Justin
@klsyzzz
@mezen thank you I will try to see what the exact error is.
DelphiWorlds
@DelphiWorlds
@rlebeau When you have time, can you clarify something for me? Using another (Windows) NNTP client, I get this error when attempting to connect:
"Error connecting with SSL. - error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small"
When I researched this earlier, it seemed to indicate that EMBT have not updated their SSL libraries on the forums server. I'd like to be able to send a rocket their way and have someone fix it, if that is indeed the case.
(If it isn't clear: I mean connecting to EMBT's newsgroups)
Remy Lebeau
@rlebeau
@DelphiWorlds The DH error is a known issue, and there is a simple workaround: https://forums.embarcadero.com/thread.jspa?threadID=249192#884029 "A simple client fix is to change the OpenSSL cipher list to exclude DH ciphers, by adding :!DH: within the existing cipher list, I've just changed mine to: 'ALL:!ADH:!DH:RC4+RSA:+SSLv2:@STRENGTH' and now the latest OpenSSL 1.1.0e connects". You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property for that.
DelphiWorlds
@DelphiWorlds
Is there a particular message in that thread that refers to these details? When I go to that link, it takes me to the first message.
Remy Lebeau
@rlebeau
@DelphiWorlds The link I gave you above should jump right to the specific message that explains the issue and the CipherList workaround (the jump works fine for me). If your browser is not jumping to that message, your browser is being stupid. Just read the message from Angus Robertson on Apr 20 2017, it explains the DH issue and gives the workaround
DelphiWorlds
@DelphiWorlds
Why is the workaround necessary for EMBT's server?
DelphiWorlds
@DelphiWorlds
Never mind.. the answer is in his details.. which I have already read before. I blame the 'flu that I'm recovering from ;-)
Remy Lebeau
@rlebeau
@DelphiWorlds Yes, per the discussion: "The essential issue is the server is using DHParams with less than 768 bits, which are needed to support DH ciphers. To prevent the Logjam attack, OpenSSL 1.0.2e and later will not connect with DHParams less than 768 bits, giving dh key too small ... The proper fix would be to create new DHParams for the Jive server, with 1,024 bits or later"
DelphiWorlds
@DelphiWorlds
thanks
DelphiWorlds
@DelphiWorlds
...and fixed :-) Just tested EMBT's forums with OpenSSL 1.0.2k.. all good
mezen
@mezen
Does the proxy authentication in IdHTTP work with NTLM? And if so, what do I have to do? Just simply put Username and Password in IdHttp1.ProxyParams.ProxyUsername and IdHttp1.ProxyParams.ProxyPassword? Unfortunately I have no proxy with NTLM authentication here for testing, and it seems that setting up a Squid with NTLM is a little bit complicated :(
Remy Lebeau
@rlebeau
@mezen Proxy authentication uses the same mechanism as normal HTTP authentication - Indy's TIdAuthentication classes. TIdHTTP only supports BASIC authentication (TIdBasicAuthentication) by default, but adding additional IdAuthentication... units to your uses clause will activate other classes. NTLM is handled by the TIdNTLMAuthentication class in the IdAuthenticationNTLM unit, which is actually untested and thus is not registered in the IDE by default, but you can try adding it to your project manually and see if it works.
mezen
@mezen
@rlebeau If I want to use IdAuthenticationNTLM or IdAuthenticationSSPI (which also contains NTLM?), do I still have to set ProxyParams.BasicAuthentication := True; or is NTLM not considered as Basic authentication?
(My Target Platform is only Win32, maybe Win64 someday in a far future)
Mark Humphreys
@mmarquee
I am trying to add client certificates to a solution using TIdTCPServer that already has SSL connections - based on an answer given in Embarcadero forums. I have set up OnVerifyPeer events, and set VerifyMode to [sslvrfPeer], but it is currently allowing connections when there is no client certificate. What have I done wrong / missed?
mezen
@mezen
sslvrfPeer: A request for a client certificate will be sent to the client. The client may opt to ignore the request, but if a certificate is sent back, it will be verified.
sslvrfFailIfNoPeerCert: only used for server when sslvrfPeer is set. Use of this flag will cause the handshake to terminate immediately if no certificate is provided by the client.
sslvrfClientOnce: only used for server when sslvrfPeer is set. Use of this flag will prevent the server from requesting a certificate from the client in the case of renegotiation. A certificate will still be requested during the initial handshake.
@mmarquee So you have to set VerifyMode to [sslvrfPeer, sslvrfFailIfNoPeerCert]
mezen
@mezen
A good source is https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3)
SSL_VERIFY_NONE is VerifyMode := [];
Mark Humphreys
@mmarquee
@mezen Super, setting those values will disable connection until a correct client certificate is sent. Been looking at this for hours working out what was wrong. Thanks
Remy Lebeau
@rlebeau
@mezen BASIC is an actual authentication scheme of its own. Setting BasicAuthentication=True just means that TIdHTTP is allowed to fall back to BASIC if not using any other authentication
DelphiWorlds
@DelphiWorlds
I have an application that "advertises" itself by way of a UDP broadcast.. if I call Broadcast on TIdUDPClient, is it supposed to broadcast on all bindable IP addresses, or does it just pick the first one, or something else? Is using UDP an advisable way of doing this in the first place? I note that for IPv6 networks I'll have to use multicast anyway
Note that the comms is (for now) just happening on the local network
DelphiWorlds
@DelphiWorlds
I think I might need TIdIPMCastClient/Server.. just need to work out how to use them
DelphiWorlds
@DelphiWorlds
I'm attempting to bind all local addresses to the TIdIPMCastClient, but it fails with socket error 10049
Not sure what value I should be putting for MulticastGroup in the server, either
DelphiWorlds
@DelphiWorlds
ok.. that error happens on iOS Simulator.. not on Win32
DelphiWorlds
@DelphiWorlds
...and also errors on iOS
Remy Lebeau
@rlebeau
@DelphiWorlds Sending a UDP broadcast will go out on a single IP interface of the OS's choosing, unless you bind the socket to a specific interface beforehand, or use the broadcast IP of a specific subnet rather than the generic 255.255.255.255 broadcast address. If you want to broadcast on all available interfaces, you have to send a broadcast to each one individually.
Remy Lebeau
@rlebeau
@DelphiWorlds I can't comment on your 10049 error without seeing how you are binding the IPs to begin with. The MulticastGroup is the network multicast IP address that you want to send/receive packets on (the IP that routers watch for on packets), which is different than the local IP address that you bind sockets to. IPv4 multicast group addresses are in the 224.x.x.x to 239.x.x.x range. IPv6 multicast group addresses are in the FF0x:x:x:x:x:x:x:x range
DelphiWorlds
@DelphiWorlds
I'm not going beyond the router, so I assume I won't need multicast? I just need to make sure the broadcast is seen through the correct connection..
I need to loop through the available IPs and send on each
DelphiWorlds
@DelphiWorlds
ok.. I need multicast because IPv6 is involved
procedure TNetworkingModel.ConfigureUDPBindings(const AListener: TIdIPMCastClient);
var
  LHandle: TIdSocketHandle;
  I: Integer;
begin
  // Start from an empty binding list
  AListener.Bindings.Clear;
  // Add one binding per local address (IPv4 and IPv6) held in FLocalAddresses
  for I := 0 to FLocalAddresses.Count - 1 do
  begin
    LHandle := AListener.Bindings.Add;
    LHandle.IPVersion := FLocalAddresses.Addresses[I].IPVersion;
    LHandle.IP := FLocalAddresses.Addresses[I].IPAddress;
    LHandle.Port := AListener.DefaultPort;
  end;
end;
that's how I'm configuring the bindings
DelphiWorlds
@DelphiWorlds
if I don't attempt to bind the IPv6 addresses, no error
DelphiWorlds
@DelphiWorlds
TIdIPMCastServer also errors if attempting a Send on an IPv6 address

Debugger Exception Notification

Project dyld_sim raised exception class EIdSocketError with message 'Socket Error # 49

Cannot assign requested address.'.


DelphiWorlds
@DelphiWorlds
even if I ignore the IPv6 addresses, my client (192.168.56.100) doesn't receive a broadcast from the server (192.168.56.1)
Remy Lebeau
@rlebeau
@DelphiWorlds how are you sending the broadcast? What does that code look like?
DelphiWorlds
@DelphiWorlds
Francesco Marano may have given me a solution in the forums.. the thread starts here:
https://forums.embarcadero.com/message.jspa?messageID=887844&tstart=0
I neglected to consider that the IPMCast classes have their own IPVersion property, as well as MulticastGroup property.. doh
DelphiWorlds
@DelphiWorlds
if you read Francesco's last reply, his example code works on Windows, fails on iOS.. same error
It fails when setting the client active
DelphiWorlds
@DelphiWorlds
TIdStackVCLPosix.GetLocalAddressList fails to retrieve any addresses for me on my Android 7 device, so I've created this Gist, in case it's of any use:
https://gist.github.com/DelphiWorlds/0733b6611707c8d5725ee42fd1ae01fd