Angus Robertson

So now you are using a recent ICS version with OpenSSL 3, since you are connecting with TLSv1.3?

But you are probably using the old TSslFtpClient low level component that requires you to send to the correct FTP command in the correct order. 

As the error message suggests, you have not sent the PROT command with Protlevel=P. 

If you use the TIcsFtpMulti high level component instead, this is all done for you, see the sample OverbyteIcsXferTst.

Or if you want a simpler sample, build  OverbyteIcsSnippets and click the FTP Download One File button, the code is in a single function.

Angus

ICS V9.,1 does not support old versions of OpenSSL and will never attempt to open them, I assume you've modified the source code in an attempt to do so. 

Did you attempt to connect to our server with your original application that failed with Filezillar server?

Angus

It is much easier and safer to use the TIcsMailQueue component, so email is sent even if the mail server is not immediately available.  

Look at the OverbyteIcsMailQuTst sample, or one of the server samples like OverbyteIcsSslMultiWebServ that also use mailqueue to call home when in trouble, 

Angus

Look at the OverbyteIcsJoseTst sample which has a button that decodes your JWK using the function I mentioned, and displays it raw, while the OverbyteIcsPemTools sample does certificate and key conversions.

ICS V9.1 has a new TX509Base method X509PubKeyTB that returns the public key in DER that can be used to compare with another public key or converted to Base64 which is PEM.

Angus

ICS has various Jose and PEM functions that will read and create Json Web Keys.

IcsJoseJWKGetPKey reads the Json text and saves the key as type TX509Base.

TX509Base has methods to save certificates, private and public keys in numerous formats. 

What do you want to do with the public key?  This may be better discussed in the ICS support forum .

Angus

If you are attempting to locate COM ports on Windows, I suggest you use the Magenta Serial Port Detection Component from https://www.magsys.co.uk/delphi/maghardware.asp

It has an event that triggers as ports arrive and disappear. It returns an array with information about each port, and whether enabled or hidden:

COM1, Enabled=Y, Communications Port (COM1), (Standard port types), Serial0, ACPI\VEN_PNP&DEV_0501,
COM2, Enabled=Y, PCIe to High Speed Serial Port (COM2), ASIX Electronics Corporation, StnSerial0, MCS9950MF\STN_CASCADE_COM,
COM3, Enabled=Y, PCIe to High Speed Serial Port (COM3), ASIX Electronics Corporation, StnSerial1, MCS9950MF\STN_CASCADE_COM,
COM4, Enabled=Y, Prolific USB-to-Serial Comm Port (COM4), Prolific, ProlificSerial0, USB\VID_067B&PID_2303&REV_0400, Port_#0004.Hub_#0007
COM5, Enabled=Y, Prolific USB-to-Serial Comm Port (COM5), Prolific, ProlificSerial1, USB\VID_067B&PID_2303&REV_0400, Port_#0001.Hub_#0007
COM6, Enabled=Y, Conexant USB CX93010 ACF Modem, Conexant, USBSER000, USB\VID_0572&PID_1329&REV_0100, Port_#0007.Hub_#0001
COM7, Enabled=Y, USB Serial Device (COM7), Microsoft, USBSER000, USB\VID_1546&PID_01A8&REV_0201, Port_#0002.Hub_#0007

Angus

Works for me, using OpenSSL v3, also connects with TLSv1.3.  Can not test with old versions of OpenSSL, ICS does not work with them any longer. 

19:01:16:550 Connect/Logon to FTP Server: ns130.askia.com:5022
19:01:16:591 < 220-FileZilla Server 1.8.1
19:01:16:591 < 220 Please visit https://filezilla-project.org/
19:01:16:591 FTP Control Session Connected OK to: 85.13.217.130:5022
19:01:16:611 > AUTH SSL
19:01:16:641 < 234 Using authentication type TLS.
19:01:16:722 ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD
19:01:16:722  Connected OK Again

Try connecting to the ICS FTP server on ics.ftptest.org.  It may log something useful.

Angus

ICS checks the OpenSSL version on start-up and fails if it does not support the version found, so he could not use 1.0.2 if ICS did not support it.  The 2008 date might be wrong since that comes from a file resource, and ICS does not set any versions or dates in file resources, or if it does I've not updated them in 15 years.  Date and versions are important in our applications, but not packages.

Angus

He is not using 0.9.8 but 1.0.2zg, although is not a version we ever supported (it's a privately supported version).

The last public release was 1.0.2u.  All versions of 1.0.2 support TLS/1,2 and modern ciphers so should work with all servers today. 

Angus

You've already said all that, but that is not an OpenSSL error message, and the file description of a package file is not an ICS version number.  A package created in 2008 would have been ICS V7, long obsolete, numerous SSL/TLS improvements since then. 

Angus

The cipher list is highly unlikely to be causing your connection failure, unless the server is actually reporting cipher errors, such as: version too low, no shared cipher, unsupported protocol, wrong SSL version, bad key share, which are errors from one of my ICS servers this morning, probably hackers. 

You really need to get the real handshake error, but I can not help since you have not explained what ICS version from what date you are using, from the FTP unit.

Angus

OpenSSL "1.0.2zi" is not a free public release, it is only available to organisations that pay OpenSSL for premium level support, which costs $50,000 per year. 

I'd guess there is a support contract involved that prevents such software being distributed outside those organisations. So it should not be published.  

Angus

For clients, it is easier to allow all supported ciphers to be used, and let the server select the best cipher, if you want a connection.  Only worry about cipher lists if the server uses poor ciphers by default, which is rare.

Angus

Sorry, we really can not support very old ICS versions, you don't give the ICS version, but OpenSSL 1.0.2 has not been supported for a few years. 

If you report a better handshake error, as later ICS versions do, you might get more information about the error.  It might simply be an expired SSL certificate.  Or 100 other things.

Angus

Quote

Is this a different server than http://svn.overbyte.be:8443/svn/ 

That is an old URL for the same server, it still works but https://svn.overbyte.be/svn/icsv9/ is preferred (or http) and it takes you to the correct repository, there are now several. 

The strange 8433 port was 15 years ago before I got a dedicated rack server with lots of IPv4 addresses. 

Angus

This is a simple function I wrote 20 years ago, should work to read strings from HLM keys with any login or none, only writing HLM is protected.

function MagGetRegHlmStr (const RegKey, RegValue: string): string ;
var
    IniFile: TRegistry ;
begin
    result := '' ;
    IniFile := TRegistry.Create ;
    Try
    with IniFile do begin
        try
            RootKey := HKEY_LOCAL_MACHINE;
            Access := KEY_QUERY_VALUE ;
            if OpenKey (RegKey, false) then begin
                if ValueExists (RegValue) then begin
                    if GetDataType (RegValue) = rdString then
                                   result := ReadString (RegValue) ;
                end;
            end ;
            CloseKey ;
        except
        end ;
    end ;
    finally
        if Assigned (IniFile) then IniFile.Free;
    end;
end ;

Angus

ICS V9.1 is almost ready for release.  Although there are no new components, there are many other SSL/TLS changes that will affect existing applications, but make ICS easier to use and support for the future.

Before the final release in a week or two, I'd appreciate some feedback from user installing V9.1 using the new packages, and update one or more old SSL/TLS applications, it may help future users if I can improve the documentation.

Please read readme9.txt and these note about V9.1 carefully when upgrading existing applications, you may get build errors that need minor code changes.  But new applications should need be easier to create.

1 - Delphi 10.4 and later now use the same install groups and packages, IcsInstallFmx, IcsInstallVcl and IcsInstallVclFmx, making support a lot easier. Version specific groups remain for Delphi 10.3 and earlier, with new groups D(X)InstallVcl for VCL only replacing the old OverbyteIcs(X) groups, again to simplify support.

2 - The old samples directory has gone and many of the older and little used samples have been archived to a separate download.  The active samples used to test and demonstrate all ICS components are now split into the following paths, in the ICS root directory:

demos-delphi-vcl - 45 VCL samples for Windows.
demos-delphi-extra - four VCL samples that need third party components to build.
demos-delphi-fmx - seven FMX samples for Windows, not yet tested on MacOS.
demos-cpp-vcl - all old C++ samples that have not been tested for 10 years, need help.
demos-data - data files for samples, such as web pages.

All these samples can now be built for Win32 and Win64 platforms.

3 - To ease development, linking and future support, some new units have been added by splitting existing units with multiple components, unfortunately this means many existing projects will need one or more of the new units adding to their uses section.  Apologies for the pain, but this should have been done a long time ago.  The main change is splitting out much of the SSL/TLS related code from the massive OverbyteIcsWSocket unit to a new unit OverbyteIcsSslBase.

4 - Distribution of the ICS OpenSSL files has changed.  Earlier ICS versions required the OpenSSL DLLs to be distributed with applications, and a root CA bundle file to verify SSL/TLS connections, and these needed to be loaded using code.  There was little standardisation over where the OpenSSL DLLs were located, applications tended to keep their own copies alongside other executables, leading to multiple DLL copies and needing the public variable GSSL_DLL_DIR set to a specific directory before OpenSSL was loaded.  Likewise, root CA bundle directories had to be distributed with applications and loaded with code. ICS V9.1 allows five different ways of loading OpenSSL:

1 - DLLs linked into application as resource files
2 - DLLs loaded from common directory C:\ProgramData\ICS-OpenSSL\
3 - OpenSSL DCU linked into application using commercial YuOpenSSL
4 - DLLs loaded from location specified in public variable GSSL_DLL_DIR
5 - DLLs loaded according to path, may be found anywhere on PC

Which method ICS uses to load OpenSSL depends upon several defines in the .\Source\Include\OverbyteIcsDefs.inc file, please see the readme9.txt file for details. ICS currently includes resource files for three different OpenSSL releases, 3.0`13. 3.1.5 and 3.2.1, which version is linked is controlled by a define. If the OpenSSL DLLs are linked into the application, they are extracted to a version subdirectory, ie C:\ProgramData\ICS-OpenSSL\3012\ so different applications can use different OpenSSL versions.  This happens only once if the files have not already been extracted.   When updating existing projects without using any new defines, the ICS old behaviour of methods 3, 4 and 5 above remain with no changes needed.

5 - A common IcsSslRootCAStore component is now created at application start-up, to avoid different components needing their own CA stores to verify SSL/TLS certificates, and for applications to load those stores.  The three different CA stores included with ICS are now supplied as resource files, with a define determining which is linked into applications.
Another define causes OpenSSL and this store to be loaded at application startup, so OpenSSL is available for all components, without it needing to be loaded again, perhaps repeatedly.  Without new defines, a CA Store can be loaded manually into IcsSslRootCAStore. The ICS servers use CA Stores now use IcsSslRootCAStore and no longer load any files specified.

6 - All SSL/TLS servers need a certificate and private key to start, even when testing.  Previously ICS supplied some self signed certificates for testing, and also created such certificates automatically if they were missing or if the server was about to order a Let's Encrypt certificate.  Accessing such servers for testing using browsers raised various warnings.  ICS now has it's own SSL root certificate 'ICS Root CA' and two intermediates, 'ICS Intermediate' and 'ICS Intermediate Short', the last of which includes a private key so can be used to automatically sign new certificates by ICS server applications, rather than just self signed certificates as before. If the 'ICS Root CA' certificate is installed in the Window Store and browser stores, it should stop certificate warnings appearing. ICS applications automatically trust the ICS root, so will give no warnings. The short intermediate has a maximum 100 day expiry, so new versions will be issued regularly. There is a single function CreateSelfSignCertEx that created signed certificates, and another IcsInstallIcsRoot that installs the ICS root into the Windows Store, so easy to use. It is possible to replace the ICS root with your own private root certificate and have servers create their own certificates against that root, for internal networks.

7 -  The TSslHttpRest component now allows TRestParams to be created as content type 'Form-Data Body' to create MIME multipart/form-data parameters that may include new TParamType of RPTypeFile that specifies a file name whose binary content will be added to the parameters as a file upload, allowing multiple files and extra parameters. TRestParams are now built into a TStream rather than a string to allow larger parameter sizes, tested up to 8GB. The ICS web server samples have improved MIME decoding to accept massive uploads.

8 - Several client and server components have a new property NoSSL which if set will prevent those components using SSL/TLS for HTTPS or FTPS, even if the application is linked with OpenSSL code.  Beware the IcsSslRootCAStore component must not be initialised by the application.

9 - Updating projects to V9.1:

Applications that have TSslContext on a form will need to be opened so the new unit OverbyteIcsSslBase is automatically added to the users clause. Units that reference TX509Base or TX509List mostly for the OnSslHandshakeDone event, may need OverbyteIcsSslBase adding manually if they don't also have TSslContext.

The other new units are OverbyteIcsHtmlUtils (for TextToHtmlText, IcsHtmlValuesToUnicode, IcsFindHtmlCharset, IcsFindHtmlCodepage, IcsContentCodepage and IcsHtmlToStr), OverbyteIcsDnsHttps (for TDnsQueryHttp and IcsDomNameCacheHttps) and OverbyteIcsSslUtils (for TOcspHttp). Applications that use IcsExtractURLEncodedValue, ExtractURLEncodedParamList or GetCookieValue may need OverbyteIcsUrl adding to projects.

When updating projects using a TSslContext component, setting the new property UseSharedCAStore to True causes the properties CAFile, CALines and CAPath to be ignored, and the new IcsSslRootCAStore component will be used instead, being automatically initialised if not done at program start-up.  Don't use UseSharedCAStore for server components.

High level ICS components such as TSslHttpRest that have an internal TSslContext component all set UseSharedCAStore and ignore properties like SslRootFile to load a root CA bundle.  If a specific bundle is required, it may be loaded to IcsSslRootCAStore.

With V9,1, the global variables GSSLEAY_DLL_IgnoreNew and GSSLEAY_DLL_IgnoreOld are ignored since only different minor versions of OpenSSL 3 are supported.

V9.1 can be downloaded from SVN at https://svn.overbyte.be/svn/icsv9/

or the overnight zip at https://wiki.overbyte.eu/wiki/index.php/ICS_Download

Angus

Why not just use one of several open source serial port components for your communication?  No-one will want to debug your code. 

I've been using Async Pro for 20 years, you can install it from GetIt.

Angus

STM32 seems to be an ARM based microcontroller, which is not a supported platform for Delphi. So no Delphi applications will run on it. 

The STM32 should be running an OS of some sort, probably several available, which may run an IP stack to support Ethernet or Bluetooth, in which case numerous Delphi components can be used to communicate with it remotely from Windows or other supported Delphi platforms.

Angus

Is it just me, or do the posts by techdesk seem to be written by an AI?  I've never seen a developer write such prose.  Lots of words, but says very little. 

Angus

I told you before that the ICS MIME sample does not display file content. 

Exactly which ICS functions are you using to decode this file>  What size is it supposed to be?  Which online decoder is able to decode this MIME correctly, without editing?  Just telling me it does not work is not helpful.

Angus

Quote

hold off doing that until some  new "in-line registration" 12.x is released,since that would require uninstalling and reinstalling, which means reinstalling all the GetIt packages, no

Only if you installed 12 from GetIt/online originally. 

I always install from the ISO, and yesterday updated with patch 1 (it is not 12.1) and several component updates using GetIt.

Angus

Can not recall what I said in my previous posts here, but can only reiterate that for serving files, threads are not necessary, there is minimal blocking activity.  There is a limit to how many new SSL/TLS connections can be accepted each second due to the processing, but once the connection is open, hundreds of connections can run in a single thread. 

Threads are necessary to make use of more than one CPU.   ICS does have a threaded server component, but it does not support SSL/TLS or the web server and has not been tested for 10 years. 

If you use threads in ICS, each thread has its own message queue and handler, so you can not send from a different thread.

Angus

As I wrote, ICS decodes your file correctly into two parts, how your application is supposed to understand such an encoded attachment is a different issue. 

Angus

The ICS components are event driven, so have various state variables for control, they will need careful manipulation if opening a connection is skipped.  Basically, test, fix, repeat.

Angus