Difference between revisions of "ICS Download"

ICS is available as source code only. You need Delphi to build the sample programs and create your own application.

ICS News

Changes in ICS V9.7 include:

1. V9.7 is a bug fix release, primarily a serious issue that arose in early May 2026 when Google made a change to it's servers that caused SSL handshake negotiation to always fail, giving the error 'SSL routines::tls alert illegal parameter' when using OpenmSSL3.2 or later. The problem relates to a new feature to support Raw Public Key certificates for servers, but which seems to effect clients as well, so has now been disabled. Anyone using ICS V9.5 and V9.6 and needing to access Google hosted web sites, and probably others using BoringSSL, should update to ICS V9.7.
2. Fixed two bugs in V9.6, an SSL handshake error if define MSCRYPT_Clients not enabled, and an HTTPRest problem in InitSsl if NO_DEBUG_LOG was not enabled. The defaults did not cause a problem. The MultiWebServ now builds without define USE_IcsGeoTools.
3. Changed the default version of OpenSSL to 4.0, and removed the resource files for OpenSSL 3.0 and 3.4 which cease support within four months. OpenSSL 3.6 ceases support in six months, so the long term support version 3.5 is now in the ICS-OpenSSL directory which is used if resource files are not linked and version 3 is set as a define. Found the first issue with OpenSSL 4.0, got an exception trying to verify an IP address used in a URL, need to use a different API, while 3.x seemed to work.
4. When ordering SSL/TLS certificates, only use certificate profiles for Lets Encrypt, Google rejects orders with a profile.
5. The WSocket.ComponentOptions wsoIcsDnsLookup and wsoAsyncDnsLookup options are now ignored, so WSocket always uses async threaded DNS Lookups for IPv4. Previously, IPv6 always used async DNS, but IPv4 defaulted to older code, that has now been removed. Many components set these flags, so saves a lot of IPV4 only code. Currently these options are not removed to avoid application errors, just ignored, but please check and remove them.
6. In the HTTP client component, convert some old IcsLogger output to new onDisplay logging, rest removed.
7. Added checks to two units to prevent ICS being built for Linux, which is not supported for V9, and removed all the test Linux, Android and MacOS packages. V10 is planned to support non-Windows platforms.
8. In the WebSocket Client, when using WSFullHdrs, don't remove any ExtraHeaders that we added. Also, don't allow duplicate Connection: headers.
9. In SuperObject, when writing Currency JSON, check if the last char is a dot, and delete it, which confused some parsers.

Changes in ICS V9.6 include:

1. Major improvements in ICS V9.6 include more Post Quantum Cryptography (PQC) support, a new general purpose symmetrical crypto component, HTTP support for WebDAV verbs, SNI, Cache-Control support and a sync request timeout, and new logging in TWSocket to replace or supplement logging code in numerous components and applications.
2. Security is continuously evolving, with new concepts added and old ones discontinued. This release removes some discontinued properties, so When opening old projects, please ignore warnings about missing properties, OcspHttp, OcspSrvStapling, SslDHParamLines and IcsLogger (can be enabled with a define).
3. Support for Post Quantum Cryptography (PQC) was added to OpenSSL 3.5, and is designed to be resistant against brute force hacking by ever faster computers. Initially, it is available for ML-DSA private keys for signing messages using Jose, and ML-KEM for TLS for secure key exchange as part of the SSL handshake. ICS V9.5 clients using OpenSSL 3.5 sent the group X25519MLKEM768, but this was not reported if supported, now fixed. This release adds similar support for TLSv1.3 servers. There are currently no PQC ciphers and PQC signed X509 certificates are awaiting an RFC and major changes for issuance, due to PQC keys being much larger than EC keys (over 1KB against 64 bytes) so are unacceptable in SSL handshakes.
4. Historically, event logging in ICS has varied between components, TWSocket had no cosmetically acceptable logging, only IcsLogger which was designed for development use, not end user applications. Some protocol components (SMPT, POP3, FTP) had limited logging while HTTP had none. This was resolved in the high level protocol components, HTTP Rest, Mail Queue, FTP Multi, HTTP Multi, that all have proper application logging. Likewise many samples had logging added to the component events. But what was logged was inconsistent, and maintaining the logging was difficult, in particular SSL handshake certificate checking and reporting where similar code was duplicated in literally dozens of components and samples, all of which had to be changed for new features or fixes.
5. Proper logging has now been added to TWSocket and TWSocketS, using the existing event onDebugDisplay (that was used in only one sample), controlled by a new set of options WSDebugOptions. Unless one or more options are set and the event handled no logging will be seen, so this is backward compatible with end user applications. TSslWSocket has new properties SslCertVerMethod and SslAllowSelfSign to enable SSL handshake certificate chain checking, replacing the similar code in numerous units.
6. Many of the protocol and server components already have an onDisplay event so this echoes from TWSocket, THTTPCli needed a new onDisplay event. Again these components expose WSDebugOptions and the SSL properties, but send no logging unless options are set, with the exception of protocol commands and responses previously sent by FTP and mail components still appear. So to get logging in your applications, use the onDebugDisplay (WSocket) or onDisplay (most other components) event and set WSDebugOptions, then remove any logging code you already have that duplicates the new logging, usually in the onConnected, onSslHandshakeDone and onDisconnect events. You may still need those events, to enable or disable buttons, change states, etc, just not for logging.
7. If your applications only uses high level components like HTTP Rest, no application changes are needed, the existing DebugLevel setting is mapped to similar WSDebugOptions so similar event messages appear, although there may be cosmetic improvements. Most servers already had some limited logging, but all now expose WSDebugOptions which should be set so TWSocketS reports SSL and IcsHosts problems, some of which previously got sent via the TX509Certs component.
8. The existing IcsLogger remains in the low level components, but DEFINE NO_DEBUG_LOG is now enabled in the Defs.inc file so the code will not be compiled. IcsLogger has been removed from all ICS samples and most high level components, and is planned to disappear completely as soon as possible, it's not been used it for development purposes for many years, if your applications use IcsLogger, please remove it. Dozens of samples have been updated to use the WSDebugOptions property for the new onDisplay and onDebugDisplay events, removing local logging where it duplicated the new logging,
9. As part of testing the new logging to ensure consistent reporting of connection IP addresses and hosts, fixed a long term problem with several protocol components that meant the TWSocket.Addr property was lost after a DnsLookup, which prevented logging the original host name. Likewise cleaned up proxy support for consistent logging of both proxy and target names.
10. ICS has long contained some functions for Blowfish cryptography, but these are now replaced by a proper TIcsSymCrypto component is a general purpose symmetrical cryptography component using block ciphers to encrypt and decrypt data, using a key derived from a password in various ways. It is designed to be compatible with the openssl-enc command line tool. The component can be tested using the OverbyteIcsJoseTst sample to encrypt and decrypt strings, streams or files. It supports all OpenSSL ciphers, AES being the most common, with several key derivation methods, PKCS5v15, PKCS5_PDKDF2_HMAC, Aragon2, Raw Key/IV, and a Quick Hash. There are two standalone functions IcsJoseStrEncrypt and IcsJoseStrDecrypt that include password, EvpCipher, and CKeyDerMethod as parameters for simplicity (last two have defaults). Note further testing for compatibility with JODE encryption is required.
11. Added new asymmetrical cryptography functions IcsJoseEncryptPKey, IcsJoseDecryptPKey, IcsJoseStrEncPKey, IcsJoseStrDecPKey, currently only work with RSA private and public keys. These replace older De/EncryptPublicRSA functions.
12. Added client and server support for HTTP WebDAV verbs, used for file transfer via HTTP. The HTTP components now support new verbs PURGE, PROPFIND, PROPPATCH, MKCOL, MOVE, COPY, LOCK and UNLOCK. Note only limited functionality is currently implemented, WebDAV is complex with many extensions from Microsoft. Currently the web server only internally handles PROPFIND for directory listings, some other verbs will be added for the next release. The HTTP REST sample converts the PROPFIND XML response into an array of TIcsFDirRec that other ICS functions can report and process. The WebDAV server commands require special authentication, performed in the three web servers samples.
13. The HTTP client has a new property SslSniType to specify how Host is sent as Server Name Indication (SNI), mainly when that name is an IP address. SslSniHostNoIP (default) does not send an IP address as SNI (most browsers do not), SslSniHostRawIP sends a raw IP address (default for ICS V9.4 and earlier, but breaks RFC6066), SslSniHostArpaIP converts the IP to reverse ARPA per V9.5), SslSniNone sends no SNI atall. Note certificate validation is always by SslServerName.
14. The HTTP client has a new property SyncMaxSecs for sync requests only, if non-zero specifies the maximum duration of a request in seconds, irrespective of the Timeout property which is only while the connection is idle. Only intended for short requests whose maximum duration is known, for the case where the request stalls for no sensible reason.
15. The HTTP client has a new property CacheType of THttpCacheType to replace NoCache with all the options: httpCacheNone, httpCacheNoCache, httpCacheNoStore, httpCacheMaxAge, httpCacheMaxStale, httpCacheMinFresh, httpCacheRevalidate, httpCacheOnlyIfCached. NoCache sets HttpCacheNone. cacheAgeSecs sets the cache age in seconds, 0=no cache. Note Cloudflare says 403 without a Cache-Control header. The OverbyteIcsHttpRestTst sample has new settings to test all the new HTTP client properties.
16. Other HTTP client changes include improved error handling so StatusCode=404 is always returned if a request fails, with the reason in ReasonPhrase and RequestDoneErrorStr; corrected DoBeforeConnect to set connection parameters from a DNS lookup using new method SetSinConn instead of connecting by IP address; setting a blank ProxyURL now clears previous proxy settings; ProxyURL now supports the SOCKS5 protocol; RequestAsync and RequestSync now reset FLocationChangeCurCount so relocation still works after failed relocations.
17. The WebSocket Client has a breaking change, WsConnect now passes URL instead of setting URL property, to allow RestParams to be passed. It now supports proxy setting correctly. Restored error handling for failed WSConnect in async mode, lost in V9.5, OnWSConnected event is called for success and failure, check IsWSConnected for success.
18. Improved IPv6 address handling for TX505Base. ListNameIP now returns standardised IPv6 addresses in an array, while SubAltNameIP returns a string with one line for each raw IPv6 address that may include capitals letters or extra :0:. Added ListAllNames that gets a string array of all subject alternate names for certificate, ie combines ListAltNameDNS and ListAltNameIP. SubAltAllDisp returns a display string with all SAN names. PostConnectionChec rewritten to use CheckHost but check IP addresses from SAN list since OpenSSL not happy with IPv6 addresses. Fixed CertMainInfo to correctly show TLS Server certificates with blank common name, and with IP addresses. Added TX509List method CertsHandshake to report client handshake certificates, usually host, intermediate and root. ValidateCertChain now reports the host name found, might be wildcard. IcsReportOpenSSLVer now reports loading error reason and only reports legacy module if loaded, since rarely needed now.
19. Updated the JOSE signing functions to use more private key types, specifically Post Quantum ML-DSA-44, ML-DSA-65, ML-DSA-87, ED448 and SM2, creating and reading JWS and JWT with new algorithms.
20. Let's Encrypt is now optionally issuing certificates with a six day expiry using the shortlived profile, in preparation for this requirement in 2029, and for IP addresses instead of host names. It is also issuing test certificates using a new dns-persist-01 challenge that can be set once in DNS for a specific account and never changes so can be set manually once, not live yet. ICS has been updated and tested with all these new features. Note that IPv6 string addresses are usually compacted, maybe in different ways, so uses IcsStndIPv6Str to standardise them for comparison. Now clearing old renewal dates properly, so new orders not stopped. Added SerNumType SerNumSpecific and SerialNum property for OwnCA. tlsserver and shortlived certificates without a subject name now install correctly in the Windows Store with a alternate name.
21. Updated the SMPT server component with IcsHosts for multiple listeners and automated certificates, now only available with SSL, none SSL version gone Added X-IpAddr and X-RDNS headers to avoid parsing Received header.
22. For the SMTP client and Mail Queue components, increased the SMTP timeout from five to 60 seconds, some servers accept commands slowly so mail failed.
23. In the proxy server component, added ForwardSocFamily property which sets the Forward Proxy family for all listeners, so a IPv4 listener can connect to IPv6 targets or be prevented from doing so. Added OnProxyForward event allows application to determine which ports HTTP Connect command will forward, normally only 80 and 443. If OnHttpPxyAuth event is assigned, Forward Proxy authentication is mandated with Proxy-Authorization: header and basic.
24. Added OpenSSL 4.0.0 to ICS, note the DLLs have new file names and will not load with any older version of ICS before this one today. Due to lack of testing, ICS V9.6 will remain defaulted to using OpenSSL 3.6 and will need changes to OverbyteIcsDefs.inc to load OpenSSL 4.0, see readme9.txt. When extracting OpenSSL files from resources, check that all three DLLs have been previously extracted, not just one. Also, don't stop extracting on first error, keep trying other files. There are no longer internal exceptions for errors. GSSLEAY_DLL_IgnoreNew now forces OpenSSL 3 if the old DLLs are found.
25. For Delphi 13.1, ICS may now be built for Windows WinARM64EC target, this has been added to the Delphi packages for the Win64 IDE only. Main difference with ARM is no assembler support or OBJ files. While the ICS packages build OK for ARM, no Windows ARM laptop to test samples.
26. Restored and updated an old sample OverbyteIcsServiceTcp.dpr, which is a Windows service with simple TCP server responding to telnet commands on 127.0.0.1 port 2150 by default. Added IcsSimpleLogging so it writes a daily log file so you know what it's doing. This sample uses the standard Windows service component, unlike the samples in Extra which use DDService.

Changes in ICS V9.5 include:

1. Major improvements in ICS V9.5 include a new geographic component that has built in IP address databases for countries and ASN; server components have a new event called before a connection is accepted allowing 'firewall' rejection of connections based on IP address; the MQTT client and server components now support protocol 3.1.1; the automatic certification ordering component now supports Google Trust Services and other ACME suppliers, as well as Let's Encrypt; changes for the HTTP clients and servers to better support REST request APIs;
2. Many of these improvements, and the delay finishing this release, relate to web server improvements needed to mitigate a nine month long attack on a public web server, that started with millions of accesses from two Far East IP addresses, progressed to accesses from VPNs at data centres worldwide, then finally to a botnet that caused access from over one million different IP addresses in 150 countries each week. It's not often a developer has first hand experience of such web server abuse, we try to plan for it, but rarely experience it directly. The ICS web server samples already had filtering by IP addresses and reverse DNS lookup and this worked for a few months with manual updating of the filtering lists, but this was time consuming. So a new GEO component was added with an IP address to country database that allowed specific countries to be blocked, then regions of the world, finally an ASN database allowed specific cloud/ISPs to be blocked. During these months, the ICS web server kept working, albeit slowing as logs tried to handle the vast volumes of IP addresses, needing rewrites of some ICS components. But everything is now stable and ICS capable of handling such heavy traffic.
3. TWSocketServer has a new event OnClientAcceptFilter event called before the component accepts an incoming connection allowing filtering on the remote IP address so the connection is refused without any more events being called. This action is similar to a firewall refusing a connection, rather than opening and immediately closing it again. Before the event is called, a TIcsSessIpInfo record if filled with remote and local addresses and ports in binary and as strings, saving a lot of application code, the event can complete other record fields. This event can be used with the new GEO components to check countries and regions that should be blocked, and with the TIcsBlacklist component to stop those previously blocked addresses from accessing the server. The THttpSrv HTTP server has a similar OnHttpAcceptFilter event, and it will be added to other servers for the next release.
4. Added a new TIcsGeoTools component that reads MaxMind formatted GEO database files using the MMDBReader component, and includes two small databases from db-ip.com, 'IP to Country Lite' and 'IP to ASN Lite', but can handle other MaxMind databases. Both databases can are available as resource files that can be linked into applications or loaded from a file to be shared between servers. There is also a country name database ICS-Countries.csv linked as a resource file that contains country GEO information. ASN is Autonomous System Name, an ISP or cloud name, that supplements reverse DNS (often missing) in identifying the owners of IP addresses. The databases are updated monthly by db-ip.com and can be downloaded from them, will try to keep ICS up to date.
5. The TIcsGeoTools component is a self contained unit, IcsGeoUtils.pas with no dependencies, but is only available for Delphi 11 and later due to use of new language features. The component needs to be created in code and the databases required loaded before use, see the samples mentioned below. The main lookup methods are FindISOA2Code and FindASNCode, then FindCountry and FindRegion from an ISOA2 country code, region is a quick was to block all Asian countries for instance. The TIcsDomainNameCache and TIcsBlacklist now include ISOA2 and ASN fields that are included in responses and reports from these components. Beware block countries and regions may have unexpected consequences, for instance Let's Encrypt and Google validate SSL/TLS certificate domain names from multiple countries.
6. The OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService samples use the databases in the new server OnHttpAcceptFilter event, and writes country and ASN to the web log file, as well as allowing hacker filtering using this information. The OverbyteIcsNetTools sample Trace Route now shows the country and ASN for each IP in the route to the destination, as well as reverse DNS, although the IP addresses allocated to network routers don't appear to totally accurate. These samples only use TIcsGeoTools if DEFINE USE_IcsGeoTools is set in Defs.inc.
7. Added new components TIcsFilterList and TIcsIpAddrList to replace TestFilters using HackFilterList and TestIpWhiteList using WhiteIpList in sample OverbyteIcsSslMultiWebServ1.pas. TIcsFilterList reads same file hackfilterlist.txt containing key=value pairs which are used to filter incoming connections for path, remhost, country, useragent or referrer, trying to filter out abusive remote hosts. TIcsIpAddrList reads same file whiteiplist.txt which is a list of ASCII IP full or partial addresses, generally that should not be blocked by filters. The TIcsBlacklist has major changes including support for saving IPv6 addresses in binary as well as ASCII, they sort better in reports and take less memory, adding and checking an TSockAddrIn6 which avoids conversion to strings, and other improvements to handle one million IP addresses more efficiently.
8. Since Let's Encrypt introduced the ACME (Automatic Certificate Management Environment) protocol to download free SSL/TLS certificates, other suppliers have added automated ordering using the same API, mostly with extra account information for commercial certificates. ICS has been tested successfully with free certificates from Google Trust Services, and should work with DigiCert, ZeroSSL and SSLcom, but these three are primarily commercial suppliers and need prepaid accounts, so not tested yet. Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates up to 90 days with multiple wildcards, but allows the expiry days to be specified during ordering, down to three days. Some companies were reluctant to use Let's Encrypt when there was no alternative in case of extended down time, now Google offers that alternate.
9. Apart from Let's Encrypt, suppliers use ACME external accounting to tie the ordering process to web site accounts, which is explained in comments in the OverbyteIcsSslX509Certs unit, more information will be added and the wiki pages updated soon. Google needs the Google Cloud CLI Windows application installing, type a few commands and you get the external account information Acme needs. The OverbyteIcsX509CertsTst sample has a major revision to support multiple account suppliers and to specify the external accounting information. The sample needs to be run on any servers that will order certificates to create the initial Acme account (except for Let's Encrypt), and includes a web server allowing test certificates to be ordered provided DNS points to a public IP on the server. Most suppliers provide a testing endpoint which is listed in OverbyteIcsX509CertsTst so you can order fake certificates to understand the process. There is now a facility to ask ICS servers to renew certificates on demand from the OverbyteIcsX509CertsTst sample, previously you had to mess with the INI file to force a new order.
10. TWSocketServer has a lot of improvements relating to SSL/TLS certificates, many relating to new IcsHosts options to support suppliers other than Let'S Encrypt. IcsHosts has a new property AcmeSupplier as TAcmeSupplier which may be AcmeLetsEncrypt or AcmeGoogle (or several others), and property SupplierTitle to specify the account name of than supplier from a database. The supplier accounts database is generally maintained by the OverbyteIcsX509CertsTst sample, which must be used to create accounts for new suppliers, and which may be used to view certificate orders. SupplierTitle is used instead of specifying CertDirWork which will be looked up from C:\ProgramData\ICS-Acme-Accounts\ics-acme-accounts.db. By default, new work directories will be in: C:\ProgramData\ICS-Acme-Accounts\. CertDirWork is still supported, but it's recommended that applications move to using supplier accounts instead, which can be monitored using OverbyteIcsX509CertsTst. Google and other suppliers only work with supplier accounts, since information is needed that is not in IcsHosts.
11. IcsHosts has other new properties: AcmeCertProfile to specify the type of certificate requested for Let's Encrypt, listed in FAcmeProfileNames array, default classic, optional tlsserver and shortlived (7 day, not yet available); AcmeCertValidity to specify certificate life in days, default 90, only Google at present, down to 3 days. Certificate ordering now makes use of the ACME Renewal Information API that specifies how many days before expiry a certificate should be renewed, and how often these dates should be rechecked to see if the certificate needs immediate renewal due to being revoked. This overrides CertExpireDays. Renewal Information is checked each time the certificate chain is checked, but is cached so there is usually only a server API call every six hours. Note with OCSP gone, this is now the only way to check if a certificate is revoked.
12. Reworked certificate checking so if automatic ordering is enabled the Acme account information is looked up when the certificate is first loaded to get renewal information and maybe working directory, rather than only when time to order a new certificate, so there is more logging and error checking at load time. Temporary ICS self signed certificates are now created in GSSL_CERTS_DIR instead of TempPath. When starting a certificate order, if the challenges have been previously completed OK, collect order immediately, don't try to start them again. Let's Encrypt is implementing a change in the way new certificates are issued, which may be delayed a few seconds after the CSR is provided, rather than immediately, so the component now waits and checks every five seconds for the new certificate to be issued. This already happens for Google. Note this Let's Encrypt change means earlier ICS versions will soon fail to work.
13. ICS now supports ordering SSL/TLS certificates with IP addresses as well as host domain names, tested with Let's Encrypt Staging but not available yet from live certificates. Testing showed a problem using SSL with IP addresses URLs relating to the Server Name Indication HELO feature which does not allow simple IP addresses which must be converted to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa. Automatic certificate ordering in IcsHosts now has a database property CertRenewNow that if set true in the database using the OverbyteIcsX509CertsTst, will override certificate expiry checking and cause an immediate new certificate replacement order by in servers with IcsHosts the next time RecheckSslCerts is called by the server, typically every two hours.
14. Fixed a long term problem where SSL/TLS server name SNI checking for a matching IcsHost used the certificate SANs that might have included a wild card, instead of the Hosts list of host names. If one IcsHost allowed wild cards it might have been found instead a specific IcsHost for a single host.
15. New major versions of OpenSSL often add new functions and deprecate older functions that are then removed in a subsequent major release after applications should have been updated. ICS has added a DEFINE OpenSSL_Deprecated without which no deprecated functions should be loaded. ICS has been testing with a special build of OpenSSL 3.5 without deprecated functions and several units have now been updated to use newer 3.0 functions, so no more work should be necessary for OpenSSL 4.0 when those deprecated could disappear. The DEFINE OpenSSL_Deprecated should only be needed if your application uses old OpenSSL functions for encryption or signing. The OverbyteIcsJoseTst sample also needs OpenSSL_Deprecated for RSA string encryption, pending a rewrite without deprecated functions. ICS now only creates the C:\ProgramData\ICS-OpenSSL directory if conditionals OpenSSL_Resource_Files or OpenSSL_ProgramData are specified meaning OpenSSL files are expected there. Otherwise the developer is responsible for setting GSSL_DLL_DIR to the OpenSSL DLL directory.
16. Updated the MQTT client and server components to support protocol 3.1.1 which is commonly used, previously we only supported 3.1. The client will connect to a v5 server by ignoring dozens of new options, but needs a lot more work, much more complicated than v3.1.1, not planning any more v5 unless there is a specific requirement. Added LogPackets property to log packets in ASCII and hex for diagnostics, UseSSL property to force client to use SSL on any port, BlankClient property (anonymous) for 3.1.1 so server allocates ClientId, but only v5 tells us that ID. BurstMode property for 3.1.1 so client does not wait for response to Connect, but publishes immediately. When Subscribing With v3.1.1, the server now returns a failure flag for permissions failure, which is returned as QoS qtFAILURE. Also improvements to the OverbyteIcsMQTTst sample, allow Username/Password to be set, so they may be left blank, ClientHost is now a drop down box, and includes test.mosquitto.org that may be used for client testing, see https://test.mosquitto.org/ for a long list of ports for different testing purposes, allow MQTT protocol to be specified, added v3.1.1 and v5, and options to test all new functions. If the server SSL port non-zero, the server will create an ICS CA signed certificate for the host name (ie localhost) if a certificate file bundle is not found.
17. There are various WebSocket improvements. The client now has optional asynchronous connection which no longer blocks the initial WSConnect which now returns immediately and a OnWSConnected event is called when the connections is ready or fails, so should now correctly process a welcome message or packets sent immediately upon connection. The server now has a configurable delay after connection before sending a welcome message or packets, for clients that can not process them immediately. Fixed a problem that data sent immediately a new connection opened could be lost because the component had not switched to Websocket mode. Allow Sec-WebSocket-Protocol: header to added with HeaderSecWebSocketProtocol values (char, superchat, etc). Added a new OnWSFramesDone event called when a queue of frames have been sent, for flow control when sending a lot of data. Note the IcsAppMonMan.dpr sample illustrates how to use multiple WebSocket client components to contact multiple WebSocket servers and display information from them, it comes configured to view three public servers running ICS web, FTP and proxy servers.
18. Fixed a long term problem with ECDSA binary digests, which have two formats, ASN.1 used by OpenSSL and IEEE P1363 which is shorter fixed length and often also used. Added IcsDigestAsntoIEEE and IcsDigestIEEEtoAsn to convert between the two formats, and a new EcdsaIEE flag to IcsAsymSignDigestTB, IcsAsymVerifyDigestTB, IcsJoseJWSJson, IcsJoseGetSigTB, IcsJoseCheckSigTB and IcsJoseCheckJWS to use the new format, only effective when using EC private keys. Signing Acme requests with EC keys now correctly use IEEE P1363 digests so finally work properly, been looking for this since 2018.
19. CreateSelfSignCertEx now adds IP addresses to the correct alternate list, not allowed as common name. TSslCertTools has new certificate properties for more Distinguished Names, mainly for personal names: Street, SurName, GivenName, NameTitle, NameInitials, used when creating Certificate Requests. Using Description no longer gives an error.
20. The HTTP clients THttpCli and TSslHttpRest have new properties RespAttachment (Boolean) and RespFileName, parsed from Content-Disposition: response header which can be used to offer to save content as a file, and RespRetryDT parsed from Retry-After: response header, when this request should next be repeated as TDateTime. ResponseNoException now defaults to True to skip exceptions for most connection errors like 404, etc, beware this default change may cause applications expecting exceptions to misbehave, either set it false or check StatusCode in RequestDone.
21. In HTTP client TSslHttpRest, if HttpUploadStrat=HttpUploadSimple, add unofficial Content-Disposition request header that some web servers might check for an upload file name. Check for a Json response of any array only [] without objects. Allow GET and DELETE methods to use PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this.
22. The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance: RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]}; RPFmtArrayVal: [data1, data2, data3]; RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}]
23. In the HTTP servers THttpSrv and THttpAppSrv, allow the built in HTTP error response to be customised using new event OnHttpCustomError which is called by the error handlers with the error, path, and existing Body, that may be replaced or modified as required. Called for errors 301, 302, 307, 308, 400, 401, 403, 404, 416, 501. Added new hoContDispHdr Option and AttachmentTypes list of file extensions that if matched causes the server to add an Content-Disposition: attachment header with the filename, that should cause a browser to offer a 'Save As' dialog to save a binary file, rather than trying to display it. Note the default list includes .pdf so Acrobat files are saved rather than displayed. The Get and Delete methods now accept uploaded body content similarly to POST/PUT. The derived THttpAppSrv server has handlers for uploaded content, for THttpSrv you need to write your own. Added OnHttpAcceptFilter event called before TWSocketServer accepts an incoming connection allowing filtering on the remote IP address so the connection is refused without any more events being called.
24. TWSocket has a new property SessionIpInfo which is TIcsSessIpInfo record set after connection with the local and remote IP addresses and ports from the socket, also socket type and protocol, as internal and string versions. Might be easier to use than various GetPeer methods. Set for accepted listen connections. Fixed a missing inherited DupConnected that meant counters did not get reset. The SSL/TLS Server Name extension does not allow raw IP addresses, so convert then to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa.
25. Added Windows memory reporting functions IcsMemInfoProg, IcsMemInfoGlob and IcsMemInfoPerf to the OverbyteIcsWinUtils unit, useful for server monitoring, used by the sample IcsAppMon.dpr. Also IcsMemWarning to check for low or critical memory problems, returns Warning at 85% physical or page file usage, critical at 95% usage (reboot probably required).
26. ICS added OSCP (Online Certificate Status Protocol) support a few years ago, used to check if certificates have been revoked. But running the massive OCSP databases needed has proved challenging, and the industry is moving away from OCSP, Let's Encrypt stopped adding an OCSP URL to certificates in May 2025. OCSP adds quite a lot of code, so added new defines to ICS so OCSP code is only linked if using authorities that still support OCSP, see information about OverbyteIcsDefs.inc. This change effects many components that check certificates, if the defines are disabled OCSP properties are still available, but will be ineffective, removing the OCSP properties would in too many form errors.
27. Another reason for OCSP's demise is shorter SSL/TLS certificate life, so they expire rather than needing to the revoked. From 15th March 2026, certificate life span is reduced to 200 days, from 15th March 2027 down to 100 days and finally from 15th March 2029 to 47 days, but only 10 days for domain control validated certificates, such as most free certificates which are currently 90 days maximum. ICS can already order seven day certificates from Google Trust Services, with Let's Encrypt adding this later in 2025.
28. ICS now defaults to the latest OpenSSL version 3.5.2 which includes support for new Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and for server side QUIC (RFC 9000). ICS has no plans for QUIC support, not yet investigated PQC, don't believe any low level changes are needed, maybe changes to the cipher lists. This is a long term support release with fixes and security updates for five years, until April 2030. ICS still includes four older OpenSSL versions, which will slowly disappear as they reach end of life, about one every six months.
29. The OverbyteIcsDefs.inc file included in most ICS units has several new defines. DEFINE OpenSSL_36 (due Oct 2025) and OpenSSL_40 (due Apr 2026). Enabled DEFINE OpenSSL_35 for OpenSSL 3.5. DEFINE OpenSSL_OcspStaple, should SSL server staple an OCSP response to check if server certificate is revoked. Let's Encrypt stopped adding an OCSP URL to certificates in May 2025 so only enable this if using authorities that still support OCSPL, to avoid extra code being linked. DEFINE OpenSSL_OcspChains, should SSL clients checking a certificate chain check an OCSP server to see if the certificate is revoked, only happens if the certificate has an OCSP URL, undefine to remove the extra code that does OCSP checks. DEFINE OpenSSL_Deprecated, should OpenSSL deprecated functions be loaded, not needed for ICS but may be used by applications for encryption or signing. DEFINE USE_IcsGeoTools used by samples with the TIcsGeoTools component to lookup countries from IP addresses, D11 and later only.

Overbyte Website

There are four options to obtain the source code.

Download from Overbyte web site

ICS-V9 is the long term development version and needed for RAD Studio XE4 and later, it supports Delphi 7 and later.

Latest Stable Version ICS V9.7 - recommended

This is the latest recommended version, which has been tested and used for various published ICS application. It is updated for new releases of RAD Studio and major changes. V9.7 is the version displayed when RAD Studio starts and by the main unit OverbyteIcsWSocket. Note these versions include the latest version of the OpenSSL DLLs at the time of release.

Warning - there was a change in V9.5 and V9.6 that prevented ICS accessing many Google web sites using BoringSSL after 8th May 2026, this has been fixed in V9.7.

From XE8 onwards, Delphi includes a new GetIt tool that offers a catalog of third party components, and allows them to be automatically downloaded and installed. The same stable ICS versions listed above should be available from GetIt.

Zipped Daily Snapshots

This is the easiest way to get the latest version. These packages are built from the version control repositories automatically when they change and are refreshed once a day. To use the latest OpenSSL version, download this snapshot. Note the snapshot includes the latest version of the OpenSSL DLLs.

Archives

Version Control System

Using the version control repository is the best choice if you want to get live access to current development files. Overbyte uses a Subversion server and you need to use a Subversion client such as TortoiseSVN or your favorite browser. The URLs are as follows:

Use username = ics and password = ics for read access. Write access is only available to TeamICS.

Download OpenSSL Binaries

The OpenSSL binaries are required for all ICS SSL-enabled components.

The 64-bit DLLs are only for use with Delphi applications compiled for the 64-bit platform, the 32-bit DLLs work on both 32-bit and 64-bit Windows with 32-bit applications.

Please note older versions of the ICS source code had an internal check to only allow loading of the latest OpenSSL it was tested with, so you could not use new DLLs with an old application without recompiling with the latest version of ICS first.

OpenSSL 1.0.2 and later were only supported by ICS v8, v7 is no longer updated for new OpenSSL versions. This was a long term support version for which free support ceased at the end of 2019 unless you have an OpenSSL Premium Level Support contract for $50,000/year. ICS V8.65 was the last version to support 1.0.2.

OpenSSL 1.1.0 is obsolete and no longer supported. ICS V8.65 is the last version to support 1.1.0.

OpenSSL 1.1.1 is obsolete. Support ceased in September 2023 unless you have an OpenSSL Premium Level Support contract for $50,000/year. Only supports Windows Vista/Server 2008, and later, not Windows XP.

OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. ICS 8.67 is required to support 3.0. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to loaded by the application. This version will be supported until September 2026.

OpenSSL 3.1 is obsolete. Support ceased in March 2025 and is no longer updated for ICS.

OpenSSL 3.2 is a minor new release with QUIC client support for HTTP/3 and many other improvements. ICS 8.67 is required to support 3.2. This version will be supported until November 2025 but ICS has now ceased updates.

OpenSSL 3.3 is a minor new release, minor QUIC and other features. ICS 8.67 is required to support 3.3. This version will be supported until April 2026 but ICS has now ceased updates.

OpenSSL 3.4 is a minor new release, minor newr features. ICS 8.67 is required to support 3.4. There is a bug fix in ICS 9.4. This version will be supported until October 2026.

OpenSSL 3.5 is a major new long term support release, adding Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and server side QUIC (RFC 9000). ICS has no plans for QUIC support). ICS 8.67 is required to support 3.2. This version will be supported until April 2030.

OpenSSL 3.6 is a minor new release, adding several private key improvements and Leighton-Micali Signature (LMS) verification support which is a FIPS requirement. This version will be supported until November 2026.

OpenSSL 4.0 is a major new release. This version will be supported until May 2027. Note 4.0 is a breaking release with new DLL filenames which will not work with any existing ICS releases. ICS V9.6 or later is required.

OpenSSL 4.2 is planned as the next long term support release, in April 2027.

Please note that ICS does not use any of the new features in OpenSSL 3.2 or later at present, so continuing to use the latest patch version of 3.0 with security fixes is generally fine.

The OpenSSL DLLs and EXE files included in the zips above are digitally code signed 'Magenta Systems Ltd', one of the organisations that maintains ICS. The Magenta Systems Code Signing Trust and Certificate Check component may be used to check the correctly signed DLLs are being used by ICS, with this functionality included in ICS V8.38 and later. Beware that Windows needs recent root certificates to check newly signed code, and may give an error if the root store has not been kept current by Windows Update, particularly on older versions of Windows such as XP, Vista and 7. The signed check may be disabled in the OverbyteIcsDefs.inc file by suppressing defines OpenSSL_Check_Signed and OpenSSL_Check_SignCert.

Download OpenSSL Binaries (alternative)

OpenSSL website also links to Win32OpenSSL website providing another build of Win32 DLL binaries. Note note that unlike the builds above builds on that site may have dependencies on Visual C++ 2008 Redistributables (to keep dll files smaller) so make sure you include all the required (and correct) redistributable files in your software installation. You probably don't have to care about that if you use binaries above at the cost of slightly larger DLLs. Also note that site does not keep archives of older versions so you may want to watch their page if you prefer their binaries.