Everything posted by Angus Robertson
-
So you are looking for the friendly names for serial COM ports? There are various methods to find them, depending on how they were installed:
1 - Enumerate HKLM\HARDWARE\DEVICEMAP\SERIALCOMM registry
2 - Enumerate Device Installation Class 'Ports' which finds most serial ports including USB
3 - Optionally add Disabled 'Ports' (hardware not currently installed)
4 - Enumerate Device Installation Class 'CNCPorts' (used by com0com serial port emulator)
5 - Enumerate Device Installation Class 'Modem' which finds USB and internal modems
I have an old component that does all this, never got around to publishing it, maybe in December. Angus
-
You would be better starting with the OverbyteIcsHttpRestTst.dpr sample, even if you don't actually make use of the REST features. The TSslHttpRest component is a high level version of THttpCli that bundles all the extra components for extra functionality, including SSL configuration and certificate validation with a root bundle, SSL session caching, content compression, content code page decoding, persistent cookies, Json handling, logging, client SSL certificate. You ignore SslContext and SslVerifyPeer, and just set CertVerMethod to CertVerBundle or CertVerWinStore and all the chain checking is done for you. You still need to implement your SSL pinning in your own onHandshakeDone event, checking whatever aspect of the server certificate you have been given. My very brief reading about HPKP suggests you hard code a hash of the public key, not a hash of the certificate, so you will need to calculate that yourself, ICS does not have a method to get that hash. But all browsers have abandoned HPKP so I'm not sure what you are trying to achieve. If you are trying to ensure your SSL connection has not been intercepted by an SSL proxy or firewall that has generated a fake local SSL certificate, you can check the server certificate is signed by the expected root authority, although the chain should fail verify anyway if you are using CertVerBundle with the ICS built-in bundles since they won't include the private root certificate used to fake the SSL certificates in the proxy or firewall. Beware this is my understanding of how SSL certificates are faked, I've no direct experience of such corporate environments. Angus
-
ICS does not provide any built-in support for HTTP Public Key Pinning (HPKP), which is now deprecated in favour of Certificate Transparency. Most client applications should set SSLVerifyPeer since this causes the server certificate chain to be checked against the roots you supply, with the onHandshakeDone event being called, you can then check your pinning public key hashes or Certificate Transparency server in that event. Support for Certificate Transparency is on the ICS wish list, it involves checking the SSL certificate received from the server for the URL of the CT server, then doing another HTTPS request to that server and checking the response, so can cause a significant overhead in performance unless a local database is used to cache results, and then periodically updated. But no-one has ever asked for Certificate Transparency or HPKP support before, so not done anything. Angus
-
active FTP confusion (how is this even possible?)
Angus Robertson replied to merijnb's topic in ICS - Internet Component Suite
I have tested the threaded multi FTP component with hundreds of simultaneous sessions to the ICS FTP server, but not using a tiny pool of 10 ports, as I thought I explained clearly. I would have been mostly testing SSL which always uses passive mode. That tiny port pool and always starting from the beginning of the pool is your design failure in attempting to support multiple sessions. Sure the component handling of in-use ports could be better, but should rarely be needed in well designed applications. Angus -
active FTP confusion (how is this even possible?)
Angus Robertson replied to merijnb's topic in ICS - Internet Component Suite
Which resets the port pool to the start, it is not necessary to continually recreate components. As Remy pointed out, Windows can listen on the same port more than once deliberately, but applications are mostly written to avoid that happening and use unique ports. Your use of the component is exposing the difficulties in handling these errors. The solution is to use the component properly so that errors don't happen, as I've tried to explain. I will update the FTP client with ExclusiveAddr to stop duplicate listeners, but you should not rely on this. Angus -
active FTP confusion (how is this even possible?)
Angus Robertson replied to merijnb's topic in ICS - Internet Component Suite
ICS does have a property ExclusiveAddr which sets SO_EXCLUSIVEADDRUSE, but it's not used by the FTP client, mostly by servers. FTP client is really half client, half server in active mode. I've still not had a proper response to how this application is designed, but it sounds like there are multiple instances of the FTP client running in the same thread, sharing a small pool of 10 ports, and each client starts from the beginning of that pool for each transfer getting errors if the port is in-use, then trying the next port. If it was a single client, the ports would simply increment each time, ditto if Windows was allowed to assign the port. This scenario really requires a common port pool between clients, but nobody has reported this problem before. But I'm not looking at this further until I understand what problem we are trying to fix. One simple solution is for each FTP client to use a separate range of 10 ports, 21001 to 21010, 21011 to 21020, etc. That avoids all conflicts and errors. Angus -
active FTP confusion (how is this even possible?)
Angus Robertson replied to merijnb's topic in ICS - Internet Component Suite
So you may have several copies of your FTP application running at the same time, uploading to the same server in parallel? Why not run a queue so the files are uploaded sequentially? Angus -
Is Graphics32 ready for Delphi 11 yet?
Angus Robertson replied to RCrandall's topic in Delphi Third-Party
It would be really cool if Embarcadero broke with tradition of ignoring anything older than one year and included a unified include file that provides all the conditions that numerous third party libraries need to keep supporting multiple compilers, which Embarcadero then updated and included with each new release. We could even write it for them. Component vendors would need a one-off update to the new format, and to include the initial version for the existing users, but would no longer need to keep updating their own versions. Angus -
active FTP confusion (how is this even possible?)
Angus Robertson replied to merijnb's topic in ICS - Internet Component Suite
What is your FTP actually attempting to do? Download from multiple FTP servers at the same time? In one thread? It's unlikely I'll have time to investigate this or look at your logs or code unless this is a widespread problem. Angus -
If you want to avoid third party components, you are stuck with TNetHTTPClient which is a bare bones solution requiring extra code. That is why there are several better third party components, some free, some expensive. I support the free ICS which has a forum here, it includes a component that accesses the GMail API with OAuth2, most other Google APIs are probably similar in concept. Angus
-
TNetHTTPClient uses different technologies on different platforms. Never used it myself since it did not exist 20 years ago when I started writing internet applications, but understand it uses SChannel for SSL on Windows, so capabilities will vary dependent upon Windows version. I have a lot of problems with IIS SSL on Windows Server 2012, each time Windows Update runs and I reboot, I lose all my ECDSA ciphers and the web server does not start since I use ECDSA certificates. Those are the sort of support headaches you get from using the native functionality and why most people use alternates. Angus
-
Which Delphi HTTP client component are you talking about? There are many different ones from component packages. Angus
-
If you want to avoid OpenSSL DLLs, you can buy YuOpenSSL from https://www.yunqa.de/ which is separate compiled DCUs for Delphi 5 to 11.0, offering the two latest OpenSSL releases for 1.1.1 and 3.0. Available for ICS, Indy and Synapse. With ICS, you just change a define, and YuOpenSSL works without any other code changes. While using the OS HTTP client may seem easier, you may hit limitations or bugs that take years to get fixed, like access to new protocols like TLS/1.3. Angus
-
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
Suggest you follow the recommendations previously suggested, like reporting logs without SSL, or using the OverbyteIcsXferTst sample instead. Some of the things you've reported simply can not happen, like opening old OpenSSL DLLs with the current ICS version, so something is seriously wrong. Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
GetIt has ICS V8.67, but only for the last couple of Delphi releases, they don't update for out of support releases. If you downloaded OpenSSL 3.0 separately, that is the version that would be reported, ICS no longer opens the 1.0 DLLs, so you are still picking up something ancient randomly installed on your PC. Angus -
bugfix OverbyteIcsWSocket.TCustomWSocket.Listen()
Angus Robertson replied to merijnb's topic in ICS - Internet Component Suite
Thanks, updated my copy, should be in SVN in a few days. Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
Something is very wrong, OpenSSL can not report 1.0.2 for the 1.1 DLLs. Make sure you have the latest libcrypto-1_1.dll and libssl-1_1.dll in the same directory as the exe, which can be fun with modern versions of Delphi that use lots of project sub-directories. Otherwise ICS may open random versions of OpenSSL that are in the Windows path. To avoid this, set GSSL_DLL_DIR to your application directory before loading OpenSSL, as happens in the OverbyteIcsHttpsTst sample. Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
All those OpenSSL versions are very old, current versions of ICS don't even support 1.0.2. The long term support version is 1.1.1.12 which is correctly known as 1.1.1l, there is also 3.3.0 now but that is very new. The ICS V8.67 download includes 1.1.1l so I'm guessing you are using old ICS as well. You really need to get up to date. The OverbyteIcsHttpsTst sample illustrates version logging, in this case whether we are using OpenSSL DLLs or statically linking the YuOpenSSL DCU from https://www.yunqa.de/.

    LoadSsl;
    if NOT GSSLStaticLinked then begin
        { DLL build: report which file was opened and the version it gives }
        if NOT FileExists (GLIBEAY_DLL_FileName) then
            DisplayMemo.Lines.Add('SSL/TLS DLL not found: ' + GLIBEAY_DLL_FileName)
        else
            DisplayMemo.Lines.Add('SSL/TLS DLL: ' + GLIBEAY_DLL_FileName + ', Version: ' + OpenSslVersion);
    end
    else
        { static build: only the version is available }
        DisplayMemo.Lines.Add('SSL/TLS Static Linked, Version: ' + OpenSslVersion);

Your original problem appears to happen the moment OpenSSL is loaded so something is probably corrupted, changing SSLType should have moved the error elsewhere which is why the logs are important. Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
What did the log show when you turned off SSL? The component would no longer be sending the AUTH TLS command where it currently stalls. It's best if applications log the OpenSSL version, although the FTP sample doesn't, because often it's not loaded since SSL is not used, and you can not get the version until it's loaded. But you should know what version you are distributing! Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
It's not a firewall issue, the server is simply failing to negotiate SSL without any errors, so nothing to diagnose. You could try changing to sslTypeImplicit so it connects to port 990 instead, or reducing the SslCliSecurity level to see if any older protocol works. Are your other clients connecting to the same server with the same settings? Which version of OpenSSL? Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
The onCopyEvent is specifically a logging event, with multiple outputs at different levels, fully illustrated in the OverbyteIcsXferTst sample where lots of stuff flashes past on the screen. All the new high level components I've added in the last two or three years have a single similar logging event, to avoid needing to add logging into different specific events and format the data. Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
The IcsLogger is primarily for internal SSL development and testing, not for end user applications. I need to see the component log from the event handler I mentioned which probably has an SSL after the AUTH TLS is sent. BTW, it is quite hard to turn off the Windows Defender Firewall, the service manager does not allow you to stop the service, you have to change a registry setting. Turning it off in the GUI may be ignored. If you email I'll send the firewall unit, the delay is writing documentation and web pages for a few pending components. Angus -
Problems connecting FTPMultiClient with Explicit TLS?
Angus Robertson replied to Nathan Wild's topic in ICS - Internet Component Suite
You need to implement logging in the component, using onCopyEvent, see the sample application for an example, which logs all the FTP commands, responses and errors, that is the only way to diagnose FTP issues. As Francois said, almost certainly Windows firewall or a network router blocking the FTP protocol. I wrote a unit MagFireWall a couple of years ago which lists and adds firewall rules (admin access required), should really put it on my web site, next month. Angus -
Reinstalling Delphi 10.4 after PC Crashed
Angus Robertson replied to misc_bb's topic in General Help
The most affordable disk image solution is the one that comes with Windows 10/11, 'Backup and Restore (Windows 7)' which does full images every night here. Angus -
RAD Studio 11.0 Support
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Thanks again for the C++ changes, they are all now done and in SVN and the overnight zip, so ICS should install correctly on C++ Builder for 10.4 and 11.0. Angus