file 'crypt32'
I've added crypt32.lib to my Builder project. I can't remember why I had to do this, but I've had it there for a long time. The lib file is found at C:\Program Files (x86)\Embarcadero\Studio\17.0\lib\win32\release\psdk for Builder 10 Seattle. It will be in a similar location of CB7. This should eliminate the linker errors.

Richard

On 24 February 2018 at 11:30, Paul Read <p...@nsolve.com> wrote:

> Numerous linker messages like this:
>
> [ilink32 Error] Error: Unresolved external 'CertFreeCertificateChainEngine'
> referenced from C:\DEV\CMP\ICS\LIB\DEBUG\WIN32
> \D2007\OVERBYTEICSMSSSLUTILS.OBJ
> [ilink32 Error] Unresolved external 'CertFreeCertificateChainEngine'
> referenced from C:\DEV\CMP\ICS\LIB\DEBUG\WIN32
> \D2007\OVERBYTEICSMSSSLUTILS.OBJ
> [ilink32 Error] Error: Unresolved external 'CertFreeCertificateContext'
> referenced from C:\DEV\CMP\ICS\LIB\DEBUG\WIN32
> \D2007\OVERBYTEICSMSSSLUTILS.OBJ
>
>
> These appear to be external references to crypt32, yet I don't have that file
> (I believe).
>
> Last version I built without issue was ICS v8.49 with Borland C++ 2007,
> currently overbyte.eu seems to be down so can't try any versions between
>
> Any suggestions?
> Paul Read
>
> --
> To unsubscribe or change your settings for TWSocket mailing list
> please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
> Visit our website at http://www.overbyte.be
Re: [twsocket] ICS and OpenSSL security
k for 16 years! But really, on the other hand, I'm very happy you've decided you need to take action. I know you guys want to provide the best possible software and service possible. You always have. This is good. I'll watch for it.

For my purposes, I have no problems with AuthentiCode verification. My users need not do that. I will.

Thanks,
Richard
Re: [twsocket] ICS and OpenSSL security
I first sent this from the wrong email address. My apology.

On Fri, 28 Oct 2016 08:24 +0100 (BST), you wrote:

> > When downloading ICS and the OpenSSL binaries you provide, I've
> > never been able to find any sig, sha, or md5 files for checking
> > authenticity.
>
> ICS itself is source code, so in theory is not a security risk.

Source code is subject to the same concerns as binaries. When the SSL code was added to ICS years back, security became a concern.

> We don't provide any authentication for our builds of the OpenSSL tools
> because no-one has ever asked, and we don't have the means to easily
> automate it. Doing so would involve time better spent supporting ICS.
>
> You don't have to use the ICS build OpenSSL tools, there are other
> Windows versions out there you can use instead.
>
> One thing that could be done with a new command batch file is to
> digitally sign the OpenSSL DLLs, which you can already do for your own
> customers.

You're right. All that's required is a batch file. I PGP sign all my source and binaries. It's required. Your ICS and OpenSSL DLLs are included in my releases, and it makes me a little uneasy signing for your work as I cannot say I know for a fact these binaries came from the original source code or aren't otherwise tampered with. The original OpenSSL files you downloaded were signed. Then you don't sign. Then I do sign. You're sort of a broken link in the security chain.

I have always trusted you guys implicitly, I feel quite certain everything is fine. I will continue to trust you. I appreciate your very long and most excellent work. I've been with you since, I think, 1999.

> But ICS does have an authenticode certificate and is not a
> company so might have trouble actually buying one (they are expensive)
> so they'd probably need to be signed by my company as Magenta Systems
> Ltd. But at least that would protect against tampering.

I'm not sure about your authenticode cert and how the user tests it. I've seen them available and I know they're expensive. I'm guessing this is for your commercial software. It's probably not the best choice for this application.

In the open source world, PGP sigs are universally accepted for this purpose. All that's required is the GPG program and creation of a key owned by the person signing the release.

I know this is something you haven't considered previously. Early on, your work had no security implications at all. I can understand and have basically overlooked this all along. Taking this step would be an important and needed service to all who use your ICS/OpenSSL, but if this is too much for you right now, I hope you can work it in at some time in the future.

Regards,
Richard
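The integrity check this thread asks for (published digests for the OpenSSL DLLs), as an added Python example that is not part of the original messages or of ICS: it verifies a release directory against a sha256sum-style manifest and reports altered, missing and unlisted files. The DLL names and contents are constructed stand-ins, and a manifest only establishes origin once it carries a signature of its own, such as the detached PGP signature proposed above.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex digits>  <file name>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        name = name.lstrip("*").strip()  # '*' marks binary mode in sha256sum output
        # Reject short digests and names that would escape the release directory.
        if len(digest) != 64 or not name or Path(name).name != name:
            raise ValueError(f"bad manifest line: {line!r}")
        int(digest, 16)  # raises ValueError if the digest is not hex
        entries[name] = digest.lower()
    return entries

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def verify_release(directory, manifest_text):
    """Compare every listed file with its digest and flag files the manifest omits."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = directory / name
        if not path.is_file():
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_file(path), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    on_disk = (p.name for p in directory.iterdir() if p.is_file())
    report["unlisted"] = sorted(n for n in on_disk if n not in expected)
    return report

def demo():
    """Constructed release: stand-in DLLs, one altered after the manifest was written."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "libeay32.dll").write_bytes(b"constructed libeay32 contents")
        (d / "ssleay32.dll").write_bytes(b"constructed ssleay32 contents")
        manifest = "".join(f"{sha256_file(p)}  {p.name}\n" for p in sorted(d.iterdir()))
        (d / "ssleay32.dll").write_bytes(b"altered after publication")
        (d / "extra.dll").write_bytes(b"not listed in the manifest")
        return verify_release(d, manifest)
```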
[twsocket] ICS and OpenSSL security
Hi All,

When downloading ICS and the OpenSSL binaries you provide, I've never been able to find any sig, sha, or md5 files for checking authenticity. I probably have overlooked these. Could you help me out with this?

Thanks,
Richard
Re: [twsocket] OpenSSL and Poodle exploit
Hi Angus,

On Mon, 20 Oct 2014 18:38 +0100 (BST), you wrote:

> There has been recent press about an SSL server exploit called Poodle,
> which only affects SSLv3, not the more recent TLS 1.x protocols.
>
> Disabling SSLv3 in servers can be done by setting:
>
> SslContext.SslVersionMethod := sslV23_SERVER;
> SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
>     sslOpt_CIPHER_SERVER_PREFERENCE];
>
> v2 was obsolete long ago.
>
> You should also change the cipher suite, Mozilla now suggests three
> levels of ciphers, which are all now added to the latest overnight
> ICS v8 SVN. The minimum browsers these ciphers support are:
>
> sslCiphersMozillaSrvHigh - Firefox 27, Chrome 22, IE 11, Opera 14,
>     Safari 7, Android 4.4, Java 8
> sslCiphersMozillaSrvInter - Firefox 1, Chrome 1, IE 7, Opera 5,
>     Safari 1, Windows XP IE8, Android 2.3, Java 7
> sslCiphersMozillaSrvBack - Windows XP IE6, Java 6
>
> so since IE6 is long obsolete I suggest:
>
> SslContext.SslCipherList := sslCiphersMozillaSrvInter;
>
> Once you have your ICS SSL web server updated and installed on a public
> server, there is an excellent SSL testing web site at:
>
> https://www.ssllabs.com/ssltest/index.html
>
> It takes a few minutes to test all the ciphers, but generates a detailed
> security report giving your web site a letter rating. Making the changes
> above raised my ICS SSL site from C to A-.

I see you speak of fixing web servers in regard to the poodle exploit. Is there any problem with clients? I see mine are set to sslv23. I believe that was the default. Should I change this and if so, to what?

Also, I was wondering if it's possible to get a snapshot of your openssl 1.0.1i or 1.0.1j?

Thanks so much,
Richard
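A way to confirm that the SSLv3 setting quoted above took effect, as an added Python example that is not part of the original messages or of ICS: it classifies the first record a server returns to an SSLv3-only ClientHello, reading the chosen version from the ServerHello body rather than from the record header. The sample records are constructed byte strings and the function names are this example's own.

```python
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT, HANDSHAKE, SERVER_HELLO = 21, 22, 2


def classify_first_record(data):
    """Return 'negotiated:<version>', 'refused:alert <n>' or 'malformed'."""
    if len(data) < 5:
        return "malformed"
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return "malformed"  # truncated capture
    if ctype == ALERT and length == 2:
        return f"refused:alert {body[1]}"  # body is (level, description)
    if ctype != HANDSHAKE or length < 6 or body[0] != SERVER_HELLO:
        return "malformed"
    # Skip the handshake header (type 1 byte, length 3 bytes). The version the
    # server chose is server_version in the ServerHello body, not the record version.
    (server_version,) = struct.unpack("!H", body[4:6])
    return "negotiated:" + VERSIONS.get(server_version, hex(server_version))


def sslv3_still_enabled(data):
    """True only when the server agreed to speak SSLv3."""
    return classify_first_record(data) == "negotiated:SSLv3"


def make_server_hello(version):
    """Constructed sample: ServerHello with zero random, empty session id,
    cipher suite 0x002F and null compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


SSL3_ACCEPTED = make_server_hello(0x0300)
TLS12_ACCEPTED = make_server_hello(0x0303)
# Constructed sample: fatal alert 40 (handshake_failure) in an SSLv3 record.
SSL3_REFUSED = struct.pack("!BHHBB", ALERT, 0x0300, 2, 2, 40)
```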
[twsocket] Openssl-1.0.1g
Hi,

I need some info. My project uses ICS v8GOLD. My users are greatly relieved that they are unaffected by heartbleed (currently I have 1.0.0J), but they are now asking, 'why don't I upgrade to 1.0.1G, since 1.0.0j is so old'. I see in OverbyteIcsLIBEAY.pas that the current max openssl version is 1.0.0j. Will you be testing 1.0.1G soon? If not, what should I tell my users?

Thanks,
Richard
Re: [twsocket] RFC 822 Date Time Conversion
Many thanks Angus and Michael.

In the end I decided to use the code from OverbyteIcsSmtpSrv.pas. In order to understand how it worked (I'd not seen the secret TParser class before) I decided to translate the code into C++. The constructor for TParser is slightly different (requires 2 parameters), but otherwise the code is the same. I've copied the code below in the hope that it might be of use to someone else who stumbles across this when googling for a C++ solution.

Thanks again,
Richard

//---
bool __fastcall Utilities::GetMonth(TParser* Parser, int& Month)
{
    UnicodeString Months[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    Month = 1;
    // Test the bound first so Months[] is never indexed past "Dec"
    while(Month < 13 && !Parser->TokenSymbolIs(Months[Month - 1]))
        ++Month;
    return Month < 13;
}
//---
void __fastcall Utilities::GetTime(TParser* Parser, int& Hour, int& Min, int& Sec)
{
    Sec = 0; // defined value when the seconds field is missing
    Hour = Parser->TokenInt();
    Parser->NextToken();
    if(Parser->Token == ':')
        Parser->NextToken();
    Min = Parser->TokenInt();
    Parser->NextToken();
    if(Parser->Token == ':') // Angus, allow missing seconds
    {
        Parser->NextToken();
        Sec = Parser->TokenInt();
        Parser->NextToken();
    }
}
//---
bool __fastcall Utilities::ParseRFC822Date(UnicodeString DateStr, TDateTime& DateTime, UnicodeString& ErrorMessage)
{
    if(!DateStr.Length())
    {
        ErrorMessage = "Zero length date string.";
        return false;
    }
    // Add a fictitious day name if one is missing from the start of the string - courtesy of Angus
    if(DateStr[1] >= '0' && DateStr[1] <= '9')
        DateStr = "Sun, " + DateStr;

    // NULL-initialised so the deletes in __finally are safe if a constructor throws
    TParser* Parser = NULL;
    TStringStream* StringStream = NULL;
    try
    {
        try
        {
            StringStream = new TStringStream(DateStr);
            // Create a NULL TParserErrorEvent object to pass into the TParser constructor.
            // TParser will still generate an exception on error.
            TParserErrorEvent p = NULL;
            Parser = new TParser(StringStream, p);
            Parser->NextToken();
            if(Parser->Token == ':')
                Parser->NextToken();
            Parser->NextToken();
            if(Parser->Token == ',')
                Parser->NextToken();
            int Month, Day, Year, Hour, Min, Sec;
            if(GetMonth(Parser, Month))
            {
                Parser->NextToken();
                Day = Parser->TokenInt();
                Parser->NextToken();
                GetTime(Parser, Hour, Min, Sec);
                Year = Parser->TokenInt();
            }
            else
            {
                Day = Parser->TokenInt();
                Parser->NextToken();
                if(Parser->Token == '-')
                    Parser->NextToken();
                GetMonth(Parser, Month);
                Parser->NextToken();
                if(Parser->Token == '-')
                    Parser->NextToken();
                Year = Parser->TokenInt();
                if(Year < 50)
                    Year += 2000;
                if(Year < 100)
                    Year += 1900;
                Parser->NextToken();
                GetTime(Parser, Hour, Min, Sec);
            }
            TDateTime temptime;
            // Report out-of-range fields instead of returning true with no usable date
            if(!TryEncodeDate(Year, Month, Day, DateTime) || !TryEncodeTime(Hour, Min, Sec, 0, temptime))
            {
                ErrorMessage = "Date or time field out of range.";
                return false;
            }
            DateTime = DateTime + temptime;
        }
        catch(Exception& e) // VCL exceptions are caught by reference
        {
            ErrorMessage = e.Message;
            return false;
        }
    }
    __finally
    {
        delete StringStream;
        delete Parser;
    }
    return true;
}
//---

On 30 January 2014 17:18, Michael Gasser michael_gas...@bluewin.ch wrote:

> Hi Richard
>
> maybe you should check the user made component LASTMOD.ZIP from
> http://www.overbyte.be/frame_index.html?redirTo=/products/usermade.html
> ___
> I use this code in two programs. My programs did send me some error
> feedback while parsing 'LAST-MODIFIED:' (html downloads with ICS HttpCli)
> with the inet component above (5 errors, ~500'000 downloads). Therefore I
> had to slightly modify the code: Two modifications - see 1., 3.
> ___
> 1. Right after begin add:
>    INetDate := trim( INetDate );
>
> (2.) If you use XEn:
>    if Uppercase(MonthName) = string(Months[IX]) then
>    instead of
>    if Uppercase(MonthName) = Months[IX] then
>
> 3. after line
>    Delete(InetDate,1,Pos(' ',InetDate));
>    add this line:
>    if pos( ' ', inetdate ) = 0 then inetdate := inetdate + ' ';
> ___
> If you f.e. want to catch the value of LAST-MODIFIED of a html file using
> a THttpCli:
> modify: event httpgetHeaderEnd
>
> procedure TsjOnlineForm.httpgetHeaderEnd(Sender: TObject);
> VAR IX : INteger; hst, ST : STring; szgmt, DT : tDateTime;
> try
>   for IX := 0 to Httpget.RcvdHeader.count-1 do BEGIN
>     hst := Httpget.RcvdHeader.Strings[IX];
>     if Pos('Content-Length:',hst) > 0 then BEGIN
>       ST := hst;
>       Delete(ST,1,Pos(' ',ST));
>     END else if Pos('LAST-MODIFIED:',Uppercase(hst)) > 0 then BEGIN
>       ST := hst;
>       Delete(ST,1,Pos(':',ST));
>       DT := 0;
>       try
>         DT := InetStdDateToDateTime(ST);
>       except
>         senderrorFeedback_eMail_to_RichardGallois( 'cannot parse t=' + ST );
>       end;
> ___
> Best regards
> Michael
>
> - Original Message - From
[twsocket] RFC 822 Date Time Conversion
Hi,

Has anyone got a solid method of converting RFC 822 date times (e.g. Thu, 30 Jan 2014 05:48:07 +0800) to a TDateTime? I've found a function in Indy to do this, but I'd rather not compile Indy into my project if there is an ICS way to do this.

Many thanks,
Richard