Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Dec 13 23:51
    chuacw commented #256
  • Dec 13 20:46
    rlebeau edited #49
  • Dec 13 19:50
    rlebeau commented #245
  • Dec 13 19:44
    rlebeau closed #256
  • Dec 13 19:44
    rlebeau commented #256
  • Dec 13 19:43
    rlebeau labeled #256
  • Dec 13 19:43
    rlebeau labeled #256
  • Dec 13 19:41
    rlebeau closed #264
  • Dec 13 19:41
    rlebeau closed #257
  • Dec 13 19:39
    rlebeau commented #274
  • Dec 13 19:18

    rlebeau on master

    Fix for THANDLE_32 define on OS… (compare)

  • Dec 13 19:15
    Bi0T1N commented #274
  • Dec 13 17:49
    TommySlokky commented #274
  • Dec 13 16:23
    rlebeau commented #247
  • Dec 13 16:23
    rlebeau commented #247
  • Dec 11 10:55
    TommySlokky commented #274
  • Dec 11 10:54
    TommySlokky commented #274
  • Dec 11 10:54
    TommySlokky commented #274
  • Dec 11 10:53
    TommySlokky commented #274
  • Dec 11 10:53
    TommySlokky commented #274
Remy Lebeau
@rlebeau
@SamBirnbaum The only packages that belong to Indy are IndySystem, (dcl)IndyCore, and (dcl)IndyProtocols, the rest are Embarcadero's.
Sam B
@SamBirnbaum
@rlebeau Ok. I will move them back into that directory. HAve to find again where the header is being prepared.
@rlebeau The .pas file are all new. idHTTP.pas was created on 12/15/2016 , IdHTTPHeaderInfo.pas was created 12/28/2015. does that sound right ?
@rlebeau Need to get a bite to eat. Can't think straight anymore.
Sam B
@SamBirnbaum
@rlebeau Will be back shortly
Sam B
@SamBirnbaum
@rlebeau ITS ALIVE :) :) :) Can't thank you enough.
@rlebeau Knocking off for the night. I really need a drink after this. Will cleanup environment tomorrow.
Jeroen Wiert Pluimers
@jpluimers
What would be a good defense mechanism on a server against HTTP clients keeping the connection open indefinitely with sending very little traffic?
mezen
@mezen
Do the clients are sending valid HTTP traffic?
Jeroen Wiert Pluimers
@jpluimers
Not always. Basically it's part of my previous questions on throttling. Basically this is to harden a server against wrong traffic and high loads of traffic (not even DoS or DDoS though I'm interested in preventing that as well.).
Matthijs ter Woord
@mterwoord
hmm, disable http keep alive? ie, revert back to http 1.0?
Jeroen Wiert Pluimers
@jpluimers
Some clients do not support http 1.0 and require keep alive; but they do keep communicating and never keep alive for more than like 60 seconds.
Remy Lebeau
@rlebeau
Even if a client only supports HTTP 1.1+, the server always has final say in keep-alive handling. You could just set TIdHTTPServer.KeepAlive=False, that will work just fine for HTTP 1.1 clients. On the other hand, TIdHTTP and TIdHTTPServer currently support the 'Connection: keep-alive' header to keep a connection open, but they do not yet implement the 'Keep-Alive: <timeout>' header to timeout and close an open connection between requests. In TIdHTTPServer, at least, when KeepAlive=True, you could try setting the AContext.Connection.IOHandler.ReadTimeout property in the OnConnect event and let Indy raise an exception and close the connection if the client does not send any traffic within the timeout period. That won't really address DoS attacks, though.
Jeroen Wiert Pluimers
@jpluimers
I'll try the last suggestion.
We need KeepAlive=True because some of the HTTP clients expect that.
Remy Lebeau
@rlebeau
@jpluimers That is highly doubtful. All compliant clients are expected to support the 'Connection: close' header. The HTTP spec makes it clear that just because 'Connection: keep-alive' is the default behavior for an HTTP 1.1 request does not guarantee that all servers will use 'Connection: keep-alive' on their responses. HTTP keep-alives are always negotiated, never assumed or guaranteed (client asks for a keep-alive, the server responds yay or nay). And besides, if the server closes its end of the connection after sending a response, clients have no choice but to close their ends as well. Any TCP socket implement has to deal with the possibility of closed/lost connections and reconnects. HTTP is stateless, there is no guarantee that a connection will stay alive from one request to the next, so any HTTP client has to be prepared to reconnect on each new request if necessary
Sergey
@icegood
Hi there!
I have a question regarding latest build of Indy Sockets for VCL:
In IdIOHandler in all versions of Read/Write for integers we have parameter AConvert: Boolean = True . I wonder in which cases it is useful to have AConvert= False? If we are interest in reliable tcp/ip protocol we have to run pairs of HostToNetwork and NetworkToHost calls. I mean we shouldn't do any assumptions about endianness of both client and server.
Sergey
@icegood
I also converting one project fro indy9 to indy10. And i wonder, whether should i create new component ioHandler (i beleive TIdIOHandlerStack) for old TIdFTP component? Or Indy does it for me?
mezen
@mezen
If you dont set an explicit IOHandler to your component (TidTFP, TidHTTP, etc.), Indy creates an own default IOHandler. But if you need TLS Support, you have to set an openssl io handler.
Remy Lebeau
@rlebeau
@icegood MOST binary-oriented protocols want multi-byte integers to be transmitted in network byte order, so AConvert defaults to True to ensure outgoing integers are sent in network byte order, and incoming integers are returned in host byte order. But, there are some protocols that don't specify/require network byte ordering. AConvert is provided as an option for those cases where integers are not transmitted in network byte order. Yes, that is rare, but such protocols do exist.
@mezen that is typically true. However, to be more accurate, you are not limited to just OpenSSL, any SSL IOHandler will do, OpenSSL is just the default provided by Indy. And while all Indy TCP clients will create and assign a default non-SSL IOHandler object for you if one is not already assigned, there is currently only one component, TIdHTTP, that will actually create a default SSL IOHandler object for you.
Sergey
@icegood
hi again. Is $ENDIAN_BIG defined in delphi or indy?
The problem on why i ask is how correctly pass WideString type?
Sergey
@icegood
Hmm, i found smth strange in OpenSSL (not for fix just knowledge sharing). If i wait more 20 sec right before call of SSL_connect(fSSL) in TIdSSLSocket.Connect i do obtain SSL_ERROR_SYSCALL.
@rlebeau , i read both http://stackoverflow.com/questions/35987485/eidosslconnecterror-error-connecting-with-ssl-eof-was-observed
and your comment in TIdSSLSocket.Connect regarding that but my case is not in negotiation. Actually if i omit that time delay then connection is OK!
Remy Lebeau
@rlebeau
@icegood ENDIAN_BIG and ENDIAN_LITTLE are defined by the FreePascal compiler. The Delphi compiler does not define endianess conditionals, so Indy manually defines ENDIAN_LITTLE for Delphi. Either way, you don't need to worry about endianess to work with WideString (or UnicodeString in D2009+). Indy deals with endianness internally when needed.
Remy Lebeau
@rlebeau
@icegood why are you making Indy wait 20s before letting it call SSL_connect()? Maybe you are encountering an error due to the default 30s timeout assigned by TIdSSLIOHandlerSocketOpenSSL.OpenEncodedConnection()
Sergey
@icegood
No, Remy. I'm just waiting in debugger
Jeroen Wiert Pluimers
@jpluimers
@rlebeau the thing here is that the other ends are embedded devices with firmwares that sometimes are not that well implemented. Solving this has been suspended until I've worked around https://plus.google.com/+JeroenPluimers/posts/Nze9sDEFb7S but I will get back on it later.
Sergey
@icegood
@rlebeau I don't actually see how Indy works with WideString. The only way i see that there is an overriden version of TIdIOHandler.Write for type=string. But i have rather old version of Delphi with 1-byte sring, so i wonder how in such a system Indy would know how correctly deal while writting WideString?
Remy Lebeau
@rlebeau
@icegood my point is, by making Indy wait before it calls SSL_connect(), you are delaying the SSL/TLS handshake, and the underlying socket, or even the other party, may time out and fail the connection, which will then be reported by OpenSSL when it finally tries to finish the handshake.
@icegood Indy uses (Wide|Unicode)String internally when converting strings <-> bytes. TIdIOHandler has a DefStringEncoding property, and Write(String) has an optional AByteEncoding parameter (defaulting to DefStringEncoding if not specified), to control (Wide|Unicode)String <-> bytes conversions. In pre-Unicode versions of Delphi and FreePascal where String=AnsiString, TIdIOHandler also has a DefAnsiEncoding property, and Write(String) has an optional ASrcEncoding parameter (defaulting to DefAnsiEncoding if not specified), to control the Ansi charset/codepage used for AnsiString <-> (Wide|Unicode)String conversions.
Remy Lebeau
@rlebeau
@jpluimers that does not change what I said earlier. Regardless of client implementation, an HTTP server has final say over how HTTP keep-alives are used. An HTTP server is not required to honor a keep-alive request from a client, period. So there is no reason that you cannot set TIdHTTPServer.KeepAlive=False even if the clients are using HTTP 1.1. If the server closes a connection after sending a response, and the clients are not smart enough to reconnect on their next request, that is their own fault, not the server's.
Jeroen Wiert Pluimers
@jpluimers
The problem is that if we send the response, then immediately disconnect, some clients do not process the response and resend their same request.
Remy Lebeau
@rlebeau
@jpluimers Then that is on them, not the server. But whatever. You have buggy clients. If you must use KeepAlive=True, then setting the connection's ReadTimeout is about all you can do for now to close the connection after a few extra seconds of waiting.
Ludwig Behm
@lbehm
Is there any way to access the SSL_CTX of a TIdServerIOHandlerSSLOpenSSL and then also use it with SSL_CTX_set_options() from C++ (Berlin)?
Trying to "improve" my HTTPS server after @mezen mentioned it...
Remy Lebeau
@rlebeau
TIdServerIOHandlerSSLOpenSSL and TIdSSLIOHandlerSocketOpenSSL both have an SSLContext property which contains the SSL_CTX, but it is protected, so you will have to define an accessor class to reach it, eg: class TIdSSLContextAccess : public TIdSSLContext { public: __property SSL_CTX* Handle = {read=fContext}; }; ... SSL_CTX_set_options(static_cast<TIdSSLContextAccess*>(IOHandler->SSLContext)->Handle, ...);
Ludwig Behm
@lbehm
and is there a way to access SSL_CTX_set_options? isn't in the hpp header files
Remy Lebeau
@rlebeau
SSL_CTX_set_options() is just a macro around SSL_CTX_ctrl(). You would have to access it from the OpenSSL SDK directly, not from Indy's headers
Ludwig Behm
@lbehm
okay... any hints how to do that?
Remy Lebeau
@rlebeau
Um, add the relavant #include statements to your C++ code for the OpenSSL header files, and link to the OpenSSL DLL. Just like accessing any other DLL function
Ludwig Behm
@lbehm
of course... nervermind^^
adbjn
@adbjn
New to this forum. I have a problem installing Indy 10 for Delphi 2010 (Delphi 2010 came with RAD Studio). I will try to describe the problem in as few words as possible. To install the version of Indy I am using I have removed everything related to Indy that came with Delphi. That is, everyting related to Indy in the C:\Program Files (x86)\Embarcadero\RAD Studio\7.0\bin, lib and source directories. I have then copied a downloaded version of Indy to the three folders C:\Program files (x86)\Embarcadero\RAD Studio\7.0\source\Indy\Indy10\Core, Protocols and System and added all three paths to the Library Paths setting. I then build the downloaded IndySystem140.bpl, IndyCore140.bpl, IndyProtocols140.bpl, dclIndyCore140.bpl and dclIndyProtocols140.bpl, in that order. This works fine. I get the problem even with just two projects using Indy. The first one builds fine. The second one builds too. However, when I go back to build the first one again I get the error "[DCC Fatal Error] IndyCore140.dpk(91): F2051 Unit IdContext was compiled with a different version of IdGlobal.IdDisposeAndNil". If I rebuild the 5 Indy BPLs it works once more to build my two projects, but after both of my projects have been built the same situation occurs again. That is, the first project cannot build and gives me that error message. I don't know where to start searching for the solution to the problem. Neither IdContext.dcu nor IdGlobal.dcu seem to get recompiled after the BPLs were first built so I don't get why it complains about the versions not matching. The Indy version was downloaded at 2015-12-28 and it HAS worked fine before, however on this new computer I am setting up I cannot get it to work without this frustrating problem. I am reluctant to use a different version of Indy if I don't really really have to. The version from 2015-12-28 has been very stable. It is used in a very critical system that just HAS to work. Any suggestions for how to resolve this would be extremely appreciated.
adbjn
@adbjn
Just checked again and IdGlobal does get recompiled but not IdContext. So, after the second project gets built they no longer have the same time stamp. Is this the problem? I thought Delphi was supposed to recompile everything that needed to be recompiled so this situation should never happen?
adbjn
@adbjn
I resolved the problem by rebuilding ONLY IndyCore140.bpl instead of all five Indy BPLs. After I do this I can then rebuild the two projects any number of times with no error messages. I have no idea why this fixed the problem though, but would love to know...
Sergey
@icegood

Hi, Remy!
How do i properly migrate from Indy9 next code:

AHashMessageDigest5 := TIdHashMessageDigest5.Create;
Result := AHashMessageDigest5.HashValue(AStream); (T4x4LongWordRecord)

i don't see any implementations of HashValue anymore as i saw it in Indy9...

Remy Lebeau
@rlebeau
@icegood the base TIdHash class has public HashStream() and HashSteamAsHex() methods, eg: Result := AHashMessageDigest5.HashStream(AStream); where Result is a TIdBytes, or Result := AHashMessageDigest5.HashStreamAsHex(AStream); where Result is a String.
Sergey
@icegood

Hello, Remy. Here is my results of migration from Indy9 to Indy10 of secured email via different hosts.

Preconditions:
1) Port is hardcoded to 465
2) services to check : mailtrap.io and smtp.gmail.com
3) In our application user can manually choose which type of SSL to use. By default it is OpenSSLv23 i.e. negotiation to choose version is allowed.
Results:
Indy 9 code worked under that settings for both mailtrap.io and smtp.gmail.com.
smtp.gmail.com negotiated with client to TlSv1

under Indy10 negotiation with mailtrap.io works fine
with smtp.gmail.com negotiation doesn't work (why it doesn't negotiated to TlS at all?) but after applying 'magic line'
AIdSMTP.UseTLS := utUseImplicitTLS;
smtp.gmail.com became to understand application in negotiation mode too and negotiation is resolved to TLSv1.2.

Now the question is : is it reliable to left this line provided end user would have own mail server settings?
And why negotiation didn't work without that line?

Remy Lebeau
@rlebeau
@icegood You must set UseTLS appropriately, as that governs how SSL/TLS is used during the SMTP session. UseTLS=utNoTLSSupport is the default, it means no SSL/TLS is used. UseTLS=utUseImplicitTLS performs an SSL/TLS handshake as soon as the socket is connected, before any SMTP traffic is exchanged. UseTLS=utUseExplicitTLS connects the socket initially unsecure and then issues an SMTP STARTTLS comand to perform a handshake only if the server advertises support for that. Indy 9 did not support STARTTLS at all. Indy 10 does. So you have to specify which mode to use. Not all servers support STARTTLS, but those that do offer it for legacy clients so they don't have to use SSL/TLS if they don't want to. GMail supports both modes. Port 465 is SMTP's implicit SSL port, port 587 is the explicit TLS port.
Justin
@klsyzzz
hi there, I'm trying to use Indy for SMTP and getting error 'SSL Negotiation failed', I think one before this is 'Could not Load SSL Library', can you please helep