Revision as of 17:47, 20 November 2019 by Magsys
Changes in ICS V8.63 include:
- IcsHosts is now supported in all the main ICS server components: TWSocketServer, TSslHttpServer, TSslHttpAppSrv, TIcsProxy, TIcsHttpProxy, TIcsIpStrmLog and TSslFtpServer. This simplifies server applications, which no longer need to set up an SSL context themselves, can easily support multiple listeners and hosts, and can automatically order and install SSL/TLS certificates from Let's Encrypt and commercial suppliers. Multiple IcsHosts can be specified, each with one or two IP addresses, non-SSL and SSL port bindings, an SSL certificate and private key, an SSL context and a security level.
- There are several changes relating to automatic certificate ordering, mostly cosmetic, based on experience adding the feature to more applications, with a few issues fixed during testing and better logging. Let's Encrypt orders will complete about 20 seconds faster, and the account and local web server are closed immediately upon completion, to ease sharing the account and to avoid the potential hacking attempts that often follow a new certificate being listed in SSL certificate transparency logs immediately after issue. Challenges now expire and are removed from the database after 24 hours, or after a week for manual/email/DNS challenges.
- TWSocketServer has improvements relating to IcsHosts, a new AuthSslCmd property for when SSL is allowed on non-SSL ports after an AUTH SSL command or similar, and the option to allow self-signed certificates without errors. Automatic certificate ordering now works if the certificate file name has -bundle or -cert appended to the end.
- Made improvements to handle the OAuth2 version used by Google Accounts, allowing the REST component to access Google APIs such as Gmail. OAuth2 has extra TOAuthOptions, OAopAuthPrompt and OAopAuthAccess, for Google: OAopAuthPrompt uses the LoginPrompt property, usually 'consent'. OAopAuthAccess will also allow the ICS SMTP and POP3 components to support XOAUTH2 authentication, but that is not done yet. Google APIs provide a refresh token that remains valid for weeks, rather than issuing a new one with each access token, which avoids an application needing to refresh it daily.
- Improved The SMS Works component so that sync delivery works OK, and it now tries to return delivery responses similar to Kapow. The HttpRestTst sample now allows a double click in the grid for JSON responses to open an object window showing the parsed JSON arrays and objects.
- TWSocket has SSL improvements: it can load a PFX certificate from a buffer, reports certificate Sha256Digests, and has better self-signed certificate checking. Corrected the fix in the last version for user exceptions in OnDataAvailable, so that the receive loop now breaks after exception handling.
- Did a major refresh of the three SSL/TLS trusted root certificate bundles included with ICS, to add new roots from Amazon and others and to remove untrusted certificates. The contents of the ICS CA trusted store may be found at: FAQ_ICS_SSL/TLS_CA_Trusted_Store_Contents, with information about how they are created and used at:
- There are improvements in TFtpCli for accessing FTP servers behind NAT routers, where the internal and external IP addresses are different and not correctly handled by the FTP server. ftpFixPasvLanIP is a new option that makes the client use the control connection IP address instead of a bad LAN IP address. The client now also logs IP addresses and ports for passive connections to ease debugging.
- The TSslFtpServer component now uses the IcsHosts concept added to the web and proxy servers two years ago, see above. There is a new IcsHosts property which allows multiple hosts to be specified. If IcsHosts is specified, TSslWSocketServer ignores the existing bindings and SSLContext, creates new bindings and initialises an SSL context for each host, checking and reporting all certificates. Automatic SSL/TLS certificate ordering is the same as for the web server, with the same properties and events, except that in IcsHosts, FtpSslTypes is set automatically to Implicit if an SSL port is specified, or to Explicit if AuthSslCmd is true. This has all been tested with my commercial FTP server; I still need to write a new FTP server sample using it, where the new IcsHosts setup is loaded from an INI file similarly to OverbyteIcsSslMultiWebServ. Also fixed the ftpsNoPasvIpAddrInLan and ftpsNoPasvIpAddrSameSubnet options to work correctly, presenting the local passive IP address on the LAN rather than PasvIpAddr, which is usually the external address. The various IP addresses used for the PASV command are now logged for debugging.
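As an added example (not code from the ICS wiki or the ICS sources), the following Delphi procedure configures two IcsHosts on a TSslFtpServer: one with only an SSL port, so FtpSslTypes becomes Implicit, and one with a plain port 21 and AuthSslCmd set, so FtpSslTypes becomes Explicit, then validates every host before starting. The TIcsHost property names used (HostNames, HostTag, HostEnabled, BindIpAddr, BindNonPort, BindSslPort, SslCert, SslKey, SslSrvSecurity, AuthSslCmd), the sslSrvSecHigh level, the ValidateHosts signature and the file paths are assumptions, not taken from the page.

```delphi
{ Added example, not part of the ICS release notes or the ICS sources.
  Assumed: TIcsHost property names below, the sslSrvSecHigh security level,
  and that ValidateHosts returns a non-empty string when a host is misconfigured. }
uses
  SysUtils, OverbyteIcsWSocket, OverbyteIcsWSocketS, OverbyteIcsFtpSrv;

procedure ConfigureFtpHosts(FtpServer: TSslFtpServer);
var
  Host: TIcsHost;
  Errs: String;
begin
  FtpServer.IcsHosts.Clear;

  { Host 1: implicit FTPS only. An SSL port is given and no plain port,
    so FtpSslTypes is set to Implicit and no clear-text listener exists. }
  Host := FtpServer.IcsHosts.Add;
  Host.HostNames.Add('ftps.example.com');           // placeholder host name
  Host.HostTag := 'ImplicitFtps';
  Host.BindIpAddr := '0.0.0.0';
  Host.BindNonPort := 0;                            // no non-SSL port at all
  Host.BindSslPort := 990;
  Host.SslCert := 'c:\certs\ftps-example-bundle.pem'; // placeholder; -bundle suffix keeps auto ordering working
  Host.SslKey := '';                                // private key inside the bundle
  Host.SslSrvSecurity := sslSrvSecHigh;             // assumed name: modern ciphers and protocols only
  Host.AuthSslCmd := False;
  Host.HostEnabled := True;

  { Host 2: explicit FTPS. Plain port 21 is offered, but AuthSslCmd lets
    the client upgrade with AUTH TLS, so FtpSslTypes is set to Explicit. }
  Host := FtpServer.IcsHosts.Add;
  Host.HostNames.Add('ftp.example.com');            // placeholder host name
  Host.HostTag := 'ExplicitFtps';
  Host.BindIpAddr := '0.0.0.0';
  Host.BindNonPort := 21;
  Host.BindSslPort := 0;
  Host.SslCert := 'c:\certs\ftp-example-bundle.pem'; // placeholder
  Host.SslKey := '';
  Host.SslSrvSecurity := sslSrvSecHigh;
  Host.AuthSslCmd := True;                          // TLS after AUTH TLS on port 21
  Host.HostEnabled := True;

  { Check bindings and certificates for every host before any listener opens;
    a missing, expired or mismatched certificate is reported here, not at runtime. }
  Errs := FtpServer.ValidateHosts;                  // assumed signature
  if Errs <> '' then
    raise Exception.Create('IcsHosts configuration error: ' + Errs);
  FtpServer.Start;
end;
```

With the two hosts above, a client connecting to port 21 can still send credentials in clear text if it never issues AUTH TLS; restrict that in the server's authentication handling if only encrypted logins are acceptable.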
- Made some fixes to the TIcsFtpMultiThread component for SSL support, similarly to TIcsFtpMulti, and fixed logging that got lost.
- The TIcsIpStrmLog component will now start despite non-fatal SSL/TLS certificate warnings, and may be used with self-signed certificates. The OverbyteIcsIpStmLogTst sample shows how to restart the TCP server after the first SSL/TLS certificate is automatically installed.
- Better error handling in RFC1123_StrToDate to avoid exceptions on badly formatted dates; this change avoids a handled exception in the HTTP client for a zero expiry date.