Angus Robertson

Sorry, I don't do C++ so someone else will need to reproduce and fix the error, ideally within the next two weeks for the next release. Angus

The OAuth units were last updated in January, and I've rebuilt the packages dozens of times since, including today. Have you got the ICS source directory in your path? Or perhaps there is something strange about the new community edition. Angus

You need to build the IcsCommonD110Run package, which includes OverbyteIcsTicks64, before the VCL/FMX packages. The 64s refer to Int64, not Win64. Angus

I do test that new releases of ICS still build on Delphi 7, and it did last time several months ago. Not aware it's been broken since, but I will test it again next week. Delphi 2007 gets tested a lot more often. Meanwhile, just comment out anything that does not work, unless you need that feature. Angus

How often are new connections being opened? There is a ListenBacklog property that is supposed to limit the pending queue of unaccepted new connections, before windows rejects new connections. It defaults to 15 in new versions of ICS. I'd also suggest using a thread for long actions, the ICS FTP server does so for certain commands that take a while on massive files. There is also a threaded server component that uses one thread per client, but it's not been tested in several years. I'm planning a new threaded server component to allow use of multiple CPUs,. Angus

I've explained the latest version in SVN will not build on C++, the packages are not complete. You would be better with V8.70. For a web server application, the MsSslUtils and wincrypt units are only needed to support Let's Encrypt certificates, so undefining AUTO_X509_CERTS in OverbyteIcsDefs.inc will avoid all those problems. Angus

There are several points here. The HTTP server does not support OAuth2. The THttpServer component does not even handle SSL. That is TSSslHttpServer. OAuth2 in V8.70 does not support any embedded browsers, and does not use Edge. I've just searched the 560 files in the ics\packages directory, vcl.edge does not appear anywhere, vcledge does appear in packages for the next release only. So I've no idea why your installation requires vcl.edge. Angus

The poster has yet to say which version of ICS he is trying to install. The latest V8.70 release does not access Edge or Web Browser so won't need them. The unreleased SVN and overnight zip version does use Edge, but only has packages for Delphi 2007, 10.4 and 11, nothing for C++ which might explain all the errors. It should be released later this month when the hundreds of package files for dozens of compilers will be updated. Angus

ReceiveTB was added in V8.70 but is used by (I believe) only one other component, not the HTTP applications. What were you building when you got those errors. Although the error message you posted about does not say ReceiveTB but has a strange unicode character embedded. Angus

No quick answer, you are using 10 year old C++ samples with the latest Delphi components. Try undefining AUTO_X509_CERTS, build the library and see if that is any better. Angus

If you only use VCL, you don't need to build or install the common, vcl or fmx libraries, or use any units with fmx in the name. Try CBD101Install.groupproj instead which builds OverbyteIcsCBD101Run and OverbyteIcsCBD101Desgn. Currently there are no CBD packages for later versions of C++ because they have not been contributed by C++ users, but hopefully that will get fixed in May. Angus

The ICS web server supports client certificates, but this scenario seems to be using an old SOAP server that does not support SSL/TLS. Angus

Think there are two issues here: You are probably using an older ICS version that I am, there are a lot of OAuth changes in V8.71 including an embedded window so no browser needed, it is available in the overnight zip and many others are using it but won't be released until late May (and the Delphi 2010 packages are not done yet). There is one bug fix that might be effecting you. V8.71 has been tested by Delphi 2007 so should be okay on 2010. Also I don't really know what errors you are getting since you have not posted any proper logs, you can email them to me, but I'm not going to look closely unless they are from V8.71 and I can reproduce the error. Angus

These are the pertinent arguments from my successful login this morning: &redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmicrosoft%2F&state=ICS-232524578&scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FSMTP.Send%20https%3A%2F%2Foutlook.office.com%2FPOP.AccessAsUser.All&prompt=select_account&access_type=offline You could try removing the URL and just use SMTP.Send. Angus

You got a scope error, so that is the parameter to adjust until it works. Try a single scope without any spaces. The scopes need to match the settings in the Azure account, but you only need those for the current task. Angus

Just signed into my live.com account ok, try using the scope: offline_access https://outlook.office.com/SMTP.Send https://outlook.office.com/POP.AccessAsUser.All Note no escaped spaces, they probably got double encoded. Angus

From your description, I'm not sure how anything is set-up here, or why you are using an OpenSSL tool for testing. The proxy server needs it's own SSL/TLS certificate matching the host name localhost which you seem to have created, but this will fail validation by clients unless those clients have the root certificate installed, Personal Root CA in your case. But this is unrelated to the client certificate which should be installed in the Firefox certificate store, and then validated by the proxy server. Your openssl c_client command line does not have a client certificate which is the reason for the errors. Angus

Thanks, always useful to know new ICS components have been tested in wider environments than my own servers. The final release is planned for May, once one more new sample is finished. Angus

The important word there is 'should', many Windows APIs are considered historic and obsolete but are widely used and supported. Angus

Check the WM_POWER message as well. Angus

ICS V8.66 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio and 10.4 Sydney, and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio and 10.4 Sydney. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets. The distribution zip includes the latest OpenSSL 1.1.1k win32, with other versions of OpenSSL being available from the download page. Changes in ICS V8.66 include: 1 - Added a new TIcsInetAlive component to check for IPv4 and/or IPv6 internet connectivity, using Ping and/or HTTP, defaulting to www.msftconnecttest.com run by Microsoft for Windows 10 alive checking. The online and offline check intervals may be set, and event fires when online state changes. Sample OverbyteIcsHttpRestTst has a demo for new component. 2 - OpenSSL 1.0.2 and 1.1.0 ceased security fix support over 12 months ago so ICS now only supports 1.1.1, with 3.0 support due in the next few months. This removes a lot of legacy code and functions, and several old ICS functions needed for backward compatibility. Two components only used for 1.0.2 have been removed, TSslStaticLock and TSslDynamicLock which may give an error loading forms, until they are removed. SslContext SslOptions is now ignored, use SslOptions2 instead which has more modern options. Can not remove SslOptions because it's saved on too many DFMs. Most modern applications should not be using SslConext, but IcsHosts for servers for high level client components like TSslHttpRest. 3 - Undertook a major clean-up of OpenSSL functions that may require end user application changes if low level OpenSSL functions have been used, hopefully very rarely. All OpenSSL functions have been renamed to their original names removing ICS f_ prefix for commonality with other Delphi applications. Renamed literals BIO_CTRL_PENDING_, CRYPTO_NUM_LOCKS_, CRYPTO_LOCK_, OPENSSL_VERSION_ with underscore to avoid conflicts with functions of the same case sensitive names. Removed unit OverbyteIcsLibeayEx not used for a while. Most OpenSSL type pointers to Dummy array are now simple Pointer type. Changed most OpenSSL var parameters to pointers for commonality. New TSslWSocket method SslOK is TLS/SSL negotiated OK. LoadVerifyLocations no longer lets OpenSSL use default CA folder locations which is potentially a security risk. 4 - Bring server SSL/TLS security levels up to latest Mozilla recommendations. In 2021 Mozilla now recommends TLSv1.3 as modern ciphers and TLSv1.2/1.3 as Intermediate supporting all browsers from last five years, so IcsHosts now use sslCiphersMozillaSrvTLS12 as Intermediate level, also Mozilla recommends no cipher server preference so changed that. Updated SslSrvSecurity levels: sslSrvSecInter, sslSrvSecInterFS and sslSrvSecHigh now all the same TLSv1.2 or 1.3, sslSrvSecTls12Less now TLSv1.2 only, sslSrvSecSsl3 not supported, only sslSrvSecBack supports TLSv1 and 1.1, sslSrvSecTls13Only unchanged TLSv1.3 only. 5 - Added support for YuOpenSSL which provides OpenSSL in a pre-built DCU statically linked into applications, rather than using external OpenSSL DLLs. This make application distribution more reliable since it can not fail by users deleting the DLLs or copying incompatible versions into the directory. YuOpenSSL is a commercial product from https://www.yunqa.de/ and is supplied as separate compiled DCUs for Delphi 5 to 10.4. DEFINE YuOpenSSL in Include\OverbyteIcsDefs.inc determines whether the DCU is linked or the external DLLs. Note only one version of OpenSSL can be linked with YuOpenSSL, whereas different DLLs can be supported. Apart from setting the define and adding a path to YuOpenSSL.dcu, no other application code changes are needed unless you check or report the DLL directory, when GSSLStaticLinked can be checked to see if OpenSSL is statically linked. Also worth noting that YuOpenSSL provides access to the all OpenSSL APIs, while ICS only accesses those DLL APIs needed for functionality we support. 6 - Added a better way of configuring Socks proxy and HTTP Tunnel proxy settings in TWSocket, similarly to that added for THttpCli in V8.62. The new ProxyURL property sets SOCKS or HTTP Tunnel proxy settings using a single URL, ie proto://[user:password@]host:port where proto is socks5 or http. Also added new methods SetSocks and SetHTTPTunnel to set proxy properties in a single call. Socks proxy and HTTP tunnelling again support host names, broken in V8.56. The sample OverbyteIcsSocksTst has been updated to demonstrate use of the new ProxyURL property and also now supports HTTP Tunnel proxy. 7 - TIcsRestEmail has new OAAuthType property and event for OAuth2 browser URL perhaps via email for servers. TIcsRestEmail now sets OAuth2 errors, and clears old tokens. Increased default timeout for TIcsRestEmail AOuth2 login to 120 seconds since several web page warnings may be seen while attempting to login through the web page. 8 - TIcsHttpMulti has a new ParseLevels property that follow links on a parsed web page to lower level pages, which are also parsed, looking for files to download with a specific file extension, ie .avi. It ignores parent links without a file extension, and external links. This allows the component to download files indexed using HTTP from CCTV camera memory cards. 9 - In TSslHttpRest ensure SSL is initialised for non-REST HTTP requests like GET, POST and PUT. 10 - In TSslWSocketServer, added better error handling when IcsHosts SslCert is blank, so SslContext is still created for automatically created self signed certificates. 11 - In TSslWSocketServer, TSslHttpAppSrv and TSslHttpSrv, added new onBeforeCtxInit event which if set is called once before each IcsHosts SslContext is initialised to allow the context parameters to be adjusted for special ciphers or protocols. 12 - In THttpCli, AddrResolvedStr is now still available after the connection closes to report the IP address used for the connection. When using an HTTPS proxy with the CONNECT command don't send host and port which some servers are unable to handle, probably broken with V8.64. 13 - In TIcsMailQueue, added a new method CheckOAuthLogins that should be called before the queue starts when using OAuth2 email logins, which allows interactively checking with a browser of any OAuth2 login credentials, avoids asking for login first time email sent maybe days later. 14 - In TSslX509Certs, When starting the local web server for file challenges, check the server IP address still exists or change to 0.0.0.0, may not work if multiple IPs exist. 15 - Updated to OpenSSL 1.1.1k with two high security fixes, one introduced in the last version relating to a certificate chain validation that ICS does not use, the other relating to servers using TLSv1.2 and renegotiation, and that feature is removed in V8.66.

The new ProxyURL property is currently only for simple proxy servers in the HTTP client component, for SOCKS you set the SocksServer, SocksPort, SocksLevel, SocksAuthentication, SocksUserCode and SocksPassword properties, as shown in OverbyteIcsHttpsTst.dpr sample. As the source comment suggests, the single ProxyURL property could be updated to support more proxy options like SOCKS, but no-one has asked about it before. Angus

Your changes are now in SVN and the overnight zip, with several other DNS query improvements, including support for trying lists of DNS servers where one or more don't respond. It is also easier to access the arrays of different DNS answers. These have all simplified DNS lookups in the Mail Queue and X509 certificate ordering components. Angus

TX509Base has dozens of methods for loading, saving, and examining certificates, but was never properly documented. However, virtually all these properties and methods are used in the OverbyteIcsPemtool,dpr sample, also the TSslCertTools derivative that allows creation and signing of certificates. Angus

The SslCertX509 property is type TX509Base and has methods to load, save and examine the content of the certificate and private key, IsCertLoaded, IsPKeyLoaded and IsInterLoaded say what has been loaded, so in your case nothing because you have not yet called InitContext, only created it in your code snippet. If you just want to examine a certificate text, load it into a TX509Base object instead with the LoadFromTextEx method which will return any errors. Angus