Angus Robertson

Your issues are now fixed in SVN and will be zipped overnight. The GET and DELETE methods now support REST PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this. The ICS web server also now supports body content with GET and DELETE requests, provided there are UrlJHandlers for these methods or the application handles the content stream. The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance: RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]} RPFmtArrayVal: [data1, data2, data3] RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}] Angus

Your change is now in SVN, but you'll need a new DEFINE OpenSSL_Deprecated to use it. I've moved about 130 OpenSSL deprecated 3.0 exports to a new table only loaded with the new define, and fixed two units that still used deprecated EC_x exports. Not sure if all these deprecated exports will disappear in OpenSSL 4.0 due next April, but at least ICS is now ready. Angus

Decoding just the inline MIME file name does work: Unicode Header: TaWa für HG-SV 352 vom 20.06.2025 09_49_08.pdf [CharSet=utf-8] The forum problem is extra stuff being added: n\n\n\n\t\u00a0\n\n\n\n----boundary_51 Angus

The TMimeDecodeW.PartNameW property should decode the inline MIME correctly, although PartName should have returned the encoded version. This is because the unit was written in AnsiString times, and unicode added later to the W . It's possibly due for rewrite to remove AnsiStrings. However I'm not sure about the quotes around the name, I don't think we expect them for inline MIME. I can not test your MIME because DelphiPraxis has corrupted what appears to be fixed text with hidden unicode characters that can not be pasted into Delphi, or easily removed, so our MimeDemo sample is unable to decode your name value. Angus

This is fixed in SVN and the overnight zip, took a while to find all the horrible LongInt casts being used to handle unsigned 32-bit IPv4s. Mar 04, 2025 V9.5 Using TIcsIPv4Address instead of TIPAddr (longint) to avoid range errors. You should be able to just use the new ICMP unit with V9.4. Angus

ICS V9.4 has been released at: https://wiki.overbyte.eu/wiki/index.php/ICS_Download ICS is a free internet component library for Delphi 7, 2006 to 2010, XE to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12 and C++ Builder 10.4, 11 and 12. ICS supports VCL and FMX, Win32 and Win64 targets. The distribution zip includes the latest OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1 for Win32 and Win64. Changes in ICS V9.4 include: 1 - Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen. 2 - The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line. 3 - In TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs. 4 - In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end. Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL. 5 - When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded. 6 - In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error. Don't report directories as being downloadable, they are not. If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors. 7 - The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4. 8 - The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent. 9 - When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available. 10 - The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default. 11 - The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging. 12 - In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents. 13 - The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519. 14 - There is a new unit OverbyteIcsWinUtils that contains Windows API functions, built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access. It's planned to move most other Windows specific function here for ICS V10. 15 - In the ICMP component, fixed a problem setting property PingMsg to the text to ping. 16 - In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients. 17 - In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file. 18 - In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions. Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb). 19 - The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32. Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12. The release notes for V9.4 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.4 All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples Angus

Yes, you need a Google account with credit card details, but there is no charge for ACME issued certificates. I just used my Google Play account from Android (I think), or maybe my Google maps account (they send an invoice monthly, for zero), somehow the Command Line Tool just worked, I explain briefly in the supplier notes in the OverbyteIcsSslX509Certs unit, but will do it properly in a wiki page, or look at: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial The product manager made some interesting comments about Google's intentions at https://community.letsencrypt.org/t/acme-support-in-google-s-ca/174736/38?page=2 Angus

Currently, SSL/TLS certificates may be issued for a maximum period of 398 days, before renewal is required. The CA/Browser Forum recently voted to reduce this life span period in steps over the next four years. From 15th March 2026, life span is reduced to 200 days. From 15th March 2027, life span is reduced to 100 days. From 15th March 2029, life span is reduced to 47 days, but only 10 days for domain control validated certificates, such as most free certificates. These reduced life times reduce the effort needed to block compromised certificates, but also make manually updating server certificates more onerous. The Automatic Certificate Management Environment (ACME) developed by Let's Encrypt and used by many web servers, is now supported by other certificate vendors to issue free and commercial certificates automatically, and will hopefully be fully integrated with all major web servers by 2029. Let's Encrypt is adding a certificate profile to the ordering process, allowing alternate certificate types to be ordered, including six day life certificates later this year. It has also added a ACME command to get recommended renewal information, which is currently 30 days before a 90 day certificate expires. Applications are recommended to check renewal information regularly, currently every six hours, to check if certificates have been revoked. This will be important this summer when Let's Encrypt closes down the Online Certificate Status Protocol currently used to check if certificates are validly issued. A new version of the ICS TSslX509Certs component is currently being tested with these new ACME features, it will also attempt to support ordering certificates from Bypass, ZeroSSL, Google, DigiCert and ssl.com, although these most of these need accounts to be opened at the issuer before the ACME protocol can be used, so testing will not be quick and not all may be available initially. The main difference from Let's Encrypt is external accounting fields to link to the supplier's account, instead of just a public key. Minor changes to IcsHosts are needed for the ICS web server to handle certificate profiles and alternate suppliers, and to regularly update renewal information. These changes are already done in the OverbyteIcsX509CertsTst sample that is used to create ACME accounts and place certificate orders, that can be validated by an internal web server, external web servers such as Windows IIS and Windows Apache, and by Windows DNS server for wild card certificates. The sample supports multiple accounts for different suppliers, listing the status of all orders for those suppliers, and allowing ordering and renewals with a few clicks. I'll update this topic when the ICS web server is updated, hopefully within a week or two, meanwhile could anyone that has looked at alternate ACME suppliers let me know, to help with testing. Angus

SVN and the overnight zip have been updated with a new ICS beta, with a lot of SSL/TLS changes. Took a little longer than expected due to adding support for new certificate suppliers and a major sample upgrade. Since Let's Encrypt introduced the ACME (Automatic Certificate Management Environment) protocol to download SSL/TLS certificates, other suppliers have added automated ordering using the same API, mostly with extra account information for commercial certificates. ICS has been tested successfully with free certificates from Google Trust Services and Buypass, and should work with DigiCert, ZeroSSL and SSLcom, but these last three are primarily commercial suppliers and need prepaid accounts, so not tested yet. Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates up to 90 days with multiple wildcards, but allows the expiry days to be specified during ordering, down to three days. Some companies were reluctant to use Let's Encrypt when there was no alternative in case of extended down time, now Google offers that alternate. Bypass is a Norwegian business, offers free 180 day certificates but no wild cards and only five domains per certificate, but may be suitable for those that don't want to use American certificates. Apart from Let's Encrypt and Buypass, suppliers use ACME external accounting to tie the ordering process to web site accounts, which is explained in comments in the OverbyteIcsSslX509Certs unit, more information will be added and the wiki pages updated before release. Google needs the Google Cloud CLI Windows application installing, type a few commands and you get the external account information Acme needs. The OverbyteIcsX509CertsTst sample has a major revision to support multiple account suppliers and to specify the external accounting information. The sample needs to be run on any servers that will order certificates to create the initial Acme account (except for Let's Encrypt), and includes a web server allowing test certificates to be ordered provided DNS points to a public IP on the server. Most suppliers provide a testing endpoint which is listed in OverbyteIcsX509CertsTst so you can order fake certificates to understand the process. OCSP is being deprecated by the industry in favour of shorter expiry certificates, Let's Encrypt stopped adding an OCSP URL to certificates in May 2025 and will turn off it's OCSP servers in August 2025. This means OCSP Stapling no longer works, nor checking OCSP during chain verification. ICS has two new defines OpenSSL_OcspStaple and OpenSSL_OcspChains defaulting to false, that need to set to enable ICS to continue using OCSP for any suppliers still supporting it. The default saves a lot of extra OCSP code being linked into applications. When existing projects with server components are opened, 'Error reading: xx: Property OcspSrvStapling does not exist' may appear, just click past it and the property will be removed from the form. To replace OCSP for servers, the ACME specification now supports a renewal information API, that for each certificate provides a recommended date range when the certificate should be renewed, which may change dynamically if the certificate is revoked. ICS servers now check certificate renewal information, usually every six hours. ACME certificate profiles are now supported, currently Let's Encrypt only, default classic, optional tlsserver and shortlived (7 day, not yet available). Angus

I only use 125% scaling on my 4K monitor, but it is 49 inches, my old Toshiba TV (got a larger one). But my second side monitor is 32in at 100% scaling, so I can move applications sideways to easily check the form positioning is correct. Having started my development life in 1980 with 80x24 terminals, then 14in PC monitors, having large screens with so many open windows side by side really does make life so much easier. Angus

On reflection, I will add your new prototypes to ICS. I was going to suggest you created your own import table with the RSA functions, similarly to the OpenSSL engine table that requires a define conditional to import. But ICS has a problem with the OpenSSL import tables getting larger as new functions are added, but old ones rarely disappear when they cease being used. So I'll create a new import table that will have most of the RSA_, ECDA_, DH_., EC_KEY_, EC_GROUP_ and DSA_ exports, with a new define around all those functions and the table, to ensure that none are currently being used by ICS. I already had to remove some EC_GROUP_ exports that have disappeared from some Linux distributions. Should be in SVN in a couple of days. Angus

You should be able to use the IcsAsymVerifyDigestTB function to replace your old code, passing it the RSA key as EVP_PKEY. Angus

RSA_verify is a deprecated low-level signing function, you should be using the EVP_VerifyFinal and related EVP functions. Not sure that we want to add deprecated functions, ICS has already been updated to stop using most of them. Angus

The release announcement for 3.4.0 last October said 'Also note when building the ICS packages for the first time with 3.4.0, there may be a dialog 'entry point could not be located', because the new DLLs are only extracted from the resource files when the first application is run, but the packages have built OK'. Your original error was a mismatch of the two DLLs, an old export had gone from one which the other expected, once both DLLs matched the problem went away. Don't recall the second error, but probably related. The problem might relate to your other component package using different versions of OpenSSL in a different location. Angus

I saw this once a few months ago, when updating to a new release of OpenSSL, but it goes away when you run an application built with the latest ICS that has the latest OpenSSL, which updates the OpenSSL DLLs the first time it runs. If you have not copied the latest DLLs from the distribution into C:\ProgramData\ICS_OpenSSL Angus

If you are using ICS created Let's Encrypt certificates in Windows IIS web server, you may find web sites no longer work correctly, giving a certificate error. This is because Let's Encrypt had discontinued it's OCSP service as a means of determining if certificates have been revoked. In each IIS site bindings, for each listener, you need to tick 'Disable OCSP Stapling', and the certificates should work again. Happened here after a reboot for patch Tuesday. I did not see any OCSP errors or warning in the IIS or Windows event logs, but knew about OCSP being abandoned. I've already added conditionals to the next ICS release to remove our OCSP code. Angus

There is also the risk when using non-standard protocol extensions that firewalls, proxies, load balances, etc, may reject or corrupt the requests. If an API needs to delete a massive number of files, it should use an HTTP POST request with the Json including a delete command, not the HTTP DELETE request with content. But I will look at adding this to the ICS client and server, so we can at least test what happens when content is sent with GET and DELETE. Angus

Please make sure you are using MQTT from SVN or the overnight zip, I did a major rewrite a couple of months ago that is not yet released. Coming back to your original problem, the best solution will be a new wrapper component around the ICS MQTT client, that handles reconnection if the connection drops, including using a list of IP addresses for multiple servers. This will avoid applications needing to handle all the reconnection stuff, which is tedious. I'll put it on my list, but it may not make the next release, which is already overdue. The TIcsIpStrmLog client component already does reconnections, just need to take those properties and methods. Angus

I said that TRestParams can not currently create an array of Json objects, at least without nesting multiple components, but it may in the future, Angus

Not sure how quickly your network will recognize that an IP address has moved between devices, that is something that does not happen very often. Each client will need to refresh its ARP cache table to find the MAC of the new PC. WMI can be used to change IP addresses, ICS has a free WMI component and sample that sets IP addresses and gateway. A better solution would be for the clients to know about each server, and use the secondary if the primary fails to respond. Angus

You just build a Json string with your parameters, you can use some helpers from TRestParams.GetParamStream like IcsEscapeJson if your content needs such processing. Then pass the string as RawParams in RestRequest(), the component then builds a stream for you. But this will fail for DELETE as discussed above. Can you please check the API server really is expecting content, do you get a 204 error, does the API documentation actually say content is needed for DELETE? I'm not going to update the component unless I can test it and know the change is really needed. Angus

Anything that crashes the ICS web server is something that should be fixed, if you are sure GET with body is fatal, I'll put it on my list to test and try and fix. I get thousands of hacking attempts on my public server daily, even have a dynamic blacklist to block repeats accesses, currently 4,600 IPs blocked for the last thee days. Angus

I'm not aware that the DELETE request is allowed to submit data as a body, this is not mentioned at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/DELETE Which is why PContBodyJson is ignored. If a body is allowed for DELETE, ICS will need to be updated TRestParams does have an array method, RPTypeArray, used by AddItemAR(const aName: String; aValue: TStrings), but there is currently no way to create an array of objects in the manner you require, sorry I simply never anticipated it when designing the component, there are simply too many ways to build Json. I'll put it on my list, but it may take a while. Meanwhile, you could build the Json with SuperObject or manually. Angus

I've removed the unwanted DCR and -k, did not show up because Build Groups stops on the first error, so never got to build all the different versions. I fixed the MQTT warning yesterday and have just done the AnsiString warnings, so C++ Win32 now builds without any warnings or errors. Win64 fails completely because dcc64.exe seems to have disappeared with D12.3, think they want us to use Win64 Modern only now, but I get the same error with Win64 Modern. Sorry, no time to mess any more now. Can not upload anything to SVN until I've finished some testing, early next week. Angus

I've just built V9.5 for Win32 using C++12.3 without any errors, just a couple of deprecated warnings. As I did before the V9.4 release. I have removed the -r argument. So maybe you had old versions of these files somewhere, I'll be updating SVN in the next few days, and I'll make sure my work C++ library files are in the SVN directory. Angus