ICS V8.58

From Overbyte
Jump to: navigation, search

Major changes in ICS V8.58 include:

  1. Support for OpenSSL 1.1.1 with TLSv1.3, new cryptographic algorithms and ciphers. OpenSSL 1.1.0 and 1.0.2 also supported.
  2. A new client TSslHttpRest component with Json support for all compilers and integrating cookie, SSL/TLS, content decoding, content compression and logging. There are many THttpCli improvements.
  3. A new TRestOAuth component for OAuth2 authentication including an integrated local web server.
  4. JOSE (Json Object Signing and Encryption) components supporting JWT, JWS and JWK.
  5. Simplified client SSL/TLS security and protocol settings. Support for SSL ALPN extension.
  6. A new TSslX509Certs component allowing ICS servers to automatically order, download and install SSL/TLS certificates from various suppliers, including free certificates from Let's Encrypt, and commercial certificates for DigiCert, Comodo, Thawte and GeoTrust from CertCentre AG. It also acts as a private CA to issue local certificates.

OpenSSL 1.1.1 Support

OpenSSL 1.1.1 is the latest long term support version and adds support for TLSv1.3 RFC8446 and various new cryptographic private key and hash digest types. This version will be supported until 2023. OpenSSL 1.1.0 and 1.0.2 also supported by ICS, but 1.1.0 support ceases in September 2019, and 1.0.2 in December 2019. More details of OpenSSL 1.1.1 are at: https://www.openssl.org/blog/blog/2018/09/11/release111/

New HTTPS REST Component

TSslHttpRest descends from THttpCli, and publishes all it's properties and events with additional methods and properties for making REST (REpresentional State Transfer) client requests. It also integrates several other existing components for extra HTTP functionality, including SSL configuration and certificate validation with a root bundle, SSL session caching, content compression, content code page decoding, persistent cookies, Json handling, logging and client SSL certificate.

The component uses TRestParams which define a collection of REST parameters and allows them to be saved as URL encoded or Json. An ICS version of Super Object Toolkit for Json is included supported by Delphi 7 and later. Using TSslHttpRest in new applications for HTTP and HTTPS requires only a few lines of code and no event handlers to make requests instead of much more code, SSL contexts, extra components and many event handlers when using THttpCli.

There is a new sample project OverbyteIcsHttpRestTst to demonstrate the HTTPS REST and OAuth Components.

HTTP Client Improvements

The THttpCli component adds various new properties and events. ExtraHeaders simplifies adding extra headers to a request (previously done in the onBeforeHeaderSend event). THttpAuthType adds httpAuthBearer and httpAuthToken, and AuthBearerToken for OAuth. Connected is now available as a property. ResponseNoException property suppresses error exceptions for sync requests, ie most 400 and 500 status codes (eases debugging). ReasonPhrase for abort may return SSL handshake error. Added OnSelectDns event to allow application to change DnsResult to one of the several offered, round robin or IPV4/IPV6.

New OAuth Component

TRestOAuth is for handling 0Auth authorization to web apps, by several means. Beware OAuth is really a concept with differing implementations, so use may not always be straight forward. OAuth1 and 1A were originally developed for Twitter and use cryptography, OAuth2 is a simpler and easier to implement version now widely used by most cloud services without any cryptography (other than SSL).

The concept of OAuth is that applications should not know any login details. The login need to be entered through a browser, which then redirects to a fixed URL which includes an Authorization Code that is subsequently exchanged for an Access Token that can used by the REST client. Access Tokens have a limited life and usually expire within three to 24 hours. To avoid user interaction, the token exchange process sometimes offers a Refresh Token with the same expiry, but which can be used to get another Access Token, and this is automatically handled by TRestOAuth, while it still runs.

New Simple Web Server

TSimpleWebSrv is a simple web server primarily designed for accepting HTTP requests from REST servers which don't expect real pages to be sent but just application generated responses. It is used by TRestOAuth to respond to the browser login and by TSslHttpRest for .well-known file responses generated by from a challenge database.

New JOSE functions - Json Object Signing and Encryption

JOSE is used for JWS (Json Web Signing), JWT (Json Web Tokens), JWK (Json Web Key) and JWE (Json Web Encryption). Variously used by OAuth1, ACME and other protocols. Creates hash digests using SHA, SHA2, SHA3 and shake, Keyed-Hash Message Authentication Codes (HMAC) with shared secret keys, Asymmetric Key-Hash Message Authentication Code (Async MAC) using private/public keys. Creates Json Web Keys with RSA or EC public or HMAC keys, and Json Web Signatures to protect headers and payloads.

There is a new sample project OverbyteIcsJoseTst to demonstrate various JOSE functions.

SSL/TLS security

SslContext has a new property SslCliSecurity which if set to other than sslCliSecIgnore sets the protocols, security and ciphers to standardised settings, may be changed without reinitialising the context. This means client applications can avoid messing with several SSL settings and offer the user a 'simple' list of security settings. Several are very useful for testing SSL applications. sslCliSecHigh is recommended.

sslCliSecIgnore    - ignore, use old settings
sslCliSecNone      - all protocols and ciphers, any key lengths
sslCliSecSsl3Only  - SSLv3 only, all ciphers, any key lengths, MD5
sslCliSecTls1Only  - TLSv1 only, all ciphers, RSA/DH keys=>2048
sslCliSecTls11Only - TLSv1.1 only, all ciphers, RSA/DH keys=>2048
sslCliSecTls12Only - TLSv1.2 only, all ciphers, RSA/DH keys=>2048
sslCliSecTls13Only - TLSv1.3 only, all ciphers, RSA/DH keys=>2048
sslCliSecTls1      - TLSv1 or later, all ciphers, RSA/DH keys=>1024
sslCliSecTls11     - TLSv1.1 or later, all ciphers, RSA/DH keys=>1024
sslCliSecTls12     - TLSv1.2 or later, all ciphers, RSA/DH keys=>2048
sslCliSecBack      - TLSv1 or later, backward ciphers, RSA/DH keys=>1024, ECC=>160, no MD5, SHA1
sslCliSecInter     - TLSv1.1 or later, intermediate ciphers, RSA/DH keys=>2048, ECC=>224, no RC4, no SHA1 certs
sslCliSecHigh      - TLSv1.2 or later, high ciphers, RSA/DH keys=>2048, ECC=>224, no RC4, no SHA1 certs
sslCliSecHigh128   - TLSv1.2 or later, high ciphers, RSA/DH keys=>3072, ECC=>256, FS forced
sslCliSecHigh192   - TLSv1.2 or later, high ciphers, RSA/DH keys=>7680, ECC=>384, FS forced
sslCliSecDefault   - currently equal to sslCliSecTls11 but will change soon to sslCliSecHigh when TLSv1.1 is deprecated.

Note there is also SslSrvSecurity as part of IcsHosts which sets similar security levels for servers.

SSL Application Layer Protocol Negotiation (ALPN) is an extension which is sent with the initial SSL hello. For clients, SslAlpnProtocols sets SslContext with a list of protocols the application supports (ie http/1.1, h2), and SslGetAlpnProtocol after connection returns whatever the server selected (if any). For servers, there is a OnSslAlpnSelect event that has the list of protocols from the client, from which one may be selected (ie H2 to support HTTP/2).

Automatic SSL/TLS certificates

The TSslX509Certs component will automatically download SSL/TLS X509 certificates from various suppliers, including free certificates from Let's Encrypt, and commercial certificates for Digicert, Comodo, Thawte and GeoTrust from CertCentre AG and Servertastic (not done yet). It also acts as a private CA to issue local certificates.

The component automates the process from creating a new private key and certificate request, placing the order, arranging for domain validated certificates to be checked by various challenge methods, collecting the certificate and intermediate, creating PEM and PKC12 bundle files with the private key, then copying the files to the web server ready for automatic installation. Ordering wildcard and multiple SAN certificates is fully supported.

The component includes a database of certificate orders and pending challenges, allowing certificates to be re-ordered and the supplier periodically checked to see if a challenge has been successful when the X509 certificate can be automatically downloaded and installed. Events are generated upon completion or failure, allowing the application to inform the user (by email) of certificate ordering progress.

The component supports automated file challenge for Domain Validated certificates, using an external HTTP server such as IIS or HTTP server component such as TSslHttpServer or TSslHttpAppSrv to which files may be copied using UNC shares, or a built-in local HTTP server so the component is self contained. In all cases, the web server must be accessible from the public internet for the domain (or domains) for which a certificate is being ordered. The application can also use an FTP server to copy files to an external HTTP server. DNS challenge currently require the application to update the DNS server, the demo application waits a few minutes for the user to manually update the DNS server which allows wild card certificates to be ordered. A pending feature is TLS-ALPN SSL SNI challenges for Let's Encrypt using HTTPS.

The component supports the ACME V1 and V2 protocols as implemented by Let's Encrypt to download free domain validated certificates, beware V1 bears little resemblance to any of the Acme Internet Draft specifications, V2 is much closer to draft 10 but only implemented sufficiently for Let's Encrypt, V2 is designed to also handle commercial certificates which are more complicated to process. Acme V1 has been superseded by V2, and was only supported because V2 did not go public until March 2018.

You don't need to register with Let's Encrypt, but it only supplies domain validated certificates so the domains for which you order certificates must already be registered and have DNS pointing to a live HTTP server to satisfy the domain challenge.

Commercial suppliers of certificates have their own APIs, usually using HTTP REST, currently the component supports CertCentre AG at https://www.certcenter.de/, https://www.certcenter.co.uk/ or https://www.certcenter.com/ from where you can buy certificates issued by Comondo, DigiCert (including GeoTrust, Symantec and Thawte) and GlobalSign, and free certificates from AlwaysOnSSL (by resellers only), see https://alwaysonssl.com/issue.php. You need to register with CertCentre AG and open a reseller account to pay for any certificates bought, although for testing most can be cancelled within 30 days without charge. CertCentre AG uses OAuth2 authentication which is complex to set-up, but then mostly invisible. Domain validated certificates can be purchased and downloaded automatically using file or DNS challenges, other types of certificates can be ordered and will automatically downloaded when the order is completed after hours or days.

The TSslWSocketServer, TSslHttpServer, TSslHttpAppSrv, TIcsProxy and TIcsHttpProxy components can assign a TSslX509Certs component to support automatic certificate ordering of domain validated certificates with very little extra code.

There is a new sample project OverbyteIcsX509CertsTst to demonstrate the TSslX509Certs component, which may be used as a standalone application to order X509 certificates from Let's Encrypt and CertCentre AG, and monitor the certificate orders database, and to issue own CA certificates.