Angus Robertson

Look at the IP addresses, totally different for control and data channels.  Perhaps you are accessing FTP via a NAT router that can cause problems. 

Angus

If you allow an HTTPS request to be made, you must load OpenSSL before that happens. 

Or use the modern component TSslHttpRest which handles all the SSL stuff for you.

Angus

I assume you are talking about a websocket client component, there is such a new component in ICS V8.71 not released yet but can be downloaded from the overnight zip or SVN. 

The new client is in OverbyteIcsWebSocketCli.pas with a sample in OverbyteIcsHttpRestTst.dpr (because it descends from the HTTP REST component). 

It's been tested against a couple of public websocket servers, and both of the ICS server implementations, one is new and built into the multi web server sample.  It's also running on one of my public web sites, which the sample tests against.

Angus

Much of my code is similar to yours, except it uses different methods that do vastly more complicated things than the simple methods in the older component.  Just build it and run it, with a log window, and it will just download a file.  Or you can run the OverbyteIcsXferTst.dpr sample that does the same thing.

It will be in SVN in a few days when I've done more snippets.

Angus

Uses   OverbyteIcsWsocket, OverbyteIcsFtpcli, OverbyteIcsFileCopy, OverbyteIcsFtpMulti;

procedure TSnippets.AddLogText(const Line: String);
begin
    LogWin.Lines.Add(Line);
end;

procedure TSnippets.onXferEvent (LogLevel: TIcsCopyLogLevel ; Info: string ; var Cancel: boolean) ;
begin
    if (LogLevel = LogLevelInfo) or (LogLevel = LogLevelFile) then
    begin
        AddLogText (Info) ;
        LabelProgress.Caption := Info ;
    end ;
    if (LogLevel = LogLevelProg) then
    begin
        if Info <> '' then
            LabelProgress.Caption := 'Progress: ' + Info
        else
            LabelProgress.Caption := '' ;
    end ;
    if (LogLevel = LogLevelDiag) and ShowDiags.Checked  then
        AddLogText (Info) ;
    if AbortFlag then
        Cancel := true ;
end;


procedure TSnippets.doFtpDownOneFileClick(Sender: TObject);
var
    FtpMultiClient: TIcsFtpMulti ;
    taskres: TIcsTaskResult ;
    myftppath, myftpfile, myfiletarget: String;
    myftphost, myftpusername, myftppassword: String;
    myftptype: TFtpType;
    myfilereplace: TIcsFileCopyRepl;
begin

// parameters for the single FTP download operation
    myftppath := '/testing' ;        // FTP server path for file
    myftpfile := 'speed50meg.zip';   // FTP file to download
    myfiletarget := IncludeTrailingPathDelimiter(DirTemp.Text) + myftpfile;  // where we download to
    myftphost := 'ics.ftptest.org' ;   // supports IPv4 and IPv6
    myftpusername := 'anonymous' ;     // no uploads
    myftppassword := 'icssnippets' ;
    myftptype := FtpTypeAuthSslBoth;  // or FtpTypeNone, FtpTypeConnSslBoth  (no SSL or only SSL)
    myfilereplace := FCReplAlways;    // or FCReplNever, FCReplNewer

// create component and events to see progress
    FtpMultiClient := TIcsFtpMulti.Create (self) ;
    FtpMultiClient.CopyEvent := onXferEvent ;
    doFtpDownOneFile.Enabled := false ;
    AbortFlag := false ;
    LabelProgress.Caption := '' ;
    try
        try
         // essential FTP parameters
            FtpMultiClient.SocketFamily := sfIPv4;  // or sfIPv6 or sfAny
            FtpMultiClient.HostName1 := myftphost ;
            FtpMultiClient.FtpType := myftptype ;
            FtpMultiClient.UserName := myftpusername ;
            FtpMultiClient.PassWord := myftppassword ;
            FtpMultiClient.MaxAttempts := 2 ;  // logon attempts, may try IPv6 then IPv4
            FtpMultiClient.FailRepeat := 2 ;   // retries for failed xfers
            FtpMultiClient.PassiveX := True ;  // must be after connection type
            FtpMultiClient.FtpSslVerMethod := ftpSslVerBundle;  // or ftpSslVerNone to skip checking certificates
            FtpMultiClient.FtpSslReportChain := False;  // true to list SSL certificates
            FtpMultiClient.SrcDir := '/' ;   // required
            FtpMultiClient.BulkMode := BulkModeDownload ;   // required

          // connect, login, get features
            taskres := FtpMultiClient.FtpLogon ;
            if taskres = TaskResOKNew then
            begin
                taskres := FtpMultiClient.FtpDownOneFile (myftppath, myftpfile, myfiletarget, myfilereplace) ;
            end ;
            AddLogText ('Task Result: ' + IcsGetTaskResName (taskres)) ;
            AddLogText (FtpMultiClient.ReqResponse) ;
        except
            AddLogText ('FTP Error - ' + IcsGetExceptMess (ExceptObject)) ;
        end ;
    finally
        FtpMultiClient.FtpLogoff ;
        FreeAndNil (FtpMultiClient) ;
        LabelProgress.Caption := 'FTP Completed' ;
        doFtpDownOneFile.Enabled := true ;
    end ;
end;

This code is from a new ICS snippets application that has simple examples of many common ICS tasks, this one downloads a single file using SSL from one of my public FTP servers, using the modern TIcsFtpMulti component.  It only needs a couple more properties and it will download multiple directories of files.

Angus

Most ICS high level protocol components provide both sync and async methods, the former are often easier to work with for many applications. 

Impossible to say why the presented code is not working, since there are no given parameters or any logging of what the component actually does. 

It is also the old way to create FTP applications.  You should build the sample OverbyteIcsXferTst.dpr which uses the modern TIcsFtpMulti component.  Look at the Single FTP tab and the

doFtpDown1Click method which shows how to download a single file, although it is just as easy to tell it to download a complete directory structure of thousands of files,

I appreciate OverbyteIcsXferTst.dpr is a complex sample illustrating several different components, I'll do a simple FTP snippet later today. 

Angus

LocaleCharsFromUnicode was available in XE2 so is now used from that version.  A lot of conditional code has now gone. 

Angus

OpenSSL has released a new version 3.1.0, Windows binaries are available in SVN and the overnight zip file and separately from

http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp

This is a minor release that does not require a new version of ICS, the main improvement is a FIPS 140-3 compliant FIPS Provider, 3.0 was FIPS 140-2.  Note the ICS Windows build can not be FIPS approved.  There have been numerous performance improvements implemented compared to the OpenSSL 3.0 release.
 
Plans for future OpenSSL releases are at: https://www.openssl.org/roadmap.html

Angus

Quote

System module already have crossplatform versions of functions WideCharToMultibyte and MultiByteToWideChar.

Now perhaps, maybe not 10 years ago when this stuff was written, but I'll bring the unit up to date shortly.

Angus

ICS V9 is https://svn.overbyte.be/svn/icsv9/

But maybe I've set permissions for private access until more of it is completed. 

Angus

There is a Linux package that allows me to fix non-Windows build issues since I don't have any Apple hardware so not allowed to build for that. 

But the low level messaging functions are MacOS specific and simply don't work on Linux, so sockets don't work. 

There is an ICS V9 in SVN which does work on Linux, but so far only socket samples, no protocols yet, needs a lot of work.

Angus

ICS is nor currently supported on Linux, only MacOS.  A new V9 version plans Linux support, but it is a long way from release. 

Some of the ICS functions may work on Linux, in OverbyteIcsUtils.pas please note the comment 'Charset conversion functions optionally may use GNU iconv library (LGPL) by explicitly defining conditional "USE_ICONV".  Otherwise ICS attempts to use Windows APIs or just dies.

Angus

The new websocket client component does not have a public or private Timer property, you will need to be more specific. There is FPeriodicTimer but that is internal use. 

Angus

Looking at the OverbyteIcsHttpRestTst sample, it seems client certificate was never tested since the private key is not loaded, it needs a one line change.   Client certificates were originally tested with an older sample.   Even with the fix, it would not have worked unless PemTool can see the private key. 

I'm improving both samples at the moment with more error handling, will be in SVN within a couple of days. 

Angus

Quote

private key was None

So your real problem is a private key that OpenSSL does not recognise or is for a different certificate. 

Without seeing the actual files, no-one can help you.  That is why I suggested asking your supplier for a bundle file so the files can not get mixed up.

You can email them to me, original files not the bundle you created and I'll check.

Angus

The ICS SMTP and MailQueue components will send email using Office365, again provided all the permissions are set in Azure.  Look at the OverbyteIcsMailQuTst.dpr sample which allows two different SMTP servers to be specified and will retry both multiple times to send email.

In Azure, set Supported account types to All Microsoft account users, then in Graph permissions enable all of these (probably too many...);

email, Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, offline_access, openid, POP.AccessAsUser.All, profile, SMTP.Send, User.Read 

REST, SMTP and POP3 should then work with OAuth2.

Angus

Almost certainly your REST email problem is down to the complexity and multitude of Azure permission settings.  Hard to be specific without knowing the email account type, that must match the permissions. 

I've tried to explain it as best I can in the 'Google and Microsoft OAuth2 Email Application Accounts' comments in the OverbyteIcsSslHttpOAuth.pas unit,

Angus

I used shared memory 20 years ago, but there is no queuing as such. 

So my later applications use sockets, specifically the ICS IP Log Streaming Component that handles all the connection and retries if lost (when the service stops) with minimal application code and events, with my own simple ASCII protocol on top for different messages.  Being TCP, queuing is automatic, buffer sizes permitting.  ICS has a sample that illustrates this.

Angus

The ICS download page is http://wiki.overbyte.eu/wiki/index.php/ICS_Download

The latest is V8.70 which added more features for Office 365 User Authorities. 

Angus

ICS will open PKCS7 files as well, but they are usually certificates only, no private key.  If you have a P12 file, that is the same as PFX, use it as the bundle.

The SslCliCert property of the TSslHttpRest component can be loaded with certificate and private key from separate files, with the LoadFromPEMFile() and PrivateKeyLoadFromPemFile() methods, but this is not done in the sample since a bundle is safer, once you have a bundle. 

The PEM Tool will also open all these files and save a bundle file, look at the Create Certificates tab.  There are dozens of fields and buttons because there are so many options, But you just need to specify Cert File, click Load Certificate and it will be displayed in the yellow box, then Prv Key File, click Load Key and it will be displayed, then Inter Certs Fiie, click Load Inters, and you should now see all three components displayed.  At the bottom, specify PEM Certs File and PKCS12 Certs File, tick Save Private Key in Cert File and Save Inter Certs, then click Save PEM Cert and save PKCS12 Cert and you will have two new bundles.  

You don't need anything else, but this tool will also create new certificates, private keys and certificate requests, and sign requests to issue private certificates for LANs. It will also install certificates into the Windows store and display the various stores and read the contents.

Angus

If the private key contains a public key that matches the public key first certificate, the tools will say so.  If you built the PEM file by hand, it could be failing because you missed a single character somewhere, done that myself.  But without the real certificates, this is all guess work. 

You really should ask the API supplier to provide a proper bundle file, ideally PFX/PKCS12 format (which Windows also prefers) which is harder to corrupt.

Angus

Usually the private key is placed after the certificate in the bundle file, otherwise tools would have to look ahead at all certificates in the file. 

Angus

Not seen five year code signing certificates before, my Sectigo certificate does not expire for another two years and there is nothing to stop me using ir during that time.  Once signed, it is not possible to know how it was done, unless Windows keeps a database of intermediates and dates or something. 

SignMyCode does appear to offer prices very similar or cheaper than K-Software for Sectigo,, but never heard of them before, hope it is not a scam. 

I'd avoid the even cheaper Certera code signing certificate unless you find out who actually issues it. 

Angus

Never heard of Exchange Web Service protocol, but ICS has a TIcsRestEmail component that uses the graph.microsoft.com/v1.0/me/sendMail API, there is a sample in OverbyteIcsHttpRestTst,dpr.

Angus

I renewed with K-Software a year ago and don't seem to have noted which URL created the private key, but it probably worked with Firefox which is my standard browser.  There are only a couple of sites I need to use Edge to access. 

Angus