Everything posted by Angus Robertson
WSSendBinaryStream usage
Angus Robertson replied to sfrazor's topic in ICS - Internet Component Suite
I'd make the general point that ICS is an async library, generally you should never use Sleep(), but events. If you want to delay something, use triggers within a timer. Having multiple ProcessMessages everywhere is also bad design. Your code should be packaged into an object with events, called before a single message loop. In fact, this design would mean you can test and debug your WS code in a simple GUI before using it in a DLL. From your various comments, I gather you are writing a Websocket client DLL that sends large binary blocks of data to a server. All my testing and the ICS samples are server to client communication, although in theory the code is two-way and similar in client and server. But I simply don't have a way to easily test your requirement. Angus
WSSendBinaryStream usage
Angus Robertson replied to sfrazor's topic in ICS - Internet Component Suite
Sorry, no idea off hand, not used Websockets for sending large binary blocks, only simple ANSI/HTML packets. Reproducing your scenario is not trivial and would take some effort, I'll put it on my list, but it might take a while. Are both server and client ICS WS apps? Angus
"SSL routines:ssl3_read_bytes:tlsv1 alert internal" error when CDN active
Angus Robertson replied to GabrielMoraru's topic in Indy
I've seen problems with Cloudflare and ICS, it can be sensitive to the User-Agent or strange request headers, it tries to be too clever and fails. Using a real browser User-Agent might help. Angus
Try Sleep(0) or MsgWaitForMultipleObjects before calling the pump, that is what the ICS synchronous methods do. BTW, Snippets are simple examples. Angus
Issues migrating away from Indy
Angus Robertson replied to Jan Breukelman's topic in ICS - Internet Component Suite
ICS has a specific component for sending email, TIcsMailQueue, it uses a thread with a TSslSmtpCli component to send email previously saved in EML files, using multiple servers and retries over many hours to ensure email is sent. It handles all the SSL stuff for you. The main sample is OverbyteIcsMailQu which has OAuth2, but the component is also used in several server samples. Haven't written an ISAPI for many years, but the component should run in a DLL easily. Angus
ICS has a component TIcsBlackList that can be used by servers to count access attempts by IP address, and block after a specified number of attempts until after several hours of inactivity. Its use is illustrated in the OverbyteIcsSslMultiWebServ sample. Just noticed these lines in the log for one of my web servers, someone using Alibaba Cloud in Hong Kong has made almost three million access attempts to my web site over several weeks, trying to read access data that is limited to 50 accesses per day. And still trying despite those requests being rejected.

47.76.209.138 attempts 1,481,269, first at 12:18:52, last at 20:00:17 BLOCKED
47.76.99.127 attempts 1,478,638, first at 12:04:36, last at 19:58:57 BLOCKED

Should really be reporting the date of first access, but don't normally see hackers continuing this long. The sample shows various ways to detect hackers, such as web site access by IP address instead of host name, that stops hundreds daily on my sites (no HTTP allowed). Angus
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
CloudFlare is the obvious solution for most commercial web sites, although I find my link site checker app being blocked from some sites CF 'protects'. But this is an ICS web server, and developers have vastly more control over checking and blocking connections than sites using Apache, etc, that need extras to protect them. Although I get the usual general hackers, they are normally easy to block, anyone accessing the SSL site using an IP address immediately goes on the blocked list, or trying to access CGI script, etc. Angus
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Thanks for the thoughts. The user agent strings are partly randomised, lots of different Chrome/xx versions, the Safari version seems to be the same, but is probably legitimate. The SSL HELO packet has some unknown EC groups, but Chrome often has test groups. The ALPN is always blank, and the requests use a URL without www, but blocking either of those would also hit legitimate API users. The server does not currently log any request headers, not sure if VPNs would add anything to identify themselves, as proxies normally do. One possible solution would be counting IP accesses within a /24 or larger block, although that might include some corporates with outgoing blocks, I'd need to update my white lists as well. Don't want to spend too much time on a rare problem... Angus
Blocking hackers
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
My Chinese hackers have changed strategy to get around my IP address blocks and access my web site database, that restricts free access to 50 requests a day, paying for unlimited access seems beyond them. So now they are using VPNs, making two requests at a time from thousands of different IP addresses around the world, 3,500 over the last 48 hours, with requests now repeating after 24 hours; previously I cleared the block list after six hours of no repeat access. I've not yet managed to define an automated strategy to block relatively random IPs, a CAPTCHA would work, but don't want to annoy my users, likewise giving them a free login. Has anyone got a better strategy for blocking unwanted access by IP? Meanwhile, I'll add /24 level IP blocks manually for a few dozen VPN ranges, which means the server will immediately close any connections from those ranges. Last time I did this to block TOR nodes, I accidentally blocked some large corporates resulting in some interesting telephone calls. Angus
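The three Blocking hackers posts above describe one policy from several angles: count attempts per address and block once a daily quota is passed, forget an address after six hours of silence, treat a request whose Host header is a bare IP address as hostile, keep manual deny ranges for VPN exits, and, for the VPN case where every exit makes only two requests, count within a /24 as well. The following is an added Python sketch of that policy written for this page; it is not TIcsBlackList or any other ICS code. The 50 per day and six hour figures come from the posts; the /24 threshold of 500, all names and the traffic in the comments are assumed or constructed.

```python
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def host_is_ip_literal(host_header: str) -> bool:
    """True when the HTTP Host header names the server by address rather than by name.
    Accepts 'a.b.c.d', 'a.b.c.d:443', '[2001:db8::1]:443' and a bare IPv6 address."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6, possibly with a port
        h = h[1:h.index("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:                    # a single colon: IPv4 or host name plus port
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


@dataclass
class Counter:
    attempts: int = 0
    first: float = 0.0
    last: float = 0.0
    blocked: bool = False


@dataclass
class BlockList:
    """Per-address and per-/24 attempt counting with idle expiry and manual ranges."""
    max_attempts: int = 50                  # free requests allowed per address (from the post)
    idle_expiry: float = 6 * 3600.0         # forget an address after six hours of silence
    net_prefix: int = 24                    # aggregate IPv4 by /24 to catch address hopping
    net_max_attempts: int = 500             # assumed threshold for a whole /24
    allow: List[IPNet] = field(default_factory=list)   # corporate ranges that are never counted
    deny: List[IPNet] = field(default_factory=list)    # manual blocks, e.g. known VPN ranges
    hosts: Dict[IPAddr, Counter] = field(default_factory=dict)
    nets: Dict[IPNet, Counter] = field(default_factory=dict)

    def allow_range(self, cidr: str) -> None:
        self.allow.append(ipaddress.ip_network(cidr, strict=False))

    def deny_range(self, cidr: str) -> None:
        self.deny.append(ipaddress.ip_network(cidr, strict=False))

    def attempts_for(self, ip_str: str) -> int:
        c = self.hosts.get(ipaddress.ip_address(ip_str))
        return c.attempts if c else 0

    def _bump(self, table: dict, key, now: float, limit: int) -> bool:
        c = table.get(key)
        if c is None or now - c.last > self.idle_expiry:   # idle long enough: start afresh
            c = Counter(first=now)
            table[key] = c
        c.attempts += 1                # keep counting after blocking, as the log above does
        c.last = now
        if c.attempts > limit:
            c.blocked = True
        return c.blocked

    def check(self, ip_str: str, now: float) -> str:
        """Verdict for one request: 'allow', 'deny-manual', 'deny-ip' or 'deny-net'."""
        ip = ipaddress.ip_address(ip_str)
        if any(ip in n for n in self.allow):
            return "allow"
        if any(ip in n for n in self.deny):
            return "deny-manual"
        ip_blocked = self._bump(self.hosts, ip, now, self.max_attempts)
        net_blocked = False
        if ip.version == 4:
            net = ipaddress.ip_network("%s/%d" % (ip, self.net_prefix), strict=False)
            net_blocked = self._bump(self.nets, net, now, self.net_max_attempts)
        if ip_blocked:
            return "deny-ip"
        return "deny-net" if net_blocked else "allow"

    def report(self) -> List[str]:
        """Log lines in the style of the post: key, attempts, first/last time, BLOCKED."""
        lines = []
        for key, c in list(self.hosts.items()) + list(self.nets.items()):
            if c.blocked:
                lines.append("%s attempts %s, first at %s, last at %s BLOCKED" % (
                    key, format(c.attempts, ","),
                    time.strftime("%H:%M:%S", time.gmtime(c.first)),
                    time.strftime("%H:%M:%S", time.gmtime(c.last))))
        return lines


def simulate(bl: BlockList, addresses: List[str], per_host: int, t0: float) -> List[str]:
    """Constructed traffic: every address makes per_host requests, one second apart,
    the pattern of a few requests each from many VPN exits in the same range."""
    verdicts, t = [], t0
    for _ in range(per_host):
        for a in addresses:
            verdicts.append(bl.check(a, t))
            t += 1.0
    return verdicts
```

The per-address counter alone never fires on the VPN pattern (two or three requests per exit), which is the problem the post describes; the /24 counter does, at the cost the post also mentions: a corporate NAT range sharing that /24 needs an entry in `allow` first.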
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
That sort of error usually happens if you don't open the form in the IDE, and the new properties are not saved to the DFM, so fail to be read when executed. That property was added six months ago, and no-one else has reported a problem in that time. Angus
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Sorry, not sure what point you are making here. The SslCipherList13 property was added in V9.3 and defaults to sslCipherSuitesTLS13, they both exist in V9.4. Angus
Connection refused issue
Angus Robertson replied to Eric Bonilha's topic in ICS - Internet Component Suite
Is the server dead once the problem arises, or does it start accepting connections again at some point? The backlog of 15 suggests the default is not being changed, but it is set immediately before Listen so can not be skipped. There is a fix in V9.4 relating to the wrong connection state when connections open very quickly, usually localhost, that could stall WSocket, not sure if it applies to your situation. Angus
Access violations in OverbyteIcsHttpRestTst
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
Bug now fixed, it was a late change in V9.4 flushing the log file to disk in case the request failed, but not actually checking the log was opened. You can fix it by removing the lines marked with V9.4. Angus
Access violations in OverbyteIcsHttpRestTst
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
How do you propose I reproduce that problem? It is most likely something specific to your installation. That URL works fine here:

Built With Delphi 11.3 Win64
12:36:51 Opened log file: D:\weblogs\ics\https-rest\ics-httprest-2025-02-25.log
12:36:51 25/02/2025 12:36:51 Starting REST request for URL: https://jsonplaceholder.typicode.com/users
12:36:51 GET https://jsonplaceholder.typicode.com/users
12:36:51 https://jsonplaceholder.typicode.com/users, Getting headers
12:36:51 Async REST request started
12:36:52 Connected OK to: jsonplaceholder.typicode.com (104.21.48.1)

Edit: thinking back, it might be a first time issue saving INI settings or something, is it repeatable? Angus
IcsMimeIsTextual doesn't work with content-type 'text'
Angus Robertson replied to omnibrain's topic in ICS - Internet Component Suite
Strangely, that function was on my screen, I've just added some more parameter encoding and decoding functions to that unit. I've removed the / after text, it's a pretty basic function to avoid trying to convert images and files into unicode. Not sure why V9.3 changed anything, that text/ check was previously in the TriggerRequestDone2 function. Angus
Best Practices for Secure Authentication in Delphi REST Applications
Angus Robertson replied to nolanmaris's topic in Network, Cloud and Web
Treat API keys and tokens as if they are passwords, and encrypt them, as we have forever, at least in properly written applications. The type of encryption and how you protect the key really depends on your security threat level. Angus
Refreshing the access token (expires within a day) using the refresh token (may not expire for a year or more) is a standard part of any proper OAUTH2 implementation. But getting that refresh token usually requires a browser login, either embedded Edge or separate browser. The ICS library has several examples for OAUTH2 with refresh tokens. Angus
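The post above describes the refresh leg of OAuth2: a short-lived access token is exchanged for a fresh one using the long-lived refresh token, and only when that fails does the user have to go back through a browser login. The following is an added Python example written for this page, not ICS code and not one of the ICS OAuth2 samples; it shows the request and reply of RFC 6749 section 6, refreshing a little before expiry rather than after, keeping a rotated refresh token, and treating `invalid_grant` as "needs an interactive login again". The transport is injected so the example runs offline against a constructed stand-in for the token endpoint; every URL, client id and token value here is invented.

```python
import json
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Transport used by TokenManager: (url, headers, form_body) -> (http_status, response_body).
PostFn = Callable[[str, Dict[str, str], str], Tuple[int, str]]


class ReauthRequired(Exception):
    """The refresh token is dead (invalid_grant); only a new interactive login can fix this."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float            # absolute epoch seconds, derived from the relative expires_in
    token_type: str = "Bearer"


def build_refresh_request(token_url: str, client_id: str, refresh_token: str,
                          client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str], str]:
    """RFC 6749 section 6: form-encoded POST with grant_type=refresh_token.
    Confidential clients also send client_secret; public clients send only client_id."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret:
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return token_url, headers, urllib.parse.urlencode(form)


def parse_token_response(status: int, body: str, now: float, old: TokenSet) -> TokenSet:
    """RFC 6749 section 5.1 success or 5.2 error. A new refresh_token in the reply is
    optional; when it is absent the old one is still valid and must be kept."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        err = data.get("error", "http_%d" % status)
        if err == "invalid_grant":          # revoked, expired or already-used refresh token
            raise ReauthRequired(data.get("error_description", err))
        raise RuntimeError("token endpoint error: %s" % err)
    return TokenSet(
        access_token=data["access_token"],
        refresh_token=data.get("refresh_token", old.refresh_token),
        expires_at=now + int(data.get("expires_in", 3600)),
        token_type=data.get("token_type", "Bearer"),
    )


class TokenManager:
    """Hands out a usable access token, refreshing it shortly before it expires."""

    def __init__(self, tokens: TokenSet, token_url: str, client_id: str, post: PostFn,
                 client_secret: Optional[str] = None, skew: float = 60.0):
        self.tokens, self.token_url, self.client_id = tokens, token_url, client_id
        self.post, self.client_secret, self.skew = post, client_secret, skew

    def access_token(self, now: float) -> str:
        if now >= self.tokens.expires_at - self.skew:    # expired or about to be: refresh first
            url, headers, body = build_refresh_request(
                self.token_url, self.client_id, self.tokens.refresh_token, self.client_secret)
            status, reply = self.post(url, headers, body)
            self.tokens = parse_token_response(status, reply, now, self.tokens)
        return self.tokens.access_token

    def auth_header(self, now: float) -> Dict[str, str]:
        token = self.access_token(now)
        return {"Authorization": "%s %s" % (self.tokens.token_type, token)}


def fake_token_endpoint(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Constructed stand-in for an authorization server so the example runs offline.
    It rotates the refresh token on every use and rejects a revoked one with invalid_grant."""
    form = dict(urllib.parse.parse_qsl(body))
    if form.get("grant_type") != "refresh_token":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    rt = form.get("refresh_token", "")
    if rt == "refresh-revoked" or not rt.startswith("refresh-"):
        return 400, json.dumps({"error": "invalid_grant", "error_description": "refresh token revoked"})
    n = int(rt.split("-", 1)[1])
    return 200, json.dumps({"access_token": "access-from-%s" % rt, "token_type": "Bearer",
                            "expires_in": 3600, "refresh_token": "refresh-%d" % (n + 1)})
```

The `skew` margin is what stops a token that is valid when checked from being rejected by the time the API request arrives; the stored refresh token is exactly the secret the previous post says to encrypt at rest.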
TSslHttpRest and OnDocData
Angus Robertson replied to KBazX's topic in ICS - Internet Component Suite
Correct, provided you use the RestRequest method. The data received during the request is handled internally, and made available from various properties, ResponseRaw, ResponseStream, ResponseOctet and ResponseJson, depending on what you want to do with it, or might have been written to a file. Because TSslHttpRest descends from TSslHttpCli, it publishes all its properties and events, so you can use it without RestRequest if required. Angus
SSL/TLS and Certificate Improvements
Angus Robertson posted a topic in ICS - Internet Component Suite
SSL/TLS is continuously changing with new protocols added, old ones obsoleted and rules changing. We can not ignore such changes.

OCSP (Online Certificate Status Protocol)

Currently, ICS supports OCSP as the way to confirm SSL/TLS certificates are legitimate and not revoked for security reasons. But the industry does not like OCSP, expensive to implement and several flaws that mean most browsers now ignore it. So Let's Encrypt is closing its OCSP service over the next six months, ICS should gracefully ignore it as the OCSP URL disappears from X509 certificates. In theory, CRLs (Certificate Revocation Lists) are still supported, ICS has supported them since the beginning, but has never provided a means to automatically download them, it would mean an archive of CRL files for each intermediate certificate received that needed updating continually. This could be added to ICS, but would be a lot of effort and slow down connections as the files are downloaded. Google Chrome has its own version of CRLs, where those from multiple certificate issuers are combined into a single combined list. Has anyone looked at it? The industry solution is X509 certificates with short life times that are replaced automatically regularly. Apple wants to reduce maximum life to 47 days, others want less. Let's Encrypt is planning to optionally issue six day certificates later this year which ICS will support shortly.

RPK (Raw Public Keys)

SSL/TLS use a private/public key pair to negotiate encryption, usually contained in an X509 certificate to also prove ownership of the server. For many local applications, ownership is less important than encryption, so self signed certificates are often used instead, but even those can be burdensome, despite ICS servers automating them. OpenSSL has now added support for Raw Public Keys, where the server uses just the private key without a certificate, and the clients have a list of acceptable public keys that can be checked to ensure the connection comes from a known private key. Supporting RPKs will involve a minor change to IcsHosts for servers and updating TSslRootCAStore to store a list of public keys that can be checked during the SSL handshake. Note RPKs are really only for app-to-app communication, browsers don't support them. I know one ICS user already uses a version of RPKs by checking the public key and not the certificate, does anyone else see an application for RPKs?

Let's Encrypt Changes

Let's Encrypt is planning several changes this year. Closing OCSP has already been mentioned. Not sure how many ICS users actually make use of Let's Encrypt certificates, I never hear about bugs or problems, so perhaps they just work, or ICS users are still paying for commercial certificates? Let's Encrypt is adding account profiles to allow different types of certificate to be ordered. ICS will allow the profile to be selected using IcsHosts. 'Classic' profile will be the same as now, 90 day certificates. 'TLSServer' profile will be simplified certificates missing the Common Name that servers shouldn't use and several other fields will go, all to reduce certificate size. 'Shortlived' profile will be six day valid certificates. Let's Encrypt is also planning to support IP Addresses in certificates, ICSHosts will also support this.

HTTP/2 and HTTP/3 (QUIC)

Adding support for HTTP/2 and HTTP/3 to ICS as Delphi code would be a major project, and the only current benefit would seem to be a small performance improvement with complex pages with hundreds of elements to download. So not planning any HTTP/2 or HTTP/3 support. Angus
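The RPK section above mentions an ICS user who already gets most of the benefit of raw public keys by checking the server's public key rather than its certificate. The following is an added Python example written for this page showing what that check looks like on the client side; it is not ICS code and not OpenSSL's RPK implementation. It walks the DER of a received certificate to the SubjectPublicKeyInfo, hashes it into the usual base64(SHA-256) pin, and compares it against an allow list, so a certificate that has been renewed with new dates and serial still passes while one issued for a different key does not. The small DER encoder and the certificate shells are constructed test material with placeholder key bytes, not real keys.

```python
import base64
import hashlib
from typing import List, Tuple

SEQUENCE, INTEGER, BIT_STRING, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x17, 0xA0


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(content: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed value into (tag, whole_tlv, inner_content) triples."""
    out, pos = [], 0
    while pos < len(content):
        start, tag, first = pos, content[pos], content[pos + 1]
        pos += 2
        if first < 0x80:
            n = first
        else:
            k = first & 0x7F
            n = int.from_bytes(content[pos:pos + k], "big")
            pos += k
        out.append((tag, content[start:pos + n], content[pos:pos + n]))
        pos += n
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 section 4.1).
    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signatureValue };
    TBSCertificate = SEQ { [0] version (absent in v1), serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... }."""
    outer = der_children(cert_der)
    if len(outer) != 1 or outer[0][0] != SEQUENCE:
        raise ValueError("not a DER Certificate")
    tbs = der_children(outer[0][2])[0]
    fields = der_children(tbs[2])
    idx = 6 if fields[0][0] == CTX0 else 5       # v1 certificates omit the version field
    return fields[idx][1]


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SPKI)), the pin format used by HPKP and most pinning libraries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def peer_key_allowed(cert_der: bytes, allowed_pins: List[str]) -> bool:
    """The client-side check: accept the peer, however its certificate was issued or renewed,
    as long as it carries one of the expected public keys. With Python's ssl module the
    DER comes from sock.getpeercert(binary_form=True)."""
    return spki_pin(spki_from_cert(cert_der)) in allowed_pins


# --- constructed test material, not real keys or certificates -------------------------

def fake_spki(seed: int) -> bytes:
    """An ecPublicKey/prime256v1 SubjectPublicKeyInfo around a placeholder 65-byte point."""
    alg = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a8648ce3d0201"))        # id-ecPublicKey
                  + der_tlv(OID, bytes.fromhex("2a8648ce3d030107")))             # prime256v1
    point = b"\x04" + hashlib.sha256(b"x%d" % seed).digest() + hashlib.sha256(b"y%d" % seed).digest()
    return der_tlv(SEQUENCE, alg + der_tlv(BIT_STRING, b"\x00" + point))


def fake_cert(spki: bytes, serial: int, not_after: bytes, with_version: bool = True) -> bytes:
    """Unsigned certificate shell with the given key, serial and expiry; the signature is junk."""
    ecdsa_sha256 = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a8648ce3d040302")))
    parts = []
    if with_version:
        parts.append(der_tlv(CTX0, der_tlv(INTEGER, b"\x02")))                   # v3
    parts += [der_tlv(INTEGER, bytes([serial])),                                 # serial < 128
              ecdsa_sha256,
              der_tlv(SEQUENCE, b""),                                            # issuer (empty Name)
              der_tlv(SEQUENCE, der_tlv(UTCTIME, b"250101000000Z") + der_tlv(UTCTIME, not_after)),
              der_tlv(SEQUENCE, b""),                                            # subject
              spki]
    tbs = der_tlv(SEQUENCE, b"".join(parts))
    return der_tlv(SEQUENCE, tbs + ecdsa_sha256 + der_tlv(BIT_STRING, b"\x00" * 9))
```

Pinning the SPKI rather than the whole certificate is what lets short-lived certificates rotate underneath a fixed allow list; the list only has to change when the server's key does, which is also exactly the list an RPK client keeps.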
SSL/TLS and Certificate Improvements
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
I understand some commercial certificate suppliers are now using the ACME system designed by Let's Encrypt to automatically issue certificates. Presumably adding an authentication step for payment, this might be something ICS should be supporting. Angus
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
The issue here is how much time I can spend attempting to support long obsolete versions of Delphi, instead of concentrating on new features and stuff. My time is free and not unlimited. I have not yet removed support for these old Delphi versions from ICS, but those using them need to help investigate problems, not just report them. Angus
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
The large change with V9.3 was consolidating many type definitions into the Types unit, with their original versions commented out with (* *). I then remove old code a release or two later. Comparing the prior unit with the latest, I see there are a couple of embedded (* *) pairs I did not disable, near lines 1428 and 1467, maybe D2010 has trouble there. Try removing all that code. Or indeed any code that is commented out, which I'll do for the next release anyway. As I said earlier, I can not test this since my D2010 license no longer works. Angus
SSL/TLS and Certificate Improvements
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Do you mean you are using Caddy or nginx as a proxy in front of non-SSL ICS servers? Angus
ICS V9.4 announced
Angus Robertson replied to Angus Robertson's topic in ICS - Internet Component Suite
Clearly some minor recent change in OverbyteIcsWinsock.pas has upset Delphi 2010, but seemingly not older or newer compilers. But our support of ancient compilers is limited, it is more important to support newer compilers. So please look back at the last ICS version you installed in D2010, see what has changed since, and fix it. Angus
[RESOLVED] SSL certificate expired
Angus Robertson replied to DelphiUdIT's topic in Community Management
The new certificate issued this morning is fine, but the server should really be setup to automatically renew it a few days before it expires, rather than waiting until after it has expired, I saw the expiry warning this morning as well. Angus
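The post above makes the practical point about automatic renewal: the job has to run early enough, and often enough, that a certificate is replaced well before it expires rather than after. With six-day certificates (see the SSL/TLS and Certificate Improvements topic above) the margin shrinks from weeks to hours, so the schedule matters more. The following is an added Python example written for this page, not the forum's configuration and not ICS code; it decodes the validity times as they appear in a certificate, applies Let's Encrypt's usual advice of renewing once a third of the lifetime is left, and works out the longest gap between renewal checks that still leaves a few retries inside that window. The one-third rule and the three-attempt figure are the assumptions; the dates in the comments are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

RENEW_FRACTION = 1 / 3   # renew once a third of the lifetime is left (Let's Encrypt's advice)


def parse_x509_time(value: str) -> datetime:
    """Decode an X.509 validity time: UTCTime 'YYMMDDHHMMSSZ' (years 1950-2049 per
    RFC 5280) or GeneralizedTime 'YYYYMMDDHHMMSSZ' (2050 onwards), both in UTC."""
    if not value.endswith("Z"):
        raise ValueError("certificate times must be UTC (Z)")
    digits = value[:-1]
    if len(digits) == 12:                                   # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:                                 # GeneralizedTime
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("bad time length: %r" % value)
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def renewal_window(not_before: datetime, not_after: datetime,
                   fraction: float = RENEW_FRACTION) -> Tuple[datetime, datetime]:
    """Start renewing when `fraction` of the lifetime remains; it must be done by not_after.
    A 90-day certificate gives a 30-day window, a 6-day certificate only 2 days."""
    lifetime = not_after - not_before
    return not_after - lifetime * fraction, not_after


def renewal_status(not_before: str, not_after: str, now: str,
                   fraction: float = RENEW_FRACTION) -> str:
    """'ok', 'renew' (inside the window, the current certificate is still valid) or
    'expired' (the situation the post describes: renewal only after clients saw errors)."""
    nb, na, t = parse_x509_time(not_before), parse_x509_time(not_after), parse_x509_time(now)
    if t >= na:
        return "expired"
    start, _ = renewal_window(nb, na, fraction)
    return "renew" if t >= start else "ok"


def max_check_interval_hours(not_before: str, not_after: str,
                             fraction: float = RENEW_FRACTION, attempts: int = 3) -> float:
    """Longest gap between renewal checks that still leaves `attempts` tries inside the
    window, so one failed ACME order does not become an expired certificate."""
    nb, na = parse_x509_time(not_before), parse_x509_time(not_after)
    start, end = renewal_window(nb, na, fraction)
    return (end - start).total_seconds() / 3600 / attempts


def schedule_is_safe(not_before: str, not_after: str, check_every_hours: float,
                     fraction: float = RENEW_FRACTION, attempts: int = 3) -> bool:
    """True when a checker running every `check_every_hours` fits the renewal window."""
    return check_every_hours <= max_check_interval_hours(not_before, not_after, fraction, attempts)
```

For a 90-day certificate a daily check is ample (the window allows one every ten days); for a six-day certificate the same daily check leaves only two attempts and must tighten to every sixteen hours or better, which is the difference between the two Let's Encrypt profiles mentioned earlier in this list.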