Angus Robertson

I'd first make the general comment that it is always best to develop and test the two parts of client/server applications separately, against known working versions. In this case, with the ICS OverbyteIcsSslMultiWebServ and OverbyteIcsHttpRestTst samples. Don't know if C++ allows you to build them, but the wiki site allows you to download prebuilt executable files. Your settings are missing a websocket path or page, just ws://127.0.0.1/ so you are assuming the web server default HTML page is actually a Websocket request, this was never testing with the ICS web server, perhaps my fault for not expecting anyone to try that. Since you set default page to index.html, I assume that is the websocket URL you are checking for, but you don;t show any of that code. I find it best to use a virtual path /websocket/ to clarify that such requests from HTML. Angus

I have no idea of the procedures used by certificate authorities with dongles. But technically, the end user creates a certificate signing request using the private key in the dongle, that is sent to the CA that creates a certificate with the details and public key from the CSR and signs the new certificate that is returned to the purchaser and is loaded back into the dongle. The CA is not allowed to see or keep private keys, in the past millions of certificates have been cancelled when a CA was found to kept private keys it issued online. In practice, to make life easy for purchasers they want to ship a dongle with a new private key and certificate loaded, which is effectively a manual process, someone needs to plug the dongle into a PC or appliance and run an app to do it all. Thus the horrible cost. Angus

One interesting concept of the Azure code signing certificates is they expire within two days, effectively created daily on demand. While such a short expiry is impractical for servers, code signing relies on a time stamp, so applications can be used for many years beyond the certificate life. Angus

Sure you can copy a certificate from a token, the certificate is also in every program you sign. But the token keeps the certificate private key secure so it can not be copied, shared or stolen, which means you can only sign code with the token, which actually handles the sign operation, the private key never leaves the token. There are ways to remotely sign code using the cloud or remote servers, suggest reading https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens Microsoft also has a remote signing solution https://learn.microsoft.com/en-gb/azure/trusted-signing/ Angus

Another define to kill, OpenSSL_Check_SignCert will stop the verify trust check, usually that only fails on very old versions of Windows. OAuth2 uses two tokens, when you authenticate with a login and password a refresh token is generated which usually has a very long expiry, maybe years, and is used to generate an access token which is short lived, an hour to a day, and a new one is generated regularly by ICS from the refresh token. So you save securely the refresh token, not the access token. Angus

I suspect that is a fault in K-Software's automated systems, not been updated since tokens became mandatory. The web site does say 'Secure token available' which means is not really optional. My three year K-Sotfware certificate expires next month, so just about to go through the same process. Angus

The price increase is down to code signing certificates needing to be shipped on USB dongles instead of as files. Angus

Be careful with OAuth2 refresh tokens, they do make authentication very simple and usually remain valid for months or even years. But you must have some code in place for the day the token becomes invalid without notice, immediate emails to the system admin (using the IcsMailQueue component), because otherwise you are going to have hundreds of failed requests very quickly. Perhaps dummy requests during the night so you get a warning before the rush. Angus

You should also undefine OpenSSL_AutoLoad_CA_Bundle. This causes OpenSSL to be loaded when any ICS application is loaded, even if no ICS components are used. This define is usually best since otherwise OpenSSL can be loaded and unloaded repeatedly if not done manually once before making any SSL calls. I've never tried using ICS in an ISAPI, only simple DLLs, they are not quite standard with a few special exports. All my Windows 2025 servers run an ISAPI I wrote 20 years ago and last compiled in 2005, never needed to touch it, just keeps working, fortunately Microsoft does not mess with IIS, so nothing ever breaks. Angus

webview2loader.dll is used to load the Edge browser, no way that will run as a Windows service, no Window. You can use ICS OAuth2 stuff in services, but only with saved refresh tokens obtained from another application. If you are using a recent ICS version, the loading problem is probably ICS trying to extract the OpenSSL DLLs from the DLL, never tested that, try disabling define OpenSSL_Resource_Files. The component itself runs fine in a normal DLL, I recently updated OverbyteIcsConHttp.dpr Angus

Help & Manual allows you to output CHM, PDF and HTML versions of the same help content, used it for 15 years or more. And probably more formats I don't need. But it keeps the content in XML, so might not be a quick import from your existing DOCs or whatever. Angus

Sorry, no quick answer. The issue here is avoiding multiple escaping with nested escaped objects. which is why some AddItem overloads have an ARaw parameter to skip escaping, but not AddItemSO. I'll need to look carefully at this so as not to break anything, mat be a while. Angus

This error often happens with older versions, but usually just means the property is lost for the old version, which only matters if you have been already set it specifically for the newer version. I often open applications in both Delphi 11.3 and 2007, and ignoring properties never causes a problem. What is more annoying is the IDE inability to cope with a lot of similar errors, insisting on presenting dozens of modal dialogs if you open a large project group, you have to be so careful if what you click to avoid components not being removed from forms if they are not currently installed in the IDE. Angus

Just keep the time or tick count before you make the request, and again afterwards. The component can do this internally for sessions, bur not single requests. Angus

I have implemented extended passive (and port) mode for the ICS client for IPv4 connections, however I'm not sure if it will fix the original poster's problem since it will only be used if the server FEAT command advertises availability, so it is unlikely to fail. If it does fail, there is a new option that stops the EPSV and EPRT commands being used. I asked for an FTP log that would have shown the FEAT command and failure response, but can not guess what is happening. The ICS FTP server already supports EPSV for IPv4, unfortunately the developer that added it missed updating the FEAT command so it's not advertised, and few FTP clients will use it for IPv4, now fixed as well, will be in SVN once more testing is done. Angus