Remy Lebeau
@rlebeau
@RyanTruran unless you recompile Indy to register it, you should just add IdSASL_NTLM.pas to your project directly, then #include the resulting IdSASL_NTLM.hpp file in your code and instantiate a TIdSASLNTLM object at runtime and Add() it to the SASLMechanisms property.
Ryan Truran
@RyanTruran
so I should grab the .pas off of github right?
Remy Lebeau
@rlebeau
@RyanTruran I have no idea if TIdSASLNTLM works or not, which is probably why it is still not registered by default. Is that the only AUTH the server is reporting?
@RyanTruran Indy's code is not on GitHub. It is on AToZed's own SVN server (link is on Indy's website). GitHub is only used for chat and issue tracking
Ryan Truran
@RyanTruran
so are you with indy?
Remy Lebeau
@rlebeau
@RyanTruran yes, I am the primary developer of Indy, and one of its admins. But I'm not with AToZed. And I didn't write TIdSASLNTLM, and have no way of testing it myself (no access to any servers that use NTLM authentication).
Ryan Truran
@RyanTruran
gotcha
so when I add the .pas to the project does it generate a .hpp? that I can include?
Remy Lebeau
@rlebeau
@RyanTruran It will, when the project compiles the .pas file. C++Builder projects can include Pascal source files, and it will always compile Pascal files before C/C++ files, for exactly the reason of generating any necessary .hpp files that may be used by the C/C++ code.
Ryan Truran
@RyanTruran
which will occur when I compile the project right?
Remy Lebeau
@rlebeau
@RyanTruran yes
Jos de Bruijn
@josdebr_twitter
@rlebeau I am using 10.6.2.0.
On line 1644 i've got the following code: Result := LFName + IntToHex(LNamePart, 8) + LFQE;
Remy Lebeau
@rlebeau
@josdebr_twitter What version of Delphi are you using? What is the actual value of LNamePart when the error occurs? LNamePart is a TIdTicks, which is a UInt64. Is the value of LNamePart > High(Int64) (9223372036854775807) when the error occurs? IntToHex() has had an overload for UInt64 since XE2. Do you get the same error if you precede that line of code with {$R-} or {$RANGECHECKS OFF}?
Justin
@klsyzzz
hi @rlebeau just wondering is it possible to enable certificate validation with ssl? We are using TidSMTP with UseTLS as ExplicitTLS and IOHandler as SocketOpenSSL, but looks like it is not validating the certificate
Remy Lebeau
@rlebeau
@klsyzzz Are you enabling the sslvrfPeer flag in the SSLIOHandler's VerifyMode, and using its OnVerifyPeer event? OpenSSL does validate certificates, but first you have to tell it to do so, and then you have a chance to look at the result of the validation and provide your own additional feedback based on your own needs/policies.
Justin
@klsyzzz
currently all options under VerifyMode are false
Remy Lebeau
@rlebeau
@klsyzzz Well, then turn them on, or at least sslvrfPeer
Justin
@klsyzzz
ok so I just need to turn VerifyPeer property, do I need to add anything to the OnVerifyPeer event?
Remy Lebeau
@rlebeau
@klsyzzz only if you don't trust OpenSSL's default validations, and/or you want to verify anything yourself.
Justin
@klsyzzz
@rlebeau thank you very much
Justin
@klsyzzz
sorry @rlebeau I'm new to this, do I need to set the property for CertFile or RootCertFile under SSLOptions? I got an SSL negotiation failed error after turning on sslvrfPeer
Justin
@klsyzzz
@rlebeau the underlying error is this when debugging : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
mezen
@mezen

@klsyzzz OpenSSL certificate validation with Indy is a little bit tricky (or maybe it's the OpenSSL part that makes it tricky^^). sslvrfPeer says "if the server sends a certificate, it will be verified. If the verification fails, the handshake will be terminated immediately. The only time that a server would not send a certificate is when an anonymous cipher is in use" (which should never be used^^). sslvrfFailIfNoPeerCert and sslvrfClientOnce are only used for servers. If no VerifyMode is set, OpenSSL (in client mode) will verify the server certificate, but failure will not terminate the handshake.
I even believe you always have to implement an OnVerifyPeer, otherwise Indy uses a default implementation which is Result := True, which overrides the verification result of OpenSSL.
If OpenSSL should verify the certificate, it needs to know which certificates are trustable. For this OpenSSL uses all public certs which are stored in the directory which you specified in SSLOptions.VerifyDir. If you want to use the Windows certificate store, you could use this snippet, but you have to have a look into the MSDN for CertOpenSystemStore and CertEnumCertificatesInStore, and maybe CertEnumSystemStore is interesting for you.

    // LStore: HCERTSTORE; LCert: PCCERT_CONTEXT; LData: PByte; LX509: PX509
    // ctx is the SSL_CTX whose trust store is being filled
    LStore := CertOpenSystemStore(0, 'ROOT');
    if LStore = nil then RaiseLastOSError;
    try
      LCert := CertEnumCertificatesInStore(LStore, nil);
      while Assigned(LCert) do
      begin
        // d2i_X509 advances the pointer it is given, so pass a copy
        // instead of the address of the CERT_CONTEXT's own field
        LData := LCert.pbCertEncoded;
        LX509 := d2i_X509(nil, @LData, LCert.cbCertEncoded);
        if Assigned(LX509) then
        begin
          X509_STORE_add_cert(ctx.cert_store, LX509);
          X509_free(LX509);
        end;
        LCert := CertEnumCertificatesInStore(LStore, LCert);
      end;
      // CertFreeCertificateContext is not needed, because
      // CertEnumCertificatesInStore frees the pPrevCertContext argument
    finally
      CertCloseStore(LStore, 0);
    end;

Another point for certificate verification is the VerifyDepth: OpenSSL uses 9 by default, but Indy overrides this with its own default, which is default(Integer) = 0. If the SMTP server sends a certificate issued by an intermediate CA, OpenSSL terminates the connection with "cert chain too long". VerifyDepth specifies the max length of a certificate chain.

mezen
@mezen
@rlebeau FYI: the shipped version of Indy with Delphi Berlin does not contain a IdSASL_NTLM.pas, that file is missing.
Jos de Bruijn
@josdebr_twitter
@rlebeau I am using D2005. And i've tried to add {R-} before my call to IMAPClient.retrieveMsg() but with no result. Unfortunately I cannot directly connect to this server, so I cannot debug the Indy library to see what value the different parameters are.
Jos de Bruijn
@josdebr_twitter

@rlebeau I've changed the function to use a UID for the temp file name:

    // inside the retry loop of GetUniqueFileName(); Uid is a TGUID
    if CreateGUID(Uid) = S_OK then
      Result := Copy(StringReplace(GUIDToString(Uid), '-', '', [rfReplaceAll]), 2, 10) + LFQE;
    // Result := LFName + IntToHex(LNamePart, 8) + LFQE;
    if not FileExists(Result) then begin
      Break;
    end;

The first test of this change is hopeful, my application is again able to parse the messages with attachments.
Can you think of any problems I might run into using this change (apart from compatibility issues when I try to upgrade the Indy components)?

Remy Lebeau
@rlebeau
@mezen the missing file is an Embarcadero issue, take it up with them. The file is in Indy's SVN repository, which they pull their releases from.
@josdebr_twitter you can't add the {$R-} directive to your code and expect it to apply to Indy. You would have to add it directly to Indy's source code and then recompile Indy. But either way, another solution that does not involve altering any Indy source code is to derive a class from TIdAttachmentFile and override its virtual PrepareTempStream() method to return a TFileStream object using whatever temp filename you want, and then you can use the TIdMessage.OnCreateAttachment event to create an instance of your attachment class
Remy Lebeau
@rlebeau
@josdebr_twitter I just checked in an update that limits the range of ticks that GetUniqueFileName() uses. Hopefully the range check errors won't happen anymore
Justin
@klsyzzz
thank you @mezen, so I guess the error (14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) I'm getting is because OpenSSL doesn't know which certificates are trustable.
mezen
@mezen
@klsyzzz you can always use the parameter AError in OnVerifyPeer to see exactly which error you got. Documentation can be found in https://wiki.openssl.org/index.php/Manual:Verify(1) (and Indy also declares the consts to avoid magic numbers)
mezen
@mezen
@rlebeau yup, that is a problem from Embarcadero, it was only FYI. And there already exists a QP entry: https://quality.embarcadero.com/browse/RSP-18094
Jos de Bruijn
@josdebr_twitter
@rlebeau Thanks I will check out the latest version and will give that a try.
Justin
@klsyzzz
@mezen thank you I will try to see what the exact error is.
DelphiWorlds
@DelphiWorlds
@rlebeau When you have time, can you clarify something for me? Using another (Windows) NNTP client, I get this error when attempting to connect:
"Error connecting with SSL. - error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small"
When I researched this earlier, it seems to indicate that EMBT have not updated their SSL libraries on the forums server. I'd like to be able to send a rocket their way and have someone fix it, if that is indeed the case
(If it isn't clear: I mean connecting to EMBTs newsgroups)
Remy Lebeau
@rlebeau
@DelphiWorlds The DH error is a known issue, and a simple workaround: https://forums.embarcadero.com/thread.jspa?threadID=249192#884029 "A simple client fix is to change the OpenSSL cipher list to exclude DH ciphers, by adding :!DH: within the existing cipher list, I've just changed mine to: 'ALL:!ADH:!DH:RC4+RSA:+SSLv2:@STRENGTH' and now the latest OpenSSL 1.1.0e connects". You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property for that.
DelphiWorlds
@DelphiWorlds
Is there a particular message in that thread that refers to these details? when I go to that link, it takes me to the first message.
Remy Lebeau
@rlebeau
@DelphiWorlds The link I gave you above should jump right to the specific message that explains the issue and the CipherList workaround (the jump works fine for me). If your browser is not jumping to that message, your browser is being stupid. Just read the message from Angus Robertson on Apr 20 2017, it explains the DH issue and gives the workaround
DelphiWorlds
@DelphiWorlds
Why is the workaround necessary for EMBT's server?
DelphiWorlds
@DelphiWorlds
Never mind.. the answer is in his details.. which I have already read before. I blame the 'flu that I'm recovering from ;-)
Remy Lebeau
@rlebeau
@DelphiWorlds Yes, per the discussion: "The essential issue is the server is using DHParams with less than 768 bits, which are needed to support DH ciphers. To prevent the Logjam attack, OpenSSL 1.0.2e and later will not connect with DHParams less than 768 bits, giving dh key too small ... The proper fix would be to create new DHParams for the Jive server, with 1,024 bits or later"
DelphiWorlds
@DelphiWorlds
thanks
DelphiWorlds
@DelphiWorlds
...and fixed :-) Just tested EMBTs forums with OpenSSL 1.0.2k.. all good
mezen
@mezen
Does the proxy authentication in IdHTTP work with NTLM? And if so, what do I have to do? Just simply put Username and Password into IdHttp1.ProxyParams.ProxyUsername and IdHttp1.ProxyParams.ProxyPassword? Unfortunately I have no proxy with NTLM authentication here for testing, and it seems that setting up a squid with NTLM is a little bit complicated :(
Remy Lebeau
@rlebeau
@mezen Proxy authentication uses the same mechanism as normal HTTP authentication - Indy's TIdAuthentication classes. TIdHTTP only supports BASIC authentication (TIdBasicAuthentication) by default, but adding additional IdAuthentication... units to your uses clause will activate other classes. NTLM is handled by the TIdNTLMAuthentication class in the IdAuthenticationNTLM unit, which is actually untested and thus is not registered in the IDE by default, but you can try adding it to your project manually and see if it works.
mezen
@mezen
@rlebeau if I want to use IdAuthenticationNTLM or IdAuthenticationSSPI (which also contains NTLM?), do I still have to set ProxyParams.BasicAuthentication := True; or is NTLM not considered as Basic authentication?
(My Target Platform is only Win32, maybe Win64 someday in a far future)
Mark Humphreys
@mmarquee
I am trying to add client certificates to a solution using TIdTCPServer that already has SSL connections - based on an answer given in the Embarcadero forums. I have set up OnVerifyPeer events, and set VerifyMode to [sslvrfPeer], but it is currently allowing connections when there is no client certificate. What have I done wrong / missed?
mezen
@mezen
sslvrfPeer: A request for a client certificate will be sent to the client. The client may opt to ignore the request, but if a certificate is sent back, it will be verified.
sslvrfFailIfNoPeerCert: only used for servers when sslvrfPeer is set. Use of this flag will cause the handshake to terminate immediately if no certificate is provided by the client.
sslvrfClientOnce: only used for servers when sslvrfPeer is set. Use of this flag will prevent the server from requesting a certificate from the client in the case of renegotiation. A certificate will still be requested during the initial handshake