Leaderboard


Popular Content

Showing content with the highest reputation on 02/18/25 in all areas

  1. SSL/TLS is continuously changing, with new protocols added, old ones obsoleted and rules changing. We cannot ignore such changes.

OCSP (Online Certificate Status Protocol)

Currently, ICS supports OCSP as the way to confirm SSL/TLS certificates are legitimate and not revoked for security reasons. But the industry does not like OCSP: it is expensive to implement and has several flaws that mean most browsers now ignore it. So Let's Encrypt is closing its OCSP service over the next six months; ICS should gracefully ignore it as the OCSP URL disappears from X509 certificates.

In theory, CRLs (Certificate Revocation Lists) are still supported. ICS has supported them since the beginning, but has never provided a means to automatically download them; it would mean an archive of CRL files for each intermediate certificate received that needed updating continually. This could be added to ICS, but would be a lot of effort and slow down connections as the files are downloaded. Google Chrome has its own version of CRLs, where those from multiple certificate issuers are combined into a single combined list. Has anyone looked at it?

The industry solution is X509 certificates with short lifetimes that are replaced automatically and regularly. Apple wants to reduce the maximum life to 47 days, others want less. Let's Encrypt is planning to optionally issue six-day certificates later this year, which ICS will support shortly.

RPK (Raw Public Keys)

SSL/TLS uses a private/public key pair to negotiate encryption, usually contained in an X509 certificate to also prove ownership of the server. For many local applications, ownership is less important than encryption, so self-signed certificates are often used instead, but even those can be burdensome, despite ICS servers automating them.

OpenSSL has now added support for Raw Public Keys, where the server uses just the private key without a certificate, and the clients have a list of acceptable public keys that can be checked to ensure the connection comes from a known private key. Supporting RPKs will involve a minor change to IcsHosts for servers and updating TSslRootCAStore to store a list of public keys that can be checked during the SSL handshake. Note RPKs are really only for app-to-app communication; browsers don't support them. I know one ICS already uses a version of RPKs by checking the public key and not the certificate; does anyone else see an application for RPKs?

Let's Encrypt Changes

Let's Encrypt is planning several changes this year. Closing OCSP has already been mentioned. Not sure how many ICS users actually make use of Let's Encrypt certificates; I never hear about bugs or problems, so perhaps they just work, or ICS users are still paying for commercial certificates?

Let's Encrypt is adding account profiles to allow different types of certificate to be ordered. ICS will allow the profile to be selected using IcsHosts. The 'Classic' profile will be the same as now, 90-day certificates. The 'TLSServer' profile will be simplified certificates missing the Common Name that servers shouldn't use, and several other fields will go, all to reduce certificate size. The 'Shortlived' profile will be six-day valid certificates. Let's Encrypt is also planning to support IP addresses in certificates; IcsHosts will also support this.

HTTP/2 and HTTP/3 (QUIC)

Adding support for HTTP/2 and HTTP/3 to ICS as Delphi code would be a major project, and the only current benefit would seem to be a small performance improvement with complex pages with hundreds of elements to download. So not planning any HTTP/2 or HTTP/3 support.

Angus
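The two client-side decisions in Angus's post, shown as an added example in Go (this is not ICS code, which is Delphi, and not part of the original post): first, what revocation source a client can still use once the OCSP URL is gone from the certificate or the lifetime is so short that expiry does the job; second, the "check the public key, not the certificate" approach he mentions, done as an allow list of SPKI hashes checked in the TLS client's certificate callback. Go's crypto/tls does not implement RFC 7250 raw public keys, so the key is taken from the certificate the server presents rather than from a bare key. The self-signed certificates, the example.test name, the ocsp.example.test URL and the 7-day "short-lived" threshold are constructed for this example; the handshake runs over a loopback TCP socket so it works offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeCert builds a self-signed ECDSA server certificate (constructed test data,
// not CA-issued). ocspURL "" models an issuer that no longer lists an OCSP responder.
func MakeCert(lifetime time.Duration, ocspURL string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"}, // hypothetical host; no CN, as in the TLSServer profile
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL} // lands in the Authority Information Access extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// SPKIPin is the SHA-256 of the DER SubjectPublicKeyInfo: the identity that
// survives certificate renewal and is what a raw-public-key style client compares.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// RevocationPlan picks the revocation check a client can still perform for a leaf.
// The 7-day cut-off is this example's assumption so six-day certificates rely on expiry.
func RevocationPlan(c *x509.Certificate) string {
	switch {
	case c.NotAfter.Sub(c.NotBefore) <= 7*24*time.Hour:
		return "short-lived: rely on expiry"
	case len(c.OCSPServer) > 0:
		return "ocsp: " + c.OCSPServer[0]
	case len(c.CRLDistributionPoints) > 0:
		return "crl: " + c.CRLDistributionPoints[0]
	default:
		return "none: no revocation source in certificate"
	}
}

// PinnedClientConfig replaces chain building and host-name checks with a test
// that the presented leaf carries one of the allowed public keys (by SPKI hash).
func PinnedClientConfig(allowedPins map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true, // X509 path validation is replaced by the callback below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			// crypto/tls rejects an empty TLS 1.3 Certificate message before calling this.
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if pin := SPKIPin(leaf); !allowedPins[pin] {
				return fmt.Errorf("peer public key %s is not on the allow list", pin)
			}
			return nil
		},
	}
}

// Handshake runs a TLS 1.3 handshake over loopback TCP and returns the client's
// verdict. net.Pipe is avoided: being unbuffered, it can stall mid-flight on a rejected cert.
func Handshake(server tls.Certificate, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			_ = tls.Server(c, &tls.Config{Certificates: []tls.Certificate{server}}).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		conn.Close()
	}
	ln.Close() // unblocks Accept if the dial never reached the listener
	<-done
	return err
}
```

Because the allow list is keyed by the public key and not by the certificate, a server that renews its six-day certificate under the same key keeps passing, while any certificate from an unlisted key fails the handshake regardless of who signed it. The short-lived branch only holds if the client's clock is trustworthy, since expiry is the sole revocation mechanism left for those certificates.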
  2. Remy Lebeau

    Looking for containskey when processing data

    True, though it is inherited from TJSONValue and not specific to TJSONObject, it has a little more overhead as it performs path processing on the input string and type validation on the output value, and it requires the caller to declare a variable to receive the output value whether the caller actually wants it or not.
  3. Angus Robertson

    ICS V9.4 announced

    ICS V9.4 is now available from GetIt for Delphi 11 and 12. Angus
  4. StellarDS.io is the fastest and easiest way to host your data in the backend for web applications as well as native cross-platform mobile and desktop applications. There are a couple of SDKs available as well as libraries / components for Delphi. Check it out. https://www.tmssoftware.com/site/blog.asp?post=1200 https://stellards.io/ Libraries for Delphi: https://stellards.io/Home/Delphi