Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 18 09:39
    Memnarch edited #331
  • Jan 18 09:39
    Memnarch opened #331
  • Jan 13 11:55
    nag944 commented #299
  • Jan 13 11:54
    nag944 commented #299
  • Jan 13 11:50
    mitzix commented #299
  • Jan 11 18:53
    xjikka commented #299
  • Jan 11 18:11
    undroidy commented #299
  • Jan 10 11:37
    dummzeuch closed #322
  • Jan 10 11:37
    dummzeuch closed #323
  • Jan 09 01:10
    xjikka commented #299
  • Jan 08 19:36
    xjikka commented #299
  • Jan 08 19:35
    xjikka commented #299
  • Jan 08 18:04
    undroidy commented #299
  • Jan 08 18:02
    undroidy commented #299
  • Jan 08 18:01
    undroidy commented #299
  • Jan 07 19:39
    SlMaker commented #299
  • Jan 06 23:42
    rlebeau commented #299
  • Jan 06 23:38
    rlebeau commented #299
  • Jan 06 22:29
    xjikka commented #299
  • Jan 06 22:12
    xjikka commented #299
Ryan Truran
@RyanTruran
it should be under FDefined right?
Remy Lebeau
@rlebeau
@RyanTruran no, FDefined is only used for keeping track of which delimiter properties have been assigned values (Delimiter, StrictDelimiter, QuoteChar, NameValueSeparator, and LineBreak). The AUTH strings are in the Strings[] subproperty instead. Have you ever worked with TStringList before?
Ryan Truran
@RyanTruran
AUTH NTLM?
Remy Lebeau
@rlebeau
@RyanTruran Yes, those strings. Which means you need to add TIdSASLNTLM in the TIdSMTP.SASLMechanisms property, at least.
Ryan Truran
@RyanTruran
So will I need to create that or is there a mechanism already built that I can use.
I'm not seeing one with my version of c++ builder
I guess I need to add the source file
Remy Lebeau
@rlebeau
@RyanTruran Indy has many TIdSASL components. They should be on your IDE's Component Palette on the "Indy SASL" page. Or instantiate them in code at runtime instead. But either way, you need to built up the contents of the TIdSASLMechanisms property to point at those components, before you login to the server.
Ryan Truran
@RyanTruran
gotcha that's what I was doing before just not with NTLM as that does not show up in my Indy SASL tool pallete
Remy Lebeau
@rlebeau
@RyanTruran doesn't look like TIdSASLNTLM is registered by default. Not sure if it was ever finalized or not.
Ryan Truran
@RyanTruran
so what would I need to do to add it.
Remy Lebeau
@rlebeau
@RyanTruran unless you recompile Indy to register it, you should just add IdSASL_NTLM.pas to your project directly, then #include the resulting IdSASL_NTLM.hpp file in your code and instantiate a TIdSASLNTLM object at runtime and Add() it to the SASLMechanisms property.
Ryan Truran
@RyanTruran
so I should grab the .pas off of github right?
Remy Lebeau
@rlebeau
@RyanTruran I have no idea if TIdSASLNTLM works or not, which is probably why it is still not registered by default. Is that the only AUTH the server is reporting?
@RyanTruran Indy's code is not on GitHub. It is on AToZed's own SVN server (link is on Indy's website). GitHub is only used for chat and issue tracking
Ryan Truran
@RyanTruran
so are you with indy?
Remy Lebeau
@rlebeau
@RyanTruran yes, I am the primary developer of Indy, and one of its admins. But I'm not with AToZed. And I didn't write TIdSASLNTLM, and have no way of testing it myself (no access to any servers that use NTLM authentication).
Ryan Truran
@RyanTruran
gotcha
so when I add the .pas to the project does it generate a .hpp? that I can include?
Remy Lebeau
@rlebeau
@RyanTruran It will, when the project compiles the .pas file. C++Builder projects can include Pascal source files, and it will always compile Pascal files before C/C++ files, for exactly the reason of generating any necessary .hpp files that may be used by the C/C++ code.
Ryan Truran
@RyanTruran
which will occur when I compile the project right?
Remy Lebeau
@rlebeau
@RyanTruran yes
Jos de Bruijn
@josdebr_twitter
@rlebeau I am using 10.6.2.0.
On line 1644 i've got the following code: Result := LFName + IntToHex(LNamePart, 8) + LFQE;
Remy Lebeau
@rlebeau
@josdebr_twitter What version of Delphi are you using? What is the actual value of LNamePart when the error occurs? LNamePart is a TIdTicks, which is a UInt64. Is the value of LNamePart > High(Int64) (9223372036854775807) when the error occurs? IntToHex() has had an overload for UInt64 since XE2. Do you get the same error if you preceed that line of code with {$R-} or {$RANGECHECKS OFF}?
Justin
@klsyzzz
hi @rlebeau just wondering is it possible to enable certificate validation with ssl? We are using TidSMTP with UseTLS as ExplicitTLS and IOHandler as SocketOpenSSL, but looks like it is not validating the certificate
Remy Lebeau
@rlebeau
@klsyzzz Are you enabling the sslvrfPeer flag in the SSLIOHandler's VerifyMode, and using its OnVerifyPeer event? OpenSSL does validate certificates, but first you have to tell it to do so, and then you have a chance to look at the result of the validation and provide your own additional feedback based on your own needs/policies.
Justin
@klsyzzz
currently all options under VerifyMode is false
Remy Lebeau
@rlebeau
@klsyzzz Well, then turn them on, or at least sslvrfPeer
Justin
@klsyzzz
ok so I just need to turn VerifyPeer property, do I need to add anything to the OnVerifyPeer event?
Remy Lebeau
@rlebeau
@klsyzzz only if you don't trust OpenSSL's default validations, and/or you want to verify anything yourself.
Justin
@klsyzzz
@rlebeau thank you very much
Justin
@klsyzzz
sorry @rlebeau I'm new to this, do I need to set the property for CertFile or RootCertFile under SSLOptions? I got a SSL negotiation failed error after turn on sslverfPeer
Justin
@klsyzzz
@rlebeau the underlying error is this when debugging : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
mezen
@mezen

@klsyzzz OpenSSL certificate validation with Indy is a little bit tricky (or maybe its the OpenSSL part that makes it tricky^^), sslvrfPeer says "if the server sends a certificate, it wil be verified. If the verification fails, the handshake will be terminated immediately. The only time that a server would not send a certificate is when an anonymous cipher is in use" (which should never be used^^). sslvrfFailIfNoPeerCert and sslvrfClientOnce are only used for server. If no VerifyMode is set, OpenSSL (in client mode) will verify the server certificate, but failure will not terminate the handshake.
I even believe you have always to implement a OnVerifyPeer, otherwise Indy uses a default implementation which is Result := True which overrides the verification result of OpenSSL.
If OpenSSL should verify the certificate, it needs to know which certificate are trustable. For this OpenSSL uses all public certs which are stored in the directory which you specified in SSLOptions.VerifyDir. If you want to use the windows certificate store, you could use this snippet, but you have to have a look into the msdn for CertOpenSystemStore, CertEnumCertificatesInStore and maybe is CertEnumSystemStore interessting for you.

    LCert := CertEnumCertificatesInStore(LStore, nil);
    while Assigned(LCert) do
    begin
      LX509 := d2i_X509(nil, @lCert.pbCertEncoded, LCert.cbCertEncoded);
      if Assigned(LX509) then
      begin
        X509_STORE_add_cert(ctx.cert_store, LX509);
        X509_free(LX509);
      end;
      LCert := CertEnumCertificatesInStore(LStore, LCert);
    end;
    // Calls of CertFreeCertificateContext are not needed, because
    // CertEnumCertificatesInStore frees the pPrevCertContext Argument

Another Point for certificate verification is the VerifyDepth: OpenSSL uses as default 9, but Indy overrides this with its own default, which is default(Integer) = 0. If the SMTP Server sends a certificate issued by a intermediate CA, OpenSSL terminate the connection with cert chain too long. VerifyDepth specifies the max length of a certificate chain.

mezen
@mezen
@rlebeau FYI: the shipped version of Indy with Delphi Berlin does not contain a IdSASL_NTLM.pas, that file is missing.
Jos de Bruijn
@josdebr_twitter
@rlebeau I am using D2005. And i've tried to add {R-} before my call to IMAPClient.retrieveMsg() but with no result. Unfortunately I cannot directly connect to this server, so I cannot debug the Indy library to see what value the different parameters are.
Jos de Bruijn
@josdebr_twitter

@rlebeau I've changed the function to use a UID for the temp file name:

    if(CreateGuid(Uid) = S_OK) then
      Result := Copy(stringreplace(GuidToString(Uid),'-','', [rfReplaceAll]), 2, 10) + LFQE;
//    Result := LFName + IntToHex(LNamePart, 8) + LFQE;
    if not FileExists(Result) then begin
      Break;
    end;

The first test of this change is hopefull, my application is again able to parse the messages with attachments.
Can you think of any problems I might run into using this change (Apart from compatibilty issues when I try to upgrade the Indy components)

Remy Lebeau
@rlebeau
@mezen the missing file is an Embarcadero issue, take it up with them. The file is in Indy's SVN repository, which they pull their releases from.
@josdebr_twitter you can't add the {$R-} directive to your code and expect it to apply to Indy. You would have to add it directly to Indy's source code and then recompile Indy. But either way, another solution that does not involve altering any Indy source code is to derive a class from TIdAttachmentFile and override its virtual PrepareTempStream() method to return a TFileStream object using whatever temp filename you want, and then you can use the TIdMessage.OnCreateAttachment event to create an instance of your attachment class
Remy Lebeau
@rlebeau
@josdebr_twitter I just checked in an update that limits the range of ticks that GetUniqueFileName() uses. Hopefully the range check errors won't happen anymore
Justin
@klsyzzz
thank you @mezen, so I guess the error (14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) I'm getting is because OpenSSL doesn't know which certificate are trustable.
mezen
@mezen
@klsyzzz you can always use the parameter AError in OnVerifyPeer to see what exactly error you got. A documentation can be found in https://wiki.openssl.org/index.php/Manual:Verify(1) (and Indy also declares the const for avoiding magic numbers)
mezen
@mezen
@rlebeau yup, that is a problem from Embarcadero, it was only FYI. And there already exist a QP Entry: https://quality.embarcadero.com/browse/RSP-18094
Jos de Bruijn
@josdebr_twitter
@rlebeau Thanks I will check out the latest version and will give that a try.
Justin
@klsyzzz
@mezen thank you I will try to see what the exact error is.
DelphiWorlds
@DelphiWorlds
@rlebeau When you have time, can you clarify something for me? Using another (Windows) NNTP client, I get this error when attempting to connect:
"Error connecting with SSL. - error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small"
When I researched this earlier, it seems to indicate that EMBT have not updated their SSL libraries on the forums server. I'd like to be able to send a rocket their way and have someone fix it, if that is indeed the case
(If it isn't clear: I mean connecting to EMBTs newsgroups)
Remy Lebeau
@rlebeau
@DelphiWorlds The DH error is a known issue, and a simple workaround: https://forums.embarcadero.com/thread.jspa?threadID=249192#884029 "A simple client fix is to change the OpenSSL cipher list to exclude DH ciphers, by adding :!DH: within the existing cipher list, I've just changed mine to: 'ALL:!ADH:!DH:RC4+RSA:+SSLv2:@STRENGTH' and now the latest OpenSSL 1.1.0e connects". You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property for that.
DelphiWorlds
@DelphiWorlds
Is there a particular message in that thread that refers to these details? when I go to that link, it takes me to the first message.
Remy Lebeau
@rlebeau
@DelphiWorlds The link I gave you above should jump right to the specific message that explains the issue and the CipherList workaround (the jump works fine for me). If your browser is not jumping to that message, your browser is being stupid. Just read the message from Angus Robertson on Apr 20 2017, it explains the DH issue and gives the workaround