SocketServer
------------

Added multiple SSL host support to TSslWSocketServer and to
TSslHttpServer and TSslHttpAppSrv (and TIcsProxy). 

Previously, although the servers supported multiple IP addresses and
ports, a lot of application code was needed to support multiple hosts,
SSL certificates and separate directories for separate sites. 

There is a new IcsHosts property which allows multiple hosts to be
specified, each with one or two IP addresses and non-SSL and SSL port
bindings, SSL certificates and private key, SSL context and security
level, and other web server host related properties.

If IcsHosts is specified, TSslWSocketServer ignores the existing bindings
and SslContext, creates new bindings and initialises an SSL context for
each host, checking and reporting all server certificate chains.

IcsHosts includes SslSrvSecurity, an SSL server security level that sets
the protocol, cipher and SslSecLevel according to one of eight levels
from sslSrvSecNone to sslSrvSecHigh192, to avoid needing to set
protocols and ciphers in the SSL context.

IcsHosts includes SslCert, SslKey, SslPassword and SslInter. SslCert
may be a file name or an ASCII PEM string containing an SSL server
certificate. The file may be PEM/CER/DER/PFX/P12/etc, either a single
certificate or a bundle with the private key and any intermediates
(PEM/PFX/P12 only); SslPassword is the private key password, if
encrypted. If a bundle is not found, SslKey is a PEM file or ASCII
PEM private key, and SslInter is any intermediate SSL certificates
used to sign the server SSL certificate, as a file name in PEM/CER/DER
format or ASCII PEM. IcsHosts keeps the file time stamps of SSL
certificates so they can be checked to see if they have changed.

TSslWSocketServer has a new RootCA property which should be loaded with
CA root certificates to validate the server chain, and a new DHParams
property for a context DHParams file or string.

ValidateHosts checks all host properties and attempts to validate the
SSL certificate chains and hosts; it keeps certificate chain
information in the IcsHosts CertInfo property and validation warnings
or errors in ErrInfo. ValidateHosts has options to return all errors
as a string instead of raising an exception on the first error. The
idea is that some hosts may still work, even if one or more SSL
certificates are bad.

TWSocketClient includes new properties IcsHostIdx, MultiListenIdx and
HostTag to identify which IcsHost and MultiListen socket accepted the
connection. The client server and remote peer address and port are
published as CServerAddr, CServerPort, CPeerAddr and CPeerPort, since
many clients need this information. Note that IcsHostIdx and HostTag
specify the first matching IcsHost according to binding address and
port, and server name indication (for SSL), but may be changed later
by higher level protocols such as HTTP when a Host: header is
encountered.

A new method RecheckSslCerts should be called at least once a day
(after midnight) to check if new SSL certificates are available and if
old ones have expired. 

A new method MultiListenEx opens all possible sockets ignoring errors,
which are returned as a string, rather than raising an exception. The
idea is that some hosts may still work, even if one or more bindings
are unavailable.

A new method ListenAllOK returns true if all sockets are listening OK;
note that starting a multi-listener server does not give errors if
some listeners fail due to port conflicts.

A new method ListenStates returns a multiline string listing the IP,
port, SSL and state of all socket listeners, for periodic reporting.  
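As an added example (not code from this post or from the ICS distribution), here is how an application could build two IcsHosts in code, validate every certificate chain without stopping at the first error, refuse to serve a host whose chain failed, and then open all bindings tolerating individual failures. Property and method names follow the post; the unit name OverbyteIcsWSocketS, the TIcsHost fields HostNames, HostTag, BindIpAddr, BindNonPort, BindSslPort, HostEnabled and ErrInfo, IcsHosts.Add returning a TIcsHost, indexing with IcsHosts[I], and the parameter list ValidateHosts(Stop1stErr, NoExceptions) are assumptions about the ICS API, and all paths and the password are constructed placeholders.

```delphi
{ Added example, not code from the post or the ICS distribution. Assumed ICS
  names: unit OverbyteIcsWSocketS; TIcsHost fields HostNames, HostTag,
  BindIpAddr, BindNonPort, BindSslPort, HostEnabled, ErrInfo; IcsHosts.Add
  returning TIcsHost; ValidateHosts(Stop1stErr, NoExceptions). Paths and the
  password are constructed placeholders. }
uses
  SysUtils, Classes, OverbyteIcsWSocket, OverbyteIcsWSocketS;

procedure AddHost(Server: TSslWSocketServer; const Names, Tag, Cert, Key, Inter: String);
var Host: TIcsHost;
begin
  Host := Server.IcsHosts.Add;
  Host.HostNames.Text := Names;             // one host name per line
  Host.HostTag := Tag;                      // later matched by HTTP handlers
  Host.BindIpAddr := '0.0.0.0';             // hosts share IP and ports; SNI picks the cert
  Host.BindNonPort := 80;
  Host.BindSslPort := 443;
  Host.SslSrvSecurity := sslSrvSecHigh192;  // protocols and ciphers come from the level
  Host.SslCert := Cert;                     // bundle (PFX/P12/PEM) or certificate alone
  Host.SslKey := Key;                       // only needed when Cert holds no private key
  Host.SslInter := Inter;                   // intermediates when not in the bundle
  Host.SslPassword := 'change-me';          // constructed placeholder
end;

procedure StartMultiHostServer(Server: TSslWSocketServer; Log: TStrings);
var Errs: String; I: Integer;
begin
  AddHost(Server, 'www.example.com' + sLineBreak + 'example.com', 'EXAMPLE',
          'C:\certs\example-bundle.pfx', '', '');
  AddHost(Server, 'intranet.example.org', 'INTRANET', 'C:\certs\intranet.pem',
          'C:\certs\intranet-key.pem', 'C:\certs\intranet-inter.pem');
  Server.RootCA := 'C:\certs\RootCaCertsBundle.pem';  // roots used to verify each chain
  Server.DHParams := 'C:\certs\dhparam2048.pem';
  // Check every chain and collect all problems instead of stopping at the first
  Errs := Server.ValidateHosts(False, True);
  if Errs <> '' then Log.Add('Host validation:' + sLineBreak + Errs);
  // A host whose chain failed is disabled rather than served with a bad certificate
  for I := 0 to Server.IcsHosts.Count - 1 do
    if Server.IcsHosts[I].ErrInfo <> '' then begin
      Log.Add('Disabling ' + Server.IcsHosts[I].HostTag + ': ' + Server.IcsHosts[I].ErrInfo);
      Server.IcsHosts[I].HostEnabled := False;
    end;
  Errs := Server.MultiListenEx;             // binding failures are returned, not raised
  if Errs <> '' then Log.Add('Listen errors:' + sLineBreak + Errs);
  if not Server.ListenAllOK then Log.Add('WARNING: some listeners are not running');
  Log.Add(Server.ListenStates);             // IP, port, SSL and state of every listener
end;
```

Calling RecheckSslCerts from a once-a-day timer, as the post recommends, is the matching follow-up so that renewed certificate files are picked up and expired ones are reported.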

A new function IcsLoadIcsHostsFromIni loads an IcsHosts collection from
an open INI file to simplify application creation. It is used in
the OverbyteIcsProxySslServer1.pas sample to load the proxy sources
and in OverbyteIcsSslMultiWebServ1.pas to load the web server hosts.


Web Server components
---------------------

TSslHttpServer uses TSslWSocketServer and exposes the IcsHosts
collection for multiple SSL host support. If IcsHosts is specified,
TSslWSocketServer ignores the existing bindings and SslContext,
creates new bindings and initialises an SSL context for each host,
checking and reporting all certificates.

For HttpSrv, IcsHostCollection includes seven new properties,
WebDocDir, WebTemplDir, WebDefDoc, WebLogDir, WellKnownPath, 
WebRedirectURL and WebRedirectStat which set the client DocDir, 
TemplateDir and DefaultDoc (and four matching properties) according 
to the request Host, so the server supports multiple web sites.

Note IcsHosts is only in the SSL server TSslHttpServer but may be used
for HTTP or HTTPS connections.

Added .well-known directory support. If WellKnownPath is specified as
a path, any access to /.well-known/xx is handled locally, either in
the OnWellKnownDir event or by returning a file from WellKnownPath
instead of DocDir. This is primarily for Let's Encrypt challenges.
The sample web server applications illustrate checking a challenge.

Method Start is now a function that optionally opens all possible
sockets, ignoring errors, which are returned as a string. This is
primarily for use with MultiListeners, where one failing listener no
longer stops all of them.

TSslHttpAppSrv is a descendant of TSslHttpServer and also has the same
new IcsHosts support.

So that the URL handlers can support multiple hosts, there is a new
HostTag parameter added to AddGetHandler, AddPostHandler and
AddGetAllowedPath, which causes that handler to be matched against an
IcsHosts HostTag, supporting multiple hosts per server.
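As an added example (not code from this post or from ICS), this configures two web sites on one TSslHttpAppSrv, gives each its own document directory and .well-known path, and registers a handler only for the intranet host so the same path on the public host is never served by it. The unit names, the TUrlHandler methods AnswerString(Status, ContentType, Header, Body) and Finish, the parameter order AddGetHandler(Path, HandlerClass, Flags, HostTag), and Start taking a boolean and returning the listen errors as a string are assumptions about the ICS API; paths are constructed.

```delphi
{ Added example, not code from the post or the ICS distribution. Assumed ICS
  names: units OverbyteIcsHttpSrv and OverbyteIcsHttpAppServer, TUrlHandler
  with AnswerString(Status, ContentType, Header, Body) and Finish, the order
  AddGetHandler(Path, HandlerClass, Flags, HostTag), and Start(True) returning
  listen errors as a string. Paths are constructed placeholders. }
uses
  SysUtils, Classes, OverbyteIcsWSocketS, OverbyteIcsHttpSrv, OverbyteIcsHttpAppServer;

type
  TStatusHandler = class(TUrlHandler)
  public
    procedure Execute; override;
  end;

procedure TStatusHandler.Execute;
begin
  // Only reached for requests on the host whose HostTag was given at registration
  AnswerString('', 'text/plain', '', 'intranet status: ok');
  Finish;
end;

procedure ConfigureWebHosts(Srv: TSslHttpAppSrv; Log: TStrings);
var Host: TIcsHost; Errs: String;
begin
  Host := Srv.IcsHosts.Add;                 // public site, static files only
  Host.HostNames.Text := 'www.example.com';
  Host.HostTag := 'EXAMPLE';
  Host.BindIpAddr := '0.0.0.0';
  Host.BindNonPort := 80;
  Host.BindSslPort := 443;
  Host.SslCert := 'C:\certs\example-bundle.pfx';
  Host.WebDocDir := 'C:\sites\example\wwwroot';
  Host.WebDefDoc := 'index.html';
  Host.WellKnownPath := 'C:\sites\example\well-known';  // /.well-known/* from here, not DocDir

  Host := Srv.IcsHosts.Add;                 // second site on the same ports, chosen by SNI / Host:
  Host.HostNames.Text := 'intranet.example.org';
  Host.HostTag := 'INTRANET';
  Host.BindIpAddr := '0.0.0.0';
  Host.BindNonPort := 80;
  Host.BindSslPort := 443;
  Host.SslCert := 'C:\certs\intranet-bundle.pfx';
  Host.WebDocDir := 'C:\sites\intranet\wwwroot';
  Host.WebDefDoc := 'index.html';

  // Handler bound to one HostTag: /status on www.example.com is not routed to it
  Srv.AddGetHandler('/status', TStatusHandler, hgWillSendMySelf, 'INTRANET');
  Errs := Srv.Start(True);                  // open all bindings, failures come back as text
  if Errs <> '' then Log.Add(Errs);
end;
```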

A new function IcsLoadTHttpAppSrvFromIni loads HttpAppSrv from an
open INI file to simplify application creation; it is used in
OverbyteIcsSslMultiWebServ1.pas to load the web server general
configuration (but not IcsHosts).

 
New Multi Web Server Sample
---------------------------

There are currently four different web server samples, with slightly
differing features.  The new OverbyteIcsSslMultiWebServ multi web
server sample combines features of the existing samples adding 
multiple host support using the new IcsHosts collection.  

The new sample is non-interactive, since web servers are normally run as
Windows background servers. All the server settings come from an INI
file, which will need to be edited before the sample will successfully
run. A bare sample INI file is included, which will be copied into the
ICS shared INI directory on first run; the actual file name is shown
when you start the application, and that is the file to edit.

Unlike the other web server samples, this one uses Hosts to support
multiple addresses, ports and SSL certificates, but all of these
must exist and not be in use by other applications, otherwise the
server will not start. To use SSL, an SSL certificate must exist for
the host name used (IP addresses don't really work with SSL); the
OverbyteIcsPemtool sample allows self-signed SSL certificates to be
created for testing. Up to 100 hosts can be specified; you can edit
the Windows HOSTS file if necessary to create alternate host names for
your PC, if you don't have a local DNS server to do it.

