Re: [twsocket] OpenSSL 1.1.0c support

2016-11-16 Thread Jasja Glasbeek

Thanks a lot
will install after 2nd update of Delphi

Met vriendelijke groeten - Best regards - Mit freundlichen Grüßen - 
Bestu kveðjur - Sincères salutations
  Jasja Glasbeek | Sales/Export/ICT | Machandel BV 
<http://www.machandel.com>

☎ +31 (0)516 - 425020 |  +31 (0)6 - 20165848 |  ja...@machandel.com



-- Original message --
From: "Angus Robertson - Magenta Systems Ltd" <an...@magsys.co.uk>
To: twsocket@lists.elists.org
Sent: 15-11-2016 18:28:00
Subject: Re: [twsocket] OpenSSL 1.1.0c support



--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be



Re: [twsocket] OpenSSL 1.1.0c support

2016-11-15 Thread Angus Robertson - Magenta Systems Ltd
ICS V8.38 is now available in SVN and the overnight zip. 

It includes changes to support checking of the authenticode code
signing digital certificates on the latest versions of the ICS built
OpenSSL DLLs. The new IcsVerifyTrust function can also be used to self
test digitally signed end user applications to check they are not
corrupted or maliciously altered.

To ensure only the latest signed OpenSSL DLLs are used from the local
directory, all applications should add the following lines in
FormCreate or at least before any calls that may cause OpenSSL to be
initialised:

GSSLEAY_DLL_IgnoreNew := False;  { V8.38 don't ignore OpenSSL 1.1.0 and later }
GSSLEAY_DLL_IgnoreOld := True;   { V8.38 ignore OpenSSL 1.0.2 and earlier }
GSSL_DLL_DIR := ExtractFilePath(ParamStr(0)); { V8.38 only from our directory }
GSSL_SignTest_Check := True; { V8.38 check digitally signed }
GSSL_SignTest_Certificate := True; { V8.38 check digital certificate }

Without these lines, your application may load old OpenSSL versions
found in the Windows path, with unpredictable results.

Note that currently information from the digital certificate can not be
accessed, so you can not easily ensure it's our signed DLL, this needs
several more Windows certificate APIs or new OpenSSL functionality
(which I'll attempt first).  

The OverbyteIcsPemTool sample has been updated to stop use of unsigned
OpenSSL DLLs. It also adds a Check Signed button that allows a single
file to be selected and its digital certificate tested, which may be
useful for those interested in using the new IcsVerifyTrust function in
their own digitally signed applications. 

Other recent ICS changes include:

A new property SocketErrs added to most major components that may be
set to wsErrFriendly (default is wsErrTech) for more friendly low level
wsocket exceptions without numbers.  Note this is a work in progress,
exceptions are generated in numerous places in various formats, and
it's a lot of work to standardise and clean them all up. There is a new
ESocketException that has extra properties for low level exceptions.  

A new property ExclusiveAddr for servers to stop other applications
trying to listen on same socket, defaults to True. 

The HTTP Client component has another POST relocation fix. 

The HTTP Client component also fixes a long term bug that meant many
wsocket exceptions were suppressed and only partially reported if the
OnSocketError event was used (and the exception description was still
lost).  Beware this fix means more exceptions may need to be handled in
HTTP Client applications, so please do some simple functional testing
after using this new ICS version.  Several of my own applications
failed because I was trying to increase the socket buffer size before
the socket was connected, which now raised an exception which was
previously hidden. 

Angus


 





Re: [twsocket] OpenSSL 1.1.0c support

2016-11-11 Thread Jasja Glasbeek
Thanks very much for the update

Sent from my iPhone

> On 11 Nov 2016 at 18:29, François Piette wrote:

Re: [twsocket] OpenSSL 1.1.0c support

2016-11-11 Thread François Piette
I think we should thank Angus for managing the whole process of code
signing.
This is a real plus toward a better ICS.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be



-Original Message-
From: TWSocket [mailto:twsocket-boun...@lists.elists.org] On Behalf Of Angus
Robertson - Magenta Systems Ltd
Sent: Friday 11 November 2016 17:03
To: twsocket@lists.elists.org
Subject: [twsocket] OpenSSL 1.1.0c support

OpenSSL has issued a new version 1.1.0c fixing several security issues.


Two new DLLs for Win32 and Win64 versions of OpenSSL 1.1.0c may be loaded
from the Wiki at:

http://wiki.overbyte.be/wiki/index.php/ICS_Download

SVN and the overnight zip will be updated tonight.

The OpenSSL DLLs and EXE files included in the OpenSSL 1.1.0c and 1.0.2j
zips are now digitally code signed 'Open Source Developer, François PIETTE',
the lead developer for ICS.  

Digital code signing allows Windows to automatically check the authenticity
and origin of binaries and whether they have been corrupted or patched.  In
File Explorer, right click on a file, Properties, Digital Signatures should
show two signatures with SHA1 and SHA256 algorithms, and allow the digital
certificate to be viewed and its status checked.

The Magenta Systems Code Signing Trust and Certificate Check component at
https://www.magsys.co.uk/delphi/magtrustchk.asp may be used in applications
to check the correctly signed DLLs are being used by ICS, with this
functionality planned to be included in ICS itself.  The component can also
self check a signed application for corruption and tampering.  

Angus
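
A scripted version of the File Explorer check described in the announcement above, which also compares the signer name, the step the 15 November message says ICS cannot yet do itself. This is an added example, not part of the original posts or of ICS; the function name, the C:\MyApp path and matching on the certificate subject text are assumptions.

```powershell
# Added example (not ICS code): report the Authenticode status and signer of
# every DLL/EXE in an application directory.
function Test-SignedBinaries {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        # Signer name as quoted in the announcement. Matching on subject text is
        # an assumption; compare the thumbprint instead once you have recorded it.
        # Save the script as UTF-8 with BOM so the non-ASCII character survives.
        [string] $ExpectedSigner = 'Open Source Developer, François PIETTE'
    )
    Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            # Returns one Signature object per file.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = ''
            $thumb = ''
            if ($sig.SignerCertificate) {
                $subject = $sig.SignerCertificate.Subject
                $thumb = $sig.SignerCertificate.Thumbprint
            }
            # Status 'Valid' means the file hash matches and the chain is trusted;
            # other values include NotSigned, HashMismatch and NotTrusted.
            $signerOk = $subject.IndexOf($ExpectedSigner,
                [StringComparison]::OrdinalIgnoreCase) -ge 0
            [pscustomobject]@{
                File        = $_.Name
                Status      = $sig.Status
                Signer      = $subject
                Thumbprint  = $thumb
                Timestamped = [bool] $sig.TimeStamperCertificate
                Trusted     = ($sig.Status -eq 'Valid') -and $signerOk
            }
        }
}

# C:\MyApp is a hypothetical application directory holding the OpenSSL DLLs.
$results = @(Test-SignedBinaries -Directory 'C:\MyApp')
$results | Format-Table File, Status, Timestamped, Trusted, Signer -AutoSize
$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} file(s) unsigned, altered or signed by someone else" -f $bad.Count)
    exit 1
}
```

A file that is validly signed by a different publisher shows Status Valid but Trusted False, which is the case a status-only check misses.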

