Everything posted by Angus Robertson
-
OAuth2 bearer token example?
Angus Robertson replied to Lars Fosdal's topic in Network, Cloud and Web
ICS installation errors are usually due to the library paths not being updated to that of the packages and source files. Installing using GetIt does all that automatically, although makes it harder to update to newer versions. This would be better discussed in https://en.delphipraxis.net/forum/37-ics-internet-component-suite/ Angus -
OAuth2 bearer token example?
Angus Robertson replied to Lars Fosdal's topic in Network, Cloud and Web
Why would you think that? The last release was in November 2022 which you can install from GetIt, and the latest SVN update was last week. The latest OpenSSL DLLs are installed with the samples, updated this month. Angus -
OAuth2 bearer token example?
Angus Robertson replied to Lars Fosdal's topic in Network, Cloud and Web
Yes, but the ICS download page is http://wiki.overbyte.eu/wiki/index.php/ICS Once you have it installed run the SSLDemos OverbyteIcsHttpRestTst sample, it does everything you need. However that sample expects your client certificate to be provided as a bundle file for ease of configuration, ie the certificate, key and intermediate in a single PEM or PFX file. The PemTool sample does all that, although a text editor also works for PEM. There is an ICS support topic here. Angus -
OAuth2 bearer token example?
Angus Robertson replied to Lars Fosdal's topic in Network, Cloud and Web
Client certificates are unrelated to REST, OAuth2 or tokens. They are an alternate means of server authentication by HTTPS clients to HTTPS servers, not that common except for corporate VPNs and high security financial applications. It is quite hard to buy a commercial client certificate, for email for instance, they are usually issued by corporates for employees and customers. I don't use the TRestClient component, but I'm not aware it supports client certificates. You need a proper component library like ICS that has full support for REST, OAuth2, tokens and client certificates. Angus -
ICS V8.70 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download

ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 3.0.7 win32, with other versions of OpenSSL being available from the download page.

Major Changes in ICS V8.70 include:

1 - V8.70 has various minor improvements providing better compatibility with modern compilers such as more unicode overloads to avoid ANSI string warnings and casts, and more use of TBytes to avoid ANSI strings. Updated various samples to use TIcsRestEmail to support OAuth2 authentication for GMail and Outlook that no longer allow old authentication protocols.

2 - The TIcsFileCopy, TIcsFtpMulti and TIcsHttpMulti file transfer components now support file zipping and unzipping using System.Zip in recent Delphi compilers, instead of the obsolete VclZip which is no longer available. Before a file copy or FTP upload, files may be automatically zipped, useful for large log files; after a file copy, FTP or HTTP download, files may be unzipped in various ways.

3 - Added support to TIcsFileCopy to copy file names longer than 259 characters by adding \\?\ to the start of long names passed to Windows APIs, if supported by the disk file system, unicode APIs only. Fixed a problem deleting empty directories after copying. Fixed a problem with BuildDirList2 with COMPILER16_UP.

4 - The OverbyteIcsXferTst sample has new tabs, 'Single File Copy' to test the CopyOneFile method and 'Zip/Unzipping Files' to test zipping and unzipping that has always been supported by the components but not this demo.

5 - Allow content compression for HTTP and FTP using System.Zlib in newer versions of Delphi instead of the OverbyteIcsZLibObj unit to avoid duplication. Only Delphi 11.1 and later have the same ZLIB 1.2.12 as ICS, so will automatically use System.Zip. Beware a new version of OverbyteIcsDefs.inc is required to allow ZLIB to work correctly, otherwise it will default to using the DLL which is unlikely to be available, it is not in the distribution. So either install the new inc file and customise it, or copy the ZLIB changes to your own inc file.

6 - In TWsocket, added ReceiveTB(var Data : TBytes; MaxLen : Integer = -1): Integer; where MaxLen is optional, to receive TCP data into a TBytes dynamic array of bytes. Also ReceiveFromTB and ReceiveFrom6TB for UDP datagrams. The last release added similar SendTB functions, so buffer pointers and ANSI strings can now be avoided.

7 - Added UTF-8 support to TIcsIpStrmLog, to convert received lines from UTF-8 to Unicode with unicode compilers (as String) and converts sent data to UTF-8. Changed FRxBuffer to TBytes, use SendTB and ReceiveTB methods with TBytes.

8 - Updated OpenSSL to 3.0.7 and 1.1.1s. OpenSSL 3.0.6 was withdrawn shortly after release, we never distributed it.

9 - In OverbyteIcsSslHttpOAuth, added an OAuth2 and Rest Email Microsoft User Authority property to access different user authorities, defaults to 'consumers' but can be changed to 'common' or an Azure Active Directory tenant GUID for corporate accounts.

10 - Added TIcsRestEmail to support OAuth2 authentication to the OverbyteIcsSslMultiWebServ, OverbyteIcsSslMultiFtpServ and OverbyteIcsDDWebService samples, since GMail and Outlook no longer allow old authentication protocols.

11 - In the TIcsInetAlive component, added a new method AliveMethEither so internet alive checking works if either ping or HTTP works, instead of one or the other.

More detailed release notes are at http://wiki.overbyte.eu/wiki/index.php/ICS_V8.70

Angus
-
This will be in SVN next week, seems simpler but needs an extra line of code to check the TBytes length. Angus
-
software research - looking for Delphi5 logging tool SilentDD
Angus Robertson replied to David Dyck's topic in General Help
COM tools of that sort from that era using type libraries were usually aimed at Visual Studio projects, specifically Visual Basic, even if written in Delphi. It was a way of extending the language with features difficult to code in Visual Basic. Also, VBScript used for ASP web applications. Not sure if that will help your searches for the product... Angus -
Delete, Rename file functions with ICS FtpClient
Angus Robertson replied to a topic in Network, Cloud and Web
The old SSL FTP sample has buttons named Delete and Rename which send the FTP command to delete and rename files on an FTP server. But you should really look at the OverbyteIcsXferTst sample which uses more modern techniques so you don't need to worry about sending individual commands, you can ask it to sync a local and remote directory and it will delete old files while copying new or changed files. Angus -
You should be using the TIcsFtpMulti component then you can use the FtpUpOneFile and FtpDownOneFile methods (or process hundreds of files in FtpDownFiles). Look at the OverbyteIcsXferTst.dpr sample. You only need a few lines of code in the application. Angus
-
New OpenSSL releases 3.0.8 and 1.1.1t
Angus Robertson posted a topic in ICS - Internet Component Suite
OpenSSL has released new versions of the two supported branches, 3.0.8 and 1.1.1t, Windows binaries are available in SVN and the overnight zip file and separately from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp These releases fix several security issues in most versions of OpenSSL, one of which CVE-2023-0286 is rated high relating to processing badly formed X509 certificates and X.400 addresses but can only be exploited if CRL checking is enabled, whereas ICS uses OCSP instead. There are other moderate rated security issues which will mostly just crash the application if exploited. Details of all fixed 3.0 security issues are at https://www.openssl.org/news/vulnerabilities-3.0.html Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus -
Can the packages setup be updated for ICS in new versions?
Angus Robertson replied to Geoffrey Smith's topic in ICS - Internet Component Suite
Guess I'm thinking primarily from the perspective of Windows VCL and FMX packages, don't get involved in any other platforms. Angus -
Can the packages setup be updated for ICS in new versions?
Angus Robertson replied to Geoffrey Smith's topic in ICS - Internet Component Suite
The concept of taking the latest packages and modifying them to be acceptable to earlier versions of RAD Studio would seem rather faster and safer than generating all those packages from scratch using templates and rules. Or at least starting from minor modification of the latest packages, such as changing a version name to a macro. The tool would then strip out new XML for platforms according to hard coded rules, depending on when they were supported, and so on. But I've no idea how much the XML schema has changed over the years. Angus -
Can the packages setup be updated for ICS in new versions?
Angus Robertson replied to Geoffrey Smith's topic in ICS - Internet Component Suite
It was the MQTT protocol I was proposing to add to ICS, WebSockets is done and dusted. Angus -
Windows Service, gmail, and OAuth2 blues
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
Yes, as I said yesterday the Refresh Token will often stay valid for months or even years and can be treated like a password and kept securely, but unlike a password it can be revoked at any time if compromised forcing a new interactive login to get a new Refresh Token. Note you have no idea about the life of the Refresh Token, so you must allow for it to be rejected. Angus -
Windows Service, gmail, and OAuth2 blues
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
The OAuth2 Access Token has a short life, for Google it is usually one hour, little point in saving it in a database, unless you are using that to share information between applications. That is why you instead store the Refresh Token and use OAuth2 without interaction to get a new Access Token each time you send an email. Angus -
Windows Service, gmail, and OAuth2 blues
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
Should clarify my last message about the long lived refresh token, this is for a specific admin email account used by the server to call for help when it's unhappy. If the service application needs to send from multiple email accounts, you'll need to be more creative. Angus -
Windows Service, gmail, and OAuth2 blues
Angus Robertson replied to Clément's topic in ICS - Internet Component Suite
Technically, you can use the event you posted to get a new token from the desktop through interaction, ICS V8.71 now uses an internal browser window that makes it seamless. But it's not really necessary, using the same secrets in service and desktop applications, get a refresh token using the desktop and manually paste that to the configuration file for the service, use the IcsLoadRestEmailFromIni function to load it from an INI file per the ICS server samples. The refresh token rarely expires so only needs to be updated if you change the secrets or deliberately invalidate it online. I've been doing this with the IcsMailQueue in my web, rest and FTP servers on all my different servers, all with the same refresh token, for two or three years. Angus -
Indeed, the OverbyteIcsIpStreamLog unit builds text lines by parsing a TByte buffer one character at a time. But many quick and dirty programs accept that TCP sends full packets, like my new WebSocket sample. The other advantage of TByte is avoidance of pointer handling, all those @ and ^ symbols that really have no place in modern applications since they can be abused so easily. Ditto the Move function. ICS simply offers alternatives, choose the easiest to use. Angus
-
From the notes for ICS V8.70 TWSocket: Added ReceiveTB(var Data : TBytes; MaxLen : Integer = -1) : Integer; where MaxLen is optional, to receive TCP data into a TBytes dynamic array of bytes. Also ReceiveFromTB and ReceiveFrom6TB for UDP datagrams. Receiving into a fixed size buffer is slightly more efficient, but TBytes has more RTL support for converting to strings, etc. ReceiveTB will resize the variable up to MaxLen. The new functions are used in the OverbyteIcsIpStreamLog unit, which is how they were tested. Angus
-
Can the packages setup be updated for ICS in new versions?
Angus Robertson replied to Geoffrey Smith's topic in ICS - Internet Component Suite
I accept the package structure for ICS is out of control, with over 280 dpk, dproj and cbproj files I have to update when I add a unit, even updating a single Delphi release is 10 or more packages. But for the same reason, changing it will take days of effort if we continue to support all versions of Delphi back to 7. Ideally an application should have been written years ago to create packages from a master file, as I did for the SSL/TLS root certificate packages, but it never happened. So changing it for ICS V8 is highly unlikely, but very probable for ICS V9 that will only support recent compilers so we can use new language features. Vincent's suggested package rules all make sense, for new projects. I used to create separate packages for my own ICS components without problems, but they are nearly all now part of the ICS distribution. Your MQTT project appears to be branched from the 10 year old https://github.com/pjde/delphi-mqtt and the simple way to avoid package problems in the future would be for the units and sample to be included with the ICS distribution, as I did with the new WebSocket unit recently. Angus -
TIdServerIOHandlerSSLOpenSSL root certificate error
Angus Robertson replied to Sid D's topic in Delphi IDE and APIs
Highly unlikely, it will be the way you have configured the component, probably the wrong certificates or protocols, but no-one can guess what you have done wrong. Ssllabs will keep the host secret if you tick the correct box, and will almost certainly give you clues. Angus -
TIdServerIOHandlerSSLOpenSSL root certificate error
Angus Robertson replied to Sid D's topic in Delphi IDE and APIs
A PCI scan will be for a public server, so why are you hiding the public host name? SSLLabs rates SSL sites and offers extensive advice about certificate errors, server misconfiguration and chain errors. The error you describe sounds like the certificate is issued by an untrusted CA, but no-one can tell without seeing it. Angus -
ICS has a proxy server sample that includes logging and headers and optionally bodies, I've used it for debugging SSL connections. You can even fake a server SSL certificate (and some anti-malware packages do, to intercept SSL sessions) if you can not originate in HTTP. Angus
-
WinPCap development ceased a few years ago, it was taken over by Npcap which is used by most network sniffing software, including Wireshark which is the leader. I wrote a Delphi sample packet sniffer using WinPCap and Npcap many years ago, very basic really needs better filtering and IPv6 support, must spend some time on it. Angus
-
How to connect to wss:// server ?
Angus Robertson replied to wright's topic in ICS - Internet Component Suite
I've built the ICS V8.70 and now V8.71 packages on Delphi 11.2 dozens of times since September when it was released. The new WebSocket units are only in SVN and the overnight zip, not V8.70. The package says 11.0 because Embarcadero changed the naming scheme when releasing the first update to 11, but works with all versions of 11. Sorry, no idea why it wants to rebuild the RTL package. Angus