ICS V8.67 has been released at: http://wiki.overbyte.eu/wiki/index.php/ICS_Download
ICS is a free internet component library for Delphi 7, 2006 to 2010, XE
to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and
11.0 and C++ Builder 2006 to XE3, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney and
11.0. ICS supports VCL and FMX, Win32, Win64 and MacOS 32-bit targets.
The distribution zip includes the latest OpenSSL 1.1.1i win32, with
OpenSSL 3.0 and Win64 versions of OpenSSL being available from the
download page.
Changes in ICS V8.67 include:
1 - Added support and packages for RAD Studio 11.0. Updated SSL/TLS
root certificate bundles, old certificates gone, new ones added, nothing
major.
2 - Added support for OpenSSL 3.0 which is a major new release,
primarily a lot of internal changes to ease long term support. There is
an optional FIPS module with 3.0 but not available here since our DLLs
are not built to the standards required for certification. The old
engines for special extensions are replaced by new more versatile
providers of which the FIPS module is one, a provider legacy.dll has
obsolete ciphers and hash digests, including MD2, MD4, Blowfish, DES,
IDEA, RC2, RC4, SEED, that most applications no longer need and which
needs to loaded by the application by setting global variable
GSSLEAY_LOAD_LEGACY to true before loading OpenSSL.
3 - OpenSSL 3.0 does not offer any specific new features of benefit to
ICS at present, although HTTP/3 support is planned for 3.1 or later, so
the main ICS distribution retains OpenSSL 1.1.1i which is fully
supported until September 2023. OpenSSL 3.0 may be downloaded from the
download page. There are two global variables to restrict which OpenSSL
version is loaded, GSSLEAY_DLL_IgnoreNew set true will ignore 3.0, while
GSSLEAY_DLL_IgnoreOld will ignore 1.1.1, if both sets of DLLs are
available in the same directory. The main SSL samples all set these
globals, which can be changed for testing one version or the other, or
set by the application, but must be before OpenSSL is initialised.
4 - The main implication for ICS with OpenSSL 3.0 is for SSL/TLS
certificate private keys saved with password protection, which is
required for PKCS12 certificates for importing into the Windows
certificate store. The new PKCS12 default password encryption AES256 is
not recognised until Windows Server 2016 v1709 and Windows 10 v1709, so
Server 2012, Windows 10 RTM and earlier won't load AES passworded keys,
only 3DES, for which the legacy.dll must be loaded.
5 - The TX509Base class has various improvements. The ValidateCertChain
method reports CA roots for multiple certificate verification paths
with two or more intermediate certificates, rather than only the last.
The CertMainInfo method provides a single line with the main certificate
information.
6 - There are two new classes to write and read SSL/TLS certificates to
and from the Windows Certificate Store, including private keys. This is
primarily so Let's Encrypt certificates can be installed automatically
for use with the IIS web server. TMsX509List descends from TX509List
adding a method LoadFromStore to load the list from a Windows
certificate store by store name TMsCertStore and location
MsCertLocation. For My/Personal store, attempts to load private keys if
they are allowed to be exported unencrypted. TMsCertTools descends from
TSslCertTools adding methods SaveToStorePfx and LoadFromMyStore to
access Windows certificate stores. Note access to the Local Machine
Store for web server certificates requires administrator rights.
7 - Various improvements for the OverbyteIcsPemTool sample. It
includes new buttons to list the contents of Windows certificate and
private key stores and allow old items to be deleted. This may be
useful for cleaning up old certificates and private keys from the
Windows stores. Added ResavePrivateKey and Resave Private Key menu
option which prompt for a PFX or PEM file containing an encrypted
private key with a new cipher, renaming old file to .oldpem/pfx.
Specifically for files saved with old ciphers than OpenSSL 3.0 does not
support as standard if required for older versions of Windows.
Displaying certificates and bundles is no longer a new modal window, but
updates the existing log window. Improved import certificates from
Windows certificate store to use TMsX509List instead of Windows API
calls, and to access all Windows store locations instead of just user,
specifically the Local Machine store where server certificates are
located.
8 - For the TX509Certs component, the default cipher for encrypting
PFX/P12 files is now PrivKeyEncAES256 with 3.0 unless the legacy DLL is
loaded when still PrivKeyEncTripleDES so older versions of Windows can
load them. Changed extraction of download PEM bundle so that main
certificate does not need to be first in file, log them all, and ignore
any self signed root certificates. If testing dns-01 challenge fails,
rotate to next public server and three retries (previously only happened
on timeout). When saving files with private keys, log encryption type
used. Added more certificate output formats, OutFmtPwPem and OutFmtPwP12
specify whether to password PEM and P12/PFX private keys. Note Windows
always needs passworded P12/PRX files, while Apache web server only
accepts PEM files without a password. Allow automatic installation of
new certificates to the Windows Certificate Store so they can be used by
IIS web sites, by setting output format to OutFmtWinStore. Note
application must have administrator rights to do this.
9 - Fixed two problems in the FTP client, support option
ftpFixPasvLanIP for PUT/APPE uploads as well as downloads, and support
IPv6 for PUT/APPE uploads as well as downloads.
10 - Fixed a problem in TIcsMailQueue with sequential number generation
to avoid file locking errors and unicode BOM corrupting file, generate
large random number for errors instead of reverting to 1. Don't save
BOM withunicode compilers.
11 - In the Application Web Server TSslHttpAppSrv, added an optional
LastModified parameter to the AnswerStream, AnswerPage, and AnswerString
methods to avoid adding a custom header line with the date. Added
NO_CACHE_EX and NO_STORE_EX literals. Added PUT and DELETE verb
handlers, similar to GET and POST.
12 - For the HTTP client TSslHttpCli, fixed a relocation problem where
the Location: header included a path with a space, encode the space.
Fixed another relocation problem where HEAD sometimes stalled. Remove #
fragment or anchor from URL in relocation, only used by browsers and not
by servers.
13 - In the TIcsBlackList component, Internally use BlockedFlag instead of setting attempts to 9999 once the actual maximum failed attempts is reached, so we can keep counting attempts.
14 - Added a new SSL sample, OverbyteIcsDDWebService.dpr which is very
similar to OverbyteIcsSslMultiWebServ.dpr, but designed as a Windows
service, although it will also run as a GUI for debugging. It requires
DDService service framework to be installed from https://www.magsys.co.uk/delphi/ddservice. asp. It also includes a REST server with simple lookup responses from a SQL
database, which optionally requires DISQLite3 5.36.5 or later to be installed from http://www.yunqa.de. Note this sample in not in the project groups due to these pre-requisites.
15 - Moved TRestParams from the OverbyteIcsSslHttpRest unit to
OverbyteIcsUrl to ease circular references. Added a new method
AddItemNULL to add a null, in Json this will be unquoted. Added a new
TRestParamsSrv component which provides methods for creating REST server
Json responses from a SQL database resultset, one or more rows, also
error responses. Note this is only compiled if DATABASE is defined in
OverbyteIcsDefs.inc to avoid bringing in database units that are not
available on all Delphi editions. There is a REST server sample
OverbyteIcsDDWebService.dpr that illustrates SQL lookups.
16 - In the proxy component TIcsHttpProxy, don't send an HTTP request
header until after HTTP body has been processed in case the body length
changes. HTTP Forward Proxy using HTTP works again, broken in V8.65.
Using HTTP Forward Proxy, convert absolute URL to path only since some
servers can not process an absolute URL and sulk.
17 - In the Jose unit, rewrote the functions converting private keys to and from Json Web Keys with new OpenSSL 3.0 provider functions. Use AnsiStrings and functions when dealing with binary data to avoid possible issues with string conversions and nulls. Json now created with TRestParams.
18 - Added two new sample project groups, OtherDemos64 and SslDemos64 which include Win64 versions of all the main active samples with 64 added to the project name, so they can be regularly built alongside the Win32 versions without changing platforms and overwriting executables.
