Everything posted by Angus Robertson
-
In June 2022 Google stopped accepting traditional authentication methods for its SMTP and POP3 email servers, instead requiring OAuth2, and I believe Microsoft is doing the same from October 2022.

The main difference with OAuth2 is the application does not store the account password so is unable to share it. Instead the user is directed to a sign-in web page from Google or Microsoft where the account details are entered and the application receives limited life tokens that are used instead of the password. For this to work, the developer needs an application account at Google or Microsoft to obtain an application client ID and secret, which need to be saved securely and sent as part of the OAuth2 sign-in. In theory, Google and Microsoft need to approve applications using the account client details, and will give warnings during sign-in after a grace period.

If sign-in works, the application receives an access token usually with a life of a few hours, and a refresh token that may be stored securely like a password and may have a life of several months and which may be used to obtain a new access token without a new sign-in. Note the refresh token may be cancelled at any time requiring a new sign-in. The refresh token may also be shared between different applications using the same client details and email account, for instance with servers where interaction is not possible.

ICS added support for OAuth2 with version V8.65 in November 2020 to the TSslSmtpCli, TSslPop3Cli and TIcsMailQueue email components, by adding the TIcsRestEmail component to projects with some extra code, as illustrated in the samples OverbyteIcsMailQuTst, OverbyteIcsSslMailSnd and OverbyteIcsSslMailRcv. But the ICS server samples using email were not updated at the time, so have now been done for the forthcoming V8.70 release which is available from SVN and the overnight zip, OverbyteIcsSslMultiWebServ, OverbyteIcsDDWebService and OverbyteIcsSslMultiFtpServ.

Since other developers may similarly need to add OAuth2 support for email applications, this is a quick guide.

1 - For the TSslSmtpCli, TSslPop3Cli or TIcsMailQueue component, add an onOATokenEvent handler.

2 - Drop a TIcsRestEmail component named IcsRestEmail and add onEmailNewTokenEvent and onEmailProgEvent handlers. The LoginTimeout property defines how long the component will wait for an interactive browser OAuth2 login, if necessary, defaulting to 30 seconds. If this happens the onEmailNewTokenEvent is called allowing the application to save the new refresh token to avoid further interaction.

3 - In the onOATokenEvent event, call the IcsRestEmail.GetNewToken method and set the handler properties Token, TokExpireDT and TokAccount, see any of the samples.

4 - Set the IcsRestEmail component properties RestEmailType, ClientId, ClientSecret, and RefrToken, there is a function IcsLoadRestEmailFromIni that does this from an INI file for the server samples (without encryption).

5 - Set SMTP AuthType to smtpAuthXOAuth2 or POP3 AuthType to popAuthXOAuth2 with the appropriate host. This causes onOATokenEvent to be called when an access token is needed.

Angus
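The token handling described in the post above, modelled in Python as an added example that is not part of the original post and is not ICS code: reuse the cached access token, fall back to the refresh token, and only then to an interactive sign-in, saving any new refresh token. The names `TokenState`, `get_access_token` and `xoauth2_initial_response`, the callback signatures and the `PermissionError` convention are assumptions made for illustration.

```python
import base64
import time
from dataclasses import dataclass

@dataclass
class TokenState:
    access_token: str = ""
    expires_at: float = 0.0   # epoch seconds when the access token lapses
    refresh_token: str = ""   # long-lived; store it as carefully as a password

def get_access_token(state, refresh, interactive_login, save_refresh_token,
                     now=None, skew=60):
    """Return a usable access token, doing the least intrusive thing that works.

    refresh(refresh_token) and interactive_login() are caller-supplied and
    return (access_token, lifetime_seconds, refresh_token_or_None).
    refresh() raises PermissionError when the provider has cancelled the
    refresh token (hypothetical convention for this sketch).
    """
    now = time.time() if now is None else now
    # 1. Reuse the cached access token unless it is within `skew` seconds of expiry.
    if state.access_token and state.expires_at - skew > now:
        return state.access_token
    # 2. Try the stored refresh token: no user interaction required.
    result = None
    if state.refresh_token:
        try:
            result = refresh(state.refresh_token)
        except PermissionError:
            result = None  # cancelled: only a new sign-in can recover
    # 3. Last resort: interactive browser sign-in.
    if result is None:
        result = interactive_login()
    token, lifetime, new_refresh = result
    state.access_token, state.expires_at = token, now + lifetime
    # Persist a newly issued refresh token so the next run avoids step 3.
    if new_refresh and new_refresh != state.refresh_token:
        state.refresh_token = new_refresh
        save_refresh_token(new_refresh)
    return token

def xoauth2_initial_response(account, access_token):
    """Base64 SASL XOAUTH2 string sent in place of a password."""
    raw = f"user={account}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")
```

On an unattended server there is no browser, so `interactive_login` should raise and alert an operator instead of waiting for a sign-in that cannot happen.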
-
ICS Email and OAuth2
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I never set up 2FA unless I cannot avoid it. The 'Google App Password' concept seems like a bodge, effectively it's an App Token being used without client secrets, so legacy applications can cope, I assume mainly for large corporates. Angus -
ICS Email and OAuth2
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I have two Gmail accounts, one had high security and always required OAuth2, the second I never upgraded and worked with plain authentication until June 2022 when password authentication started failing. So my experience is that plain password support was automatically removed without my changing anything. Do you have a Google reference that states in what circumstances plain passwords are supported? Angus -
I guess there is more than one component called TComPort, I was referring to the Winsoft version, but that seems to be called ComPort. A quick search of TComPort does not find any setupdi functions. Nor support for modern compilers. Angus
-
TComPort is a commercial component, you should have the source code, so you can check if it uses SetupDiGetDeviceProperty and remove it and any other similar functions that XP does not support. Angus
-
What Delphi component are you using to log data, a serial port component? It's possible the Delphi component is calling SetupDiGetDeviceProperty, one of my serial port components uses SetupDiGetDeviceRegistryProperty from the Jedi library SetupApi.pas. My Jedi version does not include SetupDiGetDeviceProperty, but it's possible a later version might. You might be able to just remove it from the library unit. Angus
-
New OpenSSL releases 3.0.5 and 1.1.1q
Angus Robertson posted a topic in ICS - Internet Component Suite
OpenSSL has released new versions of the two supported branches, 3.0.5 and 1.1.1q, Windows binaries are available from http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp . OpenSSL 3.0.5 fixes a serious bug on some X86_64 CPUs in 3.0.4, a version we never released. Also a moderate security bug relating to AES OCB encryption, but this is not used by TLS ciphers. Also a moderate security bug with the c_rehash script that allows command injection, we don't use that either. OpenSSL 1.1.1q fixes the AES OCB and c_rehash bugs. Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs. Angus -
How to prevent window title bar height changes when app is maximized
Angus Robertson replied to jimsweb's topic in VCL
Never noticed that behaviour in Windows before, but it is obvious when you look closely. I assume it was introduced when Microsoft decided Windows should have curved corners rather than rectangular, so perhaps style related. Angus -
'Colin Wilson's Components' I'm afraid, he had several different packages of low level components, all open source. Angus
-
20 years ago Colin Wilson offered a wide range of low level Windows NT components, all free, his web site http://www.wilsonc.demon.co.uk/ disappeared years ago, but you'll still find his components on Torry and such places. Certainly Net Users, Groups, Servers, etc, but this might predate active directory. Angus
-
An Authentication object was not found in the SecurityContext
Angus Robertson replied to karel_janecek's topic in ICS - Internet Component Suite
Can you please confirm you are using ICS V8.69? I did a major rewrite of Digest authentication in that version to support modern standards, including adding authentication to the three main HTTP client samples and extensive testing with ICS servers, but not Apache. Angus -
An Authentication object was not found in the SecurityContext
Angus Robertson replied to karel_janecek's topic in ICS - Internet Component Suite
No idea what order you are making those requests, but you only send authentication in Sopaui2request.txt which works fine. Authentication has nothing to do with TSslContext. Angus -
TSslWSocket instead of TWSocket
Angus Robertson replied to Droesjba's topic in ICS - Internet Component Suite
If you connect to an SSL server, several events may be called to allow you to check ALPN and SSL certificate chain, but they are optional. There are several SSL demos that illustrate all this. Angus -
An Authentication object was not found in the SecurityContext
Angus Robertson replied to karel_janecek's topic in ICS - Internet Component Suite
The response from the server is slightly misleading, context does not refer to the ICS context component, but to the server itself being unable to authenticate the request, thus the 401 error. So the real error could be a bad login or password, or the server requires authentication in a different way to the clear text basic authentication you are using, which is rare in the modern world. Angus -
Indy OpenSSL static linking
Angus Robertson replied to danielKishlakov's topic in Network, Cloud and Web
YuOpenSSL is C code compiled into a Delphi DCU, it is not a translation of C to pascal code. There are several other C libraries similarly built into Delphi, like ZLIB. But you can not just download OpenSSL from Github and compile it for Delphi, some magic is required, and that required a lot of effort to achieve. Angus -
ICS V8.69 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Sorry for the delay, ICS V8.69 is now available for automated install from GetIt for Delphi 10.4 and 11. Once installed, you should find the SSL demo sample group in a directory similar to: C:\Users\angus\Documents\Embarcadero\Studio\22.0\CatalogRepository\ICS_FMX-8.69-11\Samples\Delphi\SslInternet\SslDemos.bpg Angus -
Indy OpenSSL static linking
Angus Robertson replied to danielKishlakov's topic in Network, Cloud and Web
YuOpenSSL is supplied as dozens of compiled DCUs for Delphi 6 and later, with Win32 and Win64 versions. I'm told a lot of preprocessing of the original OpenSSL code is required before it will compile, for instance there is heavy use of macro expansion statements that need converting into pure C. But this is automated, and new versions of YuOpenSSL usually appear within hours of a new OpenSSL release, one is due next week. The original OpenSSL can be built for multiple platforms, but I guess doing so for Delphi is a commercial decision, depending on demand. BTW, I'm just a YuOpenSSL user, it's not my project. Angus -
Indy OpenSSL static linking
Angus Robertson replied to danielKishlakov's topic in Network, Cloud and Web
There is a commercial solution to statically linking OpenSSL with three different Delphi internet components from https://www.yunqa.de/delphi/products/openssl/index But they don't support OpenSSL 1.0.2 which is long obsolete and has no recent security fixes. But YuOpenSSL includes a new Indy OpenSSL 1.1.1 IOHandler so it can handle TLSv1.3 and YuOpenSSL supports OpenSSL 3.0 for ICS. Angus -
RFC 9114 for HTTP/3, aka QUIC/UDP has only just been released. Earlier versions of QUIC are supported in various browsers, but are really only beneficial for complex web pages with hundreds of elements, not sure how relevant to the users of ICS, no-one has ever asked for HTTP/2. There is a fork of OpenSSL by Google, Microsoft and Akamai supporting QUIC, but the committee did not like the design and refused to merge it, instead starting a fresh QUIC design: https://www.openssl.org/blog/blog/2021/12/03/starting-the-quic-design/ No specific news about a release date, although lots of activity on GitHub, so probably months away from release. Waiting for OpenSSL is probably the safest long term solution for HTTP/3. Angus
-
ICS Delphi DataSnapBridge
Angus Robertson replied to nighthawk2032's topic in ICS - Internet Component Suite
What are you wanting to achieve? Angus -
ICS V8.69 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Sorry, downloading from GetIt is after the web sites, and even longer when I forget to notify them. Angus -
ISuperObject local double conversion problem. {"value":0,22}
Angus Robertson replied to PizzaProgram's topic in ICS - Internet Component Suite
SVN has been updated with a fix to create period decimal points instead of commas, using a simple version of TFormatSettings, thanks for finding this and the fix suggestions. When I changed the test app locale to Hungarian, I noticed the strange date formatting with spaces, fortunately ICS uses its own masks and functions for internal date formats. Angus -
ISuperObject local double conversion problem. {"value":0,22}
Angus Robertson replied to PizzaProgram's topic in ICS - Internet Component Suite
Unfortunately, ICS claims to still support Delphi 7, and I did build V8.69 on it last week to check, so any fixes need to be backward compatible, although there are one or two features not supported on D7. I'll look at this next week, long holiday weekend in the UK. Angus -
ISuperObject local double conversion problem. {"value":0,22}
Angus Robertson replied to PizzaProgram's topic in ICS - Internet Component Suite
That change was to allow the unit to be used on non-Windows systems, gcvt is a Windows API. The dirty way to fix this is to replace a comma with a period immediately after the FloatToText statement, I'll investigate if there is a non-localized FloatToText alternate. Angus -
ICS V8.69 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
If I improve the JSON sample, I'll explain the improvements. Angus