Jos de Bruijn
@josdebr_twitter
@rlebeau I am using D2005. And I've tried to add {R-} before my call to IMAPClient.retrieveMsg() but with no result. Unfortunately I cannot directly connect to this server, so I cannot debug the Indy library to see what values the different parameters have.
Jos de Bruijn
@josdebr_twitter

@rlebeau I've changed the function to use a UID for the temp file name:

    if(CreateGuid(Uid) = S_OK) then
      Result := Copy(stringreplace(GuidToString(Uid),'-','', [rfReplaceAll]), 2, 10) + LFQE;
    // Result := LFName + IntToHex(LNamePart, 8) + LFQE;
    if not FileExists(Result) then begin
      Break;
    end;

The first test of this change is hopeful, my application is again able to parse the messages with attachments.
Can you think of any problems I might run into using this change (apart from compatibility issues when I try to upgrade the Indy components)?

Remy Lebeau
@rlebeau
@mezen the missing file is an Embarcadero issue, take it up with them. The file is in Indy's SVN repository, which they pull their releases from.
@josdebr_twitter you can't add the {$R-} directive to your code and expect it to apply to Indy. You would have to add it directly to Indy's source code and then recompile Indy. But either way, another solution that does not involve altering any Indy source code is to derive a class from TIdAttachmentFile and override its virtual PrepareTempStream() method to return a TFileStream object using whatever temp filename you want, and then you can use the TIdMessage.OnCreateAttachment event to create an instance of your attachment class
Remy Lebeau
@rlebeau
@josdebr_twitter I just checked in an update that limits the range of ticks that GetUniqueFileName() uses. Hopefully the range check errors won't happen anymore
Justin
@klsyzzz
Thank you @mezen, so I guess the error (14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed) I'm getting is because OpenSSL doesn't know which certificates are trustable.
mezen
@mezen
@klsyzzz you can always use the parameter AError in OnVerifyPeer to see exactly what error you got. Documentation can be found at https://wiki.openssl.org/index.php/Manual:Verify(1) (and Indy also declares the const for avoiding magic numbers)
mezen
@mezen
@rlebeau yup, that is a problem from Embarcadero, it was only FYI. And there already exists a QP entry: https://quality.embarcadero.com/browse/RSP-18094
Jos de Bruijn
@josdebr_twitter
@rlebeau Thanks I will check out the latest version and will give that a try.
Justin
@klsyzzz
@mezen thank you I will try to see what the exact error is.
DelphiWorlds
@DelphiWorlds
@rlebeau When you have time, can you clarify something for me? Using another (Windows) NNTP client, I get this error when attempting to connect:
"Error connecting with SSL. - error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small"
When I researched this earlier, it seems to indicate that EMBT have not updated their SSL libraries on the forums server. I'd like to be able to send a rocket their way and have someone fix it, if that is indeed the case
(If it isn't clear: I mean connecting to EMBTs newsgroups)
Remy Lebeau
@rlebeau
@DelphiWorlds The DH error is a known issue, and a simple workaround: https://forums.embarcadero.com/thread.jspa?threadID=249192#884029 "A simple client fix is to change the OpenSSL cipher list to exclude DH ciphers, by adding :!DH: within the existing cipher list, I've just changed mine to: 'ALL:!ADH:!DH:RC4+RSA:+SSLv2:@STRENGTH' and now the latest OpenSSL 1.1.0e connects". You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property for that.
DelphiWorlds
@DelphiWorlds
Is there a particular message in that thread that refers to these details? When I go to that link, it takes me to the first message.
Remy Lebeau
@rlebeau
@DelphiWorlds The link I gave you above should jump right to the specific message that explains the issue and the CipherList workaround (the jump works fine for me). If your browser is not jumping to that message, your browser is being stupid. Just read the message from Angus Robertson on Apr 20 2017, it explains the DH issue and gives the workaround
DelphiWorlds
@DelphiWorlds
Why is the workaround necessary for EMBT's server?
DelphiWorlds
@DelphiWorlds
Never mind.. the answer is in his details.. which I have already read before. I blame the 'flu that I'm recovering from ;-)
Remy Lebeau
@rlebeau
@DelphiWorlds Yes, per the discussion: "The essential issue is the server is using DHParams with less than 768 bits, which are needed to support DH ciphers. To prevent the Logjam attack, OpenSSL 1.0.2e and later will not connect with DHParams less than 768 bits, giving dh key too small ... The proper fix would be to create new DHParams for the Jive server, with 1,024 bits or later"
DelphiWorlds
@DelphiWorlds
thanks
DelphiWorlds
@DelphiWorlds
...and fixed :-) Just tested EMBTs forums with OpenSSL 1.0.2k.. all good
mezen
@mezen
Does the proxy authentication in IdHTTP work with NTLM? And if so, what do I have to do? Just simply put Username and Password into IdHttp1.ProxyParams.ProxyUsername and IdHttp1.ProxyParams.ProxyPassword? Unfortunately I have no proxy with NTLM authentication here for testing and it seems that setting up a squid with NTLM is a little bit complicated :(
Remy Lebeau
@rlebeau
@mezen Proxy authentication uses the same mechanism as normal HTTP authentication - Indy's TIdAuthentication classes. TIdHTTP only supports BASIC authentication (TIdBasicAuthentication) by default, but adding additional IdAuthentication... units to your uses clause will activate other classes. NTLM is handled by the TIdNTLMAuthentication class in the IdAuthenticationNTLM unit, which is actually untested and thus is not registered in the IDE by default, but you can try adding it to your project manually and see if it works.
mezen
@mezen
@rlebeau if I want to use IdAuthenticationNTLM or IdAuthenticationSSPI (which also contains NTLM?), do I still have to set ProxyParams.BasicAuthentication := True; or is NTLM not considered as Basic authentication?
(My Target Platform is only Win32, maybe Win64 someday in a far future)
Mark Humphreys
@mmarquee
I am trying to add client certificates to a solution using TIdTCPServer that already has SSL connections - based on an answer given in Embarcadero forums. I have setup OnVerifyPeer events, and set VerifyMode to [sslvrfPeer], but it is currently allowing connections when there is no client certificate. What have I done wrong / missed ?
mezen
@mezen
sslvrfPeer: A Request from a client certificate will be sent to the client. The client may opt to ignore the request, but if a certificate is sent back, it will be verified.
sslvrfFailIfNoPeerCert: only used for server when sslvrfPeer is set. Use of this flag will cause the handshake to terminate immediately if no certificate is provided by the client.
sslvrfClientOnce: only used for server when sslvrfPeer is set. Use of this flag will prevent the server from requesting a certificate from the client in the case of renegotiation. A certificate will still be requested during the initial handshake.
@mmarquee so you have to set VerifyMode to [sslvrfPeer, sslvrfFailIfNoPeerCert]
mezen
@mezen
Good source is https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3)
SSL_VERIFY_NONE is VerifyMode := [];
Mark Humphreys
@mmarquee
@mezen Super, setting those values will disable connection until a correct client certificate is sent. Been looking at this for hours working out what was wrong. Thanks
Remy Lebeau
@rlebeau
@mezen BASIC is an actual authentication scheme of its own. Setting BasicAuthentication=True just means that TIdHTTP is allowed to fall back to BASIC if not using any other authentication
DelphiWorlds
@DelphiWorlds
I have an application that "advertises" itself by way of a UDP broadcast.. if I call Broadcast on TIdUDPClient, is it supposed to broadcast on all bindable IP addresses, or does it just pick the first one, or something else? Is using UDP an advisable way of doing this in the first place? I note that for IPv6 networks I'll have to use multicast anyway
Note that the comms is (for now) just happening on the local network
DelphiWorlds
@DelphiWorlds
I think I might need TIdIPMCastClient/Server.. just need to work out how to use them
DelphiWorlds
@DelphiWorlds
I'm attempting to bind all local addresses to the TIdIPMCastClient, but it fails with socket error 10049
Not sure what value I should be putting for MulticastGroup in the server, either
DelphiWorlds
@DelphiWorlds
ok.. that error happens on iOS Simulator.. not on Win32
DelphiWorlds
@DelphiWorlds
...and also errors on iOS
Remy Lebeau
@rlebeau
@DelphiWorlds Sending a UDP broadcast will go out on a single IP interface of the OS's choosing, unless you bind the socket to a specific interface beforehand, or use the broadcast IP of a specific subnet rather than the generic 255.255.255.255 broadcast address. If you want to broadcast on all available interfaces, you have to send a broadcast to each one individually.
Remy Lebeau
@rlebeau
@DelphiWorlds I can't comment on your 10049 error without seeing how you are binding the IPs to begin with. The MulticastGroup is the network multicast IP address that you want to send/receive packets on (the IP that routers watch for on packets), which is different than the local IP address that you bind sockets to. IPv4 multicast group addresses are in the 224.x.x.x to 239.x.x.x range. IPv6 multicast group addresses are in the FF0x:x:x:x:x:x:x:x range
DelphiWorlds
@DelphiWorlds
I'm not going beyond the router, so I assume I won't need multicast? I just need to make sure the broadcast is seen through the correct connection..
I need to loop through the available IPs and send on each
DelphiWorlds
@DelphiWorlds
ok.. I need multicast because IPv6 is involved
procedure TNetworkingModel.ConfigureUDPBindings(const AListener: TIdIPMCastClient);
var
LHandle: TIdSocketHandle;
I: Integer;
begin
AListener.Bindings.Clear;
for I := 0 to FLocalAddresses.Count - 1 do
begin
LHandle := AListener.Bindings.Add;
LHandle.IPVersion := FLocalAddresses.Addresses[I].IPVersion;
LHandle.IP := FLocalAddresses.Addresses[I].IPAddress;
LHandle.Port := AListener.DefaultPort;
end;
end;
oops
not that good with gitter
    procedure TNetworkingModel.ConfigureUDPBindings(const AListener: TIdIPMCastClient);
    var
      LHandle: TIdSocketHandle;
      I: Integer;
    begin
      AListener.Bindings.Clear;
      for I := 0 to FLocalAddresses.Count - 1 do
      begin
        LHandle := AListener.Bindings.Add;
        LHandle.IPVersion := FLocalAddresses.Addresses[I].IPVersion;
        LHandle.IP := FLocalAddresses.Addresses[I].IPAddress;
        LHandle.Port := AListener.DefaultPort;
      end;
    end;
that's how I'm configuring the bindings
DelphiWorlds
@DelphiWorlds
if I don't attempt to bind the IPv6 addresses, no error