Angus Robertson

How do you propose I reproduce that problem? It is most likely something specific to your installation. That URL works fine here: Built With Delphi 11.3 Win64 12:36:51 Opened log file: D:\weblogs\ics\https-rest\ics-httprest-2025-02-25.log 12:36:51 25/02/2025 12:36:51 Starting REST request for URL: https://jsonplaceholder.typicode.com/users 12:36:51 GET https://jsonplaceholder.typicode.com/users 12:36:51 https://jsonplaceholder.typicode.com/users, Getting headers 12:36:51 Async REST request started 12:36:52 Connected OK to: jsonplaceholder.typicode.com (104.21.48.1) Edit; thinking back, it might be first time issue saving INI settings or something, Is it repeatable? Angus

Strangely, that function was on my screen, I've just added some more parameter encoding and decoding functions to that unit. I've removed the / after text, it's a pretty basic function to avoid trying to convert images and files into unicode. Not sure why V9.3 changed anything, that text/ check was previously in the TriggerRequestDone2 function. Angus

Treat API keys and tokens as if they are passwords, and encrypt them, as we have forever, at least in properly written applications. The type of encryption and how you protect the key really depends on your security threat level. Angus

Refreshing the access token (expires within a day) using the refresh token (may not expire for a year or more) is a standard part of any proper OAUTH2 implementation. But getting that refresh token usually requires a browser login, either embedded Edge or separate browser. The ICS library has several examples for OAUTH2 with refresh tokens. Angus

Correct, provided you use the RestRequest method. The data received during the request is handled internally, and made available from various properties, ResponseRaw, ResponseStream, ResponseOctet and ResponseJson, depending on what you want to do with it, or might have been written to a file. Because TSslHttpRest descends from TSslHttpCli, it publishes all it's properties and events, so you can use it without RestRequest is required. Angus

SSL/TLS is continuously changing with new protocols added, old ones obsoleted and rules changing. We can not ignore such changes. OCSP (Online Certificate Status Protocol) Currently, ICS supports OCSP as the way to confirm SSL/TLS certificates are legitimate and not revoked for security reasons. But the industry does not like OCSP, expensive to implement and several flaws that mean most browsers now ignore it. So Let's Encrypt is closing it's OCSP service over the next six months, ICS should gracefully ignore it as the OCSP URL disappears from X509 certificates. In theory, CRLs (Certificate Revocation Lists) are still supported, ICS has supported them since the beginning, but has never provided a means to automatically download them, it would mean an archive of CRL files for each intermediate certificate received that needed updating continually. This could be added to ICS, but would be a lot of effort and slow down connections as the files are downloaded. Google Chrome has it's own version of CRLs, where those from multiple certificate issuers are combined into a single combined list. Has anyone looked at it? The industry solution is X509 certificates with short life times that are replaced automatically regularly. Apple wants to reduce maximum life to 47 days, others want less. Let's Encrypt is planning to optionally issue six day certificates later this year which ICS will support shortly. RPK (Raw Public Keys) SSL/TLS use a private/public key pair to negotiate encryption, usually contained in an X509 certificate to also prove ownership of the server. For many local applications, ownership is less important than encryption, so self signed certificates are often used instead, but even those can be burdensome, despite ICS servers automating them. OpenSSL has now added support for Raw Public Keys, where the server uses just the private key without a certificate, and the clients have a list of acceptable public keys that can be checked to ensure the connection comes from a known private key. Supporting RPKs will involve a minor change to IcsHosts for servers and updating TSslRootCAStore to store a list of public keys that can be checked during the SSL handshake. Note RPKs are really only for app-to-app communication, browsers don't support them. I know one ICS already uses a version of RPKs by checking the public key and not the certificate, does anyone else see an application for RPKs? Let's Encrypt Changes Let's Encrypt is planning several changes this year. Closing OCSP has already been mentioned. Not sure how many ICS users actually make use of Let's Encrypt certificates, I never hear about bugs or problems, so perhaps they just work, or ICS users are still paying for commercial certificates? Let's Encrypt is adding account profiles to allow different types of certificate to be ordered. ICS will allow the profile to be selected using IcsHosts. 'Classic' profile will be the same as now, 90 day certificates. 'TLSServer' profile will be simplified certificates missing the Common Name that servers shouldn't use and several other fields will go, all to reduce certificate size. 'Shortlived' profile will be six day valid certificates. Let's Encrypt is also planning to support IP Addresses in certificates, ICSHosts will also support this. HTTP/2 and HTTP/3 (QUIC) Adding support for HTTP/2 and HTTP/3 to ICS as Delphi code would be a major project, and the only current benefit would seem to be a small performance improvement with complex pages with hundreds of elements to download. So not planning any HTTP/2 or HTTP/3 support. Angus

I understand some commercial certificate suppliers are now using the ACME system designed by Let's Encrypt to automatically issue certificates. Presumably adding an authentication step for payment, this might be something ICS should be supporting. Angus

The issue here is how much time I can spend attempting to support long obsolete versions of Delphi, instead of concentrating on new features and stuff. My time is free and not unlimited. I have not yet removed support for these old Delphi versions from ICS, but those using them need to help investigate problems, not just report them. Angus

The large change with V9.3 was consolidating many type definitions into the Types unit, with their original versions commented out with (* *). I then remove old code a release or two later. Comparing the prior unit with the latest, I see there are a couple of embedded (* *) pairs I did not disable, near lines 1428 and 1467, maybe D2010 has trouble there. Try removing all that code. Or indeed any code that is commented out, which I'll do for the next release anyway. As I said earlier, I can not test this since my D2010 license no longer works. Angus

Do you mean you are using Caddy or nginx as a proxy in front of non-SSL ICS servers? Angus

Clearly some minor recent change in OverbyteIcsWinsock.pas has upset Delphi 2010, but seemingly not older or newer compilers. But our support of ancient compilers is limited, it is more important to support newer compilers. So please look back at the last ICS version you installed in D2010, see what has changed since, and fix it. Angus

The new certificate issued this morning is fine, but the server should really be setup to automatically renew it a few days before it expires, rather than waiting until after it has expired, I saw the expiry warning this morning as well. Angus

ICS V9.4 is now available from GetIt for Delphi 11 and 12. Angus

ICS has always supported the Content-Disposition: form-data header for POSTing files, but seems to bypassed Content-Disposition as a HTTP response header, declaring content as inline or attachment with a file name so it can be saved. We tend to look at Content-Type to determine if content should be saved. So I plan to add web server support to send Content-Disposition: inline and Content-Disposition: attachment, and client support to parse the header and file name. But also wondering whether Content-Disposition should be sent as a request header when POST/PUTing a single file as binary, to avoid needing to base64 encode it within form-data, which is a major overhead for gigabyte sized uploads. Actually easy to add to the REST component that already has such an upload and the web server samples that save such data, but taking the file name from a URL parameter. Done a little Googling, but can not see any official use of Content-Disposition as a request header, maybe I missed something? Any thoughts, is it worth adding to ICS? Angus

The release notes and DelphiPraxis announcements covered that: Also note when building the ICS packages for the first time with 3.4, there may be a dialog 'entry point could not be located', because the new DLLs are only extracted from the resource files when the first application is run, but the packages have built OK. Angus

Sorry, unless I reproduce bugs, hard to fix. Angus

xx{ $ENDIF MSWINDOWS} initialization {$IFDEF MSWINDOWS} xx {$ENDIF MSWINDOWS} Angus

The new ifdef should be one line lower. Angus

I tested D9.4 building OK in D2007, but I no longer have a license for D2010. Line 3825 is beyond the end of the unit. It could be the compiler does not like the if/ends You could try adding a new {$ENDIF} before initialization and {$IF MSWINDOWS} after. Angus

The OverbyteICSNetMon sample builds fine for Win64, built it two days ago. But there is a comment in the sample 'Pending - NPCap does not seem to work on Win64, needs more testing', and I've never had time to look into it. This code was written 20 years for Pcap and quickly updated for NPcap, perhaps I missed some stuff. In particular, it uses Windows magic to assume that a Win64 version of packet.dll is found., Angus

OpenSSL has released maintenance versions of the four currently supported versions, 3.0.16, 3.2.4, 3.3.3 and 3.4.1. There is one high security fix for 3.2 and later relating to Raw Public Keys (RPKs), but these are disabled by default and not yet used in ICS, and a low level timing side-channel in ECDSA signature computation fix that needs hardware access to exploit. These OpenSSL versions are included with the final ICS V9.4 release. Windows binary zips are available from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource file. Beware OpenSSL 3.4 exposed a minor ICS bug creating X509 certificate requests and creating CA signed certificates, which is fixed in V9.4. or a one line change for earlier versions. Also note when building the ICS packages for the first time with 3.4, there may be a dialog 'entry point could not be located', because the new DLLs are only extracted from the resource files when the first application is run, but the packages have built OK. ICS V9.4 defaults to using OpenSSL 3.4.1, provided the new OverbyteIcsDefs.inc files is installed, with an earlier version optional by changing the Defs file. Angus

I use this function to disable and reanable all controls in a container: procedure EnableOrDisableChildren (Container: TWinControl; Enabled: Boolean) ; var index: integer; aControl: TControl; isContainer: boolean; begin for index := 0 to -1 + Container.ControlCount do begin aControl := Container.Controls [index] ; isContainer := (csAcceptsControls in aControl.ControlStyle) ; if NOT isContainer then aControl.Enabled := Enabled; //recursive for child controls if (isContainer) AND (aControl is TWinControl) then begin EnableOrDisableChildren (TWinControl (aControl), Enabled) ; end; end; end; Angus

All those checks for ? relate to non-unicode compilers converting UTF8 file names to ANSI with substitutions for bad characters, so I've made them conditional on a new property that will need be enabled for Delphi 2007 and earlier to get the same 'Skipped Inaccessible Unicode Name' error. Angus

Thanks, I'll look at this for next release due this week. Angus

You would be better to avoid using LineMode if the lines are 'unusual', always read all received data, buffer it, and check for end of line/row/packet yourself, which can be multiple methods. That is what the TIcsIpStrmLog component does, but you may need to copy the code to add more flexibility. Angus