Angus Robertson

We build IcsCommonD110Run almost daily during development of ICS.  Many others have installed it without any errors reported. 

This would suggest you either have a corrupted version of ICS, unlikely since GetIt also failed, or something is strange about your installation.

Angus

The content of the ICS packages has not changed in over 10 years or longer, since Delphi XE2 except for new units being added.  

If you want only VCL you install only the two  OverbyteIcsDxx packages, if you want FMX as well you only install the three IcsCommonDxx packages, as explained in the readme8 file.

Using the install groups is much easier, DxxInstall or DxxInstallVclFmx.  There is a Build Group in modern compilers, so a couple of clicks builds all the packages for Win32 and Win64.

GetIt is the same, VCL only or VCL/FMX. 

Angus

Did Sectigo also ask you for a selfie with your passport?

On a general note, worth mentioning that buying Code Signing certificates will become more expensive and difficult from this autumn when software private keys are banned, you'll need to buy your certificate on a physical dongle probably adding $100 or more to the price, plus shipping and customs hassle for those outside the country where the certificate is sold.  This was the reason I bought a three year certificate earlier this year. 

Angus

Never used Windows Mailslots, don't see any advantage over using sockets, they are limited to messages no more than 424 bytes, and I'd guess are dependent on various network services running.  Microsoft recommends named pipes or sockets as the modern replacement. 

Angus

K-Software support is almost non-existent, totally automated, probably how they are able to offer code signing certificates vastly cheaper than anyone else. 

I bought a three year certificate in January, it all worked, they resell Sectigo, you should get an email from certs@ksoftware.net with a link that starts the process, which is fun since it requires Internet Explorer that has now been discontinued.  Eventually Sectigo will contact you to confirm your personal identity using your passport and the certificate will be issued, that is why I paid $188 for three years ($500 from Sectigo) to put off doing it all again. 

Good luck.

Angus

I have the same opinion of Github, it's fine for complex projects with lots of contributors, but far more complicated than SVN for projects with a small number of trusted contributors. Github may be safer, but at the expense of extra time for project owner merging contributions. 

I only contributed to a Github project once, it was so tedious I now just email the project owner who is welcome to ignore my contributions. 

That is why ICS still uses SVN, which I host on my own public servers (mostly runs itself).  But I'm also retired and not willing to spend much time learning new technology.

Angus

The log shows a single un-authenticated request resulting in a 401 response, no attempt to send authentication or repeat the request.  The sample would have brought up a dialog box asking for a password to be entered and repeated the request.  

Sorry, but there is no point in posting logs that don't illustrate any real activity or problems. 

BTW, beware of posting real authentication details in an open conference. 

Angus

The IcsLogger is designed for low level SSL development, not application protocol debugging. 

Try reproducing the problem using the OverbyteIcsHttpRestTst sample with debug logging set to HTTP headers and set a log directory, then send the complete log, not selected extracts, indicating where it fails.  If you can not reproduce the bug in that sample in V8.69, the problem is your code.

Angus

If I can not reproduce a problem, I can not fix it.  You will need to reproduce using a public server.  

Or against the ICS web server sample which supports all authentication methods.

Angus

If you want me to investigate a possible authentication issue, I'll need a failing example to test, my private email is in the ICS source code files, specifically a URL and login that works and fails, not interested in any source code.

Angus

You should build the OverbyteIcsIpStmLogTst.dpr sample, and run it on two or more PCs.  It uses the TIcsIpStrmLog component, which can be configured as a TCP or UDP, client or server, and sends lines of text between instances, with just a few lines of code for client or server. 

As François says, your main PC can broadcast UDP packets periodically to the clients running a UDP server, they then return their IP address, which you log.   The client PCs also run a TCP Server, which the main PC then sends messages to, TIcsIpStrmLog can send to a list of IPs. 

Or your main PC can be a TCP server, and the client PCs keep a permanent connection open for messages, avoids needing to keep IP addresses.  If the TCP client connection from TIcsIpStrmLog drops, there are settings to make it repeatedly retry connections until the server comes back. 

All this can be tested without any coding using the OverbyteIcsIpStmLogTst.dpr sample. 

If you decide the clients should be servers and you need their addresses, you can instead use the Address Resolution Protocol (ARP) that runs on all network devices to keep track of IP addresses and MAC addresses on the local LAN, it is how ethernet works.  I have an Internet Protocol Helper Component that gets the ARP table.  In the next few weeks, this will get added to ICS with a new sample to list the ARP and IP routing table, current TCP and UDP connections and network adaptors. 

Angus

The ICS mail components do not automatically MIME encode unicode text for email headers. 

If you look at the OverbyteIcsMimeDemo.dpr sample in the MailNewsDemos sample folder, there is a button Encode One Header which will inline MIME encode the Text you specify using various methods, such as ?utf-8?B? or ?utf-8?Q?. 

The actual inline encoding is done by HdrEncodeInLineEx in OverbyteIcsMimeUtils, and you set the output to the mail header property.

Angus

The Web Socket Server was written by Stan Korotky some time ago, and adds a protocol on top of the normal TWSocketServer component, so you can not use client methods.

But the component only sends AnsiStrings, so just copy your binary data into an AnsiString and send that. 

Angus

You didn't give any information on the device you are collecting files from, except the file was an image. 

If this is a CCTV camera, the OverbyteIcsXferTst sample and the TIcsFtpMulti and TIcsHttpMulti components it uses may be used to download images and movies from many CCTV cameras automatically, with a few lines of code.  The sample is over complex, due to it supporting lots of different features and components. 

I have SV3C cameras, which allow downloads using a web server, TIcsHttpMulti indexes the web pages and downloads new images and movies every two hours, about 20GB a day, the cameras also upload motion capture images automatically to the ICS FTP server.  TIcsFtpMulti  will do the same thing for cameras with an FTP server. 

Angus

If ICS allowed to you send an empty password, you'd still get an error from the server. 

Your code is specifically sending the password command with FFTP.PassAsync;, remove that, and you won't get an error. 

You are using the low level FTP component, the example you should be looking at is OverbyteIcsXferTst.dpr which uses the high level FTP component that hides much of this complexity from you.

Angus

That log says your download worked fine, so the authentication was ignored. 

Angus

It is common for servers to bypass authentication, usually by ignoring any authentication information passed. 

With FTP, this is usually called anonymous authentication, you pass any user name and the password anonymous.

You say 'device not requiring password' which I would interpret as any password used is ignored, so just use xxx and the component will be happy.  

If you mean the device actually requires a specific zero length password, null, space, or the PASS command not to be sent, that will require a change to the component.

Angus

No, those events are totally unrelated and have no relationship, except they are called by the same object. 

Angus

I never setup 2FA unless I can not avoid it.  The 'Google App Password' concept seems like a bodge, effectively it's an App Token being used without client secrets, so legacy applications can cope, I assume mainly for large corporates.  

Angus

Quote

Google is not requiring OAuth2

I have two Gmail accounts, one had high security and always required OAuth2, the second I never upgraded and worked with plain authentication until June 2022 when password authentication started failing.  So my experience is that plain password support was automatically removed without my changing anything. 

Do you have a Goggle reference that states in what circumstances plain passwords are supported?

Angus

I guess there is more than one component called TComPort, I was referring to the Winsoft version, but that seems to be called ComPort. 

A quick search of TComPort does not find any setupdi functions.  Nor support for modern compilers.

Angus

TComPort is a commercial component, you should have the source code, so you can check if it uses SetupDiGetDeviceProperty and remove it and any other similar functions that XP does not support.

Angus

What Delphi component are you using to log data, a serial port component? 

It's possible the Delphi component is calling SetupDiGetDeviceProperty , one of my serial port components uses SetupDiGetDeviceRegistryProperty from the Jedi library SetupApi.pas.  My Jedi version does not include SetupDiGetDeviceProperty, but it's possible a later version might.   You might be able to just remove it from the library unit.

Angus

In June 2022 Google stopped accepting traditional authentication methods for it's SMTP and POP3 email servers, instead requiring OAuth2, and I believe Microsoft is doing the same from October 2022.

The main different with OAuth2 is the application does not store the account password so is unable to share it.  Instead the user is directed to a sign-in web page from Google or Microsoft where the account details are entered and the application receives limited life tokens that are used instead of the password.  For this to work, the developer needs an application account at Google or Microsoft to obtain a application client ID and secret, which need to saved securely and sent as part of the OAuth2 sign-in. In theory, Google and Microsoft need to approve applications using the account client details, and will give warnings during sign-in after a grace period.

If sign-in works, the application receives an access token usually with a life of a few hours, and a refresh token that may be stored securely like a password and may have a life of several months and which may be used to obtain a new access token without a new sign-in.  Note the refresh token may be cancelled at any time requiring a new sign-in.  The refresh token may also be shared between different applications using the same client details and email account, for instance with servers where interaction is not possible.

ICS added support for OAuth2 with version V8.65 in November 2020 to the TSslSmtpCli, TSslPop3Cli and TIcsMailQueue email components, by adding the TIcsRestEmail component to projects with some extra code, as illustrated in the samples OverbyteIcsMailQuTst, OverbyteIcsSslMailSnd and OverbyteIcsSslMailRcv.

But the ICS server samples using email were not updated at the time, so have now been done for the forthcoming V8.70 release which is available from SVN and the overnight zip, OverbyteIcsSslMultiWebServ, OverbyteIcsDDWebService and OverbyteIcsSslMultiFtpServ.

Since other developers may similarly need to add OAuth2 support for email applications, this is a quick guide.

1 - For the TSslSmtpCli, TSslPop3Cli or TIcsMailQueue component, add an onOATokenEvent handler.

2 - Drop a TIcsRestEmail component named IcsRestEmail and add onEmailNewTokenEvent and onEmailProgEvent handlers.  The LoginTimeout property defines how long the component will wait for an interactive browser OAuth2 login, if necessary, defaulting to 30 seconds.  If this happens the onEmailNewTokenEvent is called allowing the application to save the new refresh token to avoid further interaction.

3 - In the onOATokenEvent event, call the IcsRestEmail.GetNewToken method and set the handler properties Token, TokExpireDT and TokAccount, see any of the samples.

4 - Set the IcsRestEmail component properties RestEmailType, ClientId, ClientSecret, and RefrToken, there is a function IcsLoadRestEmailFromIni that does this from an INI file for the server samples (without encryption).

5 - Set SMTP AuthType to smtpAuthXOAuth2 or POP3 AuthType to popAuthXOAuth2 with the appropriate host.  This causes onOATokenEvent to be called when an access token is needed.

Angus

OpenSSL has released new versions of the two supported branches, 3.0.5 and 1.1.1q, Windows binaries are available from

http://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp .

OpenSSL 3.0.5 fixes a serious bug on some X86_64 CPUs in 3.0.4, a version we never released.  Also a moderate security bug relating to AES OCB encryption, but this is not used by TLS ciphers.
Also a moderate security bug with the c_rehash script that allows command injection, we don't use that either.

OpenSSL 1.1.1q fixes the AES OCB and c_rehash bugs.

Separately YuOpenSSL has released both these versions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.

Angus