ICS V8.64

From Overbyte
Jump to navigation Jump to search

Changes in ICS V8.64 include:

  1. ICS now supports International Domain Names for Applications (IDNA), i.e. using accents and Unicode characters in domain names. Domain names can only contain lowercase ASCII letters and numbers and a couple of symbols, so Unicode U-Labels (nodes in a domain) must be converted to A-Labels (Punycode ASCII) with an ACE (ASCII Compatible Encoding) prefix. So www.mâgsÿstést.eu becomes www.xn--mgsstst-pwa1e4l.eu and мособлеирц.рф becomes xn--90aijkdmaud0d.xn--p1ai. Sample OverbyteIcsBatchDnsLookup has lots of IDNA test names. ICS mostly does the Unicode to A-Label conversion just before looking up an IP address for a domain name (in DnsLookup) and converts back from A-Label to Unicode when doing a reverse lookup (in ReverseDnsLookup). HTTP headers also contain A-Labels for the Host: header and the host part of URLs for proxy or relocation, but Unicode paths should be UrlEncoded by the application as now. Not looked at SMTP yet mainly because not found a Windows mail server that supports IDNA. The HTTP client and server, Ping, ICMP and DNS Query components all now support Unicode domain names, generally without application changes unless you want to display the A-Label name looked-up (PunycodeHost property). DNS Query does require application changes due to all methods and properties previously being AnsiString, now String. SSL/TLS now fully supports Unicode domain names, including displaying the Unicode version of the domain name (except for Subject and Issuer lines), and X509 automatic certificate ordering from Let's Encrypt fully supports Unicode domain names. Certificate files are saved with Unicode names, not A-Labels. https://www.mâgsÿstést.eu/ is available to test client implementations.
  2. Added a new WMI component based on the Magenta Systems WMI and SMART Component but without any disk drive stuff and a new sample OverbyteIcsWmiTst application. The WMI component allows listing all WMI classes, adding and updating network adaptor IP addresses, and adding and updating records in Windows DNS Server (2012 and later). The demo is considerably improved on the original. The WMI component was originally written to customise cloned industrial PCs setting up networking from a database. WMI is currently only used by the OverbyteIcsX509CertsTst sample to order wildcard SSL/TLS certificates from Let's Encrypt by adding TXT records to Windows DNS Server.
  3. For SSL/TLS servers, the initial client hello sent before protocol and cipher negotiation starts is now available in the onSslServerName event, when it is easier to select the SslContext to be used on shared servers supporting lots of hosts. This allows logging of client hello parameters which may help diagnosing connection problems with failed handshakes, see the OverbyteIcsSslMultiWebServ and OverbyteIcsSslWebServ samples. It also fixes an issue that prevented the Let's Encrypt TLS-ALPN challenge working. Another use would be to check if the client support ECC SSL certificates which are smaller than RSA, and select an SslContext with ECC certificates.
  4. There are various improvement for SSL/TLS servers using IcsHosts. NonSSlPort may be zero for to allocate a random port (not for SSL), the new BindPort and BindSrvPort properties show the real port while listening, reported by ListenStates. There is a new AuthForceSsl property used by FTP servers so login is only allowed once SSL/TLS has been negotiated so credentials are never sent clear. Provided IcsHosts specifies at least one domain name in HostNames, if SslCert can not be found the server will create a self signed SSL certificate with all the HostNames so the server can start. The self signed certificate will be saved in SslCert certificate directory if it exists, otherwise TEMPDIR. If automatic X509 certificate ordering is specified, the self signed certificate should be replaced by a Let's Encrypt certificate quickly so the server can run correctly.
  5. There are many X509 SSL certificate ordering improvements from Let's Encrypt using ACME. All the ACME challenges are now supported. tls-alpn-01 which works on SSL port 443 using a special self signed certificate thus avoiding a server running on port 80 as well. dns-01 which updates Domain Name Server TXT records to avoid using any servers, allowing wild card orders, currently Windows DNS Server on the same server, but Cloudfare is planned. The existing http-01 challenge now allows applications to respond to the .well-known file request without saving a disk file. Additionally, challenges are now tested locally before Let's Encrypt is asked to check them, which may be useful for setting up DNS records manually. Note the OverbyteIcsX509CertsTst sample running on a Windows DNS Server is able to order a certificate with multiple wildcard and normal domain names automatically in a few seconds, where a similar commercial certificate would cost at least $100 per wildcard. Let's Encrypt orders may now be cancelled and revoked, the former is useful to remove old challenges (which remain valid for a week) so fresh challenges can be tested.
  6. TRestParams used with the TSslHttpRest component, has more parameter content types: PContXML, PContBodyUrlEn, PContBodyJson and PContBodyXML. The existing PContUrlEn and PContJson now specify REST params are sent as URL ? arguments, while the PContBodyxx version send params as content body. This fixes a bug that meant PUT request params were always sent as URL ? arguments. Note POST is always content body so the wrong PContent is corrected automatically for backward compatibility. XLM parsing into an ISuperObject has been added so SOAP and XML REST responses can be processed similarly to Json responses, there is no XML creation, Json seems to be offered as standard now. The sample OverbyteIcsHttpRest can now display XML responses.
  7. The TFtpServer component has a new TFtpOptions ftpsAuthForceSsl which requires SSL/TLS before allowing the LOGIN to be processed so that clear text credentials can not be sent. May also be set using IcsHosts with AuthForceSsl=True for specific Hosts only. Failure gives '533 USER requires a secure connection'. Improved error handling when all passive ports are being used. Fixed a range error with passive connections if range checking was enabled with option ftpsNoPasvIpAddrSameSubnet and adaptors had IPv6 addresses allocated.
  8. Added a Websocket server implementation (HIXIE and HYBIE protocols) ported from phpws project, written by Stan Korotky <stasson@orc.ru>. There is no a specific component for websockets, they are handled internally from a custom TWebSockSrvClient. Please note this is an experimental server websocket implementation, that needs a lot more testing in case the protocol has changed in the last eight years. There is a new sample OverbyteIcsWebSocket and web page websocketclient.html that accesses the server. Note there are no plans for an ICS Websocket client component, the normal ICS server/client components can be used for sending data outside the browser environment.
  9. Removed X509CATrust and related properties and methods from TX509Base, it was used by the ValidateCertChain method which now accepts a shared TX509List instead for efficiency. TSslSocketServer internally replaces FRootCAX509 with FX509CAList which is a TX509List for use by ValidateCertChain as Root CA store, specified by file RootCA, loaded by LoadRootCAList and available as RootCAList. Any applications directly calling ValidateCertChain will need to load CA certificates into a TX509List to pass to that function. This is a breaking change that may need application changes.
  10. Did a refresh of the three SSL/TLS trusted root certificate bundles included with ICS, to add new roots and remove untrusted certificates.
  11. Added CreateSelfSignCertEx to OverbyteIcsSslX509Utils to create self signed certificates with subject alternate names and specific key types,used by TSocketServer to start servers with missing certificates. Fixed a bug in CreateSelfSignedCert that ignored Days and always created seven day expiry certificates. When using subject alternate names, DNS and IP Address can be used together, and IP address is now saved correctly.
  12. Fixed a problem in the TDnsQuery component that meant responses with multiple answers sometimes contained extra data.