ICS is available as source code only. You need Delphi to build the sample programs and create your own application. You will also need OpenSSL libraries if using SSL-enabled components.
ICS versions available:
- ICS-V8 for Delphi 7 / C++ Builder 2006 to Delphi XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 / C++ Builder XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 with FireMonkey cross platform support for POSIX/MacOS, also IPv6 support (main development tree, 32 and 64-bit).
- ICS-V7 for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder XE3 (stable release, no new development, please upgrade to V8).
- ICS-V6 for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder 2007 (discontinued and obsolete, please upgrade to V7 if you do not have to support Windows versions < W2K).
- ICS-V5 for Delphi / BCB 1 to Delphi / C++ Builder 2007 and Delphi .NET (discontinued, important bug fixes may still be backported from ICS-V7). SSL option requires at least Delphi 7 or C++ Builder 2006.
Major Changes in ICS V8.68 include:
- V8.68 is a minor release, mainly HTTP client and server improvements including new request and response headers to assist browser caching and conditional requests, improved error reporting to help diagnose failed HTTP requests, and improvements in the HTTP REST component allowing it to save files including resuming failed downloads and download files of any size. There are minor fixes in various components, and updates to installing on MacOS and C++ Builder. There is also a new File Clean-Up demo ideal for deleting the old log files that many applications (including some ICS samples) leave on systems.
- The HTTP client TSslHttpCli now keeps the Etag response header as ResponseEtag, allowing applications to save it with the page content, and when requesting a refresh to add the request method ReqIfNoneMatch or ReqIfMatch to avoid downloading the page again. Improved RequestDoneError to give more information than a simple abort, added httperrOutOfMemory and httperrBgException which happen while receiving and processing data in the OnDocData event and httperrSslHandShake. For range downloads, added the ContentIfRange request header which can send an RFC1123 date or Etag so a partial download only happens if the file is unchanged.
- Previously, the HTTPS REST client TSslHttpRest always downloaded content to a TMemoryStream with content size being limited to MaxBodySize (default 100 MByte), and generally restricted by memory to less than 250 MByte. To remove this limitation, added the HttpMemStrategy property with THttpMemStrategy on how to handle downloads: HttpStratMem only TMemoryStream; HttpStratTemp uses a work file in the system temporary directory for sizes larger than MaxBodySize; HttpStratFile always writes a named file HttpDownFileName (with .part extension during download); HttpStratResume is similar to HttpStratFile but supports resume of failed partial downloads (with .http extension for resume information). Property ResumeMinSize defines the minimum sized partial file that should be resumed, rather than start again (default 64K). Added ShowProgress property that causes download information to be sent to the OnHttpRestProg event.
- The HTTP server TSslHttpServer now supports the If-Range, If-Match and If-None-Match request headers for conditional pages using Etag or last modified date, and sends 304 not modified for matches, to help with caching. Added an ETag header to responses in AnswerStream and AnswerPage when we can create one from a file modification date and size (base64 CRC32), or if the EntityTag property is specified in the client onGetDocument event before using hgSendDoc or hgSendStream, perhaps a CRC32 of the entire content from a cache. The 304 not modified response now includes more recommended headers. Also add a Date: header to AnswerStream and AnswerPage responses to help with caching.
- The Multi HTTPS client TIcsHttpMulti has been updated to a fix a problem that meant large files failed download with only an abort error if too large for TMemoryStream, now downloaded to TFileStream with .part extension and renamed up successful completion.
- The previous ICS release added support for the OpenSSL 3.0 release. Now it's been available for three months it has been added to the main distribution, the samples SslInternet directory now has both OpenSSL 1.1.1m and 3.0.1. ICS now supports YuOpenSSL 3.0 and 1.1.1 vrsions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.
- In TIcsFileCopy, the DeleteFiles method now supports a new Zipped property so files are zipped with .zip extension before being deleted, useful for cleaning up old logs to save space (requires VCLZip). The OverbyteIcsXferTst,dpr sample has a new File Clean-Up tab to test the multiple DeleteFiles method, it allow files older than x days or a specific date range to be archived/zipped (to save space) or deleted, ideal for deleting the old log files that many applications (including some ICS samples) leave on systems.
- In the FTP client TSslFtpClient, using the PORT command to set Active mode now prevents other FTP clients sharing the same port number and address, usually only a problem with a small port pool (which is not recommended).
- Updated the trusted root certificate bundle files, lots of changes from Microsoft since June, Google is now issuing it's own certificates. Updated the build-in sslRootCACertsBundle, few gone, now total 59 certificates commonly used.
- ICS should now build with C++ for RAD Studio 10.4 and 11.0, fixed the 11.0 packages and various Windows API related units, including for Win64.
More detailed release notes are at ICS 8.68 Release Notes
Major Changes in ICS V8.67 include:
- Added support and packages for RAD Studio 11.0. Updated SSL/TLS root certificate bundles, old certificates gone, new ones added, nothing major.
- Added support for OpenSSL 3.0 which is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to the standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll has obsolete ciphers and hash digests, including MD2, MD4, Blowfish, DES, IDEA, RC2, RC4, SEED, that most applications no longer need and which needs to loaded by the application by setting global variable GSSLEAY_LOAD_LEGACY to true before loading OpenSSL.
- OpenSSL 3.0 does not offer any specific new features of benefit to ICS at present, although HTTP/3 support is planned for 3.1 or later, so the main ICS distribution retains OpenSSL 1.1.1i which is fully supported until September 2023. OpenSSL 3.0 may be downloaded from the download page.
- The main implication for ICS with OpenSSL 3.0 is for SSL/TLS certificate private keys saved with password protection, which is required for PKCS12 certificates for importing into the Windows certificate store. The new PKCS12 default password encryption AES256 is not recognised until Windows Server 2016 v1709 and Windows 10 v1709, so Server 2012, Windows 10 RTM and earlier won't load AES passworded keys, only 3DES, for which the legacy.dll must be loaded.
- There are two new classes to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server.
- Various improvements for the OverbyteIcsPemTool sample. It includes new buttons to list the contents of Windows certificate and private key stores and allow old items to be deleted. This may be useful for cleaning up old certificates and private keys from the Windows stores.
- For the TX509Certs component, the default cipher for encrypting PFX/P12 files is now PrivKeyEncAES256 with 3.0 unless the legacy DLL is loaded when still PrivKeyEncTripleDES so older versions of Windows can load them. Changed extraction of download PEM bundle so that main certificate does not need to be first in file, log them all, and ignore any self signed root certificates.
- Fixed two problems in the FTP client, support option ftpFixPasvLanIP for PUT/APPE uploads as well as downloads, and support IPv6 for PUT/APPE uploads as well as downloads.
- In the Application Web Server TSslHttpAppSrv, added an optional LastModified parameter to the AnswerStream, AnswerPage, and AnswerString methods to avoid adding a custom header line with the date. Added NO_CACHE_EX and NO_STORE_EX literals. Added PUT and DELETE verb handlers, similar to GET and POST.
- For the HTTP client TSslHttpCli, fixed a relocation problem where the Location: header included a path with a space, encode the space. Fixed another relocation problem where HEAD sometimes stalled. Remove # fragment or anchor from URL in relocation, only used by browsers and not by servers.
- Added a new SSL sample, OverbyteIcsDDWebService.dpr which is very similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows service, although it will also run as a GUI for debugging. It requires DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice.asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 5.36.5 or later to be installed from http://www.yunqa.de. Note this sample in not in the project groups due to these pre-requisites.
- Moved TRestParams from the OverbyteIcsSslHttpRest unit to OverbyteIcsUrl to ease circular references. Added a new method AddItemNULL to add a null, in Json this will be unquoted. Added a new TRestParamsSrv component which provides methods for creating REST server Json responses from a SQL database esultset, one or more rows, also error responses. Note this is only compiled if DATABASE is defined in OverbyteIcsDefs.inc to avoid bringing in database units that are not available on all Delphi editions. There is a REST server sample OverbyteIcsDDWebService.dpr that illustrates SQL lookups.
- In the proxy component TIcsHttpProxy, don't send an HTTP request header until after HTTP body has been processed in case the body length changes. HTTP Forward Proxy using HTTP works again, broken in V8.65. Using HTTP Forward Proxy, convert absolute URL to path only since some servers can not process an absolute URL and sulk.
- In the Jose unit, rewrote the functions converting private keys to and from Json Web Keys with new OpenSSL 3.0 provider functions. Use AnsiStrings and functions when dealing with binary data to avoid possible issues with string conversions and nulls. Json now created with TRestParams.
- Added two new sample project groups, OtherDemos64 and SslDemos64 which include Win64 versions of all the main active samples with 64 added to the project name, so they can be regularly built alongside the Win32 versions without changing platforms and overwriting executables.
More detailed release notes are at ICS 8.67 Release Notes
Major Changes in ICS V8.66 include:
- Added a new TIcsInetAlive component to check for IPv4 and/or IPv6 internet connectivity, using Ping and/or HTTP, defaulting to www.msftconnecttest.com run by Microsoft for Windows 10 alive checking. The online and offline check intervals may be set, and event fires when online state changes. Sample OverbyteIcsHttpRestTst has a demo for new component.
- OpenSSL 1.0.2 and 1.1.0 ceased security fix support over 12 months ago so ICS now only supports 1.1.1, with 3.0 support due in the next few months. This removes a lot of legacy code and functions, and several old ICS functions needed for backward compatibility.
- Undertook a major clean-up of OpenSSL functions that may require end user application changes if low level OpenSSL functions have been used, hopefully very rarely. All OpenSSL functions have been renamed to their original names removing ICS f_ prefix for commonality with other Delphi applications.
- Bring server SSL/TLS security levels up to latest Mozilla recommendations. In 2021 Mozilla now recommends TLSv1.3 as modern ciphers and TLSv1.2/1.3 as Intermediate supporting all browsers from last five years, so IcsHosts now use sslCiphersMozillaSrvTLS12 as Intermediate level, also Mozilla recommends no cipher server preference so changed that.
- Added support for YuOpenSSL which provides OpenSSL in a pre-built DCU statically linked into applications, rather than using external OpenSSL DLLs. This make application distribution more reliable since it can no fail by users deleting the DLLs or copying incompatible versions into the directory. YuOpenSSL is a commercial product from https://www.yunqa.de/ and is supplied as separate compiled DCUs for Delphi 5 to 10.4.
- Added a better way of configuring Socks proxy and HTTP Tunnel proxy settings in TWSocket, similarly to that added for THttpCli in V8.62. The new ProxyURL property sets SOCKS or HTTP Tunnel proxy settings using a single URL, ie proto://[user:password@]host:port where proto is socks5 or http.
- TIcsRestEmail has new OAAuthType property and event for OAuth2 browser URL perhaps via email for servers. TIcsRestEmail now sets OAuth2 errors, and clears old tokens.
- TIcsHttpMulti has a new ParseLevels property that follow links on a parsed web page to lower level pages, which are also parsed, looking for files to download with a specific file extension, ie .avi.
- Updated to OpenSSL 1.1.1k with two high security fixes.
More detailed release notes are at ICS 8.66 Release Notes
Major Changes in ICS V8.65 include:
- The ReadMe8.txt file has a new 'Getting Started with ICS' section listing the types of projects ICS may be used for, and suggesting the correct components to use, and their related sample applications for testing. This is recommended reading for anyone doing new ICS development since it discusses all the new high level components like TSslHttpRest added in the last few years which can reduce development effort considerably. It may also be viewed at Getting Started
- Added new TIcsRestEmail component that provides basic support for Google and Microsoft Outlook email REST APIs including OAuth2 login and refresh to get an access token for SMTP and POP3 XOAuth2 and 0AuthBearer authentication. TIcsRestEmail has methods to send and read email, to list IDs in a mailbox, read headers and message bodies by ID, send emails and delete emails.
- The SMPT, POP3 and MailQueue samples all now support XOAuth2 and 0AuthBearer authentication using the TIcsRestEmail component. The low level component call an event to get the authentication access token, which is provided by IcsRestEmail, together with a refresh token which is saved instead of a password.
- To access email using REST APIs or OAuth2/SMTP/POP3 an 'application account' needs to be created though the Google or Microsoft provider console.
- Added a new TIcsTwitter component and sample, requires a developer account from Twitter. Includes login to Twitter, send tweet, search tweets and get specific tweets, all responses are Json which the application needs to untangle.
- Improved TRestParams allowing them to save more Delphi types correctly without conversion to strings, and to save parameters in new formats. # There are various OAuth2 improvements to make it easier to implement. Added several TOAuthUri records designed to set-up common OAuth2 account settings for providers like Google, witter, Microsoft and Sipgate, by using the LoadAuthUri method.
- TSimpleWebSrv continues to get less simple, it has aWebSrvIP2 property for a second address so it can listen on IPv4 and IPv6 at the same time, with and without SSL if necessary. Setting WebSrvIP to localhost sets both 127.0.0.1 and [::1] so the browser OAuth2 redirect can choose IPv4 or IPv6.
- - Made some improvements to SuperObject, used for Json creation and parsing. When parsing Json there are new functions that return a sensible error message about parse errors and the location. There is a new object type DateTime or DT which reads or writes TDateTime to avoid the application needing to do the ISO string conversion. Json can now be parsed to a depth of 64 levels.
- Rewrote and improved the way ICS reads SSL/TLS certificates and bundles, simplifying code that has got partly duplicated over the years as new methods were added, and improving error handling so the infamous stack error should no longer appear, instead more useful messages. All certificate files are now written with the UTF8 character set for the added comments that may include non-ASCII characters.
- All the ICS root bundles are now created cleanly by an application, rather than mostly manually by copy and editing, to reduce errors. This fixed four corrupted root certificates in the older bundles, see FAQ - SSL/TLS Certificate Authority Root Stores
- Previously the Jose unit offered functions primarily for client JWS/JWT REST applications, it now includes extra functions for REST servers to check and verify the JWS/JWT sent by clients. The Jose sample application has new tests for JWS/JWT, and to parse and display Json.
- Added a new Multi Host FTP Server sample using IcsHosts. Really designed to be a Windows service application. It supports multiple SSL hosts with multiple listeners, can order it's own SSL certificates and will create self signed certificates for any missing, and will email status information and errors to an administrator.
- Fixed a long term external SSL session cache issue in some components and samples that meant if an SSL handshake fails due to a bad certificate or chain, it is necessary to remove the SSL session from cache so an immediate retry does not succeed by skipping the certificate checks. This is only a short term issue, because the cache is usually cleared after a few minutes. This will effect any client applications using the external SSL session cache including HTTPS.
- Increased the TCP send and receive buffer size to 64K in all components and samples, and generally don't allow it to be set lower. Unfortunately the default buffer size never kept up with faster internet speeds which meant some components transferred data slowly.
- Made some improvements ordering SSL/TLS certificates. Made Windows Server DNS updating using WMI more robust so wild card Acme orders work reliably.
- Made some internal changes loading OpenSSL, to avoid the two DLLs being loaded from different directories and to give better exceptions if they are missing.
More detailed release notes are at ICS 8.65 Release Notes
Major Changes in ICS V8.64 include:
- ICS now supports International Domain Names for Applications (IDNA), i.e. using accents and Unicode characters in domain names. Domain names can only contain lowercase ASCII letters and numbers and a couple of symbols, so Unicode U-Labels (nodes in a domain) must be converted to A-Labels (Punycode ASCII) with an ACE (ASCII Compatible Encoding) prefix. So www.mâgsÿstést.eu becomes www.xn--mgsstst-pwa1e4l.eu and мособлеирц.рф becomes xn--90aijkdmaud0d.xn--p1ai.
- Added a new WMI component based on the Magenta Systems WMI and SMART Component which allows listing all WMI classes, adding and updating network adaptor IP addresses, and adding and updating records in Windows DNS Server (2012 and later).
- For SSL/TLS servers, the initial client hello sent before protocol and cipher negotiation starts is now available in the onSslServerName event, when it is easier to select the SslContext to be used on shared servers supporting lots of hosts.
- There are various improvement for SSL/TLS servers using IcsHosts. NonSSlPort may be zero for to allocate a random port (not for SSL), the new BindPort and BindSrvPort properties show the real port while listening, reported by ListenStates. If SslCert can not be found the server will create a self signed SSL certificate with all the HostNames so the server can start.
- There are many X509 SSL certificate ordering improvements from Let's Encrypt using ACME. All the ACME challenges are now supported. tls-alpn-01 which works on SSL port 443 using a special self signed certificate thus avoiding a server running on port 80 as well. dns-01 which updates Domain Name Server TXT records to avoid using any servers, allowing wild card orders, currently Windows DNS Server on the same server, but Cloudfare is planned.
- TRestParams used with the TSslHttpRest component, has more parameter content types: PContXML, PContBodyUrlEn, PContBodyJson and PContBodyXML. The existing PContUrlEn and PContJson now specify REST params are sent as URL ? arguments, while the PContBodyxx version send params as content body. XLM parsing into an ISuperObject has been added so SOAP and XML REST responses can be processed similarly to Json responses.
- The TFtpServer component has a new TFtpOptions ftpsAuthForceSsl which requires SSL/TLS before allowing the LOGIN to be processed so that clear text credentials can not be sent. May also be set using IcsHosts with AuthForceSsl=True for specific Hosts only. Failure gives '533 USER requires a secure connection'.
- Added a Websocket server implementation (HIXIE and HYBIE protocols) ported from phpws project, written by Stan Korotky <email@example.com>. There is no a specific component for websockets, they are handled internally from a custom TWebSockSrvClient.
- Did a refresh of the three SSL/TLS trusted root certificate bundles included with ICS, to add new roots and remove untrusted certificates.
- Added CreateSelfSignCertEx to OverbyteIcsSslX509Utils to create self signed certificates with subject alternate names and specific key types.
Major Changes in ICS V8.63 include:
- IcsHosts is now supported in all the main ICS server components, TWSocketServer, TSslHttpServer, TSslHttpAppSrv, TIcsProxy, TIcsHttpProxy, TIcsIpStrmLog and TSslFtpServer. This simplifies server applications which do not need to setup an SSL context, can easily support multiple listeners and hosts, and can automatically order and install SSL/TLS certificates from Let's Encrypt and commercial suppliers. # There are several changes relating to automatic certificate ordering, mostly cosmetic based on experience adding the feature into more applications with a few issues fixed during testing with better logging.
- Made improvements to handle the OAuth2 version used by Google Accounts, allowing the REST component to access Google APIs such as Gmail.
- Did a major refresh of the three SSL/TLS trusted root certificate bundles included with ICS, to add new roots from Amazon and others, and remove untrusted certificates.
- There are improvements in TFtpCli to access FTP servers behind NAT routers where the internal and external IP addresses are different and not correctly handled by the FTP server.
- The TSslFtpServer component now uses the IcsHosts concept added to the web and proxy servers two years ago, see above. There is a new IcsHosts property which allows multiple hosts to be specified. Also fixed ftpsNoPasvIpAddrInLan and ftpsNoPasvIpAddrSameSubnet options to work correctly to present local passive IP address on LANs.
- The TIcsIpStrmLog component will now start despite non-fatal SSL/TLS certificate warnings, and may be used with self signed certificates. The OverbyteIcsIpStmLogTst sample shows how to restart the TCP server after the first SSL/TLS certificate is automatically installed.
Major Changes in ICS V8.62 include:
- The HTTP client has new properties. There is a new THttpAuthType of httpAuthJWT which uses the AuthBearerToken property for Json Web Token authentication. A new ProxyURL property combines four proxy properties as a URL for simplicity, ie http://[user[:password]@]host:port. The new AlpnProtocols property is a request list sent when an SSL connection starts, once connected GetAlpnProtocol returns which protocol the server wants to uses.
- Various improvements for automatic X509 SSL certificate ordering to support final ACME RFC8555. AcmeV2 now supports POST-as-GET, GET alone being removed later in 2019. Added Proxy URL support, might be needed for servers behind NAT firewalls for public access. Added support tls-alpn-01 challenge for local web server on 443, but not working yet.
- SocketServer now uses a separate local web server for servers not using ports 80 or 443 such as FTP, SMTP, proxies, etc, When ordering X509 SSL certificate using ChallFileSrv challenge.
- TWsocket now raises a background exception for user exceptions in the OnDataAvailable event rather than silently ignoring them. If IcsLogger is being used, HandleBackGroundException now logs exceptions and their source to make them easier to find.
- In the TSslHttpRest component, TRestParams can add Json parameters as PContJson which means arrays and nested Json can be added. Added a new SslAllowSelfSign property to connect OK to sites with self signed SSL certificates which would normally fail validation.
- TSimpleWebSrv now supports SSL, with certificate bundle and host name, and supports the SSL ALPN extension for automatic X509 SSL certificate ordering.
- The new TIcsSms component adds support for SMS Works bureau at https://thesmsworks.co.uk/ to send SMS messages, cheaper than Kapow, and allows sender ID to be freely changed.
- Updated all .dproj files for all samples to add the ICS source folder to the search path of each project.
- Added Time Zone support for date string conversions, to UTC time with a time zone, and back to local time using a time zone, primarily for SMTP email headers which otherwise show UTC time.
- TIcsIpStrmLog using TCP server now uses the root bundle correctly and reports the certificate chain and bindings. Ensure all listeners started for TCP Server, if more than one.
Major Changes in ICS V8.61 include:
- Added two new components using the new HTTPS REST component, which are both useful and illustrate how simply they can created, TIcsSms and TDnsQueryHttps, both in the OverbyteIcsSslHttpRest.pas unit with demos in OverbyteIcsHttpRestTst.
- The new TIcsSms component sends SMS text messages via an HTTP bureau, you will need an account. Initially supporting https://www.kapow.co.uk/.
- The new TDnsQueryHttps component makes DNS queries over HTTPS (DOH), to ensure integrity and privacy from interception by ISPs or proxies. The original TDnsQuery component has also been updated to support all the common queries and return them in using a single AnswerRecord array.
- Improved HTTP client and server NTLM authentication by adding Single Sign On with NTLM Session on Windows Domain to get credentials without needing them specified in code.
- Various improvements in the HTTPS REST, HTTP client and FTP client.
- Fixed SSL certificate ValidateCertChain to check certificate start and expiry dates in UTC time instead of local time.
- The Browser Demo sample using HtmlViewer now correctly supports authentication methods where a site requires a login, and has an improved log window that no longer slows down display of complex pages.
Major changes in ICS V8.60 include:
- Added several new components and sample applications created by Magenta Systems Ltd over the past 17 years and previously distributed and installed separately to the ICS distribution. Bundling them with ICS makes installation and updating easier, and allows existing ICS samples to make use of many the new components, such as UTF-8 file logging. All the components have new names so existing applications using the originally distributed versions will still work, but it's recommended updating existing applications for the new ICS versions. The added components include IP stream logging, SMTP Mail Queue, Time Server and Client, Whois client, blacklisting of malicious IP addresses, file logging functions, file indexing, copying and deleting, FTP indexing, multiple file uploading and downloading, HTTP page parsing and URL downloading.
- In THttpCli, only follow relocation for 3xx response codes, not 201 Created, but keep Location property for 201 which is often response to a POST and may be needed by the application.
- When starting TWSocket Connect, the IP address chosen for DNS lookup is now saved in ASCII as AddrResolvedStr which is useful in connect OK or failed events to see whether an IPV4 or IPv6 address was chosen, and which was used if DNS offered multiple IPs. AddrResolvedStr is exposed as a property in TWSocket, THttpCli, TSslHttpRest and TFFtpClient and reports in failed connection events. Other clients will be added soon.
- Various samples have been updated to ease testing of IPv6 and to save the diagnostic window activity to a disk log file, OverbyteIcsHttpsTst, OverbyteIcsHttpRestTst, OverbyteIcsTimeTst, OverbyteIcsX509CertsTst.
- Added round robin DNS lookup if DNSLookup returns multiple IP addresses, so they are used in turn after a failure when a component is called repeatedly without being freed. This is implemented in THttpCli, TSslHttpRest TFFtpClient and TIcsTimeClient. Other clients will be added soon. There is a new OnSelectDns event to override round robin lookup and make your own choice. By default, the DNS lookup in ICS components ignores IPv6 addresses and always use the first IPv4 address offered, when there is more than one. This is usually implemented in the OnDnsLookupDone event in the application or high level component. So if that first address does not respond, the application never tries any other addresses. This has become more of a problem when enabling applications for IPv6, by changing SocketFamily from the default sfIPv4, to sfAny, sfAnyIPv4 (prefer IPv4), sfAnyIPv6 (prefer IPV6) or sfIPv6 (only IPv6), when IPv6 addresses may also be returned as well as IPv4. Due to routing or firewall issues, IPv4 and IPv6 might not both be available and so connection will fail if that address is chosen first. Previously it was necessary to restrict SocketFamily so only the working family is attempted. The DNS round robin implementation relies on keeping the last successful connected IP address, so it can be re-used for subsequent connections, but looping through any alternative addresses if the last connection failed, for subsequent connection attempts. Most existing applications use the OnDnsDone event to select the connection IP address so the round robin code is added there. Newer applications making use of TWSocket ComponentOptions wsoAsyncDnsLookup should added code in OnDNSLookupDone and update the DnsResult property which is then used by Connect.
- IcsHosts supports two new TSslSrvSecurity server security levels, sslSrvSecTls12Less and sslSrvSecTls13Only, the former disables TLS1.3 in ICS servers if TLSv1.3 fails (perhaps a bad client implementation) while the second only supports TLSv1.3.
- Up to date C++ packages are included for 10.2 Tokyo and 10.3 Rio. Information on installing ICS for C++ 2007 may be found at: https://en.delphipraxis.net/topic/844-use-ics-with-c-builder-2007/ . Sorry, currently don't believe it's easy to update the ICS source code to avoid the changes needed for C++ 2007.
Changes in ICS V8.59 include:
- Now includes OpenSSL 1.1.1a and 1.0.2q binaries.
- Now builds again without USE_SSL define.
- Added AUTO_X509_CERTS define to remove a lot of units if automatic SSL/TLS certificate ordering is not required, saves up to 350KB of code in servers.
Major changes in ICS V8.58 include:
- Support for OpenSSL 1.1.1 with TLSv1.3, new cryptographic algorithms and ciphers. OpenSSL 1.1.0 and 1.0.2 also supported.
- A new client TSslHttpRest component with Json support for all compilers and integrating cookie, SSL/TLS, content decoding, content compression and logging. There are many THttpCli improvements.
- A new TRestOAuth component for OAuth2 authentication including an integrated local web server.
- JOSE (Json Object Signing and Encryption) components supporting JWT, JWS and JWK.
- Simplified client SSL/TLS security and protocol settings. Support for SSL ALPN extension.
- A new TSslX509Certs component allowing ICS servers to automatically order, download and install SSL/TLS certificates from various suppliers, including free certificates from Let's Encrypt, and commercial certificates for DigiCert, Comodo, Thawte and GeoTrust from CertCentre AG. It also acts as a private CA to issue local certificates.
Major changes in ICS V8.50 include:
- Two new components, TIcsProxy may be used to proxy any TCP protocol, TIcsHttpProxy is a full forward and reverse HTTP/HTTPS proxy with header and body parsing and processing.
- Multiple SSL host support to TSslWSocketServer and other servers through IcsHosts property, each with one or two IP addresses and non-SSL and SSL port bindings, SSL certificates, private key and security level, and host name.
- Support for both OpenSSL 1.0.2 and 1.1.0 versions, with the DLLs digitally signed and checked during loading.
- ICS applications can now use PKCS12 (PFX), PKCS8 and DER binary SSL certificates to avoid manual conversions to PEM. The server certificate chain can be validated and reported before the server starts.
- SSL certificates and requests can be created using ECC keys which use less bandwidth than RSA keys (but which few CAs support, yet) and alternate DNS names may be used as may other extended properties.
- HTML content code page detection and character set conversion to Delphi unicode strings, including converting entities (like ☍).
There are four options to obtain the source code.
ICS-V8 is the main development version and needed for RAD Studio XE4 and later. Older versions are only here for very old compilers and don't have current SSL support.
Latest Stable Version ICS V8.68 - recommended
This is the latest recommended version, which has been tested and used for various published ICS application. It is updated for new releases of RAD Studio and major changes. V8.68 is the version displayed when RAD Studio starts and by the main unit OverbyteIcsWSocket. Note these versions include the latest version of the OpenSSL DLLs at the time of release.
|ICS-V8.68||Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0. Includes OpenSSL 3.0.1.|
|ICS-V8.68||Delphi 11.0 only. Includes OpenSSL 3.0.1.|
|ICS-V8.68||Delphi 10.4 Sydney only. Includes OpenSSL 3.0.1.|
|ICS-V8.67||Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0. Includes OpenSSL 1.1.1i.|
|ICS-V8.67||Delphi 11.0 only. Includes OpenSSL 1.1.1i.|
|ICS-V8.67||Delphi 10.4 Sydney only. Includes OpenSSL 1.1.1i.|
|ICS-V8.66||Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio and 10.4 Sydney, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio and 10.4 Sydney. Includes OpenSSL 1.1.1k.|
|ICS-V8.66||Delphi 10.4 Sydney only. Includes OpenSSL 1.1.1k.|
|ICS-V8.66||Delphi 10.3 Rio only. Includes OpenSSL 1.1.1k.|
From XE8 onwards, Delphi includes a new GetIt tool that offers a catalog of third party components, and allows them to be automatically downloaded and installed. The same stable ICS versions listed above should be available from GetIt.
Zipped Daily Snapshots
This is the easiest way to get the latest version. These packages are built from the version control repositories automatically when they change and are refreshed once a day. To use the latest OpenSSL version, download this snapshot. Note the snapshot includes the latest version of the OpenSSL DLLs.
Version Control System
Using the version control repository is the best choice if you want to get live access to current development files. Overbyte uses a Subversion server and you need to use a Subversion client such as TortoiseSVN or your favorite browser. The URLs are as follows:
Use username = ics and password = ics for read access. Write access is only available to TeamICS.
Download OpenSSL Binaries (required for SSL-enabled components)
Please note older versions of the ICS source code had an internal check to only allow loading of the latest OpenSSL it was tested with, so you could not use new DLLs with an old application without recompiling with the latest version of ICS first.
OpenSSL 1.0.2 and later are only supported by ICS v8, v7 is no longer updated for new OpenSSL versions. The 64-bit DLLs are only for use with Delphi applications compiled for the 64-bit platform, the 32-bit DLLs work on both 32-bit and 64-bit Windows with 32-bit applications. Note that ICS V8.24 dated 3rd March 2016 and later included the latest OpenSSL 1.0.2 Win32 files to avoid a separate download. This was a long term support version for which free support ceased at the end of 2019, but paid support from OpenSSL continues for those needing it. ICS V8.65 is the last version to support 1.0.2.
OpenSSL 1.1.0 is obsolete and no longer supported. ICS V8.65 is the last version to support 1.1.0.
OpenSSL 1.1.1 is the latest long term support version and adds support for TLSv1.3 RFC8446 and various new cryptographic private key and hash digest types. Delphi applications require ICS V8.57 or later. ICS V8.57 and later include the Win32 and Win64 OpenSSL 1.1.1 files. This version will be supported until 2023. OpenSSL 1.1.1 only supports Windows Vista and later, not XP.
OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. ICS 8.67 is required to support 3.0. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to loaded by the application.
Firefox version 63 and Chrome 71 both support TLSv1.3 final RFC8446, note Chrome has settings for older beta versions that must be disabled.
The OpenSSL DLLs and EXE files included in the zips above are digitally code signed 'Magenta Systems Ltd', one of the organisations that maintains ICS. The Magenta Systems Code Signing Trust and Certificate Check component may be used to check the correctly signed DLLs are being used by ICS, with this functionality included in ICS V8.38 and later. Beware that Windows needs recent root certificates to check newly signed code, and may give an error if the root store has not been kept current by Windows Update, particularly on older versions of Windows such as XP, Vista and 7.
|2021-12-17||OpenSSL Binaries Win-64 3.0.1 requires ICS V8.67 or later||Built with Visual Studio Build Tools 2017||Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2021-12-17||OpenSSL Binaries Win-32 3.0.1 requires ICS V8.67 or later||Built with Visual Studio Build Tools 2017||Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2021-12-17||OpenSSL Binaries Win-64 1.1.1m requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017||Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2021-12-17||OpenSSL Binaries Win-32 1.1.1m requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017||Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2021-09-07||OpenSSL Binaries Win-64 3.0.0 requires ICS V8.67 or later||Built with Visual Studio Build Tools 2017||Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2021-09-07||OpenSSL Binaries Win-32 3.0.0 requires ICS V8.67 or later||Built with Visual Studio Build Tools 2017||Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2021-08-24||OpenSSL Binaries Win-64 1.1.1l requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017|
|2021-08-24||OpenSSL Binaries Win-32 1.1.1l requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017|
|2021-03-26||OpenSSL Binaries Win-64 1.1.1k requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017|
|2021-03-26||OpenSSL Binaries Win-32 1.1.1k requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017|
|2020-12-08||OpenSSL Binaries Win-64 1.1.1i requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017|
|2020-12-08||OpenSSL Binaries Win-32 1.1.1i requires ICS V8.57 or later||Built with Visual Studio Build Tools 2017|
|2020-03-18||OpenSSL Binaries Win-64 1.0.2u requires ICS V8.24 to ICS V8.65||Built with Visual Studio Build Tools 2017||For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
|2020-03-18||OpenSSL Binaries Win-32 1.0.2u requires ICS V8.24 to ICS V8.65||Built with Visual Studio Build Tools 2017||Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.|
Download OpenSSL Binaries (alternative)
OpenSSL website also links to Win32OpenSSL website providing another build of Win32 DLL binaries. Note note that unlike the builds above builds on that site may have dependencies on Visual C++ 2008 Redistributables (to keep dll files smaller) so make sure you include all the required (and correct) redistributable files in your software installation. You probably don't have to care about that if you use binaries above at the cost of slightly larger DLLs. Also note that site does not keep archives of older versions so you may want to watch their page if you prefer their binaries.
Browser Demo Application using HtmlViewer
This is an example internet browser using the HtmlViewer component from GitHub (11.8).
The browser demo is in the ICS nightly zip, in the folder samples\delphi\browserdemo, the project is FrameBrowserIcs.dpr. An executable version of the new demo may also be downloaded from here, built with HtmlViewer 11.8 and ICS V8.65, using Delphi 10.4 Sydney.
|Executable Browser Demo - last update V8.65|
The HtmlViewer component must be downloaded and installed before the demo can be built. The demo is based on FrameBrowserIndy project but with various enhancements, specifically display of all HTTP, SSL and some or all HTML traffic which makes it very useful for debugging the THttpCli component. Recent versions of HtmlViewer also include FrameBrowserIcs.dpr but it has been changed substantially from the ICS version and I've been unable to build it.
The Options, Settings window allow the SSL security level to be adjusted to various TLS and cipher variations, which can be useful testing web sites that ICS has difficulty accessing.
The project is a good basic browser for HTML4, but does not support any scripting, so most sites without backward compatibility may appear strange.