Angus Robertson

ICS has a function IcsBuiltWith that uses a lot of defines to get the version, ie 12.2, but not patches. Not much code, but it does need an insert file that does most of the version checking. Several ICS samples report the Delphi version, which is useful. Angus

I mentioned here in October that the beta version of ICS in SVN and the overnight zip now builds (mostly) correctly for C++ and D12.2, V9.3 does not! But I've had zero feedback from C++ users, despite at least three users agreeing to test it. So please stop reporting C++ problems with ICS versions known not to work, and help test the official version. Angus

The Code Sign check is probably failing due to Windows 2008 not understanding the cryptography used, specifically the SHA-256 algorithm. You may have the same problem using other modern signed applications. I don't plan to change anything, we can not support old compilers and operating systems forever. Angus

It is not unusual for applications developed on newer versions of Windows to be used on older versions, Windows 2008 did not even support TLSv12 so using OpenSSL was a way to keep it running, that's what I did for some years. The original problem here loading OpenSSL DLLs can probably be fixed by the method used by all the samples until this year, disable all the new SSL DEFINES and set GSSL_DLL_DIR to the directory for the DLLs, usually that of the application, then load OpenSSL. This is explained in readme9, search for GSSL_DLL_DIR. Angus

I would recommend you use the TIcsIpStrmLog streaming log component, look at the doSocketRemoteClick function in the Snippets sample which is TCP so needs a one line change for UDP, then data just arrives in an event. Angus

OpenSSL loading was totally rewritten in the last year. Angus

I'll look at the logs later, but ICS is not tested on Windows 2008 which is years beyond end of life. My first public server was Windows 2008, but I closed it down in 2019. It was based on Vista, which we don't support either. Windows 2008 R2 was much better, based on Windows 7 which I do still test, since I have a VM with all the old compilers. The problem might be file paths, c:\ProgramFiles did not exist 20 years ago. Windows 2008 was the last Win32 server OS Microsoft sold, only Win64 onwards, which is why some people still use it, on ancient hardware. Angus

Indeed, the EmbeddedWB component wraps the old Internet Explorer stuff which is long obsoleted by Edge, it still works for Microsoft APIs, but not for Google APIs, you need to use Edge. Angus

False virus alarms are a way of life due to the different ways of attempting to detect malicious files. You could try updating to the latest OpenSSL files to see if the problem goes away. I believe I have Windows Defender running on my servers, since Sophos now refuses to run on servers, and I've not seen any reports or issues, nor has anyone else reported problems with OpenSSL for many years. Goggle once decided a five year old OpenSSL DLL on my web site was malicious and immediately flagged my entire web site as malicious when anyone visited it, took a few days to get the block removed, but that is why downloading files from my site now requires a password, to stop Google accessing them with it's flaky detection techniques. Angus

Testing your own client against your own server makes debugging harder. You should test your client against the ICS multi web server sample, specifically post to https://localhost/postinfo.html which logs all URL or POST parameters passed to it, and returns them as a web page, so you know exactly what the client is sending. The server code is in OverbyteIcsSslMultiWebUploads.pas and illustrates how to untangle parameters. For the client, you should be using the TSslHttpRest component which requires less code, look at the doHttpSimpleUploadClick function in the snippets sample, you build your parameters and then simply POST them. SslHttpRest.RestParams.PContent := PContUrlEncoded; SslHttpRest.RestParams.AddItem('FileTitle', mytitle); StatCode := SslHttpRest.RestRequest(httpPOST, myurl, False, ''); You can test all this against your server using the OverbyteIcsHttpRestTst sample. Angus

You need a data centre hosted server, either a physical machine you rent or own, or a virtual private server running on data centre hardware, you then have complete control over what applications are installed, not sure why you want FMX unless for Linux. I have a hosted Dell rack server in one data centre, and a secondary VPS in another, running all my Delphi servers. But many companies just order virtual servers from Azure, AWS and others, which have the benefit of scaling, but can be horribly expensive. Azure seems easy to buy, I've been getting spam emails from 50 or more Azure VPSs in India, USA, Netherlands and the UK, Microsoft seems to sell VPS to anyone. Angus

But that low end testing may also be done in a virtual machine with minimal resources, at least for applications that don't need specific hardware resources. I still have my ancient Windows 7 development PC that I mainly use for burning DVD off-site backups. But also for some backward testing, don't power it up very often. Angus

There are several ways to use the HttpRest component, it is possible events may sometimes be called more than once. Is it a problem? Angus

I integrated YuOpenSSL into ICS three years ago and alternate using it and OpenSSL for testing. ICS also allows the OpenSSLs to be compiled into applications as resources to ease distribution and DLL hell, all three variants work identically. But applications are larger with YuOpenSSL or resource files. Using SChannel may seem simpler, but your cryptography and updates are then locked to the OS, Microsoft only reluctantly support TLS/1,2 With Windows 2008 but did not support EC certificates, and TLS/1.3 took a long time to arrive. In ICS, I've worked with many of the Windows crypto APIs, and they are horrible. Angus Angus

This was a bug I introduced in V9.3 attempting to reduce the amount of string casting by avoiding AnsiStrings which normally give compiler warnings, but not in the case of bad pointer casting, and the SMTP unit is unique in building strings using pointers. The AnsiString cast mentioned earlier fixes the problem, not in SVN yet. Angus

Historically there were several Base64 implementations in different units, which I've been slowly consolidating. I did look at the email MIME stuff briefly, but it was too convoluted to update to TBytes, and also lacks means to test stuff easily without building emails. But I will look at AnsChar casting, that code is probably unchanged for 20 years. I never write code using null terminated strings, unless needed for APIs. Angus

Sorry, that message is far too long for me to read and digest. I have other priorities. ICS contains a lot of historic code written over 25 years, sometimes it's worth the effort to clean it up, sometimes too dangerous if it can be easily tested, sometimes not worth the effort. Angus

I asked for the date in the unit, not for you to waste space here copying text from the unit. If you can reproduce the problem using the OverbyteIcsMimeDemo sample, I will put it on the list to investigate. Angus

There were massive changes to Base64 to use TBytes due to your complaints about it not working with AnsiChars, although no problems were ever found. What is the last history date in the Utils unit? Angus

OpenSSL has released a new feature version 3.4.0 (no security fixes). It includes support for integrity-only cipher suites, a random seed source JITTER, and other new crypto functions. Also support for X509 attribute or authorization certificates, that may be used to control installation of software on devices from software stores, ICS does not support AC yet. The QUIC server implementation planned for this release has been postponed to 3.5 in April 2025. Windows binaries are available in SVN and the overnight zip file and separately from https://wiki.overbyte.eu/wiki/index.php/ICS_Download or https://www.magsys.co.uk/delphi/magics.asp In addition to the three DLL files, the zips include compiled RES resource files that contain the same DLLs, text files and version information, see the RC file. The RES file may be linked into application EXE files and code then used to extract the DLLs from the resource to a temporary directory to avoid distributing them separately. ICS V9.1 and later optionally support loading the resource file. These OpenSSL versions are included with ICS V9.4 beta available from SVN and the overnight zip. Beware OpenSSL 3.4.0 has exposed a minor ICS bug creating X509 certificate requests and creating CA signed certificates, which is fixed in SVN for V9.4. or a one line change for earlier versions. Also note when building the ICS packages for the first time with 3.4.0, there may be a dialog 'entry point could not be located', because the new DLLs are only extracted from the resource files when the first application is run, but the packages have built OK. ICS V9.4 beta now defaults to using OpenSSL 3.4.0, provided the new OverbyteIcsDefs.inc files is installed. Angus

ICS V9.3 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12 and C++ Builder 10.4, 11 and 12. ICS supports VCL and FMX, Win32 and Win64 targets. Beware C++ have not been tested recently due to lack of support from such users. The distribution zip includes the latest OpenSSL 3.0.15, 3.2.3 and 3.3.2, for Win32 and Win64. Changes in ICS V9.3 include: 1 - V9.3 continues the simplification of use of ICS components by consolidating many types and constants into the OverbyteIcsTypes unit, avoiding projects needing to find and add specific units before they will build. For XE2 and later, OverbyteIcsTypes and OverbyteIcsSslBase will be added automatically when components needing them are dropped on a form, or that form accessed for existing projects. One benefit of this change is removing dependence on several units for many components and applications, it should be possible to remove OverbyteIcsWinsock, OverbyteIcsLIBEAY, OverbyteIcsSSLEAY and OverbyteIcsLogger from most applications, and also other units. See https://wiki.overbyte.eu/wiki/index.php?title=Updating_projects_to_V9.3 for more information. 2 - Previously, the Windows Certificate Store was supported on Windows for all components and samples, despite it not always being required. There are three new defines {$DEFINE MSCRYPT_Clients}, {$DEFINE MSCRYPT_Servers} and {$DEFINE MSCRYPT_Tools) that determine which components can use the store, at least one must be set or applications that need the store will fail. Although these new defines all default to enabled in the OverbyteIcsDefs.inc supplied with V9.3 and later, unless this file is installed, Windows Certificate Store will be unavailable. These defines are disabled for non-Windows platforms and for C++ Builder which has bugs. 3 - Added new application independent monitoring, comprising a client component and server sample. The ICS Application Monitor TIcsAppMonCli client component is designed to report to an ICS Application Monitor server, which will ensure the main application remains running. The ICS Application Monitor server IcsAppMon.exe is designed to monitor ICS applications using the TIcsAppMonCli client component, and ensure they remain running, restarting the application if it stops or becomes non-responsive, or on demand. Primarily to keep ICS server Windows services running non-stop, but may also be used for network wide monitoring of ICS applications. Client and server both use the TIcsIpStrmLog component with a simple TCP protocol. More information at https://wiki.overbyte.eu/wiki/index.php?title=FAQ_ICS_Application_Monitoring 4 - The HTTP client components TSslHttpCli and TSslHttpRest have new RespMimeType and RespCharset response properties parsed from the Content-Type header to avoid applications needing to parse this headers. Fixed a problem in V9.2 where a missing / was added to the start of the request path, but was not needed for absolute paths used for proxies. 5 - The TIcsIpStrmLog streaming log component has improvements for TCP Server mode when multiple remote clients connect. Previously the same data was sent to all remote clients (the original concept being remote logging), but now applications can send data to specific remote clients, and more easily check which remote client is receiving data. This change means TIcsIpStrmLog can be used as the core of many TCP servers with different protocols, such as the new IcsAppMon sample, see above. 6 - The TSslHttpRest and component has a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self signed private certificates, maybe checking certificate serials, names or public key. If LogSslVerMethod = logSslVerOwnEvent, a new event OnSslCertVerifyEvent is called so the application can check the chain and change the verify result appropriately. 7 - Improved the ability to customise SSL ciphers if the ICS defaults need to be changed. TSslContext and TIcsHosts have three properties, SslCipherList for TLSv12 ciphers, SslCipherList13 for TLSv13 ciphers, and SslCryptoGroups sets the cipher curve groups allowed (like P-256 or X25519). Beware old SslContexts may include group P-512 which must be corrected to T-521. SSL handshake responses now show the curve group used for OpenSSL 3.2 and later. The OverbyteIcsHttpsTst client sample may be used to test the new cipher options, and they will be read from IcsHosts INI files for servers. 8 - Added a new web server sample OverbyteIcsBasicWebServer1.dpr which is a simplified version of OverbyteIcsSslMultiWebServ ignoring configuration INI files, security features, session data, most demo pages and most logging, and settings for localhost set in code, search for IcsHosts to change IP addresses, etc. This sample should be easier to use as a basis for new web server applications. The existing samples OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService have a new index.html template page, and default to localhost 127.0.0.1 with an internal localhost SSL certificate, so should always response to https://localhost/ without any INI file changes. 9 - Fixed an HTTP web server problem in V9.2 to avoid repeated redirection for virtual default page /, was adding /// etc. 10 - Updated OpenSSL binary and resource files to releases 3.3.2, 3.2.3 and 3.0.15, only one of which will be linked according to defines. 11 - Restored the sample OverbyteIcsConHttp.dpr which is a console example, now supports SSL by replacing THttpCli with TSslHttpRest, no longer needs any events or a message loop for a single sync request, so a less code than without SSL. Now contacts https://wiki.overbyte.eu/wiki. 12 - A lot of changes have been made preparing ICS for Linux. Corrected loading OpenSSL on Posix, now loads the system supplied OpenSSL 3 DLLs on Ubuntu 22.04. The Linux package now builds correctly, but beware WSocket is not yet supported on Linux so no protocols will work. There is a new IcsPemTest FMX sample that works on Ubuntu 22.04 and which will create ICS signed SSL certificates. Note, MacOS support is disabled pending the new Posix implementation. The release notes for V9.3 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.3 All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples

Another ICS user attempted to add Android support to ICS last year, but it never worked, and the code has now been removed, Currently, ICS has limited support for Linux for tools and utilities only, particularly SSL/TLS certificates, but not TCP/UDP sockets. Those functions would probably also work today on Android with minor changes to look for the OpenSSL in the correct path, you should be able to debug the code yourself, but I'm not testing Android until Linux is fully working. I'm now working on the full Linux implementation, replacing the existing MacOS only support with new multiplatform support, it will be several weeks work. Angus

I just use the OnTriggerAvail event to receive all data available, add it to a buffer, locate my packet, remove from buffer, repeat. More code that, but more reliable, particularly if the packet can contain random binary data, like your triggers. Angus

Sorry, only tested creating RSASSA-PSS private keys, never signing. Angus

I don't see why another DLL or application should not load different DLLs to those ICS uses, but never tried it. Beware OpenSSL 1.1 is now out of support, so whoever supports the SSH DLL should have updated to OpenSSL 3 at least two years ago. There is little demand for SSH which is why ICS does not support it. All Linux systems using SSH should be able to use better SSL/TLS protocols as well. Angus