Difference between revisions of "ICS Download"

From Overbyte
 
(76 intermediate revisions by the same user not shown)
Line 1: Line 1:
ICS is available as source code only. You need Delphi to build the sample programs and create your own application. You will also need OpenSSL libraries if using SSL-enabled components.
+
ICS is available as source code only. You need Delphi to build the sample programs and create your own application.  
  
 
'''ICS versions available:'''
 
'''ICS versions available:'''
  
*'''ICS-V8''' for Delphi 7 / C++ Builder 2006 to Delphi XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 / C++ Builder XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11.0 with FireMonkey cross platform support for POSIX/MacOS, also IPv6 support (main development tree, 32 and 64-bit).  
+
*'''ICS-V9''' for Delphi 7 to Delphi 13 / C++ Builder 10.2 to 13, FireMonkey cross platform support for POSIX/MacOS (long term support release, 32 and 64-bit).  
*'''ICS-V7''' for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder XE3 (stable release, no new development, please upgrade to V8).  
+
*'''ICS-V8''' for Delphi 7 to Delphi 11 (stable release, no new development, please upgrade to V9). 
*'''ICS-V6''' for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder 2007 (discontinued and obsolete, please upgrade to V7 if you do not have to support Windows versions < W2K).
+
*'''ICS-V7''' for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder XE3 (discontinued and obsolete, please upgrade to V9).  
*'''ICS-V5''' for Delphi / BCB 1 to Delphi / C++ Builder 2007 and Delphi .NET (discontinued, important bug fixes may still be backported from ICS-V7). SSL option requires at least Delphi 7 or C++ Builder 2006.
+
*'''ICS-V6''' for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder 2007 (discontinued and obsolete, please upgrade to V9 if you do not have to support Windows versions < W2K).
 +
*'''ICS-V5''' for Delphi / BCB 1 to Delphi / C++ Builder 2007 and Delphi .NET (discontinued and obsolete, please upgrade to V9).
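Review bot: the rewritten opening sentence drops "You will also need OpenSSL libraries if using SSL-enabled components" and nothing in the new versions list replaces it. The news items further down still refer to loading the OpenSSL DLLs and to the developer setting GSSL_DLL_DIR, so the introduction should say whether the OpenSSL files ship with ICS or have to be obtained separately. Separately, the ICS-V6 bullet keeps the qualifier "if you do not have to support Windows versions < W2K", which was written for the V7 upgrade advice; confirm it still applies now that the target is V9, or drop it.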
  
 
== ICS News ==
 
== ICS News ==
  
Major Changes in '''ICS V8.69''' include:
+
Changes in '''ICS V9.5''' include:
  
#Major Changes in ICS V8.69 include:
+
#Major improvements in ICS V9.5 include a new geographic component that has built in IP address databases for countries and ASN; server components have a new event called before a connection is accepted allowing 'firewall' rejection of connections based on IP address; the MQTT client and server components now support protocol 3.1.1; the automatic certification ordering component now supports Google Trust Services and other ACME suppliers, as well as Let's Encrypt; changes for the HTTP clients and servers to better support REST request APIs;
#V8.69 has a lot of minor improvements, more HTTP client and server features, better built-in authentication, and added built in file uploading to the REST client component. Also continuing improving all the HTTP samples so they now hopefully test all the features of the ICS HTTP server, specifically adding POST and PUT file uploading, and a new client login window for interactive authentication with servers.  Also added OCSP (Online Certificate Status Protocol) to ICS, which is used to check SSL/TLS certificates are legitimately issued and not revoked.
+
#Many of these improvements, and the delay finishing this release, relate to web server improvements needed to mitigate a nine month long attack on a public web server, that started with millions of accesses from two Far East IP addresses, progressed to accesses from VPNs at data centres worldwide, then finally to a botnet that caused access from over one million different IP addresses in 150 countries each week.  It's not often a developer has first hand experience of such web server abuse, we try to plan for it, but rarely experience it directly.  The ICS web server samples already had filtering by IP addresses and reverse DNS lookup and this worked for a few months with manual updating of the filtering lists, but this was time consuming.  So a new GEO component was added with an IP address to country database that allowed specific countries to be blocked, then regions of the world, finally an ASN database allowed specific cloud/ISPs to be blocked. During these months, the ICS web server kept working, albeit slowing as logs tried to handle the vast volumes of IP addresses, needing rewrites of some ICS componentsBut everything is now stable and ICS capable of handling such heavy traffic.
#In the HTTP client, added new methods RequestAsync and RequestSync which start a specified request by parameter, useful to repeat the last request from an event (such as should be trust the certificate and repeat). When using a proxy, make sure Path is not blank which will break proxies, change to / as for non-proxy requestsGetRequestDoneErrorStr now handles TWsocket errors. Fixed NTLM authentication which got broken in V8.61.  Added a new THttpAuthType of httpAuthDigest2 for Digest with the modern SHA-256 algorithm instead of MD5 used by httpAuthDigest, only with USE_SSL. Added new property WWWAuthInfos array filled after 401/407 failure by parsing AuthorizationRequest headers for AuthType and Realm that may be presented to select an authentication option, get login and repeat request. Remove # fragment anchor rom the URL unless the new Option httpoAllowAnchor is set.
+
#TWSocketServer has a new event OnClientAcceptFilter event called before the component accepts an incoming connection allowing filtering on the remote IP address so the connection is refused without any more events being called. This action is similar to a firewall refusing a connection, rather than opening and immediately closing it again. Before the event is called, a TIcsSessIpInfo record if filled with remote and local addresses and ports in binary and as strings, saving a lot of application code, the event can complete other record fields. This event can be used with the new GEO components to check countries and regions that should be blocked, and with the TIcsBlacklist component to stop those previously blocked addresses from accessing the server.  The THttpSrv HTTP server has a similar OnHttpAcceptFilter event, and it will be added to other servers for the next release.
#In the HTTP REST client, added built in file uploading using POST or PUT. The file name is specified in HttpUploadFile using type HttpUploadStrat ofHttpUploadSimple with parameters in the URL or HttpUploadMIME for multipart with parameters in the first MIME part. Note the applications needs to supply parameters like FileName so the server knows what to do with the file. This may be tested against the ICS web server samplesUpon request completion, ReasonPhrase now also has status, so OK becomes 200 OK, etcPreviously the SslRevocation property was only effective when checking the windows certificate store, now it also works with bundle files using the new TOcspHttp component and OCSP stapling if available.
+
#Added a new TIcsGeoTools component that reads MaxMind formatted GEO database files using the MMDBReader component, and includes two small databases from db-ip.com, 'IP to Country Lite' and 'IP to ASN Lite', but can handle other MaxMind databases. Both databases can are available as resource files that can be linked into applications or loaded from a file to be shared between serversThere is also a country name database ICS-Countries.csv linked as a resource file that contains country GEO informationASN is Autonomous System Name, an ISP or cloud name, that supplements reverse DNS (often missing) in identifying the owners of IP addresses. The databases are updated monthly by db-ip.com and can be downloaded from them, will try to keep ICS up to date.
#In the HTTP server component, now converting FLastModified to UTC/GMT time for the response header. Added new authentication type atDigestSha2 with a SHA256 hash instead of MD5 with atDigest only supported with USE_SSL. Note: Mozilla Firefox supports Digest SHA-256, Chrome and Edge do not. Added a new client connection OnHttpRespHdr event to allow response headers to be logged, previously only request headers could be loggedCleaned up AnswerStream functions so separate lines don't go into send buffer. Added OcspSrvStapling property which should be set to enables OCSP checks and stapling only with AUTO_X509_CERTS define since it adds extra HTTP client code. A revoked certificate will be auto ordered.
+
#The TIcsGeoTools component is a self contained unit, IcsGeoUtils.pas with no dependencies, but is only available for Delphi 11 and later due to use of new language features. The component needs to be created in code and the databases required loaded before use, see the samples mentioned below. The main lookup methods are FindISOA2Code and FindASNCode, then FindCountry and FindRegion from an ISOA2 country code, region is a quick was to block all Asian countries for instanceThe TIcsDomainNameCache and TIcsBlacklist now include ISOA2 and ASN fields that are included in responses and reports from these components. Beware block countries and regions may have unexpected consequences, for instance Let's Encrypt and Google validate SSL/TLS certificate domain names from multiple countries.
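Review bot: the caveat at the end of this TIcsGeoTools item ("Beware block countries and regions may have unexpected consequences") is the only place the side effect on certificate validation is mentioned, while the blocking itself is configured in the OnClientAcceptFilter and OnHttpAcceptFilter events described two items earlier. Suggest repeating or moving the caveat next to the accept filter item and tying it to the automatic certificate ordering items, since the text says Let's Encrypt and Google validate domain names from multiple countries. Wording fixes in the same region: "Both databases can are available" in the previous item, and "a quick was to block" and "Beware block countries" in this one.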
#In TWSocket, added new method SendTB(const Data: TBytes; Len: Integer=-1) where Len is optional, also similar SendToTB and SendToTB6 with TBytes, as an alternative to casting such types to use Send(). Restored the TlsExtension_cb callback for client debugging since ClientHelloCallback only works with servers.
+
#The OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService samples use the databases in the new server OnHttpAcceptFilter event, and writes country and ASN to the web log file, as well as allowing hacker filtering using this information. The OverbyteIcsNetTools sample Trace Route now shows the country and ASN for each IP in the route to the destination, as well as reverse DNS, although the IP addresses allocated to network routers don't appear to totally accurate. These samples only use TIcsGeoTools if DEFINE USE_IcsGeoTools is set in Defs.inc.
#In TSslWSocketServer added OCSP (Online Certificate Status Protocol) support with IcsHosts using the TOcspHttp component to confirm server SSL/TLS certificates are legitimate and not revoked for security reasons. The certificate OCSP response is also stapled to the initial SSL/TLS HELO handshake and sent to the client to avoid it needing to lookup OCSP using HTTP itself. OCSP responses are cached and saved to a file for reloading later, but are refreshed every time the certificate is validated, at least once a day. The new server property OcspSrvStapling enables OCSP checks and stapling only with AUTO_X509_CERTS define since it adds extra HTTP client code. A revoked certificate will be auto ordered.  OCSP checking is done in LoadOneCert and the stapled response sent in TriggerSslServerName when checking SNI.  The same OCSP support is available in all ICS servers that use IcsHosts, including FTP, HTTP and TIcsIpStrmLog.
+
#Added new components TIcsFilterList and TIcsIpAddrList to replace TestFilters using HackFilterList and TestIpWhiteList using WhiteIpList in sample OverbyteIcsSslMultiWebServ1.pas. TIcsFilterList reads same file hackfilterlist.txt containing key=value pairs which are used to filter incoming connections for path, remhost, country, useragent or referrer, trying to filter out abusive remote hosts. TIcsIpAddrList reads same file whiteiplist.txt which is a list of ASCII IP full or partial addresses, generally that should not be blocked by filters. The TIcsBlacklist has major changes including support for saving IPv6 addresses in  binary as well as ASCII, they sort better in reports and take less memory, adding and checking an TSockAddrIn6 which avoids conversion to strings, and other improvements to handle one million IP addresses more efficiently.
#All three main HTTP SSL client sample applications FrameBrowserIcs, OverbyteIcsHttpsTst and OverbyteIcsHttpRestTst now support interactive authentication with a new Login window that displays the different methods the server will accept (from the new property WWWAuthInfos array) allowing one to be selected from Basic, Digest MD5, Digest SHA256 and NTLM logins. This window is displayed after an 401 error and the request then repeated.
+
#Since Let's Encrypt introduced the ACME (Automatic Certificate Management Environment) protocol to download free SSL/TLS certificates, other suppliers have added automated ordering using the same API, mostly with extra account information for commercial certificates. ICS has been tested successfully with free certificates from Google Trust Services, and should work with DigiCert, ZeroSSL and SSLcom, but these three are primarily commercial suppliers and need prepaid accounts, so not tested yet.  Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates up to 90 days with multiple wildcards, but allows the expiry days to be specified during ordering, down to three days.  Some companies were reluctant to use Let's Encrypt when there was no alternative in case of extended down time, now Google offers that alternate.
#The OverbyteIcsHttpsTst SSL sample now has all the missing features from the non-SSL samples, Content Encoding Gzip tick box to support compression, persistent cookie support, POST/PUT support to either send simple data or upload files in various ways (from OverbyteIcsHttpPost1 sample), may be tested against the ICS web server samples.
+
#Apart from Let's Encrypt, suppliers use ACME external accounting to tie the ordering process to web site accounts, which is explained in comments in the OverbyteIcsSslX509Certs unit, more information will be added and the wiki pages updated soon.  Google needs the Google Cloud CLI Windows application installing, type a few commands and you get the external account information Acme needs.  The OverbyteIcsX509CertsTst sample has a major revision to support multiple account suppliers and to specify the external accounting information.  The sample needs to be run on any servers that will order certificates to create the initial Acme account (except for Let's Encrypt), and includes a web server allowing test certificates to be ordered provided DNS points to a public IP on the server. Most suppliers provide a testing endpoint which is listed in OverbyteIcsX509CertsTst so you can order fake certificates to understand the process. There is now a facility to ask ICS servers to renew certificates on demand from the OverbyteIcsX509CertsTst sample, previously you had to mess with the INI file to force a new order.
#The OverbyteIcsDDWebService SSL web server sample now builds on unicode compilers. Added authentication for POST requests and new 'Password protected page (POST)' button on the demo menu to test authentication using POST. Fixed web logging to log correct multiple listener.  Builds on unicode compilers. Added Digest SHA-256 authentication page DemoDigest2Auth.html and DemoDigestsAll.html that does both digests.  DemoAuthAll.html no longer does NTLM, use the separate page. Now displays server response headers if box ticked, only displayed request headers before. File Upload Form and Email Form pages now work without exceptionsThe OverbyteIcsSslMultiWebServ SSL web sample has similar new authentication features and logging fixes.
+
#TWSocketServer has a lot of improvements relating to SSL/TLS certificates, many relating to new IcsHosts options to support suppliers other than Let'S EncryptIcsHosts has a new property AcmeSupplier as TAcmeSupplier which may be AcmeLetsEncrypt or AcmeGoogle (or several others), and property SupplierTitle to specify the account name of than supplier from a database. The supplier accounts database is generally maintained by the OverbyteIcsX509CertsTst sample, which must be used to create accounts for new suppliers, and which may be used to view certificate orders. SupplierTitle is used instead of specifying CertDirWork which will be looked up from C:\ProgramData\ICS-Acme-Accounts\ics-acme-accounts.dbBy default, new work directories will be in: C:\ProgramData\ICS-Acme-Accounts\CertDirWork is still supported, but it's recommended that applications move to using supplier accounts instead, which can be monitored using OverbyteIcsX509CertsTst. Google and other suppliers only work with supplier accounts, since information is needed that is not in IcsHosts.
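Review bot: in this IcsHosts supplier item, sentences have run together around two file paths, "ics-acme-accounts.dbBy default" and "C:\ProgramData\ICS-Acme-Accounts\CertDirWork is still supported", so a reader cannot tell whether the default work directory is C:\ProgramData\ICS-Acme-Accounts\ or a CertDirWork subdirectory of it. Put each path in its own sentence and start "CertDirWork is still supported" as a new one. The same item also has "Let'S Encrypt", "EncryptIcsHosts" and "of than supplier".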
#Updated OpenSSL to 3.0.3 and ZLIB (HTTP compression) to 1.2.12, sorry for long delay in updating zlib, now including some important bug fixes, although never saw  any issues with the minimal use ICS makes of itUpdated the various ICS CA Trusted Stores.
+
#IcsHosts has other new properties: AcmeCertProfile to specify the type of certificate requested for Let's Encrypt, listed in FAcmeProfileNames array, default classic, optional tlsserver and shortlived (7 day, not yet available); AcmeCertValidity to specify certificate life in days, default 90, only Google at present, down to 3 days. Certificate ordering now makes use of the ACME Renewal Information API that specifies how many days before expiry a certificate should be renewed, and how often these dates should be rechecked to see if the certificate needs immediate renewal due to being revoked.  This overrides CertExpireDays.  Renewal Information is checked each time the certificate chain is checked, but is cached so there is usually only a server API call every six hours. Note with OCSP gone, this is now the only way to check if a certificate is revoked.
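Review bot: the closing note of this item, "with OCSP gone, this is now the only way to check if a certificate is revoked", conflicts with the later items that keep DEFINE OpenSSL_OcspStaple and OpenSSL_OcspChains for "authorities that still support OCSP". Suggest qualifying it so it applies to suppliers that no longer put an OCSP URL in their certificates. Since the item also says Renewal Information is cached with "usually only a server API call every six hours", it would help to state how long a revocation can go unnoticed as a result.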
#The OverbyteIcsPemtool SSL sample now does OCSP checks when examining certificate filesThere is also a new Test Host Certificates tab that tests SSL/TLS handshake and certificates (using TIcsIpStrmLog) for a list of host names and ports, building a list of host and intermediate certificates that may be further checked and saved as files or added to an intermediate bundle. This new tester should prove useful for debugging sites that return SSL or certificate errors.
+
#Reworked certificate checking so if automatic ordering is enabled the Acme account information is looked up when the certificate is first loaded to get renewal information and maybe working directory, rather than only when time to order a new certificate, so there is more logging and error checking at load time.  Temporary ICS self signed certificates are now created in GSSL_CERTS_DIR instead of TempPath.  When starting a certificate order, if the challenges have been previously completed OK, collect order immediately, don't try to start them again.  Let's Encrypt is implementing a change in the way new certificates are issued, which may be delayed a few seconds after the CSR is provided, rather than immediately, so the component now waits and checks every five seconds for the new certificate to be issued. This already happens for Google.  Note this Let's Encrypt change means earlier ICS versions will soon fail to work.
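Review bot: the last sentence of this item, "Note this Let's Encrypt change means earlier ICS versions will soon fail to work", announces a breaking change for anyone ordering certificates automatically, yet it sits at the end of a long paragraph about load-time checks. The versions list at the top still describes ICS-V8 only as "stable release, no new development"; suggest surfacing the Let's Encrypt incompatibility there or as its own news item, and naming which versions are affected.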
 +
#ICS now supports ordering SSL/TLS certificates with IP addresses as well as host domain names, tested with Let's Encrypt Staging but not available yet from live certificates.  Testing showed a problem using SSL with IP addresses URLs relating to the Server Name Indication HELO feature which does not allow simple IP addresses which must be converted to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa.  Automatic certificate ordering in IcsHosts now has a database property CertRenewNow that if set true in the database using the OverbyteIcsX509CertsTst, will override certificate expiry checking and cause an immediate new certificate replacement order by in servers with IcsHosts the next time RecheckSslCerts is called by the server, typically every two hours.
 +
#Fixed a long term problem where SSL/TLS server name SNI checking for a matching IcsHost used the certificate SANs that might have included a wild card, instead of the Hosts list of host names.  If one IcsHost allowed wild cards it might have been found instead a specific IcsHost for a single host.
 +
#New major versions of OpenSSL often add new functions and deprecate older functions that are then removed in a subsequent major release after applications should have been updated.  ICS has added a DEFINE OpenSSL_Deprecated without which no deprecated functions should be loaded.  ICS has been testing with a special build of OpenSSL 3.5 without deprecated functions and several units have now been updated to use newer 3.0 functions, so no more work should be necessary for OpenSSL 4.0 when those deprecated could disappear. The DEFINE OpenSSL_Deprecated should only be needed if your application uses old OpenSSL functions for encryption or signing.  The OverbyteIcsJoseTst sample also needs OpenSSL_Deprecated for RSA string encryption, pending a rewrite without deprecated functions.  ICS now only creates the C:\ProgramData\ICS-OpenSSL directory if conditionals OpenSSL_Resource_Files or OpenSSL_ProgramData are specified meaning OpenSSL files are expected there.  Otherwise the developer is responsible for setting GSSL_DLL_DIR to the OpenSSL DLL directory.
 +
#Updated the MQTT client and server components to support protocol 3.1.1 which is commonly used, previously we only supported 3.1.  The client will connect to a v5 server by ignoring dozens of new options, but needs a lot more work, much more complicated than v3.1.1, not planning any more v5 unless there is a specific requirement. Added LogPackets property to log packets in ASCII and hex for diagnostics, UseSSL property to force client to use SSL on any port, BlankClient property (anonymous) for 3.1.1 so server allocates ClientId, but only v5 tells us that ID. BurstMode property for 3.1.1 so client does not wait for response to Connect, but publishes immediately.  When Subscribing With v3.1.1, the server now returns a failure flag for permissions failure, which is returned as QoS qtFAILURE. Also improvements to the OverbyteIcsMQTTst sample, allow Username/Password to be set, so they may be left blank, ClientHost is now a drop down box, and includes test.mosquitto.org that may be used for client testing, see https://test.mosquitto.org/ for a long list of ports for different testing purposes, allow MQTT protocol to be specified, added v3.1.1 and v5, and options to test all new functions. If the server SSL port non-zero, the server will create an ICS CA signed certificate for the host name (ie localhost) if a certificate file bundle is not found.
 +
#There are various WebSocket improvements.  The client now has optional asynchronous connection which no longer blocks the initial WSConnect which now returns immediately and a OnWSConnected event is called when the connections is ready or fails, so should now correctly process a welcome message or packets sent immediately upon connection.  The server now has a configurable delay after connection before sending a welcome message or packets, for clients that can not process them immediately. Fixed a problem that data sent immediately a new connection opened could be lost because the component had not switched to Websocket mode. Allow Sec-WebSocket-Protocol: header to added with HeaderSecWebSocketProtocol values (char, superchat, etc). Added a new OnWSFramesDone event called when a queue of frames have been sent, for flow control when sending a lot of data.  Note the IcsAppMonMan.dpr sample illustrates how to use multiple WebSocket client components to contact multiple WebSocket servers and display information from them, it comes configured to view three public servers running ICS web, FTP and proxy servers.
 +
#Fixed a long term problem with ECDSA binary digests, which have two formats, ASN.1 used by OpenSSL and IEEE P1363 which is shorter fixed length and often also used.  Added IcsDigestAsntoIEEE and IcsDigestIEEEtoAsn to convert between the two formats, and a new EcdsaIEE flag to IcsAsymSignDigestTB, IcsAsymVerifyDigestTB, IcsJoseJWSJson, IcsJoseGetSigTB, IcsJoseCheckSigTB and IcsJoseCheckJWS to use the new format, only effective when using EC private keys.  Signing Acme requests with EC keys now correctly use IEEE P1363 digests so finally work properly, been looking for this since 2018.
 +
#CreateSelfSignCertEx now adds IP addresses to the correct alternate list, not allowed as common name. TSslCertTools has new certificate properties for more Distinguished Names, mainly for personal names: Street, SurName, GivenName, NameTitle, NameInitials, used when creating Certificate Requests. Using Description no longer gives an error.
 +
#The HTTP clients THttpCli and TSslHttpRest have new properties RespAttachment (Boolean) and RespFileName, parsed from Content-Disposition: response header which can be used to offer to save content as a file, and RespRetryDT parsed from Retry-After: response header, when this request should next be repeated as TDateTime. ResponseNoException now defaults to True to skip exceptions for most connection errors like 404, etc, beware this default change may cause applications expecting exceptions to misbehave, either set it false or check StatusCode in RequestDone.
 +
#In HTTP client TSslHttpRest, if HttpUploadStrat=HttpUploadSimple, add unofficial Content-Disposition request header that some web servers might check for an upload file name. Check for a Json response of any array only [] without objects. Allow GET and DELETE methods to use PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this.
 +
#The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance:  RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]};  RPFmtArrayVal: [data1, data2, data3];  RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}]
 +
#In the HTTP servers THttpSrv and THttpAppSrv, allow the  built in HTTP error response to be customised using new event OnHttpCustomError which is called by the error handlers with the error, path, and existing Body, that may be replaced or modified as required. Called for errors 301, 302, 307, 308, 400, 401, 403, 404, 416, 501.  Added new hoContDispHdr Option and AttachmentTypes list of file extensions that if matched causes the server to add an Content-Disposition: attachment header with the filename, that should cause a browser to offer a 'Save As' dialog to save a binary file, rather than trying to display it.  Note the default list includes .pdf so Acrobat files are saved rather than displayed.  The Get and Delete methods now accept uploaded body content similarly to POST/PUT. The derived THttpAppSrv server has handlers for uploaded content, for THttpSrv you need to write your own.  Added OnHttpAcceptFilter event called before TWSocketServer accepts an incoming connection allowing filtering on the remote IP address so the connection is refused without any more events being called.
 +
#TWSocket has a new property SessionIpInfo which is TIcsSessIpInfo record set after connection with the local and remote IP addresses and ports from the socket, also  socket type and protocol, as internal and string versions.  Might be  easier to use than various GetPeer methods. Set for accepted listen connections. Fixed a missing inherited DupConnected that meant counters did not get reset. The SSL/TLS Server Name extension does not allow raw IP addresses, so convert then to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa.
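Review bot: this TWSocket item repeats the SNI explanation already given in the IP address certificate item ("ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa"), and the HTTP server item just above it repeats the OnHttpAcceptFilter description from the TWSocketServer item, which also says the event "will be added to other servers for the next release". Keep each explanation once and cross-reference it, so the two copies cannot drift apart. Also "so convert then to domain names" should read "them".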
 +
#Added Windows memory reporting functions IcsMemInfoProg, IcsMemInfoGlob and IcsMemInfoPerf to the OverbyteIcsWinUtils unit, useful for server monitoring, used by the sample IcsAppMon.dpr.  Also IcsMemWarning to check for low or critical memory problems, returns Warning at 85% physical or page file usage, critical at 95% usage (reboot probably required).
 +
#ICS added OSCP (Online Certificate Status Protocol) support a few years ago, used to check if certificates have been revoked.  But running the massive OCSP databases needed has proved challenging, and the industry is moving away from OCSP, Let's Encrypt stopped adding an OCSP URL to certificates in May 2025. OCSP adds quite a lot of code, so added new defines to ICS so OCSP code is only linked if using authorities that still support OCSP, see information about OverbyteIcsDefs.inc.  This change effects many components that check certificates, if the defines are disabled OCSP properties are still available, but will be ineffective, removing the OCSP properties would in too many form errors.
 +
#Another reason for OCSP's demise is shorter SSL/TLS certificate life, so they expire rather than needing to the revoked.  From 15th March 2026, certificate life span is reduced to 200 days, from 15th March 2027 down to 100 days and finally from 15th March 2029 to 47 days, but only 10 days for domain control validated certificates, such as most free certificates which are currently 90 days maximum. ICS can already order seven day certificates from Google Trust Services, with Let's Encrypt adding this later in 2025.
 +
#ICS now defaults to the latest OpenSSL version 3.5.2 which includes support for new Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and for server side QUIC (RFC 9000). ICS has no plans for QUIC support, not yet investigated PQC, don't believe any low level changes are needed, maybe changes to the cipher lists. This is a long term support release with fixes and security updates for five years, until April 2030. ICS still includes four older OpenSSL versions, which will slowly disappear as they reach end of life, about one every six months.
 +
#The OverbyteIcsDefs.inc file included in most ICS units has several new defines.  DEFINE OpenSSL_36 (due Oct 2025) and OpenSSL_40 (due Apr 2026). Enabled DEFINE OpenSSL_35 for OpenSSL 3.5.  DEFINE OpenSSL_OcspStaple, should SSL server staple an OCSP response to check if server certificate is revoked. Let's Encrypt stopped adding an OCSP URL to certificates in May 2025 so only enable this if using authorities that still support OCSPL, to avoid extra code being linked.  DEFINE OpenSSL_OcspChains, should SSL clients checking a certificate chain check an OCSP server to see if the certificate is revoked, only  happens if the certificate has an OCSP URL, undefine to remove the extra code that does OCSP checks.  DEFINE OpenSSL_Deprecated, should OpenSSL deprecated functions be loaded, not needed for ICS but may be used by applications for encryption or signing.  DEFINE USE_IcsGeoTools used by samples with the TIcsGeoTools component to lookup countries from IP addresses, D11 and later only.
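Review bot: "OSCP" in the item beginning "ICS added OSCP" and "OCSPL" in the DEFINE OpenSSL_OcspStaple description here are misspellings of OCSP, and "removing the OCSP properties would in too many form errors" in the former is missing words. That item also says that with the defines disabled the "OCSP properties are still available, but will be ineffective"; suggest listing which properties each define governs, so a server operator can tell whether a revocation check is actually being performed rather than silently skipped.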
  
More detailed release notes are at [[ICS_V8.69 | ICS 8.69 Release Notes]]
+
Changes in '''ICS V9.4''' include:
  
Major Changes in '''ICS V8.68''' include:
+
#Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen.
 +
#The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line.
 +
#TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs.
 +
#In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end.  Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL.
 +
#When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded.
 +
#In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error.  Don't report directories as being downloadable, they are not.  If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors.
 +
#The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4.
 +
#The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent.
 +
#When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available.
 +
#The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default.
 +
#The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging.
 +
#In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents.
 +
#The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519.
 +
#There is a new unit OverbyteIcsWinUtils that contains Windows API functions,  built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access.  It's planned to move most other Windows specific function here for ICS V10.
 +
#In the ICMP component, fixed a problem setting property PingMsg to the text to ping.
 +
#In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients.
 +
#In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file.
 +
#In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions.  Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb).
 +
#The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32.  Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12.
  
#V8.68 is a minor release, mainly HTTP client and server improvements including new request and response headers to assist browser caching and conditional requests, improved error reporting to help diagnose failed HTTP requests, and improvements in the HTTP REST component allowing it to save files including resuming failed downloads and download files of any size.  There are minor fixes in various components, and updates to installing on MacOS and C++ Builder. There is also a new File Clean-Up demo ideal for deleting the old log files that many applications (including some ICS samples) leave on systems.
+
Changes in '''ICS V9.3''' include:
#The HTTP client TSslHttpCli now keeps the Etag response header as ResponseEtag, allowing applications to save it with the page content, and when requesting a refresh to add the request method ReqIfNoneMatch or ReqIfMatch to avoid downloading the page again. Improved RequestDoneError to give more information than a simple abort, added httperrOutOfMemory and httperrBgException which happen while receiving and processing data in the OnDocData event and httperrSslHandShake. For range downloads, added the ContentIfRange request header which can send an RFC1123 date or Etag so a partial download only happens if the file is unchanged.
 
#Previously, the HTTPS REST client TSslHttpRest always downloaded content to a TMemoryStream with content size being limited to MaxBodySize (default 100 MByte), and generally restricted by memory to less than 250 MByte.  To remove this limitation, added the HttpMemStrategy property with THttpMemStrategy on how to handle downloads: HttpStratMem only TMemoryStream; HttpStratTemp uses a work file in the system temporary directory for sizes larger than MaxBodySize; HttpStratFile always writes a named file HttpDownFileName (with .part extension during download); HttpStratResume is similar to HttpStratFile but supports resume of failed partial downloads (with .http extension for resume information). Property ResumeMinSize defines the minimum sized partial file that should be resumed, rather than start again (default 64K). Added ShowProgress property that causes download information to be sent to the OnHttpRestProg event.
 
#The HTTP server TSslHttpServer now supports the If-Range, If-Match and If-None-Match request headers for conditional pages using Etag or last modified date, and sends 304 not modified for matches, to help with caching. Added an ETag header to responses in AnswerStream and AnswerPage when we can create one from a file modification date and size (base64 CRC32), or if the EntityTag property is specified in the client onGetDocument event before using hgSendDoc or hgSendStream, perhaps a CRC32 of the entire content from a cache. The 304 not modified response now includes more recommended headers. Also add a Date: header to AnswerStream and AnswerPage responses to help with caching.
 
#The Multi HTTPS client TIcsHttpMulti has been updated to a fix a problem that meant large files failed download with only an abort error if too large for TMemoryStream, now downloaded to TFileStream with .part extension and renamed up successful completion.
 
#The previous ICS release added support for the OpenSSL 3.0 release. Now it's been available for three months it has been added to the main distribution, the samples SslInternet directory now has both OpenSSL 1.1.1m and 3.0.1. ICS now supports YuOpenSSL 3.0 and 1.1.1 vrsions as commercial DCUs allowing applications to be used with OpenSSL without needing separate DLLs.
 
#In TIcsFileCopy, the DeleteFiles method now supports a new Zipped property so files are zipped with .zip extension before being deleted, useful for cleaning up old logs to save space (requires VCLZip).  The OverbyteIcsXferTst,dpr sample has a new File Clean-Up tab to test the multiple DeleteFiles method, it allow files older than x days or a specific date range to be archived/zipped (to save space) or deleted, ideal for deleting the old log files that many applications (including some ICS samples) leave on systems.
 
#In the FTP client TSslFtpClient, using the PORT command to set Active mode now prevents other FTP clients sharing the same port number and address, usually only a problem with a small port pool (which is not recommended).
 
#Updated the trusted root certificate bundle files, lots of changes from Microsoft since June, Google is now issuing it's own certificates. Updated the build-in sslRootCACertsBundle, few gone, now total 59 certificates commonly used.
 
#ICS should now build with C++ for RAD Studio 10.4 and 11.0, fixed the 11.0 packages and various Windows API related units, including for Win64.
 
  
More detailed release notes are at [[ICS_V8.68 | ICS 8.68 Release Notes]]
+
#V9.3 continues the simplification of use of ICS components by consolidating many types and constants into the OverbyteIcsTypes unit, avoiding projects needing to find and add specific units before they will buildFor XE2 and later, OverbyteIcsTypes and OverbyteIcsSslBase will be added automatically when components needing them are dropped on a form, or that form accessed for existing projects. One benefit of this change is removing dependence on several units for many components and applications, it should be possible to remove OverbyteIcsWinsock, OverbyteIcsLIBEAY, OverbyteIcsSSLEAY and OverbyteIcsLogger from most applications, and also other units. See https://wiki.overbyte.eu/wiki/index.php?title=Updating_projects_to_V9.3 for more information.
 
+
# Previously, the Windows Certificate Store was supported on Windows for all components and samples, despite it not always being required. There are three new defines {$DEFINE MSCRYPT_Clients}, {$DEFINE MSCRYPT_Servers} and {$DEFINE MSCRYPT_Tools) that determine which components can use the store, at least one must be set or applications that need the store will fail. Although these new defines all default to enabled in the OverbyteIcsDefs.inc supplied with V9.3 and later, unless this file is installed, Windows Certificate Store will be unavailable. These defines are disabled for non-Windows platforms and for C++ Builder which has bugs.
 
+
#Added new application independent monitoring, comprising a client component and server sample.  The ICS Application Monitor TIcsAppMonCli client component is designed to report to an ICS Application Monitor server, which will ensure the main application remains running. The ICS Application Monitor server IcsAppMon.exe is designed to monitor ICS applications using the TIcsAppMonCli client component, and ensure they remain running, restarting the application if it stops or becomes non-responsive, or on demand. Primarily to keep ICS server Windows services running non-stop, but may also be used for network wide monitoring of ICS applications. Client and server both use the TIcsIpStrmLog component with a simple TCP protocol.  More information at https://wiki.overbyte.eu/wiki/index.php?title=FAQ_ICS_Application_Monitoring
Major Changes in '''ICS V8.67''' include:
+
#The HTTP client components TSslHttpCli and TSslHttpRest have new RespMimeType and RespCharset response properties parsed from the Content-Type header to avoid applications needing to parse this headers.  Fixed a problem in V9.2 where a missing / was added to the start of the request path, but was not needed for absolute paths used for proxies.
 
+
#The TIcsIpStrmLog streaming log component has improvements for TCP Server mode when multiple remote clients connectPreviously the same data was sent to all remote clients (the original concept being remote logging), but now applications can send data to specific remote clients, and more easily check which remote client is receiving data.  This change means TIcsIpStrmLog can be used as the core of many TCP servers with different protocols, such as the new IcsAppMon sample, see above.
# Added support and packages for RAD Studio 11.0Updated SSL/TLS root certificate bundles, old certificates gone, new ones added, nothing major.
+
#The TSslHttpRest and component has a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self signed private certificates, maybe checking certificate serials, names or public key. If LogSslVerMethod = logSslVerOwnEvent, a new event OnSslCertVerifyEvent is called so the application can check the chain and change the verify result appropriately.
# Added support for OpenSSL 3.0 which is a major new release, primarily a lot of internal changes to ease long term support. There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to the standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll has obsolete ciphers and hash digests, including MD2, MD4, Blowfish, DES, IDEA, RC2, RC4, SEED, that most applications no longer need and which needs to loaded by the application by setting global variable GSSLEAY_LOAD_LEGACY to true before loading OpenSSL.
+
#Improved the ability to customise SSL ciphers if the ICS defaults need to be changed.  TSslContext and TIcsHosts have three properties, SslCipherList for TLSv12 ciphers, SslCipherList13 for TLSv13 ciphers, and SslCryptoGroups sets the cipher curve groups allowed (like P-256 or X25519).  Beware old SslContexts may include group P-512 which must be corrected to T-521SSL handshake responses now show the curve group used for OpenSSL 3.2 and later. The OverbyteIcsHttpsTst client sample may be used to test the new cipher options, and they will be read from IcsHosts INI files for servers.
# OpenSSL 3.0 does not offer any specific new features of benefit to ICS at present, although HTTP/3 support is planned for 3.1 or later, so the main ICS distribution retains OpenSSL 1.1.1i which is fully supported until September 2023. OpenSSL 3.0 may be downloaded from the download page.
+
#Added a new web server sample OverbyteIcsBasicWebServer1.dpr which is a simplified version of OverbyteIcsSslMultiWebServ ignoring configuration INI files, security features, session data, most demo pages and most logging, and settings for localhost set in code, search for IcsHosts to change IP addresses, etc. This sample should be easier to use as a basis for new web server applicationsThe existing samples OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService have a new index.html template page, and default to localhost 127.0.0.1 with an internal localhost SSL certificate, so should always response to https://localhost/ without any INI file changes.
# The main implication for ICS with OpenSSL 3.0 is for SSL/TLS certificate private keys saved with password protection, which is required for PKCS12 certificates for importing into the Windows certificate store. The new PKCS12 default password encryption AES256 is not recognised until Windows Server 2016 v1709  and Windows 10 v1709, so Server 2012, Windows 10 RTM and earlier won't load AES passworded keys, only 3DES, for which the legacy.dll must be loaded.
+
#Fixed an HTTP web server problem in V9.2 to avoid repeated redirection for virtual default page /, was adding /// etc.
# There are two new classes to write and read SSL/TLS certificates to and from the Windows Certificate Store, including private keys. This is primarily so Let's Encrypt certificates can be installed automatically for use with the IIS web server.
+
#Updated OpenSSL binary and resource files to releases 3.3.2, 3.2.3 and 3.0.15, only one of which will be linked according to defines.
# Various improvements for the OverbyteIcsPemTool sampleIt includes new buttons to list the contents of Windows certificate and private key stores and allow old items to be deleted.  This may be useful for cleaning up old certificates and private keys from the Windows stores.  
+
#Restored the sample OverbyteIcsConHttp.dpr which is a console example, now supports SSL by replacing THttpCli with TSslHttpRest, no longer needs any events or a message loop for a single sync request, so a less code than without SSL. Now contacts https://wiki.overbyte.eu/wiki.
# For the TX509Certs component, the default cipher for encrypting PFX/P12 files is now PrivKeyEncAES256 with 3.0 unless the legacy DLL is loaded when still PrivKeyEncTripleDES so older versions of Windows can load them. Changed extraction of download PEM bundle so that main certificate does not need to be  first in file, log them all, and ignore any self signed root certificates.
+
#A lot of changes have been made preparing ICS for Linux. Corrected loading OpenSSL on Posix, now loads the system supplied OpenSSL 3 DLLs on Ubuntu 22.04The Linux package now builds correctly, but beware WSocket is not yet supported on Linux so no protocols will work. There is a new IcsPemTest FMX sample that works on Ubuntu 22.04 and which will create ICS signed SSL certificates.  Note, MacOS support is disabled pending the new Posix implementation.
# Fixed two problems in the FTP client, support option ftpFixPasvLanIP for PUT/APPE uploads as well as  downloads, and support IPv6 for PUT/APPE uploads as well as downloads.
 
# In the Application Web Server TSslHttpAppSrv, added an optional LastModified parameter to the AnswerStream, AnswerPage, and AnswerString methods to avoid adding a custom header line with the dateAdded NO_CACHE_EX and NO_STORE_EX literals. Added PUT and DELETE verb handlers, similar to GET and POST.
 
# For the HTTP client TSslHttpCli, fixed a relocation problem where the Location: header included a path with a space, encode the space. Fixed another relocation problem where HEAD sometimes stalled. Remove # fragment or anchor from URL in relocation, only used by browsers and not by servers.
 
# Added a new SSL sample, OverbyteIcsDDWebService.dpr which is very similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows service, although it will also run as a GUI for debuggingIt requires DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice.asp. It also includes a REST server with simple lookup responses from a SQL database, which optionally requires DISQLite3 5.36.5 or later to be installed from http://www.yunqa.de. Note this sample in not in the project groups due to these pre-requisites.
 
# Moved TRestParams from the OverbyteIcsSslHttpRest unit to OverbyteIcsUrl to ease circular references. Added a new method AddItemNULL to add a null, in Json this will be unquoted. Added a new TRestParamsSrv component which provides methods for creating REST server Json responses from a SQL database esultset, one or more rows, also error responses. Note this is only compiled if DATABASE is defined in OverbyteIcsDefs.inc to avoid bringing in database units that are not available on all Delphi editions. There is a REST server sample OverbyteIcsDDWebService.dpr that illustrates SQL lookups.
 
# In the proxy component TIcsHttpProxy, don't send an HTTP request header until after HTTP body has been processed in case the body length changes. HTTP Forward Proxy using HTTP works again, broken in V8.65. Using HTTP Forward Proxy, convert absolute URL to path only since some servers can not process an absolute URL and sulk.
 
# In the Jose unit, rewrote the functions converting private keys to and from Json Web Keys with new OpenSSL 3.0 provider functions. Use AnsiStrings and functions when dealing with binary data to avoid possible issues with string conversions and nullsJson now created with TRestParams.
 
# Added two new sample project groups, OtherDemos64 and SslDemos64 which include Win64 versions of all the main active samples with 64 added to the project name, so they can be regularly built alongside the Win32 versions without changing platforms and overwriting executables.
 
 
 
More detailed release notes are at [[ICS_V8.67 | ICS 8.67 Release Notes]]
 
  
 
== Overbyte Website ==
 
== Overbyte Website ==
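Review bot: The V9.4 item on loading the OpenSSL DLLs drops the digital-signature check on Windows XP, 2003, Vista and 2008 and then adds "never tested". The entry should say plainly that on those systems the DLLs are now loaded without any signature verification, so anyone still deploying there knows the files have to be verified by other means. In the V9.3 cipher item, "must be corrected to T-521" looks like a typo for P-521 (the NIST curve name), and a reader copying it into SslCryptoGroups would set a group that does not exist. The MSCRYPT item also closes its third define with a parenthesis, "{$DEFINE MSCRYPT_Tools)", where a closing brace is needed.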
Line 67: Line 84:
 
There are four options to obtain the source code.
 
There are four options to obtain the source code.
  
[http://www.overbyte.eu/eng/products/ics.html '''Download from Overbyte web site''']
+
[https://www.overbyte.eu/eng/products/ics.html '''Download from Overbyte web site''']
  
ICS-V8 is the main development version and needed for RAD Studio XE4 and later.
+
ICS-V9 is the long term development version and needed for RAD Studio XE4 and later, it supports Delphi 7 and later.
Older versions are only here for very old compilers and don't have current SSL support.
 
  
== Latest Stable Version ICS V8.69 - recommended ==
+
== Latest Stable Version ICS V9.5 - recommended ==
  
This is the latest recommended version, which has been tested and used for various published ICS application.  It is updated for new releases of RAD Studio and major changes. V8.69 is the version displayed when RAD Studio starts and by the main unit OverbyteIcsWSocket.  Note these versions include the latest version of the OpenSSL DLLs at the time of release.   
+
This is the latest recommended version, which has been tested and used for various published ICS application.  It is updated for new releases of RAD Studio and major changes. V9.2 is the version displayed when RAD Studio starts and by the main unit OverbyteIcsWSocket.  Note these versions include the latest version of the OpenSSL DLLs at the time of release.   
  
 
{| border="1" cellpadding="4" style="background:#eee;border:1px solid #ccc;text-align:left;border-collapse:collapse;"
 
{| border="1" cellpadding="4" style="background:#eee;border:1px solid #ccc;text-align:left;border-collapse:collapse;"
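Review bot: The heading now reads "Latest Stable Version ICS V9.5" but the paragraph under it still says "V9.2 is the version displayed when RAD Studio starts", so the two disagree about which release this section describes. Update the version in the paragraph to match the heading, or explain why the displayed version differs from the recommended download.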
Line 80: Line 96:
 
! Download !! Platforms
 
! Download !! Platforms
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv870.zip ICS-V8.70] || Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. Includes OpenSSL 3.0.7.  
+
| [https://{{SERVERNAME}}/arch/icsv95.zip ICS-V9.5] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11, 12 and 13, C++ Builder 10.4, 11, 12 and 13. Includes OpenSSL 3.6.0, 3.5.4, 3.4.3 and 3.0.18.
 +
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv95-new.zip ICS-V9.5] || Delphi 10.4, 11, 12 and 13 only. Includes OpenSSL 3.6.0, 3.5.4, 3.4.3 and 3.0.18.
 +
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv94.zip ICS-V9.4] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1.
 +
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv94-new.zip ICS-V9.4] || Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv870-D110.zip ICS-V8.70] || Delphi 11 only. Includes OpenSSL 3.0.7.
+
| [https://{{SERVERNAME}}/arch/icsv93.zip ICS-V9.3] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.3.2, 3.2.3 and 3.0.15.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv870-D104.zip ICS-V8.70] || Delphi 10.4 Sydney only. Includes OpenSSL 3.0.7.
+
| [https://{{SERVERNAME}}/arch/icsv93-new.zip ICS-V9.3] || Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.3.2, 3.2.3 and 3.0.15.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv869.zip ICS-V8.69] || Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. Includes OpenSSL 3.0.3.  
+
| [https://{{SERVERNAME}}/arch/icsv92.zip ICS-V9.2] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.0.14. 3.2.2 and 3.3.1.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv869-D110.zip ICS-V8.69] || Delphi 11 only. Includes OpenSSL 3.0.3.
+
| [https://{{SERVERNAME}}/arch/icsv92-new.zip ICS-V9.2] || Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.0.14. 3.2.2 and 3.3.1.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv869-D104.zip ICS-V8.69] || Delphi 10.4 Sydney only. Includes OpenSSL 3.0.3.
+
| [https://{{SERVERNAME}}/arch/icsv91.zip ICS-V9.1] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.0.13. 3.1.5 and 3.2.1.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv868.zip ICS-V8.68] || Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. Includes OpenSSL 3.0.1.  
+
| [https://{{SERVERNAME}}/arch/icsv91-new.zip ICS-V9.1] || Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.0.13. 3.1.5 and 3.2.1.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv868-D110.zip ICS-V8.68] || Delphi 11 only. Includes OpenSSL 3.0.1.
+
| [https://{{SERVERNAME}}/arch/icsv90.zip ICS-V9.0] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 2006 to XE3, 10.2, 10.3, 10.4, 11 and 12. Includes OpenSSL 3.1.2.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv868-D104.zip ICS-V8.68] || Delphi 10.4 Sydney only. Includes OpenSSL 3.0.1.
+
| [https://{{SERVERNAME}}/arch/icsv90-D12.zip ICS-V9.0] || Delphi 12 only. Includes OpenSSL 3.1.2.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv867.zip ICS-V8.67] || Delphi 7 to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11, C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and 11. Includes OpenSSL 1.1.1i.  
+
| [https://{{SERVERNAME}}/arch/icsv90-D11.zip ICS-V9.0] || Delphi 11 only. Includes OpenSSL 3.1.2.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv867-D110.zip ICS-V8.67] || Delphi 11 only. Includes OpenSSL 1.1.1i.
+
| [https://{{SERVERNAME}}/arch/icsv90-D104.zip ICS-V9.0] || Delphi 10.4 only. Includes OpenSSL 3.1.2.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv867-D104.zip ICS-V8.67] || Delphi 10.4 Sydney only. Includes OpenSSL 1.1.1i.
+
| [https://{{SERVERNAME}}/arch/icsv870.zip ICS-V8.70] || Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4 and 11, C++ Builder 2006 to XE3, 10.2, 10.3, 10.4 and 11. Includes OpenSSL 3.0.7.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv870-D110.zip ICS-V8.70] || Delphi 11 only. Includes OpenSSL 3.0.7.
 +
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv870-D104.zip ICS-V8.70] || Delphi 10.4 only. Includes OpenSSL 3.0.7.
 
|}
 
|}
  
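Review bot: The four new rows for ICS-V9.2 and ICS-V9.1 separate the bundled OpenSSL versions with a full stop, for example "Includes OpenSSL 3.0.14. 3.2.2 and 3.3.1.", which reads as a sentence break. Use a comma as the V9.5 and V9.4 rows do. The order also flips between rows: V9.5 lists newest first ("3.6.0, 3.5.4, 3.4.3 and 3.0.18") while V9.4 lists oldest first ("3.0.16, 3.2.4, 3.3.3 and 3.4.1"). Pick one order so a reader comparing rows can see at a glance which OpenSSL branches each archive carries.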
Line 116: Line 141:
 
! Download !! Changes log
 
! Download !! Changes log
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv8w.zip ICS-V8 Snapshot] || [http://{{SERVERNAME}}/arch/change-log-icsv8.xml View]
+
| [https://{{SERVERNAME}}/arch/icsv9w.zip ICS-V9 Snapshot] || [http://{{SERVERNAME}}/arch/change-log-icsv9.xml View]
 
|}
 
|}
  
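Review bot: The snapshot archive link moves to https, but the change-log link in the same row is left as "http://{{SERVERNAME}}/arch/change-log-icsv9.xml". Switch it to https as well, so the row does not mix schemes and the change log is not fetched over plain HTTP.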
Line 126: Line 151:
  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv7w.zip ICS-V7 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv7.xml View]
+
| [https://{{SERVERNAME}}/arch/arch-samples-V9.1.zip ICS-V9.1 Archived Samples] ||
 +
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv8w.zip ICS-V8 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv8.xml View]
 +
|- style="background:#fff;"
 +
| [https://{{SERVERNAME}}/arch/icsv7w.zip ICS-V7 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv7.xml View]
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv6w.zip ICS-V6 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv6.xml View]
+
| [https://{{SERVERNAME}}/arch/icsv6w.zip ICS-V6 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv6.xml View]
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| [http://{{SERVERNAME}}/arch/icsv5w.zip ICS-V5 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv5.xml View]
+
| [https://{{SERVERNAME}}/arch/icsv5w.zip ICS-V5 Archive] || [http://{{SERVERNAME}}/arch/change-log-icsv5.xml View]
 
|}
 
|}
  
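Review bot: The new "ICS-V9.1 Archived Samples" row has an empty Changes log cell where every other row has a View link. Add the link, or a short note that no change log exists for the samples archive. As in the snapshot table, the archive links in this hunk become https while the "change-log-icsv8.xml", "change-log-icsv7.xml", "change-log-icsv6.xml" and "change-log-icsv5.xml" links stay on http://.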
Line 140: Line 169:
 
|-
 
|-
 
! ICS Version !! SVN URL !! HTTP URL
 
! ICS Version !! SVN URL !! HTTP URL
 +
|- style="background:#fff;"
 +
| ICS-V9 || svn://svn.overbyte.be/icsv9 || https://svn.overbyte.be/svn/icsv9
 
|- style="background:#fff;"
 
|- style="background:#fff;"
 
| ICS-V8 || svn://svn.overbyte.be/ics/trunk || https://svn.overbyte.be/svn/ics/trunk
 
| ICS-V8 || svn://svn.overbyte.be/ics/trunk || https://svn.overbyte.be/svn/ics/trunk
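Review bot: The added ICS-V9 row lists the plain "svn://svn.overbyte.be/icsv9" URL first, next to the https one. The svn:// protocol is not TLS-protected, so a checkout over it has no transport-level protection against tampering. Since this is where people fetch source they will compile, say in the table or just below it that the HTTPS URL is the preferred one.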
Line 152: Line 183:
 
Use username = '''ics''' and password = '''ics''' for read access. Write access is only available to TeamICS.
 
Use username = '''ics''' and password = '''ics''' for read access. Write access is only available to TeamICS.
  
== Download OpenSSL Binaries (required for SSL-enabled components) ==
+
== Download OpenSSL Binaries==
 +
 
 +
The OpenSSL binaries are required for all ICS SSL-enabled components.
 +
 
 +
The 64-bit DLLs are only for use with Delphi applications compiled for the 64-bit platform, the 32-bit DLLs work on both 32-bit and 64-bit Windows with 32-bit applications.
  
 
Please note older versions of the ICS source code had an internal check to only allow loading of the latest OpenSSL it was tested with, so you could not use new DLLs with an old application without recompiling with the latest version of ICS first.  
 
Please note older versions of the ICS source code had an internal check to only allow loading of the latest OpenSSL it was tested with, so you could not use new DLLs with an old application without recompiling with the latest version of ICS first.  
  
OpenSSL 1.0.2 and later are only supported by ICS v8, v7 is no longer updated for new OpenSSL versions. The 64-bit DLLs are only for use with Delphi applications compiled for the 64-bit platform, the 32-bit DLLs work on both 32-bit and 64-bit Windows with 32-bit applicationsNote that ICS V8.24 dated 3rd March 2016 and later included the latest OpenSSL 1.0.2 Win32 files to avoid a separate download. This was a long term support version for which free support ceased at the end of 2019, but paid support from OpenSSL continues for those needing it. ICS V8.65 is the last version to support 1.0.2.  
+
OpenSSL 1.0.2 and later were only supported by ICS v8, v7 is no longer updated for new OpenSSL versions.  This was a long term support version for which free support ceased at the end of 2019 unless you have an OpenSSL Premium Level Support contract for $50,000/year. ICS V8.65 was the last version to support 1.0.2.  
  
 
OpenSSL 1.1.0 is obsolete and no longer supported. ICS V8.65 is the last version to support 1.1.0.   
 
OpenSSL 1.1.0 is obsolete and no longer supported. ICS V8.65 is the last version to support 1.1.0.   
  
OpenSSL 1.1.1 is the latest long term support version and adds support for TLSv1.3 RFC8446 and various new cryptographic private key and hash digest types.  Delphi applications require ICS V8.57 or later.  ICS V8.57 and later include the Win32 and Win64 OpenSSL 1.1.1 files. This version will be supported until September 2023. OpenSSL 1.1.1 only supports Windows Vista and later, not XP.  
+
OpenSSL 1.1.1 is obsolete. Support ceased in September 2023 unless you have an OpenSSL Premium Level Support contract for $50,000/year. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
  
 
OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. ICS 8.67 is required to support 3.0.  There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to loaded by the application. This version will be supported until September 2026.
 
OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. ICS 8.67 is required to support 3.0.  There is an optional FIPS module with 3.0 but not available here since our DLLs are not built to standards required for certification. The old engines for special extensions are replaced by new more versatile providers of which the FIPS module is one, a provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need and which needs to loaded by the application. This version will be supported until September 2026.
  
Firefox version 63 and Chrome 71 both support TLSv1.3 final RFC8446, note Chrome has settings for older beta versions that must be disabled.
+
OpenSSL 3.1 is obsolete. Support ceased in March 2025 and is no longer updated for ICS.
 +
 
 +
OpenSSL 3.2 is a minor new release with QUIC client support for HTTP/3 and many other improvements. ICS 8.67 is required to support 3.2.  This version will be supported until November 2025 but ICS has now ceased updates. 
 +
 
 +
OpenSSL 3.3 is a minor new release, minor QUIC and other features. ICS 8.67 is required to support 3.3. This version will be supported until April 2026 but ICS has now ceased updates.
 +
 
 +
OpenSSL 3.4 is a minor new release, minor newr features. ICS 8.67 is required to support 3.4. There is a bug fix in ICS 9.4.  This version will be supported until October 2026.  
  
The OpenSSL DLLs and EXE files included in the zips above are digitally code signed 'Magenta Systems Ltd', one of the organisations that maintains ICS.  The Magenta Systems Code Signing Trust and Certificate Check component may be used to check the correctly signed DLLs are being used by ICS, with this functionality included in  ICS V8.38 and later.  Beware that Windows needs recent root certificates to check newly signed code, and may give an error if the root store has not been kept current by Windows Update, particularly on older versions of Windows such as XP, Vista and 7.
+
OpenSSL 3.5 is a major new long term support release, adding Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and server side QUIC (RFC 9000).
 +
ICS has no plans for QUIC support).  ICS 8.67 is required to support 3.2.  This version will be supported until April 2030.
 +
 
 +
OpenSSL 3.6 is a minor new release, adding several private key improvements and Leighton-Micali Signature (LMS) verification support which is a FIPS requirement.  This version will be supported until October 2027.
 +
 
 +
OpenSSL 4.0 is a major new release, due April 2026.  This version will be supported until April 2028.
 +
 
 +
Please note that ICS does not use any of the new features in OpenSSL 3.2 or later at present, so continuing to use the latest patch version of 3.0 with security fixes is generally fine.
 +
 
 +
The OpenSSL DLLs and EXE files included in the zips above are digitally code signed 'Magenta Systems Ltd', one of the organisations that maintains ICS.  The Magenta Systems Code Signing Trust and Certificate Check component may be used to check the correctly signed DLLs are being used by ICS, with this functionality included in  ICS V8.38 and later.  Beware that Windows needs recent root certificates to check newly signed code, and may give an error if the root store has not been kept current by Windows Update, particularly on older versions of Windows such as XP, Vista and 7. The signed check may be disabled in the OverbyteIcsDefs.inc file by suppressing defines OpenSSL_Check_Signed and OpenSSL_Check_SignCert.
  
 
{| border="1" cellpadding="4" style="background:#eee;border:1px solid #ccc;text-align:left;border-collapse:collapse;"
 
{| border="1" cellpadding="4" style="background:#eee;border:1px solid #ccc;text-align:left;border-collapse:collapse;"
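Review bot: In the new OpenSSL 3.5 paragraph, "ICS has no plans for QUIC support)." has an unmatched closing parenthesis, and the sentence after it says "ICS 8.67 is required to support 3.2", which looks carried over from the 3.2 paragraph. Open the parenthesis before "ICS has no plans" (or drop it) and change the version to 3.5. The 3.4 paragraph has the typo "newr", and the 3.6 and 4.0 paragraphs give no minimum ICS version although the 3.0, 3.2, 3.3 and 3.4 paragraphs do. The sentence added to the code signing paragraph says how to suppress OpenSSL_Check_Signed and OpenSSL_Check_SignCert but not what is lost by doing so. It should state that with those defines suppressed ICS no longer checks that the DLLs it loads are the correctly signed ones.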
Line 172: Line 222:
 
! Date !! Download !! Description !! Comments
 
! Date !! Download !! Description !! Comments
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-11-01 || [http://{{SERVERNAME}}/arch/openssl-3.0.7-win64.zip OpenSSL Binaries Win-64 3.0.7 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-10-02|| [https://{{SERVERNAME}}/arch/openssl-3.6.0-win64.zip OpenSSL Binaries Win-64 3.6.0 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-10-02|| [https://{{SERVERNAME}}/arch/openssl-3.6.0-win32.zip OpenSSL Binaries Win-32 3.6.0 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-10-02 || [https://{{SERVERNAME}}/arch/openssl-3.5.4-win64.zip OpenSSL Binaries Win-64 3.5.4 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
|2025-10-02|| [https://{{SERVERNAME}}/arch/openssl-3.5.4-win32.zip OpenSSL Binaries Win-32 3.5.4 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-10-02|| [https://{{SERVERNAME}}/arch/openssl-3.4.3-win64.zip OpenSSL Binaries Win-64 3.4.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-10-02|| [https://{{SERVERNAME}}/arch/openssl-3.4.3-win32.zip OpenSSL Binaries Win-32 3.4.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-10-02 || [https://{{SERVERNAME}}/arch/openssl-3.0.18-win64.zip OpenSSL Binaries Win-64 3.0.18 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-10-02 || [https://{{SERVERNAME}}/arch/openssl-3.0.18-win32.zip OpenSSL Binaries Win-32 3.0.18 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-09-17 || [https://{{SERVERNAME}}/arch/openssl-3.5.3-win64.zip OpenSSL Binaries Win-64 3.5.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-09-17|| [https://{{SERVERNAME}}/arch/openssl-3.5.3-win32.zip OpenSSL Binaries Win-32 3.5.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-08-08 || [https://{{SERVERNAME}}/arch/openssl-3.5.2-win64.zip OpenSSL Binaries Win-64 3.5.2 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-08-08|| [https://{{SERVERNAME}}/arch/openssl-3.5.2-win32.zip OpenSSL Binaries Win-32 3.5.2 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-07-02 || [https://{{SERVERNAME}}/arch/openssl-3.5.1-win64.zip OpenSSL Binaries Win-64 3.5.1 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 +
|- style="background:#fff;"
 +
| 2025-07-02|| [https://{{SERVERNAME}}/arch/openssl-3.5.1-win32.zip OpenSSL Binaries Win-32 3.5.1 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-11-01 || [http://{{SERVERNAME}}/arch/openssl-3.0.7-win32.zip OpenSSL Binaries Win-32 3.0.7 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-07-02 || [https://{{SERVERNAME}}/arch/openssl-3.4.2-win64.zip OpenSSL Binaries Win-64 3.4.2 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-11-01 || [http://{{SERVERNAME}}/arch/openssl-1.1.1s-win64.zip OpenSSL Binaries Win-64 1.1.1s requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-07-02|| [https://{{SERVERNAME}}/arch/openssl-3.4.2-win32.zip OpenSSL Binaries Win-32 3.4.2 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||  
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-11-01 || [http://{{SERVERNAME}}/arch/openssl-1.1.1s-win32.zip OpenSSL Binaries Win-32 1.1.1s requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-07-02 || [https://{{SERVERNAME}}/arch/openssl-3.0.17-win64.zip OpenSSL Binaries Win-64 3.0.17 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-07-06 || [http://{{SERVERNAME}}/arch/openssl-3.0.5-win64.zip OpenSSL Binaries Win-64 3.0.5 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-07-02 || [https://{{SERVERNAME}}/arch/openssl-3.0.17-win32.zip OpenSSL Binaries Win-32 3.0.17 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-07-06 || [http://{{SERVERNAME}}/arch/openssl-3.0.5-win32.zip OpenSSL Binaries Win-32 3.0.5 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-04-10 || [https://{{SERVERNAME}}/arch/openssl-3.5.0-win64.zip OpenSSL Binaries Win-64 3.5.0 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-07-06 || [http://{{SERVERNAME}}/arch/openssl-1.1.1q-win64.zip OpenSSL Binaries Win-64 1.1.1q requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-04-10|| [https://{{SERVERNAME}}/arch/openssl-3.5.0-win32.zip OpenSSL Binaries Win-32 3.5.0 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||  
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-07-06 || [http://{{SERVERNAME}}/arch/openssl-1.1.1q-win32.zip OpenSSL Binaries Win-32 1.1.1q requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12 || [https://{{SERVERNAME}}/arch/openssl-3.4.1-win64.zip OpenSSL Binaries Win-64 3.4.1 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-05-06 || [http://{{SERVERNAME}}/arch/openssl-3.0.3-win64.zip OpenSSL Binaries Win-64 3.0.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12|| [https://{{SERVERNAME}}/arch/openssl-3.4.1-win32.zip OpenSSL Binaries Win-32 3.4.1 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||  
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-05-06 || [http://{{SERVERNAME}}/arch/openssl-3.0.3-win32.zip OpenSSL Binaries Win-32 3.0.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12 || [https://{{SERVERNAME}}/arch/openssl-3.3.3-win64.zip OpenSSL Binaries Win-64 3.3.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-05-06 || [http://{{SERVERNAME}}/arch/openssl-1.1.1o-win64.zip OpenSSL Binaries Win-64 1.1.1o requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12|| [https://{{SERVERNAME}}/arch/openssl-3.3.3-win32.zip OpenSSL Binaries Win-32 3.3.3 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||  
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-05-06 || [http://{{SERVERNAME}}/arch/openssl-1.1.1o-win32.zip OpenSSL Binaries Win-32 1.1.1o requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12 || [https://{{SERVERNAME}}/arch/openssl-3.2.4-win64.zip OpenSSL Binaries Win-64 3.2.4 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-03-15 || [http://{{SERVERNAME}}/arch/openssl-3.0.2-win64.zip OpenSSL Binaries Win-64 3.0.2 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12 || [https://{{SERVERNAME}}/arch/openssl-3.2.4-win32.zip OpenSSL Binaries Win-32 3.2.4 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||  
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-03-15 || [http://{{SERVERNAME}}/arch/openssl-3.0.2-win32.zip OpenSSL Binaries Win-32 3.0.2 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12 || [https://{{SERVERNAME}}/arch/openssl-3.0.16-win64.zip OpenSSL Binaries Win-64 3.0.16 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-03-15 || [http://{{SERVERNAME}}/arch/openssl-1.1.1n-win64.zip OpenSSL Binaries Win-64 1.1.1n requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2025-02-12 || [https://{{SERVERNAME}}/arch/openssl-3.0.16-win32.zip OpenSSL Binaries Win-32 3.0.16 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2022-03-15 || [http://{{SERVERNAME}}/arch/openssl-1.1.1n-win32.zip OpenSSL Binaries Win-32 1.1.1n requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2024-10-25 || [https://{{SERVERNAME}}/arch/openssl-3.4.0-win64.zip OpenSSL Binaries Win-64 3.4.0 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2020-03-18 || [http://{{SERVERNAME}}/arch/openssl-1.0.2u-win64.zip OpenSSL Binaries Win-64 1.0.2u requires ICS V8.24 to ICS V8.65] || Built with Visual Studio Build Tools 2017 || For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2024-10-25|| [https://{{SERVERNAME}}/arch/openssl-3.4.0-win32.zip OpenSSL Binaries Win-32 3.4.0 requires ICS V8.67 or later] || Built with Visual Studio Build Tools 2017 ||  
 +
Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
 
|- style="background:#fff;"
 
|- style="background:#fff;"
| 2020-03-18 || [http://{{SERVERNAME}}/arch/openssl-1.0.2u-win32.zip OpenSSL Binaries Win-32 1.0.2u requires ICS V8.24 to ICS V8.65] || Built with Visual Studio Build Tools 2017 || Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
+
| 2023-09-21 || [https://{{SERVERNAME}}/arch/openssl-1.1.1w-win64.zip OpenSSL Binaries Win-64 1.1.1w requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.
 +
|- style="background:#fff;"
 +
| 2023-09-21 || [https://{{SERVERNAME}}/arch/openssl-1.1.1w-win32.zip OpenSSL Binaries Win-32 1.1.1w requires ICS V8.57 or later] || Built with Visual Studio Build Tools 2017 || Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.
 +
|- style="background:#fff;"
 +
| 2020-03-18 || [https://{{SERVERNAME}}/arch/openssl-1.0.2u-win64.zip OpenSSL Binaries Win-64 1.0.2u requires ICS V8.24 to ICS V8.65] || Built with Visual Studio Build Tools 2017 || For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.
 +
|- style="background:#fff;"
 +
| 2020-03-18 || [https://{{SERVERNAME}}/arch/openssl-1.0.2u-win32.zip OpenSSL Binaries Win-32 1.0.2u requires ICS V8.24 to ICS V8.65] || Built with Visual Studio Build Tools 2017 || Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.  
 
|- style="background:#fff;"
 
|- style="background:#fff;"
 
|}
 
|}
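Review bot: The retained 1.1.1w and 1.0.2u rows carry no warning in the Comments column, although the text above the table now calls OpenSSL 1.1.1 obsolete and says free support for 1.0.2 ceased at the end of 2019. A reader who goes straight to the table will not see that, so mark those rows as obsolete in Comments, and likewise flag the 3.2.4 and 3.3.3 rows, for which the text says ICS has now ceased updates. On formatting, most of the new Win-32 rows break the line after the third "||" so the Comments cell starts on its own line, while the Win-64 rows and the 3.0.x Win-32 rows keep it on one line, and the date cell spacing varies ("|2025-10-02||", "| 2025-10-02||", "| 2025-10-02 ||"). Pick one form for all rows.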
Line 213: Line 307:
  
 
OpenSSL website also [http://www.openssl.org/related/binaries.html links] to [http://www.slproweb.com/products/Win32OpenSSL.html Win32OpenSSL website] providing another build of Win32 DLL binaries. Note note that unlike the builds above builds on that site may have dependencies on Visual C++ 2008 Redistributables (to keep dll files smaller) so make sure you include all the required (and correct) redistributable files in your software installation. You probably don't have to care about that if you use binaries above at the cost of slightly larger DLLs. Also note that site does not keep archives of older versions so you may want to watch their page if you prefer their binaries.
 
OpenSSL website also [http://www.openssl.org/related/binaries.html links] to [http://www.slproweb.com/products/Win32OpenSSL.html Win32OpenSSL website] providing another build of Win32 DLL binaries. Note note that unlike the builds above builds on that site may have dependencies on Visual C++ 2008 Redistributables (to keep dll files smaller) so make sure you include all the required (and correct) redistributable files in your software installation. You probably don't have to care about that if you use binaries above at the cost of slightly larger DLLs. Also note that site does not keep archives of older versions so you may want to watch their page if you prefer their binaries.
 
== Browser Demo Application using HtmlViewer ==
 
 
This is an example internet browser using the HtmlViewer component from [https://github.com/BerndGabriel/HtmlViewer GitHub (11.8)].
 
 
The browser demo is in the ICS nightly zip, in the folder samples\delphi\browserdemo, the project is FrameBrowserIcs.dpr. An  executable version of the new demo may also be downloaded from here, built with HtmlViewer 11.8 and ICS V8.69, using Delphi 11.0. 
 
 
{| border="1" cellpadding="4" style="background:#eee;border:1px solid #ccc;text-align:left;border-collapse:collapse;"
 
|-
 
! Download
 
|- style="background:#fff;"
 
| [http://{{SERVERNAME}}/arch/BrowserDemoIcs.zip Executable Browser Demo - last update V8.69]
 
|}
 
 
The HtmlViewer component must be downloaded and installed before the demo can be built.  The demo is based on FrameBrowserIndy project but with various enhancements, specifically display of all HTTP, SSL and some or all HTML traffic which makes it very useful for debugging the THttpCli component. Recent versions of HtmlViewer also include FrameBrowserIcs.dpr but it has been changed substantially from the ICS version and I've been unable to build it.
 
 
The Options, Settings window allow the SSL security level to be adjusted to various TLS and cipher variations, which can be useful testing web sites that ICS has difficulty accessing. 
 
 
The project is a good basic browser for HTML4, but does not support any scripting, so most sites without backward compatibility may appear strange.
 

Latest revision as of 17:47, 16 October 2025

ICS is available as source code only. You need Delphi to build the sample programs and create your own application.

ICS versions available:

  • ICS-V9 for Delphi 7 to Delphi 13 / C++ Builder 10.2 to 13, FireMonkey cross platform support for POSIX/MacOS (long term support release, 32 and 64-bit).
  • ICS-V8 for Delphi 7 to Delphi 11 (stable release, no new development, please upgrade to V9).
  • ICS-V7 for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder XE3 (discontinued and obsolete, please upgrade to V9).
  • ICS-V6 for Delphi 7 / C++ Builder 2006 to Delphi / C++ Builder 2007 (discontinued and obsolete, please upgrade to V9 if you do not have to support Windows versions < W2K).
  • ICS-V5 for Delphi / BCB 1 to Delphi / C++ Builder 2007 and Delphi .NET (discontinued and obsolete, please upgrade to V9).

ICS News

Changes in ICS V9.5 include:

  1. Major improvements in ICS V9.5 include a new geographic component that has built in IP address databases for countries and ASN; server components have a new event called before a connection is accepted allowing 'firewall' rejection of connections based on IP address; the MQTT client and server components now support protocol 3.1.1; the automatic certification ordering component now supports Google Trust Services and other ACME suppliers, as well as Let's Encrypt; changes for the HTTP clients and servers to better support REST request APIs;
  2. Many of these improvements, and the delay finishing this release, relate to web server improvements needed to mitigate a nine-month-long attack on a public web server that started with millions of accesses from two Far East IP addresses, progressed to accesses from VPNs at data centres worldwide, then finally to a botnet that caused access from over one million different IP addresses in 150 countries each week. It's not often a developer has first-hand experience of such web server abuse; we try to plan for it, but rarely experience it directly. The ICS web server samples already had filtering by IP addresses and reverse DNS lookup, and this worked for a few months with manual updating of the filtering lists, but this was time consuming. So a new GEO component was added with an IP address to country database that allowed specific countries to be blocked, then regions of the world, and finally an ASN database allowed specific cloud/ISPs to be blocked. During these months, the ICS web server kept working, albeit slowing as logs tried to handle the vast volumes of IP addresses, needing rewrites of some ICS components. But everything is now stable and ICS is capable of handling such heavy traffic.
  3. TWSocketServer has a new OnClientAcceptFilter event, called before the component accepts an incoming connection, allowing filtering on the remote IP address so the connection is refused without any more events being called. This action is similar to a firewall refusing a connection, rather than opening and immediately closing it again. Before the event is called, a TIcsSessIpInfo record is filled with remote and local addresses and ports in binary and as strings, saving a lot of application code; the event can complete other record fields. This event can be used with the new GEO components to check countries and regions that should be blocked, and with the TIcsBlacklist component to stop previously blocked addresses from accessing the server. The THttpSrv HTTP server has a similar OnHttpAcceptFilter event, and it will be added to other servers for the next release.
  4. Added a new TIcsGeoTools component that reads MaxMind formatted GEO database files using the MMDBReader component, and includes two small databases from db-ip.com, 'IP to Country Lite' and 'IP to ASN Lite', but can handle other MaxMind databases. Both databases are available as resource files that can be linked into applications or loaded from a file to be shared between servers. There is also a country name database ICS-Countries.csv linked as a resource file that contains country GEO information. ASN is Autonomous System Name, an ISP or cloud name, that supplements reverse DNS (often missing) in identifying the owners of IP addresses. The databases are updated monthly by db-ip.com and can be downloaded from them; we will try to keep ICS up to date.
  5. The TIcsGeoTools component is a self contained unit, IcsGeoUtils.pas with no dependencies, but is only available for Delphi 11 and later due to use of new language features. The component needs to be created in code and the databases required loaded before use, see the samples mentioned below. The main lookup methods are FindISOA2Code and FindASNCode, then FindCountry and FindRegion from an ISOA2 country code, region is a quick was to block all Asian countries for instance. The TIcsDomainNameCache and TIcsBlacklist now include ISOA2 and ASN fields that are included in responses and reports from these components. Beware block countries and regions may have unexpected consequences, for instance Let's Encrypt and Google validate SSL/TLS certificate domain names from multiple countries.
  6. The OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService samples use the databases in the new server OnHttpAcceptFilter event, and writes country and ASN to the web log file, as well as allowing hacker filtering using this information. The OverbyteIcsNetTools sample Trace Route now shows the country and ASN for each IP in the route to the destination, as well as reverse DNS, although the IP addresses allocated to network routers don't appear to totally accurate. These samples only use TIcsGeoTools if DEFINE USE_IcsGeoTools is set in Defs.inc.
  7. Added new components TIcsFilterList and TIcsIpAddrList to replace TestFilters using HackFilterList and TestIpWhiteList using WhiteIpList in sample OverbyteIcsSslMultiWebServ1.pas. TIcsFilterList reads same file hackfilterlist.txt containing key=value pairs which are used to filter incoming connections for path, remhost, country, useragent or referrer, trying to filter out abusive remote hosts. TIcsIpAddrList reads same file whiteiplist.txt which is a list of ASCII IP full or partial addresses, generally that should not be blocked by filters. The TIcsBlacklist has major changes including support for saving IPv6 addresses in binary as well as ASCII, they sort better in reports and take less memory, adding and checking an TSockAddrIn6 which avoids conversion to strings, and other improvements to handle one million IP addresses more efficiently.
  8. Since Let's Encrypt introduced the ACME (Automatic Certificate Management Environment) protocol to download free SSL/TLS certificates, other suppliers have added automated ordering using the same API, mostly with extra account information for commercial certificates. ICS has been tested successfully with free certificates from Google Trust Services, and should work with DigiCert, ZeroSSL and SSLcom, but these three are primarily commercial suppliers and need prepaid accounts, so not tested yet. Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates up to 90 days with multiple wildcards, but allows the expiry days to be specified during ordering, down to three days. Some companies were reluctant to use Let's Encrypt when there was no alternative in case of extended down time, now Google offers that alternate.
  9. Apart from Let's Encrypt, suppliers use ACME external accounting to tie the ordering process to web site accounts, which is explained in comments in the OverbyteIcsSslX509Certs unit, more information will be added and the wiki pages updated soon. Google needs the Google Cloud CLI Windows application installing, type a few commands and you get the external account information Acme needs. The OverbyteIcsX509CertsTst sample has a major revision to support multiple account suppliers and to specify the external accounting information. The sample needs to be run on any servers that will order certificates to create the initial Acme account (except for Let's Encrypt), and includes a web server allowing test certificates to be ordered provided DNS points to a public IP on the server. Most suppliers provide a testing endpoint which is listed in OverbyteIcsX509CertsTst so you can order fake certificates to understand the process. There is now a facility to ask ICS servers to renew certificates on demand from the OverbyteIcsX509CertsTst sample, previously you had to mess with the INI file to force a new order.
  10. TWSocketServer has a lot of improvements relating to SSL/TLS certificates, many relating to new IcsHosts options to support suppliers other than Let's Encrypt. IcsHosts has a new property AcmeSupplier as TAcmeSupplier which may be AcmeLetsEncrypt or AcmeGoogle (or several others), and property SupplierTitle to specify the account name of that supplier from a database. The supplier accounts database is generally maintained by the OverbyteIcsX509CertsTst sample, which must be used to create accounts for new suppliers, and which may be used to view certificate orders. SupplierTitle is used instead of specifying CertDirWork which will be looked up from C:\ProgramData\ICS-Acme-Accounts\ics-acme-accounts.db. By default, new work directories will be in: C:\ProgramData\ICS-Acme-Accounts\. CertDirWork is still supported, but it's recommended that applications move to using supplier accounts instead, which can be monitored using OverbyteIcsX509CertsTst. Google and other suppliers only work with supplier accounts, since information is needed that is not in IcsHosts.
  11. IcsHosts has other new properties: AcmeCertProfile to specify the type of certificate requested for Let's Encrypt, listed in FAcmeProfileNames array, default classic, optional tlsserver and shortlived (7 day, not yet available); AcmeCertValidity to specify certificate life in days, default 90, only Google at present, down to 3 days. Certificate ordering now makes use of the ACME Renewal Information API that specifies how many days before expiry a certificate should be renewed, and how often these dates should be rechecked to see if the certificate needs immediate renewal due to being revoked. This overrides CertExpireDays. Renewal Information is checked each time the certificate chain is checked, but is cached so there is usually only a server API call every six hours. Note with OCSP gone, this is now the only way to check if a certificate is revoked.
  12. Reworked certificate checking so if automatic ordering is enabled the Acme account information is looked up when the certificate is first loaded to get renewal information and maybe working directory, rather than only when time to order a new certificate, so there is more logging and error checking at load time. Temporary ICS self signed certificates are now created in GSSL_CERTS_DIR instead of TempPath. When starting a certificate order, if the challenges have been previously completed OK, collect order immediately, don't try to start them again. Let's Encrypt is implementing a change in the way new certificates are issued, which may be delayed a few seconds after the CSR is provided, rather than immediately, so the component now waits and checks every five seconds for the new certificate to be issued. This already happens for Google. Note this Let's Encrypt change means earlier ICS versions will soon fail to work.
  13. ICS now supports ordering SSL/TLS certificates with IP addresses as well as host domain names, tested with Let's Encrypt Staging but not available yet from live certificates. Testing showed a problem using SSL with IP address URLs relating to the Server Name Indication HELO feature which does not allow simple IP addresses which must be converted to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa. Automatic certificate ordering in IcsHosts now has a database property CertRenewNow that if set true in the database using the OverbyteIcsX509CertsTst, will override certificate expiry checking and cause an immediate new certificate replacement order in servers with IcsHosts the next time RecheckSslCerts is called by the server, typically every two hours.
  14. Fixed a long term problem where SSL/TLS server name SNI checking for a matching IcsHost used the certificate SANs that might have included a wild card, instead of the Hosts list of host names. If one IcsHost allowed wild cards it might have been found instead of a specific IcsHost for a single host.
  15. New major versions of OpenSSL often add new functions and deprecate older functions that are then removed in a subsequent major release after applications should have been updated. ICS has added a DEFINE OpenSSL_Deprecated without which no deprecated functions should be loaded. ICS has been testing with a special build of OpenSSL 3.5 without deprecated functions and several units have now been updated to use newer 3.0 functions, so no more work should be necessary for OpenSSL 4.0 when those deprecated functions could disappear. The DEFINE OpenSSL_Deprecated should only be needed if your application uses old OpenSSL functions for encryption or signing. The OverbyteIcsJoseTst sample also needs OpenSSL_Deprecated for RSA string encryption, pending a rewrite without deprecated functions. ICS now only creates the C:\ProgramData\ICS-OpenSSL directory if conditionals OpenSSL_Resource_Files or OpenSSL_ProgramData are specified meaning OpenSSL files are expected there. Otherwise the developer is responsible for setting GSSL_DLL_DIR to the OpenSSL DLL directory.
  16. Updated the MQTT client and server components to support protocol 3.1.1 which is commonly used, previously we only supported 3.1. The client will connect to a v5 server by ignoring dozens of new options, but needs a lot more work, much more complicated than v3.1.1, not planning any more v5 unless there is a specific requirement. Added LogPackets property to log packets in ASCII and hex for diagnostics, UseSSL property to force client to use SSL on any port, BlankClient property (anonymous) for 3.1.1 so server allocates ClientId, but only v5 tells us that ID. BurstMode property for 3.1.1 so client does not wait for response to Connect, but publishes immediately. When subscribing with v3.1.1, the server now returns a failure flag for permissions failure, which is returned as QoS qtFAILURE. Also improvements to the OverbyteIcsMQTTst sample, allow Username/Password to be set, so they may be left blank, ClientHost is now a drop down box, and includes test.mosquitto.org that may be used for client testing, see https://test.mosquitto.org/ for a long list of ports for different testing purposes, allow MQTT protocol to be specified, added v3.1.1 and v5, and options to test all new functions. If the server SSL port is non-zero, the server will create an ICS CA signed certificate for the host name (ie localhost) if a certificate file bundle is not found.
  17. There are various WebSocket improvements. The client now has optional asynchronous connection which no longer blocks the initial WSConnect which now returns immediately and an OnWSConnected event is called when the connection is ready or fails, so should now correctly process a welcome message or packets sent immediately upon connection. The server now has a configurable delay after connection before sending a welcome message or packets, for clients that can not process them immediately. Fixed a problem that data sent immediately a new connection opened could be lost because the component had not switched to Websocket mode. Allow Sec-WebSocket-Protocol: header to be added with HeaderSecWebSocketProtocol values (chat, superchat, etc). Added a new OnWSFramesDone event called when a queue of frames has been sent, for flow control when sending a lot of data. Note the IcsAppMonMan.dpr sample illustrates how to use multiple WebSocket client components to contact multiple WebSocket servers and display information from them, it comes configured to view three public servers running ICS web, FTP and proxy servers.
  18. Fixed a long term problem with ECDSA binary digests, which have two formats, ASN.1 used by OpenSSL and IEEE P1363 which is shorter fixed length and often also used. Added IcsDigestAsntoIEEE and IcsDigestIEEEtoAsn to convert between the two formats, and a new EcdsaIEE flag to IcsAsymSignDigestTB, IcsAsymVerifyDigestTB, IcsJoseJWSJson, IcsJoseGetSigTB, IcsJoseCheckSigTB and IcsJoseCheckJWS to use the new format, only effective when using EC private keys. Signing Acme requests with EC keys now correctly use IEEE P1363 digests so finally work properly, been looking for this since 2018.
  19. CreateSelfSignCertEx now adds IP addresses to the correct alternate list, not allowed as common name. TSslCertTools has new certificate properties for more Distinguished Names, mainly for personal names: Street, SurName, GivenName, NameTitle, NameInitials, used when creating Certificate Requests. Using Description no longer gives an error.
  20. The HTTP clients THttpCli and TSslHttpRest have new properties RespAttachment (Boolean) and RespFileName, parsed from Content-Disposition: response header which can be used to offer to save content as a file, and RespRetryDT parsed from Retry-After: response header, when this request should next be repeated as TDateTime. ResponseNoException now defaults to True to skip exceptions for most connection errors like 404, etc, beware this default change may cause applications expecting exceptions to misbehave, either set it false or check StatusCode in RequestDone.
  21. In HTTP client TSslHttpRest, if HttpUploadStrat=HttpUploadSimple, add unofficial Content-Disposition request header that some web servers might check for an upload file name. Check for a Json response of an array only [] without objects. Allow GET and DELETE methods to use PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this.
  22. The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is an array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance: RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]}; RPFmtArrayVal: [data1, data2, data3]; RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}]
  23. In the HTTP servers THttpSrv and THttpAppSrv, allow the built in HTTP error response to be customised using new event OnHttpCustomError which is called by the error handlers with the error, path, and existing Body, that may be replaced or modified as required. Called for errors 301, 302, 307, 308, 400, 401, 403, 404, 416, 501. Added new hoContDispHdr Option and AttachmentTypes list of file extensions that if matched causes the server to add a Content-Disposition: attachment header with the filename, that should cause a browser to offer a 'Save As' dialog to save a binary file, rather than trying to display it. Note the default list includes .pdf so Acrobat files are saved rather than displayed. The Get and Delete methods now accept uploaded body content similarly to POST/PUT. The derived THttpAppSrv server has handlers for uploaded content, for THttpSrv you need to write your own. Added OnHttpAcceptFilter event called before TWSocketServer accepts an incoming connection allowing filtering on the remote IP address so the connection is refused without any more events being called.
  24. TWSocket has a new property SessionIpInfo which is TIcsSessIpInfo record set after connection with the local and remote IP addresses and ports from the socket, also socket type and protocol, as internal and string versions. Might be easier to use than various GetPeer methods. Set for accepted listen connections. Fixed a missing inherited DupConnected that meant counters did not get reset. The SSL/TLS Server Name extension does not allow raw IP addresses, so convert them to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa.
  25. Added Windows memory reporting functions IcsMemInfoProg, IcsMemInfoGlob and IcsMemInfoPerf to the OverbyteIcsWinUtils unit, useful for server monitoring, used by the sample IcsAppMon.dpr. Also IcsMemWarning to check for low or critical memory problems, returns Warning at 85% physical or page file usage, critical at 95% usage (reboot probably required).
  26. ICS added OCSP (Online Certificate Status Protocol) support a few years ago, used to check if certificates have been revoked. But running the massive OCSP databases needed has proved challenging, and the industry is moving away from OCSP, Let's Encrypt stopped adding an OCSP URL to certificates in May 2025. OCSP adds quite a lot of code, so added new defines to ICS so OCSP code is only linked if using authorities that still support OCSP, see information about OverbyteIcsDefs.inc. This change affects many components that check certificates, if the defines are disabled OCSP properties are still available, but will be ineffective, removing the OCSP properties would result in too many form errors.
  27. Another reason for OCSP's demise is shorter SSL/TLS certificate life, so they expire rather than needing to be revoked. From 15th March 2026, certificate life span is reduced to 200 days, from 15th March 2027 down to 100 days and finally from 15th March 2029 to 47 days, but only 10 days for domain control validated certificates, such as most free certificates which are currently 90 days maximum. ICS can already order seven day certificates from Google Trust Services, with Let's Encrypt adding this later in 2025.
  28. ICS now defaults to the latest OpenSSL version 3.5.2 which includes support for new Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and for server side QUIC (RFC 9000). ICS has no plans for QUIC support, not yet investigated PQC, don't believe any low level changes are needed, maybe changes to the cipher lists. This is a long term support release with fixes and security updates for five years, until April 2030. ICS still includes four older OpenSSL versions, which will slowly disappear as they reach end of life, about one every six months.
  29. The OverbyteIcsDefs.inc file included in most ICS units has several new defines. DEFINE OpenSSL_36 (due Oct 2025) and OpenSSL_40 (due Apr 2026). Enabled DEFINE OpenSSL_35 for OpenSSL 3.5. DEFINE OpenSSL_OcspStaple, should SSL server staple an OCSP response to check if server certificate is revoked. Let's Encrypt stopped adding an OCSP URL to certificates in May 2025 so only enable this if using authorities that still support OCSP, to avoid extra code being linked. DEFINE OpenSSL_OcspChains, should SSL clients checking a certificate chain check an OCSP server to see if the certificate is revoked, only happens if the certificate has an OCSP URL, undefine to remove the extra code that does OCSP checks. DEFINE OpenSSL_Deprecated, should OpenSSL deprecated functions be loaded, not needed for ICS but may be used by applications for encryption or signing. DEFINE USE_IcsGeoTools used by samples with the TIcsGeoTools component to lookup countries from IP addresses, D11 and later only.
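
The accept-time filtering described in items 3 to 7, as an added Python example (not ICS code, and not the format of the ICS databases or list files). Assumptions made here: the check order (white list, blacklist, ASN, country, region), partial white list entries matching only when they end on a separator, and all table contents, country codes and names, which are constructed from documentation address ranges.

```python
"""Pre-accept connection filter: white list, blacklist, then ASN / country / region."""
import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    accept: bool
    reason: str
    country: Optional[str] = None   # kept so the web log can record it
    asn: Optional[str] = None


@dataclass
class Policy:
    allow_entries: list = field(default_factory=list)   # full or partial addresses
    blocked_ips: set = field(default_factory=set)       # previously blocked addresses
    blocked_asns: set = field(default_factory=set)
    blocked_countries: set = field(default_factory=set)
    blocked_regions: set = field(default_factory=set)


class GeoTable:
    """Tiny stand-in for an IP-to-country/ASN database (longest prefix wins)."""

    def __init__(self, rows):
        self.rows = [(ipaddress.ip_network(n), c, r, a) for n, c, r, a in rows]

    def find(self, ip):
        best = None
        for net, country, region, asn in self.rows:
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, country, region, asn)
        return best[1:] if best else (None, None, None)


def normalise(text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so a
    dual-stack listener applies the same IPv4 rules to it."""
    ip = ipaddress.ip_address(text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def allowlisted(ip_text, entries):
    """Full entries must match exactly. A partial entry must end in '.' or ':',
    otherwise '203.0.113.1' would also let through '203.0.113.10'."""
    for entry in entries:
        if ip_text == entry:
            return True
        if entry.endswith((".", ":")) and ip_text.startswith(entry):
            return True
    return False


def accept_filter(remote, policy, geo):
    """Decide from the remote address alone, before any connection is accepted."""
    try:
        ip = normalise(remote)
    except ValueError:
        return Decision(False, "invalid")
    text = str(ip)
    country, region, asn = geo.find(ip)
    if allowlisted(text, policy.allow_entries):
        return Decision(True, "allowlist", country, asn)
    if text in policy.blocked_ips:
        return Decision(False, "blacklist", country, asn)
    if asn in policy.blocked_asns:
        return Decision(False, "asn", country, asn)
    if country in policy.blocked_countries:
        return Decision(False, "country", country, asn)
    if region in policy.blocked_regions:
        return Decision(False, "region", country, asn)
    return Decision(True, "default", country, asn)


# Constructed sample data: documentation ranges, user-assigned X* country codes.
SAMPLE_GEO_ROWS = [
    ("203.0.113.0/24", "XA", "Region-1", "ExampleCloud"),
    ("203.0.113.128/25", "XB", "Region-2", "ExampleISP"),
    ("198.51.100.0/24", "XC", "Region-2", "ExampleHosting"),
    ("192.0.2.0/24", "XD", "Region-3", "ExampleTelco"),
    ("2001:db8::/32", "XB", "Region-2", "ExampleISP"),
]
SAMPLE_POLICY = Policy(
    allow_entries=["203.0.113.1", "198.51.100."],
    blocked_ips={"203.0.113.201"},
    blocked_asns={"ExampleCloud"},
    blocked_countries={"XC"},
    blocked_regions={"Region-3"},
)

if __name__ == "__main__":
    geo = GeoTable(SAMPLE_GEO_ROWS)
    for addr in ("203.0.113.1", "203.0.113.10", "::ffff:203.0.113.10",
                 "198.51.100.20", "203.0.113.200", "192.0.2.50", "10.1.2.3"):
        print(addr, accept_filter(addr, SAMPLE_POLICY, geo))
```

Only the remote address is known at this point, so an exemption that depends on the request path cannot be expressed here and has to come from the white list.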
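
The two ECDSA signature encodings from item 18, as an added Python example (not ICS code, and not the implementation of IcsDigestAsntoIEEE or IcsDigestIEEEtoAsn): ASN.1 DER wraps r and s as variable-length INTEGERs inside a SEQUENCE, while IEEE P1363 is the fixed-width concatenation r||s that JOSE signatures carry. Function names and sample values are constructed here.

```python
"""ECDSA signature encodings: ASN.1 DER <-> IEEE P1363 (added illustration)."""

# Bytes per coordinate for the curves behind JOSE ES256 / ES384 / ES512.
COORD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}


def _read_len(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    count = first & 0x7F                   # long form: number of length bytes
    if count not in (1, 2) or pos + count > len(buf):
        raise ValueError("unsupported or truncated length")
    length = int.from_bytes(buf[pos:pos + count], "big")
    if length < 0x80 or (count == 2 and length < 0x100):
        raise ValueError("non-minimal length")
    return length, pos + count


def _read_int(buf, pos):
    """Parse one non-negative, minimally encoded DER INTEGER."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + length


def der_to_p1363(der, curve):
    """SEQUENCE { INTEGER r, INTEGER s } -> r||s, each left-padded to curve size."""
    size = COORD_BYTES[curve]
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(der, 1)
    if pos + length != len(der):
        raise ValueError("SEQUENCE length mismatch")
    r, pos = _read_int(der, pos)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes")
    try:
        return r.to_bytes(size, "big") + s.to_bytes(size, "big")
    except OverflowError:
        raise ValueError("integer too large for curve") from None


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    """Minimal INTEGER: strip leading zeros, add 0x00 if the top bit is set."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def p1363_to_der(sig, curve):
    """r||s (fixed width) -> DER SEQUENCE of two INTEGERs."""
    size = COORD_BYTES[curve]
    if len(sig) != 2 * size:
        raise ValueError("P1363 signature must be exactly 2 * coordinate size")
    body = _der_int(int.from_bytes(sig[:size], "big"))
    body += _der_int(int.from_bytes(sig[size:], "big"))
    return b"\x30" + _der_len(len(body)) + body


# Constructed sample: r has its top bit set (DER adds a 0x00 pad), s is tiny.
SAMPLE_P1363 = b"\x80" + b"\x11" * 31 + b"\x00" * 31 + b"\x01"

if __name__ == "__main__":
    der = p1363_to_der(SAMPLE_P1363, "P-256")
    print(len(SAMPLE_P1363), "byte P1363 ->", len(der), "byte DER:", der.hex())
    print("round trip ok:", der_to_p1363(der, "P-256") == SAMPLE_P1363)
```

The DER form varies in length from one signature to the next, which is why a verifier expecting one encoding rejects the other even when the key and hash are right.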

Changes in ICS V9.4 include:

  1. Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen.
  2. The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line.
  3. TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs.
  4. In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end. Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL.
  5. When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded.
  6. In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error. Don't report directories as being downloadable, they are not. If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors.
  7. The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4.
  8. The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent.
  9. When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available.
  10. The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default.
  11. The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging.
  12. In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents.
  13. The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519.
  14. There is a new unit OverbyteIcsWinUtils that contains Windows API functions, built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access. It's planned to move most other Windows specific function here for ICS V10.
  15. In the ICMP component, fixed a problem setting property PingMsg to the text to ping.
  16. In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients.
  17. In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file.
  18. In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions. Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb).
  19. The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32. Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12.

Changes in ICS V9.3 include:

  1. V9.3 continues the simplification of use of ICS components by consolidating many types and constants into the OverbyteIcsTypes unit, avoiding projects needing to find and add specific units before they will build. For XE2 and later, OverbyteIcsTypes and OverbyteIcsSslBase will be added automatically when components needing them are dropped on a form, or that form accessed for existing projects. One benefit of this change is removing dependence on several units for many components and applications, it should be possible to remove OverbyteIcsWinsock, OverbyteIcsLIBEAY, OverbyteIcsSSLEAY and OverbyteIcsLogger from most applications, and also other units. See https://wiki.overbyte.eu/wiki/index.php?title=Updating_projects_to_V9.3 for more information.
  2. Previously, the Windows Certificate Store was supported on Windows for all components and samples, despite it not always being required. There are three new defines {$DEFINE MSCRYPT_Clients}, {$DEFINE MSCRYPT_Servers} and {$DEFINE MSCRYPT_Tools} that determine which components can use the store, at least one must be set or applications that need the store will fail. Although these new defines all default to enabled in the OverbyteIcsDefs.inc supplied with V9.3 and later, unless this file is installed, Windows Certificate Store will be unavailable. These defines are disabled for non-Windows platforms and for C++ Builder which has bugs.
  3. Added new application independent monitoring, comprising a client component and server sample. The ICS Application Monitor TIcsAppMonCli client component is designed to report to an ICS Application Monitor server, which will ensure the main application remains running. The ICS Application Monitor server IcsAppMon.exe is designed to monitor ICS applications using the TIcsAppMonCli client component, and ensure they remain running, restarting the application if it stops or becomes non-responsive, or on demand. Primarily to keep ICS server Windows services running non-stop, but may also be used for network wide monitoring of ICS applications. Client and server both use the TIcsIpStrmLog component with a simple TCP protocol. More information at https://wiki.overbyte.eu/wiki/index.php?title=FAQ_ICS_Application_Monitoring
  4. The HTTP client components TSslHttpCli and TSslHttpRest have new RespMimeType and RespCharset response properties parsed from the Content-Type header to avoid applications needing to parse this header. Fixed a problem in V9.2 where a missing / was added to the start of the request path, but was not needed for absolute paths used for proxies.
  5. The TIcsIpStrmLog streaming log component has improvements for TCP Server mode when multiple remote clients connect. Previously the same data was sent to all remote clients (the original concept being remote logging), but now applications can send data to specific remote clients, and more easily check which remote client is receiving data. This change means TIcsIpStrmLog can be used as the core of many TCP servers with different protocols, such as the new IcsAppMon sample, see above.
  6. The TSslHttpRest component has a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self signed private certificates, maybe checking certificate serials, names or public key. If LogSslVerMethod = logSslVerOwnEvent, a new event OnSslCertVerifyEvent is called so the application can check the chain and change the verify result appropriately.
  7. Improved the ability to customise SSL ciphers if the ICS defaults need to be changed. TSslContext and TIcsHosts have three properties, SslCipherList for TLSv12 ciphers, SslCipherList13 for TLSv13 ciphers, and SslCryptoGroups sets the cipher curve groups allowed (like P-256 or X25519). Beware old SslContexts may include group P-512 which must be corrected to P-521. SSL handshake responses now show the curve group used for OpenSSL 3.2 and later. The OverbyteIcsHttpsTst client sample may be used to test the new cipher options, and they will be read from IcsHosts INI files for servers.
  8. Added a new web server sample OverbyteIcsBasicWebServer1.dpr which is a simplified version of OverbyteIcsSslMultiWebServ ignoring configuration INI files, security features, session data, most demo pages and most logging, and settings for localhost set in code, search for IcsHosts to change IP addresses, etc. This sample should be easier to use as a basis for new web server applications. The existing samples OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService have a new index.html template page, and default to localhost 127.0.0.1 with an internal localhost SSL certificate, so should always respond to https://localhost/ without any INI file changes.
  9. Fixed an HTTP web server problem in V9.2 to avoid repeated redirection for virtual default page /, was adding /// etc.
  10. Updated OpenSSL binary and resource files to releases 3.3.2, 3.2.3 and 3.0.15, only one of which will be linked according to defines.
  11. Restored the sample OverbyteIcsConHttp.dpr which is a console example, now supports SSL by replacing THttpCli with TSslHttpRest, no longer needs any events or a message loop for a single sync request, so less code than without SSL. Now contacts https://wiki.overbyte.eu/wiki.
  12. A lot of changes have been made preparing ICS for Linux. Corrected loading OpenSSL on Posix, now loads the system supplied OpenSSL 3 DLLs on Ubuntu 22.04. The Linux package now builds correctly, but beware WSocket is not yet supported on Linux so no protocols will work. There is a new IcsPemTest FMX sample that works on Ubuntu 22.04 and which will create ICS signed SSL certificates. Note, MacOS support is disabled pending the new Posix implementation.

Overbyte Website

There are four options to obtain the source code.

Download from Overbyte web site

ICS-V9 is the long term development version and needed for RAD Studio XE4 and later, it supports Delphi 7 and later.

Latest Stable Version ICS V9.5 - recommended

This is the latest recommended version, which has been tested and used for various published ICS applications. It is updated for new releases of RAD Studio and major changes. V9.2 is the version displayed when RAD Studio starts and by the main unit OverbyteIcsWSocket. Note these versions include the latest version of the OpenSSL DLLs at the time of release.

Download Platforms
ICS-V9.5 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11, 12 and 13, C++ Builder 10.4, 11, 12 and 13. Includes OpenSSL 3.6.0, 3.5.4, 3.4.3 and 3.0.18.
ICS-V9.5 Delphi 10.4, 11, 12 and 13 only. Includes OpenSSL 3.6.0, 3.5.4, 3.4.3 and 3.0.18.
ICS-V9.4 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1.
ICS-V9.4 Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.0.16, 3.2.4, 3.3.3 and 3.4.1.
ICS-V9.3 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.3.2, 3.2.3 and 3.0.15.
ICS-V9.3 Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.3.2, 3.2.3 and 3.0.15.
ICS-V9.2 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.0.14, 3.2.2 and 3.3.1.
ICS-V9.2 Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.0.14, 3.2.2 and 3.3.1.
ICS-V9.1 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 10.4, 11 and 12. Includes OpenSSL 3.0.13, 3.1.5 and 3.2.1.
ICS-V9.1 Delphi 10.4, 11 and 12 only. Includes OpenSSL 3.0.13, 3.1.5 and 3.2.1.
ICS-V9.0 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4, 11 and 12, C++ Builder 2006 to XE3, 10.2, 10.3, 10.4, 11 and 12. Includes OpenSSL 3.1.2.
ICS-V9.0 Delphi 12 only. Includes OpenSSL 3.1.2.
ICS-V9.0 Delphi 11 only. Includes OpenSSL 3.1.2.
ICS-V9.0 Delphi 10.4 only. Includes OpenSSL 3.1.2.
ICS-V8.70 Delphi 7 to XE8, 10, 10.1, 10.2, 10.3, 10.4 and 11, C++ Builder 2006 to XE3, 10.2, 10.3, 10.4 and 11. Includes OpenSSL 3.0.7.
ICS-V8.70 Delphi 11 only. Includes OpenSSL 3.0.7.
ICS-V8.70 Delphi 10.4 only. Includes OpenSSL 3.0.7.

From XE8 onwards, Delphi includes a new GetIt tool that offers a catalog of third party components, and allows them to be automatically downloaded and installed. The same stable ICS versions listed above should be available from GetIt.

Zipped Daily Snapshots

This is the easiest way to get the latest version. These packages are built from the version control repositories automatically when they change and are refreshed once a day. To use the latest OpenSSL version, download this snapshot. Note the snapshot includes the latest version of the OpenSSL DLLs.

Download Changes log
ICS-V9 Snapshot View

Archives

Download Changes log
ICS-V9.1 Archived Samples
ICS-V8 Archive View
ICS-V7 Archive View
ICS-V6 Archive View
ICS-V5 Archive View

Version Control System

Using the version control repository is the best choice if you want to get live access to current development files. Overbyte uses a Subversion server and you need to use a Subversion client such as TortoiseSVN or your favorite browser. The URLs are as follows:

ICS Version SVN URL HTTP URL
ICS-V9 svn://svn.overbyte.be/icsv9 https://svn.overbyte.be/svn/icsv9
ICS-V8 svn://svn.overbyte.be/ics/trunk https://svn.overbyte.be/svn/ics/trunk
ICS-V7 svn://svn.overbyte.be/ics/tags/icsv7 https://svn.overbyte.be/svn/ics/tags/icsv7
ICS-V6 svn://svn.overbyte.be/ics/tags/v6_obsolete https://svn.overbyte.be/svn/ics/tags/v6_obsolete
ICS-V5 svn://svn.overbyte.be/icsv5 https://svn.overbyte.be/svn/icsv5

Use username = ics and password = ics for read access. Write access is only available to TeamICS.

Download OpenSSL Binaries

The OpenSSL binaries are required for all ICS SSL-enabled components.

The 64-bit DLLs are only for use with Delphi applications compiled for the 64-bit platform; the 32-bit DLLs work on both 32-bit and 64-bit Windows with 32-bit applications.

Please note older versions of the ICS source code had an internal check to only allow loading of the latest OpenSSL it was tested with, so you could not use new DLLs with an old application without recompiling with the latest version of ICS first.

OpenSSL 1.0.2 and later were only supported by ICS v8; v7 is no longer updated for new OpenSSL versions. This was a long term support version for which free support ceased at the end of 2019 unless you have an OpenSSL Premium Level Support contract for $50,000/year. ICS V8.65 was the last version to support 1.0.2.

OpenSSL 1.1.0 is obsolete and no longer supported. ICS V8.65 is the last version to support 1.1.0.

OpenSSL 1.1.1 is obsolete. Support ceased in September 2023 unless you have an OpenSSL Premium Level Support contract for $50,000/year. Only supports Windows Vista/Server 2008, and later, not Windows XP.

OpenSSL 3.0 is a major new release, primarily a lot of internal changes to ease long term support. ICS 8.67 is required to support 3.0. There is an optional FIPS module with 3.0, but it is not available here since our DLLs are not built to the standards required for certification. The old engines for special extensions are replaced by new, more versatile providers, of which the FIPS module is one. A provider legacy.dll contained in the distribution has obsolete ciphers and hash digests that most applications no longer need, and which needs to be loaded by the application. This version will be supported until September 2026.

OpenSSL 3.1 is obsolete. Support ceased in March 2025 and is no longer updated for ICS.

OpenSSL 3.2 is a minor new release with QUIC client support for HTTP/3 and many other improvements. ICS 8.67 is required to support 3.2. This version will be supported until November 2025 but ICS has now ceased updates.

OpenSSL 3.3 is a minor new release, minor QUIC and other features. ICS 8.67 is required to support 3.3. This version will be supported until April 2026 but ICS has now ceased updates.

OpenSSL 3.4 is a minor new release, minor new features. ICS 8.67 is required to support 3.4. There is a bug fix in ICS 9.4. This version will be supported until October 2026.

OpenSSL 3.5 is a major new long term support release, adding Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and server side QUIC (RFC 9000). ICS has no plans for QUIC support. ICS 8.67 is required to support 3.2. This version will be supported until April 2030.

OpenSSL 3.6 is a minor new release, adding several private key improvements and Leighton-Micali Signature (LMS) verification support which is a FIPS requirement. This version will be supported until October 2027.

OpenSSL 4.0 is a major new release, due April 2026. This version will be supported until April 2028.

Please note that ICS does not use any of the new features in OpenSSL 3.2 or later at present, so continuing to use the latest patch version of 3.0 with security fixes is generally fine.

The OpenSSL DLLs and EXE files included in the zips above are digitally code signed by 'Magenta Systems Ltd', one of the organisations that maintains ICS. The Magenta Systems Code Signing Trust and Certificate Check component may be used to check that the correctly signed DLLs are being used by ICS; this functionality is included in ICS V8.38 and later. Beware that Windows needs recent root certificates to check newly signed code, and may give an error if the root store has not been kept current by Windows Update, particularly on older versions of Windows such as XP, Vista and 7. The signed check may be disabled in the OverbyteIcsDefs.inc file by suppressing the defines OpenSSL_Check_Signed and OpenSSL_Check_SignCert.
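The same signature check can be run outside the application, for example in a build or deployment step, so an unsigned or re-signed DLL is caught before it ships. The PowerShell script below is an added example, not ICS or Magenta Systems code; the folder path is a placeholder, the signer name is the one stated on this page, and the function name is hypothetical.

```powershell
# Added example: audit Authenticode signatures of OpenSSL DLL/EXE files before shipping them.
param(
    [string]$Path = 'C:\path\to\unzipped\openssl',    # placeholder folder, adjust to your layout
    [string]$ExpectedSigner = 'Magenta Systems Ltd'   # signer name stated on this page
)

function Test-OpenSslSignature {
    param([string]$Folder, [string]$Signer)

    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # Common name of the signing certificate, empty when the file is unsigned.
            $cn = ''
            if ($sig.SignerCertificate) {
                $cn = $sig.SignerCertificate.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                    $false)
            }

            # A valid signature is not enough: it must also come from the expected publisher.
            $verdict = switch ([string]$sig.Status) {
                'Valid'        { if ($cn -eq $Signer) { 'OK' } else { 'UNEXPECTED SIGNER' } }
                'NotSigned'    { 'UNSIGNED' }
                'HashMismatch' { 'MODIFIED AFTER SIGNING' }
                'NotTrusted'   { 'CHAIN NOT TRUSTED (is the Windows root store current?)' }
                default        { "FAILED: $($sig.StatusMessage)" }
            }

            [pscustomobject]@{
                File    = $_.Name
                Signer  = $cn
                Status  = [string]$sig.Status
                Verdict = $verdict
                # Record the hash so the exact binary that passed can be pinned later.
                Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$results = @(Test-OpenSslSignature -Folder $Path -Signer $ExpectedSigner)
$results | Format-Table -AutoSize

# Fail the calling build step if nothing was checked or any file did not pass.
if ($results.Count -eq 0 -or ($results | Where-Object { $_.Verdict -ne 'OK' })) {
    exit 1
}
```

A `NotTrusted` result on an otherwise untouched download usually points at the stale root store described above rather than at the file itself.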

Date Download Description Comments
2025-10-02 OpenSSL Binaries Win-64 3.6.0 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-32 3.6.0 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-64 3.5.4 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-32 3.5.4 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-64 3.4.3 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-32 3.4.3 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-64 3.0.18 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-10-02 OpenSSL Binaries Win-32 3.0.18 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-09-17 OpenSSL Binaries Win-64 3.5.3 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-09-17 OpenSSL Binaries Win-32 3.5.3 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-08-08 OpenSSL Binaries Win-64 3.5.2 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-08-08 OpenSSL Binaries Win-32 3.5.2 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-07-02 OpenSSL Binaries Win-64 3.5.1 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-07-02 OpenSSL Binaries Win-32 3.5.1 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-07-02 OpenSSL Binaries Win-64 3.4.2 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-07-02 OpenSSL Binaries Win-32 3.4.2 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-07-02 OpenSSL Binaries Win-64 3.0.17 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-07-02 OpenSSL Binaries Win-32 3.0.17 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-04-10 OpenSSL Binaries Win-64 3.5.0 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-04-10 OpenSSL Binaries Win-32 3.5.0 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-64 3.4.1 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-32 3.4.1 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-64 3.3.3 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-32 3.3.3 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-64 3.2.4 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-32 3.2.4 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-64 3.0.16 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2025-02-12 OpenSSL Binaries Win-32 3.0.16 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2024-10-25 OpenSSL Binaries Win-64 3.4.0 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2024-10-25 OpenSSL Binaries Win-32 3.4.0 requires ICS V8.67 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP. Includes a compiled RES resource file with the same files.
2023-09-21 OpenSSL Binaries Win-64 1.1.1w requires ICS V8.57 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.
2023-09-21 OpenSSL Binaries Win-32 1.1.1w requires ICS V8.57 or later Built with Visual Studio Build Tools 2017 Supports TLSv1.3. Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.
2020-03-18 OpenSSL Binaries Win-64 1.0.2u requires ICS V8.24 to ICS V8.65 Built with Visual Studio Build Tools 2017 For 64-bit applications only (XE2+). Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.
2020-03-18 OpenSSL Binaries Win-32 1.0.2u requires ICS V8.24 to ICS V8.65 Built with Visual Studio Build Tools 2017 Use with 32-bit applications on Windows 64-bit. Digitally code signed. Only supports Windows Vista/Server 2008, and later, not Windows XP.

Download OpenSSL Binaries (alternative)

The OpenSSL website also links to the Win32OpenSSL website, which provides another build of Win32 DLL binaries. Note that, unlike the builds above, builds on that site may have dependencies on Visual C++ 2008 Redistributables (to keep DLL files smaller), so make sure you include all the required (and correct) redistributable files in your software installation. You probably don't have to care about that if you use the binaries above, at the cost of slightly larger DLLs. Also note that site does not keep archives of older versions, so you may want to watch their page if you prefer their binaries.