Angus Robertson 606 Posted Tuesday at 12:41 PM SSL/TLS is continuously changing with new protocols added, old ones obsoleted and rules changing. We can not ignore such changes. OCSP (Online Certificate Status Protocol) Currently, ICS supports OCSP as the way to confirm SSL/TLS certificates are legitimate and not revoked for security reasons. But the industry does not like OCSP, expensive to implement and several flaws that mean most browsers now ignore it. So Let's Encrypt is closing it's OCSP service over the next six months, ICS should gracefully ignore it as the OCSP URL disappears from X509 certificates. In theory, CRLs (Certificate Revocation Lists) are still supported, ICS has supported them since the beginning, but has never provided a means to automatically download them, it would mean an archive of CRL files for each intermediate certificate received that needed updating continually. This could be added to ICS, but would be a lot of effort and slow down connections as the files are downloaded. Google Chrome has it's own version of CRLs, where those from multiple certificate issuers are combined into a single combined list. Has anyone looked at it? The industry solution is X509 certificates with short life times that are replaced automatically regularly. Apple wants to reduce maximum life to 47 days, others want less. Let's Encrypt is planning to optionally issue six day certificates later this year which ICS will support shortly. RPK (Raw Public Keys) SSL/TLS use a private/public key pair to negotiate encryption, usually contained in an X509 certificate to also prove ownership of the server. For many local applications, ownership is less important than encryption, so self signed certificates are often used instead, but even those can be burdensome, despite ICS servers automating them. OpenSSL has now added support for Raw Public Keys, where the server uses just the private key without a certificate, and the clients have a list of acceptable public keys that can be checked to ensure the connection comes from a known private key. Supporting RPKs will involve a minor change to IcsHosts for servers and updating TSslRootCAStore to store a list of public keys that can be checked during the SSL handshake. Note RPKs are really only for app-to-app communication, browsers don't support them. I know one ICS already uses a version of RPKs by checking the public key and not the certificate, does anyone else see an application for RPKs? Let's Encrypt Changes Let's Encrypt is planning several changes this year. Closing OCSP has already been mentioned. Not sure how many ICS users actually make use of Let's Encrypt certificates, I never hear about bugs or problems, so perhaps they just work, or ICS users are still paying for commercial certificates? Let's Encrypt is adding account profiles to allow different types of certificate to be ordered. ICS will allow the profile to be selected using IcsHosts. 'Classic' profile will be the same as now, 90 day certificates. 'TLSServer' profile will be simplified certificates missing the Common Name that servers shouldn't use and several other fields will go, all to reduce certificate size. 'Shortlived' profile will be six day valid certificates. Let's Encrypt is also planning to support IP Addresses in certificates, ICSHosts will also support this. HTTP/2 and HTTP/3 (QUIC) Adding support for HTTP/2 and HTTP/3 to ICS as Delphi code would be a major project, and the only current benefit would seem to be a small performance improvement with complex pages with hundreds of elements to download. So not planning any HTTP/2 or HTTP/3 support. Angus 2 Share this post Link to post
omnibrain 15 Posted Wednesday at 05:31 PM On 2/18/2025 at 1:41 PM, Angus Robertson said: Not sure how many ICS users actually make use of Let's Encrypt certificates, I never hear about bugs or problems, so perhaps they just work, or ICS users are still paying for commercial certificates? I'm having Caddy in front of everything. Our customers either use Caddy or nginx. Share this post Link to post
Angus Robertson 606 Posted Wednesday at 05:39 PM Do you mean you are using Caddy or nginx as a proxy in front of non-SSL ICS servers? Angus Share this post Link to post
omnibrain 15 Posted Wednesday at 08:02 PM (edited) 2 hours ago, Angus Robertson said: Do you mean you are using Caddy or nginx as a proxy in front of non-SSL ICS servers? Yes. It's not only reverse-proxing ICS based servers/APIs, but also other processes and serving static files. Everything in one place. I can imagine others working like this as well. In my case Caddy handles the certificates (via ZeroSSL) automagically. Edited Wednesday at 08:03 PM by omnibrain Share this post Link to post
Angus Robertson 606 Posted yesterday at 09:16 AM I understand some commercial certificate suppliers are now using the ACME system designed by Let's Encrypt to automatically issue certificates. Presumably adding an authentication step for payment, this might be something ICS should be supporting. Angus Share this post Link to post
![Delphi-PRAXiS [en]](https://en.delphipraxis.net/uploads/monthly_2018_12/logo.png.be76d93fcd709295cb24de51900e5888.png){kind=logo}
