Delphi Developers
Components for Internet Component Suite (ICS)

Downloads
(Free password required)

12th September 2025 - ICS V9.5 released, many improvements

8th August 2025 - OpenSSL 3.5.2 Windows binaries released.

3rd July 2025 - Updated PEM Bundle CA Trusted Store Files

2nd July 2025 - OpenSSL 3.4.2, 3.3.4, 3.2.5, 3.0.17 Windows binaries released.

August 2023 - Magenta Systems Internet Protocol Helper Component and Magenta Systems Internet Packet Monitoring Components are now part of ICS v9, with major upgrades and new samples, with full IPv6 support.

There is a new ICS support forum at https://en.delphipraxis.net/forum/37-ics-internet-component-suite/ to replace the old TWSocket mailing list that stopped working a few years ago.

This page contains various components written by Magenta Systems Ltd to extend François Piette's Internet Component Suite (ICS) version 8 from http://www.overbyte.eu/.  ICS v8 supports Delphi 7, 2006 to 2010, XE to XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney, 11, 12 and 13.  Note that all ICS versions now include SSL free of charge.


Internet Component Suite (ICS) Downloads

All ICS files should normally be accessed from the ICS Download Wiki page but the important files are available here as well.

The latest versions of ICS may be downloaded from the ICS SubVersion server using a subversion client such as TortoiseSVN.  Once your SVN client is installed, you can browse to svn://svn.overbyte.be/ics, svn://svn.magsys.co.uk/ics or https://svn.overbyte.be/svn/ics or https://svn.magsys.co.uk/svn/ics. The SVN login user code is ics and password is ics for read access.

Nightly ICS v9 for Delphi 7-2010, XE-XE8, 10 Seattle, 10.1 Berlin, 10.2 Tokyo, 10.3 Rio, 10.4 Sydney, 11, 12 and 13
v9 - 12 Sep 2025 (69,718,294 bytes)

Latest ICS V9.5 Release
V9.5 - 12 Sep 2025 (69,629,775 bytes)

OpenSSL Binaries 3.5 Win32
3.5.2 32-bit - 8 Aug 2025 (5,351,710 bytes)
Minor new version of OpenSSL, requires minimum ICS V8.67.
Note the binaries are now digitally signed by 'Magenta Systems Ltd'. Long term support version, until April 2030.

OpenSSL Binaries 3.4 Win32
3.4.2 32-bit - 2 Jul 2025 (5,107,022 bytes)
Minor new version of OpenSSL, requires minimum ICS V8.67. Supported until October 2026.

OpenSSL Binaries 3.3 Win32
3.3.4 32-bit - 2 Jul 2025 (5,039,282 bytes)
Minor new version of OpenSSL, requires minimum ICS V8.67. Supported until April 2026.

OpenSSL Binaries 3.2 Win32
3.2.5 32-bit - 2 Jul 2025 (4,982,795 bytes)
Minor new version of OpenSSL, requires minimum ICS V8.67. Supported until November 2025.

OpenSSL Binaries 3.0 Win32
3.0.17 32-bit - 2 Jul 2025 (4,575,537 bytes)
Major new version of OpenSSL, requires minimum ICS V8.67. Long term support version, until September 2026.

OpenSSL Binaries 1.1.1 Win32
1.1.1w 32-bit - 20 Sep 2023 (1,829,214 bytes)
Only supports Windows Vista/Server 2008, and later, not Windows XP, requires minimum ICS V8.57. Support ceased in September 2023 unless you have an OpenSSL Premium Level Support contract for $50,000/year. Not supported by ICS V9.1 or later.  

OpenSSL Binaries 1.0.2 Win32
1.0.2u 32-bit - 7 Jan 2021 (1,742,205 bytes)
Note ICS V8.65 is the last release to support OpenSSL 1.0.2, whose support ceased in 2019 unless you have an OpenSSL Premium Level Support contract for $50,000/year. Not supported by ICS V8.66 or later.  

Sources of CA Trusted Stores

SSL/TLS trusted root certificate bundles are always changing, annually perhaps for major changes, although Microsoft officially updates Windows roots every two months. The Common CA Database (CCADB) https://www.ccadb.org/ is a repository of information about Certificate Authorities (CAs), and is used by a number of different root store operators to manage their root stores.

But it's not easy to create root bundles from CCADB, and another developer got frustrated with updating roots and created a Trust Stores Observatory Git repository: https://github.com/nabla-c0d3/trust_stores_observatory which contains over 680 root certificates and lists of which trust stores contain which roots for different operating systems. But even this does not contain certificates in a form easily used by OpenSSL, so Magenta Systems Ltd has written a small tool that converts the YAML files from TSO into PEM and PKCS7/12 bundle files, one each for the different operating systems.

New PEM Bundle CA Trusted Store Files

CA PEM Bundle - 29 May 2025 (3,259,344 bytes)

There are six different PEM CA bundle files, built from the Trust Stores Observatory Git repository in May 2025.

apple.pem - 153 Certificates
google_aosp.pem - 145 Certificates
microsoft_windows.pem - 310 Certificates
mozilla_nss.pem - 143 Certificates
openjdk.pem - 89 Certificates
oracle_java.pem - 93 Certificates

Each certificate is prefixed by its description, issuer fields, expiry, public key type and SHA256 hash, so the bundles are self-documenting rather than being just cryptic base64 blocks. These PEM bundles may be loaded into an OpenSSL context as a root store.  Magenta Systems Ltd will periodically update these bundles, as needed. The files are all UTF-8 with a BOM. While the certificates are base64 encoded, the added comments may include Unicode characters for non-English issuers.

The zip file contains three versions of each bundle, the name above, one ending with -clean.pem which omits all the added textual comments so is smaller and less likely to cause problems with non-English characters, and a third PKCS7/12 version with extension P12 which is smaller than PEMs.  There are also -titles.txt and -fprints.txt files which are one line per certificate listing the main details, and fingerprint in the latter file.  There are also changes files for the Microsoft Windows bundle that indicate which certificates were removed or added with each update.
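The commented, BOM-prefixed bundle layout described above can be reduced to its certificates and compared against a previously reviewed set of SHA-256 fingerprints before it is loaded as a root store. This Python sketch is an added example, not the Magenta Systems tool; the function names, the `#` comment style and the placeholder "certificates" in the sample are constructed assumptions, and the expected fingerprints are passed in by the caller rather than read from the -fprints.txt files.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(raw: bytes) -> list:
    """Return the DER bytes of every certificate block, ignoring comment text."""
    text = raw.decode("utf-8-sig")  # "utf-8-sig" drops a leading BOM if present
    ders = []
    for match in PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprints(raw: bytes) -> list:
    """SHA-256 over each certificate's DER encoding, as lowercase hex."""
    return [hashlib.sha256(der).hexdigest() for der in split_bundle(raw)]


def clean_bundle(raw: bytes) -> bytes:
    """Re-emit the bundle as pure ASCII PEM blocks without BOM or comments."""
    out = []
    for der in split_bundle(raw):
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out).encode("ascii")


def check_against(raw: bytes, expected: set) -> tuple:
    """Compare a bundle with reviewed fingerprints: (unexpected, missing)."""
    got = set(fingerprints(raw))
    return sorted(got - expected), sorted(expected - got)


def pem_wrap(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed sample: placeholder bytes stand in for real DER certificates,
# because the code only decodes and hashes them and never parses X.509.
FAKE_A = b"constructed placeholder A, not a real certificate " * 3
FAKE_B = b"constructed placeholder B, not a real certificate " * 3
SAMPLE = (
    "\ufeff"
    + "# Subject: Example Root A (Soci\u00e9t\u00e9 Exemple)\n# Key: constructed\n"
    + pem_wrap(FAKE_A)
    + "# Subject: Example Root B\n"
    + pem_wrap(FAKE_B)
).encode("utf-8")

if __name__ == "__main__":
    reviewed = set(fingerprints(SAMPLE))
    print(check_against(clean_bundle(SAMPLE), reviewed))
```

Running the comparison on each new bundle release shows exactly which roots were added or removed since the last reviewed set.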

Note the ICS distribution download (see above) contains three CA Trusted Stores, two as PEM bundle files, one in a source unit, and access to the Windows Certificate Store directly, see FAQ_SSL/TLS_Certificate_Authority_Root_Stores for more information.

Internet Component Suite (ICS) Release Notes

Changes in ICS V9.5 include:

1 - Major improvements in ICS V9.5 include a new geographic component that has built in IP address databases for countries and ASN; server components have a new event called before a connection is accepted allowing 'firewall' rejection of connections based on IP address; the MQTT client and server components now support protocol 3.1.1; the automatic certification ordering component now supports Google Trust Services and other ACME suppliers, as well as Let's Encrypt; changes for the HTTP clients and servers to better support REST request APIs;

2 - Many of these improvements, and the delay finishing this release, relate to web server improvements needed to mitigate a nine month long attack on a public web server, that started with millions of accesses from two Far East IP addresses, progressed to accesses from VPNs at data centres worldwide, then finally to a botnet that caused access from over one million different IP addresses in 150 countries each week. It's not often a developer has first hand experience of such web server abuse, we try to plan for it, but rarely experience it directly. The ICS web server samples already had filtering by IP addresses and reverse DNS lookup and this worked for a few months with manual updating of the filtering lists, but this was time consuming. So a new GEO component was added with an IP address to country database that allowed specific countries to be blocked, then regions of the world, finally an ASN database allowed specific cloud/ISPs to be blocked. During these months, the ICS web server kept working, albeit slowing as logs tried to handle the vast volumes of IP addresses, needing rewrites of some ICS components. But everything is now stable and ICS is capable of handling such heavy traffic.

3 - TWSocketServer has a new event OnClientAcceptFilter called before the component accepts an incoming connection, allowing filtering on the remote IP address so the connection is refused without any more events being called. This action is similar to a firewall refusing a connection, rather than opening and immediately closing it again. Before the event is called, a TIcsSessIpInfo record is filled with remote and local addresses and ports in binary and as strings, saving a lot of application code, the event can complete other record fields. This event can be used with the new GEO components to check countries and regions that should be blocked, and with the TIcsBlacklist component to stop those previously blocked addresses from accessing the server. The THttpSrv HTTP server has a similar OnHttpAcceptFilter event, and it will be added to other servers for the next release.

4 - Added a new TIcsGeoTools component that reads MaxMind formatted GEO database files using the MMDBReader component, and includes two small databases from db-ip.com, 'IP to Country Lite' and 'IP to ASN Lite', but can handle other MaxMind databases. Both databases are available as resource files that can be linked into applications or loaded from a file to be shared between servers. There is also a country name database ICS-Countries.csv linked as a resource file that contains country GEO information. ASN is Autonomous System Name, an ISP or cloud name, that supplements reverse DNS (often missing) in identifying the owners of IP addresses. The databases are updated monthly by db-ip.com and can be downloaded from them, we will try to keep ICS up to date.

The TIcsGeoTools component is a self contained unit, IcsGeoUtils.pas with no dependencies, but is only available for Delphi 11 and later due to use of new language features. The component needs to be created in code and the databases required loaded before use, see the samples mentioned below. The main lookup methods are FindISOA2Code and FindASNCode, then FindCountry and FindRegion from an ISOA2 country code, region is a quick way to block all Asian countries for instance. The TIcsDomainNameCache and TIcsBlacklist now include ISOA2 and ASN fields that are included in responses and reports from these components. Beware blocking countries and regions may have unexpected consequences, for instance Let's Encrypt and Google validate SSL/TLS certificate domain names from multiple countries.

The OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService samples use the databases in the new server OnHttpAcceptFilter event, and write country and ASN to the web log file, as well as allowing hacker filtering using this information. The OverbyteIcsNetTools sample Trace Route now shows the country and ASN for each IP in the route to the destination, as well as reverse DNS, although the IP addresses allocated to network routers don't appear to be totally accurate. These samples only use TIcsGeoTools if DEFINE USE_IcsGeoTools is set in Defs.inc.

5 - Added new components TIcsFilterList and TIcsIpAddrList to replace TestFilters using HackFilterList and TestIpWhiteList using WhiteIpList in sample OverbyteIcsSslMultiWebServ1.pas. TIcsFilterList reads the same file hackfilterlist.txt containing key=value pairs which are used to filter incoming connections for path, remhost, country, useragent or referrer, trying to filter out abusive remote hosts. TIcsIpAddrList reads the same file whiteiplist.txt which is a list of ASCII IP full or partial addresses, generally that should not be blocked by filters. The TIcsBlacklist has major changes including support for saving IPv6 addresses in binary as well as ASCII, they sort better in reports and take less memory, adding and checking a TSockAddrIn6 which avoids conversion to strings, and other improvements to handle one million IP addresses more efficiently.
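The accept-time decision that items 3 to 5 describe (allow list, blacklist, then country and ASN) is sketched below in Python as an added example; it is not ICS code and does not use the ICS events or file formats. Assumptions: the class and function names, the decision order, the reading of a partial address as a network, and the constructed GEO rows, which use documentation address ranges, user-assigned country codes XA/XB and documentation ASNs.

```python
import ipaddress


def parse_entry(text: str):
    """Turn a full, partial or CIDR address into a network object.

    A partial IPv4 entry such as "198.51.100." becomes 198.51.100.0/24, which
    avoids text-prefix accidents like "10.1" also matching "10.100.0.1".
    """
    text = text.strip()
    if "/" not in text and ":" not in text:
        parts = [p for p in text.split(".") if p]
        if 1 <= len(parts) < 4:
            padded = ".".join(parts + ["0"] * (4 - len(parts)))
            return ipaddress.ip_network(f"{padded}/{8 * len(parts)}")
    return ipaddress.ip_network(text, strict=False)


def normalise(remote: str):
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so that IPv4 rules still apply on a dual-stack listener."""
    addr = ipaddress.ip_address(remote)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


class AcceptFilter:
    def __init__(self, allow, geo_rows, blocked_countries=(), blocked_asns=()):
        self.allow = [parse_entry(e) for e in allow]
        self.geo = [(ipaddress.ip_network(n), cc, asn) for n, cc, asn in geo_rows]
        self.blocked_countries = set(blocked_countries)
        self.blocked_asns = set(blocked_asns)
        self.blacklist = set()  # addresses blocked earlier, stored in binary form

    def lookup(self, addr):
        """Most specific matching GEO row wins; (None, None) when unknown."""
        best = None
        for net, cc, asn in self.geo:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cc, asn)
        return (best[1], best[2]) if best else (None, None)

    def decide(self, remote: str):
        """Return (accept, reason) for one incoming connection."""
        try:
            addr = normalise(remote)
        except ValueError:
            return False, "unparseable address"
        if any(addr in net for net in self.allow):
            return True, "allow list"
        if addr in self.blacklist:
            return False, "blacklisted"
        country, asn = self.lookup(addr)
        if country in self.blocked_countries:
            return False, f"country {country}"
        if asn in self.blocked_asns:
            return False, f"ASN {asn}"
        return True, "default accept"


# Constructed sample data, not taken from any real GEO database.
GEO_ROWS = [
    ("192.0.2.0/24", "XA", 64496),
    ("198.51.100.0/24", "XB", 64497),
    ("198.51.100.128/25", "XB", 64498),
    ("2001:db8::/32", "XA", 64499),
]
FILTER = AcceptFilter(
    allow=["198.51.100.200", "203.0.113."],
    geo_rows=GEO_ROWS,
    blocked_countries={"XB"},
    blocked_asns={64499},
)
FILTER.blacklist.add(ipaddress.ip_address("192.0.2.66"))

if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.66", "::ffff:198.51.100.5", "2001:db8::1"):
        print(peer, FILTER.decide(peer))
```

Because the decision is taken before any request is read, a country or ASN block here also refuses certificate-validation requests arriving from those networks, which is the caveat the notes give for Let's Encrypt and Google.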

6 - Since Let's Encrypt introduced the ACME (Automatic Certificate Management Environment) protocol to download free SSL/TLS certificates, other suppliers have added automated ordering using the same API, mostly with extra account information for commercial certificates. ICS has been tested successfully with free certificates from Google Trust Services, and should work with DigiCert, ZeroSSL and SSLcom, but these three are primarily commercial suppliers and need prepaid accounts, so not tested yet. Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates up to 90 days with multiple wildcards, but allows the expiry days to be specified during ordering, down to three days. Some companies were reluctant to use Let's Encrypt when there was no alternative in case of extended down time, now Google offers that alternate.

Apart from Let's Encrypt, suppliers use ACME external accounting to tie the ordering process to web site accounts, which is explained in comments in the OverbyteIcsSslX509Certs unit, more information will be added and the wiki pages updated soon. Google needs the Google Cloud CLI Windows application installing, type a few commands and you get the external account information Acme needs. The OverbyteIcsX509CertsTst sample has a major revision to support multiple account suppliers and to specify the external accounting information. The sample needs to be run on any servers that will order certificates to create the initial Acme account (except for Let's Encrypt), and includes a web server allowing test certificates to be ordered provided DNS points to a public IP on the server. Most suppliers provide a testing endpoint which is listed in OverbyteIcsX509CertsTst so you can order fake certificates to understand the process. There is now a facility to ask ICS servers to renew certificates on demand from the OverbyteIcsX509CertsTst sample, previously you had to mess with the INI file to force a new order.

7 - TWSocketServer has a lot of improvements relating to SSL/TLS certificates, many relating to new IcsHosts options to support suppliers other than Let's Encrypt. IcsHosts has a new property AcmeSupplier as TAcmeSupplier which may be AcmeLetsEncrypt or AcmeGoogle (or several others), and property SupplierTitle to specify the account name of that supplier from a database. The supplier accounts database is generally maintained by the OverbyteIcsX509CertsTst sample, which must be used to create accounts for new suppliers, and which may be used to view certificate orders. SupplierTitle is used instead of specifying CertDirWork which will be looked up from C:\ProgramData\ICS-Acme-Accounts\ics-acme-accounts.db. By default, new work directories will be in: C:\ProgramData\ICS-Acme-Accounts\. CertDirWork is still supported, but it's recommended that applications move to using supplier accounts instead, which can be monitored using OverbyteIcsX509CertsTst. Google and other suppliers only work with supplier accounts, since information is needed that is not in IcsHosts.

IcsHosts has other new properties: AcmeCertProfile to specify the type of certificate requested for Let's Encrypt, listed in FAcmeProfileNames array, default classic, optional tlsserver and shortlived (7 day, not yet available); AcmeCertValidity to specify certificate life in days, default 90, only Google at present, down to 3 days. Certificate ordering now makes use of the ACME Renewal Information API that specifies how many days before expiry a certificate should be renewed, and how often these dates should be rechecked to see if the certificate needs immediate renewal due to being revoked. This overrides CertExpireDays. Renewal Information is checked each time the certificate chain is checked, but is cached so there is usually only a server API call every six hours. Note with OCSP gone, this is now the only way to check if a certificate is revoked.

Reworked certificate checking so if automatic ordering is enabled the Acme account information is looked up when the certificate is first loaded to get renewal information and maybe working directory, rather than only when time to order a new certificate, so there is more logging and error checking at load time. Temporary ICS self signed certificates are now created in GSSL_CERTS_DIR instead of TempPath. When starting a certificate order, if the challenges have been previously completed OK, collect order immediately, don't try to start them again. Let's Encrypt is implementing a change in the way new certificates are issued, which may be delayed a few seconds after the CSR is provided, rather than immediately, so the component now waits and checks every five seconds for the new certificate to be issued. This already happens for Google. Note this Let's Encrypt change means earlier ICS versions will soon fail to work.

ICS now supports ordering SSL/TLS certificates with IP addresses as well as host domain names, tested with Let's Encrypt Staging but not available yet from live certificates. Testing showed a problem using SSL with IP address URLs relating to the Server Name Indication HELO feature which does not allow simple IP addresses which must be converted to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa. Automatic certificate ordering in IcsHosts now has a database property CertRenewNow that if set true in the database using the OverbyteIcsX509CertsTst, will override certificate expiry checking and cause an immediate new certificate replacement order by servers with IcsHosts the next time RecheckSslCerts is called by the server, typically every two hours.

Fixed a long term problem where SSL/TLS server name SNI checking for a matching IcsHost used the certificate SANs that might have included a wild card, instead of the Hosts list of host names. If one IcsHost allowed wild cards it might have been found instead of a specific IcsHost for a single host.

8 - New major versions of OpenSSL often add new functions and deprecate older functions that are then removed in a subsequent major release after applications should have been updated. ICS has added a DEFINE OpenSSL_Deprecated without which no deprecated functions should be loaded. ICS has been testing with a special build of OpenSSL 3.5 without deprecated functions and several units have now been updated to use newer 3.0 functions, so no more work should be necessary for OpenSSL 4.0 when those deprecated functions could disappear. The DEFINE OpenSSL_Deprecated should only be needed if your application uses old OpenSSL functions for encryption or signing. The OverbyteIcsJoseTst sample also needs OpenSSL_Deprecated for RSA string encryption, pending a rewrite without deprecated functions. ICS now only creates the C:\ProgramData\ICS-OpenSSL directory if conditionals OpenSSL_Resource_Files or OpenSSL_ProgramData are specified meaning OpenSSL files are expected there. Otherwise the developer is responsible for setting GSSL_DLL_DIR to the OpenSSL DLL directory.

9 - Updated the MQTT client and server components to support protocol 3.1.1 which is commonly used, previously we only supported 3.1. The client will connect to a v5 server by ignoring dozens of new options, but needs a lot more work, much more complicated than v3.1.1, not planning any more v5 unless there is a specific requirement. Added LogPackets property to log packets in ASCII and hex for diagnostics, UseSSL property to force client to use SSL on any port, BlankClient property (anonymous) for 3.1.1 so server allocates ClientId, but only v5 tells us that ID. BurstMode property for 3.1.1 so client does not wait for response to Connect, but publishes immediately. When subscribing with v3.1.1, the server now returns a failure flag for permissions failure, which is returned as QoS qtFAILURE. Also improvements to the OverbyteIcsMQTTst sample, allow Username/Password to be set, so they may be left blank, ClientHost is now a drop down box, and includes test.mosquitto.org that may be used for client testing, see https://test.mosquitto.org/ for a long list of ports for different testing purposes, allow MQTT protocol to be specified, added v3.1.1 and v5, and options to test all new functions. If the server SSL port is non-zero, the server will create an ICS CA signed certificate for the host name (ie localhost) if a certificate file bundle is not found.

10 - There are various WebSocket improvements. The client now has optional asynchronous connection which no longer blocks the initial WSConnect which now returns immediately and an OnWSConnected event is called when the connection is ready or fails, so should now correctly process a welcome message or packets sent immediately upon connection. The server now has a configurable delay after connection before sending a welcome message or packets, for clients that can not process them immediately. Fixed a problem that data sent immediately after a new connection opened could be lost because the component had not switched to WebSocket mode. Allow Sec-WebSocket-Protocol: header to be added with HeaderSecWebSocketProtocol values (chat, superchat, etc). Added a new OnWSFramesDone event called when a queue of frames has been sent, for flow control when sending a lot of data. Note the IcsAppMonMan.dpr sample illustrates how to use multiple WebSocket client components to contact multiple WebSocket servers and display information from them, it comes configured to view three public servers running ICS web, FTP and proxy servers.

11 - Fixed a long term problem with ECDSA binary digests, which have two formats, ASN.1 used by OpenSSL and IEEE P1363 which is shorter fixed length and often also used. Added IcsDigestAsntoIEEE and IcsDigestIEEEtoAsn to convert between the two formats, and a new EcdsaIEE flag to IcsAsymSignDigestTB, IcsAsymVerifyDigestTB, IcsJoseJWSJson, IcsJoseGetSigTB, IcsJoseCheckSigTB and IcsJoseCheckJWS to use the new format, only effective when using EC private keys. Signing Acme requests with EC keys now correctly use IEEE P1363 digests so finally work properly, been looking for this since 2018.
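The two ECDSA signature encodings named in item 11, converted in both directions in Python as an added example; this is not ICS code, and der_to_p1363 and p1363_to_der are hypothetical names, not the ICS IcsDigestAsntoIEEE and IcsDigestIEEEtoAsn routines. The sample signature values are constructed to exercise the padding cases and are not real signatures.

```python
def _read_len(buf: bytes, pos: int):
    """Read a DER length starting at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated DER")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 2 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _read_integer(buf: bytes, pos: int):
    """Read one non-negative DER INTEGER; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER in signature")
    return int.from_bytes(body, "big"), pos + length


def der_to_p1363(der: bytes, coord_len: int) -> bytes:
    """ASN.1 SEQUENCE { r, s } -> fixed-length r || s (coord_len bytes each)."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    seq_len, pos = _read_len(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match input")
    r, pos = _read_integer(der, pos)
    s, pos = _read_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    try:
        return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")
    except OverflowError:
        raise ValueError("r or s does not fit the curve size") from None


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                    # keep the INTEGER non-negative
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def p1363_to_der(sig: bytes) -> bytes:
    """Fixed-length r || s -> ASN.1 SEQUENCE { r, s } as OpenSSL expects."""
    if not sig or len(sig) % 2:
        raise ValueError("P1363 signature must be two equal halves")
    half = len(sig) // 2
    r = int.from_bytes(sig[:half], "big")
    s = int.from_bytes(sig[half:], "big")
    body = _der_integer(r) + _der_integer(s)
    return b"\x30" + _der_len(len(body)) + body


# Constructed P-256 sized sample (32-byte coordinates): r has its top bit set,
# so DER needs a 0x00 pad byte; s is small, so DER drops its leading zeros.
SAMPLE_P1363 = (bytes([0x80]) + bytes(30) + bytes([0x01])) + (bytes(30) + b"\x12\x34")

if __name__ == "__main__":
    der = p1363_to_der(SAMPLE_P1363)
    print(len(SAMPLE_P1363), len(der), der[:5].hex())
    print(der_to_p1363(der, 32) == SAMPLE_P1363)
```

The DER form varies in length with the values of r and s, while the P1363 form is always twice the coordinate size, which is why a verifier expecting one format rejects the other.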

12 - CreateSelfSignCertEx now adds IP addresses to the correct alternate list, not allowed as common name. TSslCertTools has new certificate properties for more Distinguished Names, mainly for personal names: Street, SurName, GivenName, NameTitle, NameInitials, used when creating Certificate Requests. Using Description no longer gives an error.

13 - The HTTP clients THttpCli and TSslHttpRest have new properties RespAttachment (Boolean) and RespFileName, parsed from Content-Disposition: response header which can be used to offer to save content as a file, and RespRetryDT parsed from Retry-After: response header, when this request should next be repeated as TDateTime. ResponseNoException now defaults to True to skip exceptions for most connection errors like 404, etc, beware this default change may cause applications expecting exceptions to misbehave, either set it false or check StatusCode in RequestDone.

14 - In HTTP client TSslHttpRest, if HttpUploadStrat=HttpUploadSimple, add unofficial Content-Disposition request header that some web servers might check for an upload file name. Check for a Json response of any array only [] without objects. Allow GET and DELETE methods to use PContBodyJson, PContBodyUrlEn and PContBodyXML content types, beware web servers may not support this.

15 - The TRestParams component has a new RParamFmt property that for Json only defines whether nested objects or an array should be formatted, default is RPFmtNestObj (Nested Objects, same as previously), or RPFmtArrayVal (Array of Values) if first element is any array, or RPFmtArrayObj (Array of Objects) where each element is treated as object in the array. Note RPFmtArrayObj allows duplicate names in Add methods, since output into different objects. For instance:
RPFmtNestObj: {"field1":"data1","field2":"data2","field3":[data1, data2, data3]}
RPFmtArrayVal: [data1, data2, data3]
RPFmtArrayObj: [{"field":"data1"},{"field":"data2"},{"field":[data1, data2, data3]}]

16 - In the HTTP servers THttpSrv and THttpAppSrv, allow the built in HTTP error response to be customised using new event OnHttpCustomError which is called by the error handlers with the error, path, and existing Body, that may be replaced or modified as required. Called for errors 301, 302, 307, 308, 400, 401, 403, 404, 416, 501. Added new hoContDispHdr Option and AttachmentTypes list of file extensions that if matched causes the server to add a Content-Disposition: attachment header with the filename, that should cause a browser to offer a 'Save As' dialog to save a binary file, rather than trying to display it. Note the default list includes .pdf so Acrobat files are saved rather than displayed. The Get and Delete methods now accept uploaded body content similarly to POST/PUT. The derived THttpAppSrv server has handlers for uploaded content, for THttpSrv you need to write your own. Added OnHttpAcceptFilter event called before TWSocketServer accepts an incoming connection allowing filtering on the remote IP address so the connection is refused without any more events being called.

17 - TWSocket has a new property SessionIpInfo which is a TIcsSessIpInfo record set after connection with the local and remote IP addresses and ports from the socket, also socket type and protocol, as internal and string versions. Might be easier to use than various GetPeer methods. Set for accepted listen connections. Fixed a missing inherited DupConnected that meant counters did not get reset. The SSL/TLS Server Name extension does not allow raw IP addresses, so convert them to domain names, ie 217.146.102.139 becomes 139.102.146.217.in-addr.arpa.

18 - Added Windows memory reporting functions IcsMemInfoProg, IcsMemInfoGlob and IcsMemInfoPerf to the OverbyteIcsWinUtils unit, useful for server monitoring, used by the sample IcsAppMon.dpr. Also IcsMemWarning to check for low or critical memory problems, returns Warning at 85% physical or page file usage, critical at 95% usage (reboot probably required).

19 - ICS added OCSP (Online Certificate Status Protocol) support a few years ago, used to check if certificates have been revoked. But running the massive OCSP databases needed has proved challenging, and the industry is moving away from OCSP, Let's Encrypt stopped adding an OCSP URL to certificates in May 2025. OCSP adds quite a lot of code, so added new defines to ICS so OCSP code is only linked if using authorities that still support OCSP, see information about OverbyteIcsDefs.inc. This change affects many components that check certificates, if the defines are disabled OCSP properties are still available, but will be ineffective, removing the OCSP properties would result in too many form errors.

Another reason for OCSP's demise is shorter SSL/TLS certificate life, so they expire rather than needing to be revoked. From 15th March 2026, certificate life span is reduced to 200 days, from 15th March 2027 down to 100 days and finally from 15th March 2029 to 47 days, but only 10 days for domain control validated certificates, such as most free certificates which are currently 90 days maximum. ICS can already order seven day certificates from Google Trust Services, with Let's Encrypt adding this later in 2025.

20 - ICS now defaults to the latest OpenSSL version 3.5.2 which includes support for new Post Quantum Cryptography (PQC) algorithms (ML-KEM, ML-DSA and SLH-DSA) and for server side QUIC (RFC 9000). ICS has no plans for QUIC support, not yet investigated PQC, don't believe any low level changes are needed, maybe changes to the cipher lists. This is a long term support release with fixes and security updates for five years, until April 2030. ICS still includes four older OpenSSL versions, which will slowly disappear as they reach end of life, about one every six months.

21 - The OverbyteIcsDefs.inc file included in most ICS units has several new defines.
DEFINE OpenSSL_36 (due Oct 2025) and OpenSSL_40 (due Apr 2026).
Enabled DEFINE OpenSSL_35 for OpenSSL 3.5.
DEFINE OpenSSL_OcspStaple, should SSL server staple an OCSP response to check if server certificate is revoked. Let's Encrypt stopped adding an OCSP URL to certificates in May 2025 so only enable this if using authorities that still support OCSP, to avoid extra code being linked.
DEFINE OpenSSL_OcspChains, should SSL clients checking a certificate chain check an OCSP server to see if the certificate is revoked, only happens if the certificate has an OCSP URL, undefine to remove the extra code that does OCSP checks.
DEFINE OpenSSL_Deprecated, should OpenSSL deprecated functions be loaded, not needed for ICS but may be used by applications for encryption or signing.
DEFINE USE_IcsGeoTools used by samples with the TIcsGeoTools component to lookup countries from IP addresses, D11 and later only.

 

Changes in ICS V9.4 include:

1 - Completed the ICS Application Monitoring system added in V9.3, designed to locally and remotely monitor ICS servers and applications, and to locally restart applications on demand or if they crash. It comprises a small TIcsAppMonCli client monitoring component that is added to ICS applications, usually Windows Servers, but also client applications. This client component communicates with a TIcsAppMonSrv server component, usually running as a Windows Service on the same server so it is able to restart applications, but can also support clients on a LAN. The monitoring server has web and Websocket servers, allowing remote browsers to view the state of all applications being monitored by the server with a continually updated web page. There is also ICS Application Monitor - Remote Manager application that provides remote monitoring of multiple ICS Application Monitor servers using Json web and Websocket requests on a single screen.

2 - The SMTP client component fixes a bug introduced in V9.3 which could corrupt the Content-Transfer-Encoding header line.

3 - In TWSocket, fixed a potential problem using multiple threads where a new connection opened very quickly (ie localhost) and then stalled due to an unexpected connection state. Made DataToString Unicode compatible, only used for diagnostic dump logs.

4 - In the HTTP client, fixed a check for an overflowing buffer when receiving very long headers that could cause failure detecting headers end. Made several URL validation functions public: GetProtocolPort, IsSSLProtocol, IsKnownProtocol and IsKnownProtocolURL.

5 - When creating PKCS12/PFX certificates, change the 3DES cipher to AES256 if the legacy provider is not loaded.

6 - In the TIcsFtpMulti component, skip download of zero length file by creating an empty file, previously this got SSL handshake error. Don't report directories as being downloadable, they are not. If extended passive mode allowed, send EPSV ALL at start so firewalls and NAT routers can handle sessions more efficiently. Added CheckBadUnicode property defaults to false, so that checks for bad Unicode to Ansi conversions with ? are skipped, allowing more complex paths without errors.

7 - The FTP server FEAT request now returns EPRT and EPSV which have been supported for IPv6 for years, but were not advertised for IPv4.

8 - The OverbyteIcsSnippets sample adds two new simple REST snippets to Get/Post Parameters that send them to an ICS server, and the server echoes back those params so you can check what was actually sent.

9 - When loading the OpenSSL DLLs, no longer check they are digitally signed for Windows XP, 2003, Vista and 2008, they don't recognise SHA-256 code signing, never tested since no longer have those old versions available.

10 - The TRestParams method AddItemSO to add a SuperObject now has an Escape parameter defaulting to True, so non-ASCII characters are escaped by default.

11 - The Proxy component TProxyTarget now has a SocketFamily property so target connections can be restricted to TSocketFamily values. Added property SrvTotSess count of server session connections for logging.

12 - In the HTTP Application Web Server, fixed a memory leak with multiple virtual PUT and POST documents.

13 - The OverbyteIcsJoseTst sample 'Sign/Verify Data' tests now support hashes other than SHA-256, selected from the Key and Signing Hash Algorithm drop down list. Also, a private key matching that selection is created automatically, including X25519.

14 - There is a new unit OverbyteIcsWinUtils that contains Windows API functions, built from selected Magenta Systems libraries, with functions needed to build and control Windows Service applications, accessing the Windows registry, Windows firewall, Windows tasks, hardware, and with simple encryption for passwords. Most of these functions are used by the TIcsAppMonSrv server component and IcsAppMon sample, but should have much wider use for Windows Service server applications in particular, like allowing firewall access. It's planned to move most other Windows specific functions here for ICS V10.

15 - In the ICMP component, fixed a problem setting property PingMsg to the text to ping.

16 - In the TIcsIpStrmLog component, added method ListenStates which for logprotUdpServer and logprotTcpServer returns a multiline string listing the IP, port, SSL and state of all socket listeners. The CurSockets property now reflects actual TCP Server clients.

17 - In the TIcsMailQueue component, don't keep retrying email that is too short to send with no body or with no sender headers. Added more error handling if the SMTP component fails to build the EML spool file.

18 - In OverbyteIcsUtils, finished the cleanup of old Base64 functions by adding new IcsBase64 functions using TBytes internally to replace old Base64 functions that used AnsiChars, with no overloaded versions for simplicity. Old Base64 versions retained as deprecated for user applications, please update to the IcsBase versions. Added IcsTBytesCompare to compare two TBytes. Added IcsOutputDebugStr for Posix and Windows. Added IcsDateToAStr and IcsDateTimeToAStr with alpha month (Jan/Feb).

19 - The ICS C++ packages for C++ 10.4 and later have been updated with the correct paths for the three supported platforms, and all build and install correctly for Win32. Win64 should also build, but not Win64x Modern which needs fixes in a future release of C++ 12.

The release notes for V9.4 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.4

All ICS active samples are available as prebuilt executables, to allow ease of testing without needing to install ICS and build them all. There are four separate zip files split into clients, servers, tools and miscellaneous samples which can be downloaded from https://wiki.overbyte.eu/wiki/index.php/ICS_Samples

Changes in ICS V9.3 include:

1 - V9.3 continues the simplification of use of ICS components by consolidating many types and constants into the OverbyteIcsTypes unit, avoiding projects needing to find and add specific units before they will build. For XE2 and later, OverbyteIcsTypes and OverbyteIcsSslBase will be added automatically when components needing them are dropped on a form, or that form accessed for existing projects. One benefit of this change is removing dependence on several units for many components and applications, it should be possible to remove OverbyteIcsWinsock, OverbyteIcsLIBEAY, OverbyteIcsSSLEAY and OverbyteIcsLogger from most applications, and also other units. See https://wiki.overbyte.eu/wiki/index.php?title=Updating_projects_to_V9.3 for more information.

2 - Previously, the Windows Certificate Store was supported on Windows for all components and samples, despite it not always being required. There are three new defines {$DEFINE MSCRYPT_Clients}, {$DEFINE MSCRYPT_Servers} and {$DEFINE MSCRYPT_Tools} that determine which components can use the store, at least one must be set or applications that need the store will fail. Although these new defines all default to enabled in the OverbyteIcsDefs.inc supplied with V9.3 and later, unless this file is installed, Windows Certificate Store will be unavailable. These defines are disabled for non-Windows platforms and for C++ Builder which has bugs.

3 - Added new application independent monitoring, comprising a client component and server sample. The ICS Application Monitor TIcsAppMonCli client component is designed to report to an ICS Application Monitor server, which will ensure the main application remains running. The ICS Application Monitor server IcsAppMon.exe is designed to monitor ICS applications using the TIcsAppMonCli client component, and ensure they remain running, restarting the application if it stops or becomes non-responsive, or on demand. Primarily to keep ICS server Windows services running non-stop, but may also be used for network wide monitoring of ICS applications. Client and server both use the TIcsIpStrmLog component with a simple TCP protocol. More information at https://wiki.overbyte.eu/wiki/index.php?title=FAQ_ICS_Application_Monitoring

4 - The HTTP client components TSslHttpCli and TSslHttpRest have new RespMimeType and RespCharset response properties parsed from the Content-Type header to avoid applications needing to parse this header. Fixed a problem in V9.2 where a missing / was added to the start of the request path, but was not needed for absolute paths used for proxies.

5 - The TIcsIpStrmLog streaming log component has improvements for TCP Server mode when multiple remote clients connect. Previously the same data was sent to all remote clients (the original concept being remote logging), but now applications can send data to specific remote clients, and more easily check which remote client is receiving data. This change means TIcsIpStrmLog can be used as the core of many TCP servers with different protocols, such as the new IcsAppMon sample, see above.

6 - The TSslHttpRest component has a new way for applications to check SSL certificate chains themselves, ignoring OpenSSL bundle checks, usually for self signed private certificates, maybe checking certificate serials, names or public key. If LogSslVerMethod = logSslVerOwnEvent, a new event OnSslCertVerifyEvent is called so the application can check the chain and change the verify result appropriately.

7 - Improved the ability to customise SSL ciphers if the ICS defaults need to be changed. TSslContext and TIcsHosts have three properties, SslCipherList for TLSv12 ciphers, SslCipherList13 for TLSv13 ciphers, and SslCryptoGroups sets the cipher curve groups allowed (like P-256 or X25519). Beware old SslContexts may include group P-512 which must be corrected to P-521. SSL handshake responses now show the curve group used for OpenSSL 3.2 and later. The OverbyteIcsHttpsTst client sample may be used to test the new cipher options, and they will be read from IcsHosts INI files for servers.

8 - Added a new web server sample OverbyteIcsBasicWebServer1.dpr which is a simplified version of OverbyteIcsSslMultiWebServ ignoring configuration INI files, security features, session data, most demo pages and most logging, and settings for localhost set in code, search for IcsHosts to change IP addresses, etc. This sample should be easier to use as a basis for new web server applications. The existing samples OverbyteIcsSslMultiWebServ and OverbyteIcsDDWebService have a new index.html template page, and default to localhost 127.0.0.1 with an internal localhost SSL certificate, so should always respond to https://localhost/ without any INI file changes.

9 - Fixed an HTTP web server problem in V9.2 to avoid repeated redirection for virtual default page /, was adding /// etc.

10 - Updated OpenSSL binary and resource files to releases 3.3.2, 3.2.3 and 3.0.15, only one of which will be linked according to defines.

11 - Restored the sample OverbyteIcsConHttp.dpr which is a console example, now supports SSL by replacing THttpCli with TSslHttpRest, no longer needs any events or a message loop for a single sync request, so less code than without SSL. Now contacts https://wiki.overbyte.eu/wiki.

12 - A lot of changes have been made preparing ICS for Linux. Corrected loading OpenSSL on Posix, now loads the system supplied OpenSSL 3 DLLs on Ubuntu 22.04. The Linux package now builds correctly, but beware WSocket is not yet supported on Linux so no protocols will work. There is a new IcsPemTest FMX sample that works on Ubuntu 22.04 and which will create ICS signed SSL certificates. Note, MacOS support is disabled pending the new Posix implementation.

The release notes for V9.3 are at https://wiki.overbyte.eu/wiki/index.php/ICS_V9.3

New Resource Files

As mentioned above, ICS now includes several resource files that are linked into applications, to avoid distributing and loading separate files, these include OpenSSL DLLs, certificate authority bundles, root certificates and network information lists.

It is intended to issue new ICS releases containing the latest OpenSSL DLLs shortly after new versions are released, which is typically every three months unless serious security fixes require more frequent releases.

The OpenSSL resource files included with ICS come from the OpenSSL zip distribution files at https://wiki.overbyte.eu/wiki/index.php/ICS_Download . ICS currently includes three different versions for two platforms, only one is ever linked into applications according to DEFINES, see earlier. These RES files contain all the DLLs, which are extracted once to version specific sub-directories.

LibV30OpenSSL32.RES
LibV30OpenSSL64.RES
LibV31OpenSSL32.RES
LibV31OpenSSL64.RES
LibV32OpenSSL32.RES
LibV32OpenSSL64.RES

ICS contains three root certificate authority bundle files, the latest versions of which can be downloaded from https://www.magsys.co.uk/download/software/ca-root-bundles.zip, one of which is linked into applications according to defines. The source bundle files are located in .\ICS-OpenSSL/ICS-RootCAs\, the RES files contain the P12 files which are smaller than the PEM versions.

RootCaCertsBundle.RES {$DEFINE OpenSSL_CA_Bundle_Large}
sslRootCACertsBundle.RES {$DEFINE OpenSSL_CA_Bundle_Small}
TrustedCaBundle.RES {$DEFINE OpenSSL_CA_Bundle_Medium}

There are other smaller resource files, all built with BuildICSResFiles.cmd for which the source files are part of ICS.

ICSCerts.RES (contains ICSRootCA.pem and ICS_Intermediate_Short-bundle.pem)
ICSPortList.RES (contains ICSPortList.txt)
nmap-mac-prefixes.RES (contains nmap-mac-prefixes.txt)

More detailed release notes are at ICS V9.1 Release Notes

More information about updating projects to ICS V9.1

 

Changes in ICS V9.0 include:

1 - ICS V9 is planned as a long term support release with no new components or major features added, just bug fixes as needed, major changes will be for ICS V10. It uses OpenSSL 3.0 which is supported until September 2026 so applications should have a good life.

2 - To ease introduction to ICS and for existing users looking for new features, the samples have been re-arranged with a new ActiveDemos project group for modern compilers only, that includes about 50 sample projects that between them illustrate and test all the components that make up ICS. All these samples are also available pre-compiled from the wiki pages so they can be easily tested without needing to build them. There is also a new sample OverbyteIcsSnippets that contains small samples of code for HTTP REST, upload and download, WebSockets, FTP, simple sockets and send email. The unit includes several almost self contained methods each implementing a single function, which are hopefully easier to follow than the normal samples used to develop ICS and are heavily documented to try and explain usage.

3 - For OAuth2 authentication, TRestOAuth now supports both embedded and standard browsers, the embedded browser gives a better user experience with the window closing automatically once authentication is complete and not needing a local web server. Beware it may not be supported by Windows or end points. Launching a web page into the standard browser may replace a page being viewed, there may be firewall or other problems connecting to the localhost web server and the browser window remains open upon completion. So the end user should ideally be given a choice of which browser to use. There is a new TOAuthBrowser component and TOAuthLoginForm window that uses TEdgeBrowser (Delphi 10.4 and later) or TWebBrowser (no longer supported by Google) to display the login web pages. The LoginHint property is displayed in the login window and copied to the clipboard so it may be pasted into the login account field. Any applications using OAuth2 and requiring the embedded browser will need updating to add TOAuthBrowser. Only available for Delphi 2007 and later. The embedded browser can be tested with the sample OverbyteIcsHttpRestTst.

4 - Added new WebSocket client and server components. WebSocket is a full duplex TCP protocol for web servers to support interactive web pages, typically dynamic updating such as chat sessions, spell checkers as you type, search hints, etc, using ws:// or wss:// URLs. The client is TSslWebSocketCli which descends from TSslHttpRest with new methods to connect, send text, bytes, a binary stream or pings, and events for new connections, received or sent frames. The WebSocket server uses the ICS web server with a new class THttpWSSrvConn which overrides THttpAppSrvConnection and provides the same WebSocket methods and events as the client, it's a duplex protocol so client and server can send data. The WebSocket client is tested with the sample OverbyteIcsHttpRestTst and the server with the sample OverbyteIcsSslMultiWebServ which has Echo, EchoPing and Chat demonstration URLs.

5 - Added new MQTT protocol client and server components. MQ Telemetry Transport is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service. The MQTT protocol defines two types of network entities: a message broker and a number of clients. An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients. An MQTT client is any device (from a micro controller up to a fully-fledged server) that runs an MQTT library and connects to an MQTT broker over a network. TIcsMQTTServer and TIcsMQTTClient handle the MQTT protocol, tested by sample OverbyteIcsMQTTst which has both client and server.

6 - Made many improvements to the TDnsQuery component, to make it easier to use in other components and applications, adding synchronous methods and support for trying lists of DNS servers where one or more don't respond. It is also easier to access the arrays of different DNS answers. Added AAAALookup method for IPv6, similar to ALookup, sets array of IPv6 addresses. Allow lookup using multiple DNS servers if one or more fail, from a supplied list or internal public server list including Google, Cloudflare, OpenDNS and others, only works with the new sync methods. Added OnLogEvent primarily for debugging multiple requests and servers, may mostly be ignored.

7 - Added new components TIcsDomainNameCache and TIcsDomNameCacheHttps designed to simplify forward domain name and reverse IP address lookup in applications, to avoid needing use of TWSocket or TDnsQuery components often several to support parallel lookups. There are synchronous methods that wait until a response is received and asynchronous methods that return immediately with an event called when the response is available. Lookups may be performed using winsock so results come from the operating system cache, using the TDnsQuery component to make requests to specific servers or public DNS servers, or using DNS over HTTPS for secure lookups. Up to 100 parallel lookups are supported although defaults to five, with waiting lookups queued and performed first in, first out. TIcsDomainNameCache is mainly for use with diagnostic components but also for servers logging remote access. Used in the OverbyteIcsNetTools, OverbyteIcsNetMon, OverbyteIcsBatchDnsLookup, OverbyteIcsDDWebService and OverbyteIcsSslMultiWebServ sample applications. Could potentially be used in other high level applications to avoid using the operating system DNS cache.

8 - ICS servers and clients can now use SSL/TLS certificates from the Windows Store instead of PEM and PFX disk files, with some limitations. ICS has long been able to read certificates from the Windows Store, but reading some private keys failed due to Windows API issues, for which a workaround has now been implemented so LoadFromStore is now able to read EC keys as well as RSA. TMsX509List allows all certificates and private keys in a store to be loaded, with the new FindBest method finding a certificate matching a search string, checking common name, part friendly name or any alternate domain name, selecting the one with the latest expiry if more than one. If the certificate name is a wildcard (*), this will be matched with any first node. For clients, this is illustrated in the sample OverbyteIcsHttpRestTst to select a client certificate; for servers, IcsHosts has a new property SslLoadSource which can be set to CertWinStoreUser or CertWinStoreMachine, with the former causing the store to be searched for the host name. Note the application will need administrator rights to load certificates from the Local Machine store, it will also not read keys from external hardware devices, and probably not in Trusted Platform Modules either. The sample OverbyteIcsPemTool can be used to view, select and extract certificates from the Windows Store.

9 - There are a lot of general stability improvements in various low level components, protecting inherited class destroy methods from exceptions at higher levels to avoid memory leaks, such as closing a socket left open before destroy, particularly with Win64 applications. Generally free objects instead of destroying them. IcsX509VerifyErrorToStr now checks OpenSSL is loaded to avoid an exception when it's called. If neither OpenSSL DLL can be found, report both names instead of just oldest. Ensure OpenSSL is loaded before using hash functions.

10 - For ICS servers, increased the default IcsHosts security level to sslSrvSecHigh for TLS/1.2 minimum, with certificate key size 2,049 bits and SHA-256 digest. Added CliCertMethod to IcsHosts to allow specific hosts to request a client SSL/TLS certificate rather than all hosts.

11 - HTTP clients have a number of improvements. Some servers allow the GET and DELETE requests to have content similarly to PUT so allow this if new Options httpoGetContent is specified. Beware to set SendStream to nil if no content is intended. Try to prevent the header and content from being sent as separate TCP packets which may confuse some middleware. Always check if SendStream exists before accessing it. Added OnSyncRequestWait event called while waiting for sync operations to finish, so it can be stopped before timeout expires. Improved EHttpException messages with more detail. In TSslHttpRest, when a client certificate is requested, check it has a private key and log some information about it, better logging if no certificate. The sample OverbyteIcsHttpRestTst has a new Client SSL Certificate drop down box with options to load the certificate from a PEM/PFX file, or from the Windows Current User Store or Windows Local Machine Store (admin rights needed). A real application could offer a selection of which certificate to use as browsers do. Added ics-client-test.pem as default Client SSL Certificate, for testing against ICS servers.

12 - FTP clients have a number of improvements. Added NoopAsync method sends NOOP no operation command to try and keep the control connection alive during long transfers, note there is no sync version and the response is ignored (but logged). Beware some older FTP servers may treat NOOP as illegal and fail the transfer (including ICS FTP server V8.70 and earlier). NOOP is sent by TIcsHttpMulti defaulting to 10 minutes. Without this change, FTP transfers to some public servers are failing after two or more hours due to the control connection having been closed by a router or firewall somewhere for inactivity, now tested OK with 50GB uploads (VM images). Added UTF8_ON and UTF8_ONAsync commands as an alternate to using Opts command with an argument. Increased sync timeout to 30 seconds and make sure reset with Progress more often so requests don't timeout. Fixed unicode compiler bug parsing Cmlsd/XCmlsd command response. Don't compress iso, pdf, vhd, vhdx files by default. Disable MD5/CRC32 by default, connections are now reliable and they are slow.

13 - The FTP server has a fix to allow the NOOP keep-alive command to be sent while a file transfer command is being processed without causing it to fail. Added exception handling generating directory listings due to strange directory inputs by hackers causing a problem. Give msgNoPortPsv response if PORT, EPRT, EPSV or PASSIVE command has not been sent when a directory command requiring a data channel is received.

14 - When ordering SSL/TLS certificates from Let's Encrypt, the local web server can now listen on both IPv4 and IPv6 addresses for domains with both. Removed OAuth2 authentication code from the component and get the tokens using an event. Simplified checking DNS challenges with the new TDnsQuery sync methods. Added MsCertLoc property to specify which Windows Certificate Store to save certificates if OutFmtWinStore is specified.

15 - When sending SMTP HTML emails, the EMailImages property may be used to add streams as well as files, instead of ImageStream and StreamArray which never worked properly. Use EMailImages.AddObject(filename, TStream) where file name will be used instead of opening the file (the file need not exist).

16 - The proxy server component has a new OnSrvSslHandshakeDone event called when a new client connects to the proxy server, allowing the application to check for a client certificate and abort the connection, needs CliCertMethod to be set in IcsHosts to sslCliCertRequire or sslCliCertOption, so a client certificate is requested. Fixed auto certificate ordering reading well-known file on unicode compilers.

17 - OverbyteIcsWSocket includes various new utility functions. WSocketSockAddrToStr converts TSockAddrIn6 with IPv4 or IPv6 address to a string, WSocketIPAddrToSocAddr converts a string IPv4 or IPv6 address into TSockAddrIn6, WSocketFamilyToAF to find family for Windows APIs from TSocketFamily, WSocketIPv6Same to compare two TIcsIPv6Address. Added an overloaded ReceiveTB that returns a TByte instead of the received size, it also no longer fails if the buffer is not initialised.

18 - OverbyteIcsUtils corrects RFC3339_DateToStr to add colon to time zone, RFC3339 requires +00:00, ISO also accepts +0000. Added StringToUtf8TB to convert string to TBytes, IcsTextOnStart case insensitive text at start of line, and IcsTBytesToString to convert TBytes to unicode string. IcsWcToMb and IcsMbToWc now use cross platform RTL functions instead of OverbyteIcsIconv and USE_ICONV which have been removed. IcsIconvNameFromCodePage is now POSIX instead of USE_ICONV.

19 - Added ICS Internet Packet Monitoring Components which display internet packets using raw sockets or Npcap NDIS driver, similarly to Wireshark. They are based on Magenta Systems Internet Packet Monitoring Components but updated with IPv6 and new filtering by protocol and IP address to restrict the amount of data being captured. TIcsMonSocket in OverbyteIcsMonSock provides internet packet monitoring using raw sockets. TIcsMonPcap in OverbyteIcsMonPcap provides internet monitoring using the Npcap NDIS driver. The class TIcsMonFilterClass filters captured packets. There is a new sample OverbyteIcsNetMon that is a simplified Wireshark, displaying captured packets or just totaling traffic. Packets may be captured to a textual log for easy saving or to a grid for improved display including examining each packet separately. Filters include all local IPs including broadcast and multicast, or specific protocols or services, in all cases either accepting or rejecting packets according to the filter settings, dynamically during capture. This makes it easy to ignore a lot of local LAN traffic from appliances that can obscure higher level traffic.

20 - Added Internet Protocol Helper Component for Windows, updated from the Magenta Systems units with full IPv6 support and new components. TIcsIpChanges in OverbyteIcsIpHlpApi monitors IP address changes and calls an event for new IPs configured or old ones removed, useful for servers where the listening address suddenly disappears. TIcsNeighbDevices in OverbyteIcsIpHlpApi builds a historic LAN MAC device and IPv4 and IPv6 address table using ARP, neighbourhood and IP range scanning with reverse host lookup. Both are tested with sample OverbyteIcsNetTools. There are many new IpHlp functions including IpHlpAdaptersInfo, IpHlpNetworkParams, IpHlpConnsTable, IpHlpTCPStatistics, IpHlpIfTable2, IpHlpAdaptersAddr, IpHlpIpAddrTable, IpHlpIpNeighbTable, IpHlpIPForwardTable, IpHlpGetRouteProtocol and IpHlpIpPathTable, all of which return various Windows networking tables and information that is useful for diagnosing network problems, all illustrated by the sample OverbyteIcsNetTools. For completeness, the sample also includes other ICS components, for Whois, NsLook, Ping and Trace Route. Other new functions include IpHlpGetDnsServers to get a list of DNS servers for this PC, IcsGetMacVendor which uses the Organizationally Unique Network Interface Identifier nmap-mac-prefixes.txt file to get the MAC adaptor vendor, very useful for identifying strange IoT devices on a LAN.

21 - Updated the OpenSSL DLLs included with ICS to 1.1.1v and 3.1.2. Updated all the certificate root stores. Also supports 3.0.10 which can be downloaded from the wiki pages.

22 - Added two new FMX samples, IcsHttpRestTstFmx and IcsSslMultiWebServ, converted from the VCL versions, rather messy since no proper TRadioGroup in FMX so changed to TListBox without a caption, TListView exists in FMX but without columns so they become TStringGrid, TGrid would be better except it uses virtual data (which the help fails to mention) which needs a lot of rewriting. A few more FMX samples using new ICS components will be added for the next release.

Detailed V9.5 Release Notes
Detailed V9.4 Release Notes
Detailed V9.3 Release Notes
Detailed V9.2 Release Notes
Detailed V9.1 Release Notes
Detailed V9.0 Release Notes
Detailed V8.70 Release Notes
Detailed V8.69 Release Notes
Detailed V8.68 Release Notes
Detailed V8.67 Release Notes
Detailed V8.66 Release Notes
Detailed V8.65 Release Notes
Detailed V8.64 Release Notes
Detailed V8.63 Release Notes
Detailed V8.62 Release Notes
Detailed V8.61 Release Notes
Detailed V8.60 Release Notes
Detailed V8.58 Release Notes
Detailed V8.50 Release Notes


Now part of ICS V8.60 and later, as TIcsMailQueue

Magenta Systems Mail Queue Component
Version 2.5 - 26 Nov 2018 (2,414,770 bytes)

Magenta Systems Mail Queue Component has two main benefits over a simple TSslSmtpCli component: it supports extended retries over many hours or days, and supports multiple SMTP relay servers or looks-up MX servers, while alleviating the need for the application to handle retries. The component also allows HTML mail to be sent using SSL, something THtmlSmtpCli does not currently support. Mail is queued to disk, so retries will continue if the application is restarted.

TMagMailQueue is designed to prepare, queue and send email. Preparing the email is done using the ICS THtmlSmtpCli component so it may be plain text or HTML email with one or more file attachments.

Once the mail properties in QuHtmlSmtp have been specified, it is queued using the QueueMail method which saves it to an EML spool file.

The component runs a thread which checks the queue for new EML spool files, and attempts to forward them to one or more SMTP Mail Servers using TSslSmtpCli, optionally with SSL. If mail delivery succeeds, the spool file may be deleted or moved to an archive folder. If mail delivery fails, the spool file remains in the queue and further attempts are made separated by the times in minutes listed in the RetryList list. If all delivery attempts fail, the spool file may be deleted or moved to a badmail folder.

Note that some email servers support grey listing and reject the first email attempt from a new sender but allow a retry 10 or 15 minutes later, something that is very effective in blocking spam emails (since they don't usually retry).

If multiple mail servers are specified, delivery is attempted once using each server, for each retry attempt. Each mail server is specified as TMailServer and there is no limit to the total.

Each time the queue is updated or a delivery attempt made, the queue is saved to file in the control folder, so the component may be stopped and restarted with failed attempts continuing.

The EML spool files are compatible with those created by many Microsoft email applications such as CDO, and the AddtoQueue method can also be used to queue existing EML files with the queue details specified in MailQuItem.

Note, this component is intended for sending low volume email from individual Delphi applications, with more flexibility than a simple TSslSmtpCli component. For use as a heavy duty SMTP server, queue processing could be improved to avoid moving records around as much or saving them to disk as often, and mail bodies could be read as required from disk instead of being read entirely to memory first.  A mail pickup folder could be added which is scanned for new EML files.

Files and Folders Used

The TMagMailQueue component heavily uses disk files, in different sub-directories within the mail root directory specified in property MailQuDir, these are:

  • control - contains MailQuItems.Ctl a single row file with the next message item number, and MailQuItems.Hdr which is a CSV file containing one row for each mail item still in the queue.
  • spool - contains any queued email files, named in the format item00000001.eml with the number increasing, taken from MailQuItems.Ctl
  • archive - if ArchiveSent property is true, once an email has been successfully sent it is moved into the archive directory
  • badmail - if DeleteFailed property is false, once an email has exceeded all the retry attempts it is moved into the badmail directory, from where it may be manually requeued if necessary

If logging of sent email is specified, the default file name FileQuSent property is MailQuSent-yyyymmdd.log in CSV format similar to MailQuItems.Hdr.
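The delivery loop and folder disposition described above, as an added Python model (not Magenta Systems or ICS code, which is Delphi). Assumptions: the first attempt is made at minute 0, SMTP reply 552 ends all attempts for the item (per the 1.3 release note below), and the server stand-ins, their names and the 421/451 reply codes are constructed.

```python
"""Model of the TMagMailQueue delivery loop as this page describes it.
Added illustration only: not Magenta Systems or ICS code."""
from dataclasses import dataclass, field

NO_RETRY_CODES = {552}  # release note 1.3: mail too large for the server is not retried


@dataclass
class QueueItem:
    number: int                    # item number, taken from MailQuItems.Ctl
    location: str = "spool"        # spool | archive | badmail | deleted
    last_response: str = ""        # the queue keeps the last response or error
    history: list = field(default_factory=list)  # (minute, server, reply code)

    @property
    def spool_name(self) -> str:
        return "item%08d.eml" % self.number


def attempt_minutes(retry_list):
    """Assumption: first attempt at minute 0, later ones separated by RetryList gaps."""
    minutes, now = [0], 0
    for gap in retry_list:
        now += gap
        minutes.append(now)
    return minutes


def greylisting_server(delay_minutes):
    """Constructed stand-in: 451 until delay_minutes after first contact, then 250."""
    first_seen = []

    def send(minute):
        if not first_seen:
            first_seen.append(minute)
        return 250 if minute - first_seen[0] >= delay_minutes else 451
    return send


def fixed_server(code):
    """Constructed stand-in that always answers with the same reply code."""
    return lambda minute: code


def process(item, servers, retry_list, archive_sent=True, delete_failed=False):
    """Try every server once per attempt, then file the item as sent or failed."""
    for minute in attempt_minutes(retry_list):
        for name, send in servers:
            code = send(minute)
            item.history.append((minute, name, code))
            item.last_response = "%s replied %d" % (name, code)
            if 200 <= code < 300:
                # Sent: moved to archive if ArchiveSent, otherwise deleted
                item.location = "archive" if archive_sent else "deleted"
                return item
            if code in NO_RETRY_CODES:
                # Permanent failure: give up without using the remaining retries
                item.location = "deleted" if delete_failed else "badmail"
                return item
    # All retries used: deleted if DeleteFailed, otherwise kept in badmail
    item.location = "deleted" if delete_failed else "badmail"
    return item


def demo():
    retry_list = [5, 10, 30, 60]   # constructed RetryList, minutes between attempts
    greylisted = process(
        QueueItem(1),
        [("relay-a", fixed_server(421)), ("relay-b", greylisting_server(15))],
        retry_list)
    too_large = process(QueueItem(2), [("relay-a", fixed_server(552))], retry_list)
    unreachable = process(QueueItem(3), [("relay-a", fixed_server(421))],
                          retry_list, delete_failed=True)
    return greylisted, too_large, unreachable


if __name__ == "__main__":
    for item in demo():
        print(item.spool_name, item.location, len(item.history), item.last_response)
```

The grey-listed item is delivered on the third attempt, which is why a RetryList whose early gaps add up to less than the grey-listing delay only costs extra rejected attempts.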

A demo application mailqudemo.exe illustrates simple email queuing.  The zip contains the EXE demo and required SSL files.

Release Notes

18th January 2011 - 1.0 - first public release. Not yet tested with Delphi 2009 or later.

2nd March 2011 - 1.2 - automatically create mailqueue directory in demo application, removed missing uses statement. Support queuing mail with OwnHeaders bypassing htmlmail. Log event definition changed.

11th August 2011 - 1.2 - updates subroutines for Win64 support, removed one unneeded unit from uses.

5th Oct 2011 - 1.3 - Debug logging works properly. Don't retry emails that fail too large for server (error 552)

11th Sept 2012 - 1.4 - ICS V8, IPv6

23rd March 2013 - 1.5 - Added Mail Server SocketFamily and LocalAddr6 for IPv6

10th Dec 2014 - 1.6 - Better SSL handshake reporting

27th Oct 2015 - 2.0 - requires ICS V8.19 October 2015 or later.
Check and report SSL certificates using PEM file or Windows Cert Store
Allow three SMTP servers to be specified for each email in queue
Lookup DNS MX records and send to those SMTP servers
Queue keeps last response or error in queue
Mail completed log (same CSV format as queue)
Queue changed event to tell client something is happening
QueueMail method now returns item number (not boolean)
New UnQueueMail method to remove item number from queue
Demo save settings in INI file
Demo new View Mail Queue window to see what's waiting
Added SMTP Send Method, relay, specific or lookup MX mail servers
Added HELO Sending Host Name may be needed if using MX mail servers

Warning - if using MX DNS servers and multiple recipients, need to queue mail multiple times !!!! This will be fixed real soon.

7th July 2016 - 2.1 - requires ICS V8.30 July 2016 or later.
Support SSL enhancements in ICS for OpenSSL 1.1.0
Don't change SSL directory, let application control it
Use default SSL root bundle if none specified

1st December 2016 - 2.2 - requires ICS V8.39 November 2016 or later.
Better error handling.
Use OpenSSL host checking.
Fixed bug that meant failed email was not deleted from queue.
Don't queue email without recipients.
Use timer to update windows to avoid problems with mass email performance.

6th March 2017 - 2.3 - requires ICS V8.43 March 2017 or later.
Simplified SSL certificate reporting.

11 Mar 2017 - 2.4 - Added WaitSend to wait until everything sent.

22nd Jun 2018 - 2.5 - requires ICS V8.55 20 June 2018 or later.
Added RetryWithoutSsl which retries an SSL failure without SSL.
Added SslCliSecurity to set client security level.
Using IcsWndControl for threaded message handling.
SendSmtpClient is now created new for each attempt in case of a prior failure causing terminal corruption.
If SSL certificate verify fails, next attempt is another server.
Supports TLSv1.3 with OpenSSL 1.1.1.

26th November 2018 - 2.5 - tested with ICS 8.58
Added final OpenSSL 1.1.1a DLLs, recompiled.

Now part of ICS V8.60 and later. 


Now part of ICS V8.60 and later, as TIcsIpStrmLog

Magenta Systems IP Log Streaming Component
Version 2.8 - 14 Dec 2018 (4,156,649 bytes)

TMagIpLog is designed for IP stream logging, using TCP Client, TCP Server, UDP Client or UDP Server protocols, sending simple text lines across a network so they may be displayed or written to disk remotely. The component allows two way communication with TCP and UDP, so may also be used for simple protocols such as communication between two applications. The component supports multiple client sockets so may be used to send data to two or more different remote servers at the same time.

For TCP and UDP clients, the component will optionally ping the remote computer first before opening an IP connection to allow faster failure retries and some confirmation that UDP may work. TCP client provides repeated connection retry attempts, including re-establishing a lost connection. UDP client will optionally keep pinging the remote during a connection to ensure it's still there. UDP server sends data to the IP address and port from which it last received data. TCP server supports multiple remote clients connecting. Received data is parsed for various line endings optionally removing control characters and triggering an event for a received line. The only other two events are optional, one for state changed when starting and stopping, the second offering progress information and errors.

The component supports both IPv4 and IPv6, host name lookup for TCP and UDP Client, and SSL connections for TCP Client and TCP Server, including remote server certificate checking using either a local PEM bundle root file or the Windows Certificate Store.

A demo application testiplog.exe illustrates use of TMagIpLog as a TCP or UDP client or server, and both in the same program sending data locally. The same component may be used in a client or server application, to send or receive.

The Magenta Systems ComCap application may also be used to capture IP streams to files or a database.

Using TMagIpLog:

1 - Drop the component onto a form (or create it in code, see testiplog.exe).

2 - Specify LogProtocol as one of logprotUdpClient, logprotUdpServer, logprotTcpServer, logprotTcpClient.

3 - For client protocols, specify RemoteHost (name or IP address) and RemoteIpPort, set CheckPing to true if ping is to be used, RetryAttempts to non-zero if continual retries are not needed, and RetryWaitSecs for the delay between retries.

4 - For server protocols, LocalIpAddress is 0.0.0.0 to listen on all local addresses, LocalIpPort must be non-zero.

5 - For sending data, set AddCRLF to false if lines already have terminating characters, UdpNoCRLF to false if UDP should send CRLF.

6 - For receiving data, set LineEndType to one of lineendCR, lineendLF, lineendCustom (set in hex in CustomLineEnd) or lineendPacket (for UDP), then MaxLineLen if a line should be returned before lineend is found. Normally non-ASCII characters are removed; set StripControls to false if they should be replaced by spaces, or RawData to true if CR, LF, FF and control characters should not be removed.

7 - Assign onLogRecvEvent if data is to be received, onLogChangeEvent if tracking of start and stop is needed, onLogProgEvent if progress information is needed for logging.

8 - Call StartLogging. The LogChangeEvent and LogProgEvent will trigger when LogState changes to logstateOK when data may be sent.

9 - To send a line, if function GetAnyStateOK is true, call SendLogLine. MaxSendBuffer specifies the amount of data that can be buffered otherwise SendLogLine will fail.

10 - Received data will trigger LogRecvEvent once per line.

11 - Call StopLogging to stop. Buffered data may continue to be sent after close, keep calling CheckStopped until true when it's really finished and component may be destroyed.

12 - To send an unlimited size stream, create a stream in the application with TBufferedFileStream or TFileStream, and pass it to SendStream.  LogState changes to logstateOKStream while it's being sent, then back to logstateOK as it finishes, the application should then free the stream.

13 - There is no specific handling for receiving a stream, textual data will be handled according to the normal line end properties, and can be saved to another stream in LogRecvEvent. Binary data is more problematic, set RawData to true and MaxLineLen to get a buffer load at a time, but the last buffer load will need to be extracted with GetPartialLine using a timeout, this is called automatically when the connection is closed.

14 - To send to multiple clients, set MaxSockets to the number needed, then use the function SetRemotes to specify the remote host and port for each socket number, base 0. The events all return Socnr to indicate which socket. MaxSockets also specifies how many remote clients can connect to TCP Server, but note that Socnr is dynamic and changes as remote clients come and go.

15 - To support SSL on TCP/IP client or server, drop a TSslContext component on the form, assign it to the LogSslContext property and set the ForceSsl property to true. For better performance, set LogSslSessCache to a TSslAvlSessionCache component.

16 - For SSL TCP Server, the SslContext component must have the SslCertFile and SslPrivKeyFile properties set to the file names of an SSL certificate and Private Key PEM files respectively, and SslCipherList set to sCipherMozillaSrvBack for strong but backward compatible cipher support. The component includes sample self signed certificate and password files iplog-cert.pem and iplog-prvkey.pem, and you can create your own with the ICS SSL sample application Pemtool, or buy commercial PEM certificates.

17 - For SSL TCP Client, the SslContext component must have the SslCAFile property set to the file name of a PEM root certification authority file containing trusted root certificates. Such a file, RootCaCertsBundle.pem, is supplied with the component and contains various root certificates covering most major registries. SslContext SslCipherList can be left as the default to allow connection to any server. The LogSslVerMethod property can be logSslVerNone to skip certificate verification, logSslVerBundle to check using the CA bundle file or logSslVerWinStore to check using the Windows certificate store (a little slower, but maybe more certificates). To check if certificates have been revoked, set LogSslRevocation to true; beware this needs public internet access and can be very slow or fail. LogSslReportChain set to true reports certificate details checked.
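
The receive-side line handling described in steps 6, 10 and 13, sketched as an added Python model (not code from TMagIpLog or ICS). The LineFramer class and its parameter names are hypothetical, and treating every byte outside printable ASCII as a control character is an assumed reading of StripControls and RawData.

```python
class LineFramer:
    """Illustrative model of line framing on received bytes (not TMagIpLog code)."""

    def __init__(self, line_end=b"\n", max_line_len=0,
                 strip_controls=True, raw_data=False):
        self.line_end = line_end              # cf. LineEndType / CustomLineEnd
        self.max_line_len = max_line_len      # cf. MaxLineLen, 0 = no early return
        self.strip_controls = strip_controls  # cf. StripControls
        self.raw_data = raw_data              # cf. RawData
        self._buf = bytearray()

    def _clean(self, chunk):
        # Assumption: "control" means any byte outside printable ASCII 0x20..0x7E.
        if self.raw_data:
            return bytes(chunk)
        if self.strip_controls:
            return bytes(b for b in chunk if 0x20 <= b < 0x7F)
        return bytes(b if 0x20 <= b < 0x7F else 0x20 for b in chunk)

    def feed(self, data):
        """Buffer received bytes and return the lines that are now complete."""
        self._buf += data
        lines = []
        while True:
            idx = self._buf.find(self.line_end)
            limit = self.max_line_len
            if idx >= 0 and (not limit or idx <= limit):
                end = idx + len(self.line_end)
                # Raw mode keeps the terminator, otherwise it is dropped.
                chunk = self._buf[:end] if self.raw_data else self._buf[:idx]
                del self._buf[:end]
            elif limit and len(self._buf) >= limit:
                # No line end within the limit: return a full buffer load early.
                chunk = self._buf[:limit]
                del self._buf[:limit]
            else:
                break
            lines.append(self._clean(chunk))
        return lines

    def pending(self):
        """Number of bytes buffered while waiting for a line end."""
        return len(self._buf)

    def get_partial_line(self):
        """Flush the unterminated remainder, as on close (cf. GetPartialLine)."""
        chunk, self._buf = self._buf, bytearray()
        return self._clean(chunk)
```

With max_line_len left at 0, a peer that never sends the line end makes the buffer grow without limit, which is the case MaxLineLen bounds.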

Release Notes

18th August 2007 - 1.1 - using OverbyteIcsFtpSrvT instead of OverbyteIcsLibrary, UDP receive packets may be from multiple hosts, always keep IP.

5th August 2008 - 1.2 - made compatible with ICS V7 and Delphi 2009. Note only supports ANSI with Delphi 2009.

20th August 2009 - 1.3 - fixed problem with MaxSockets being reported as closed in the event when only one was open, tested with Delphi 2010.

9th August 2010 - 1.4 - removed cast warnings with Delphi 2009 and later

22nd Sept 2011 - 1.5 - added SndBufSize and RcvBufSize to increase buffer sizes and speed

11th Sept 2012 - 1.6 - better error for too many clients with server, added CurSockets property for current number of server sockets

7th July 2014 - 2.0 - now only ICS 8 and later, using new ICS ping. 
Added IPv6 and SSL support, including server certificate checking.
Added host name support for UDP and TCP client with DNS lookup.
Added LogProtocols suffixed 6 for IPv6.
Cleaned up some progress messages, identify error progress events.
Removed line length limit of 1024 that was not checked.
Added send a stream of unlimited length.
Get buffered partial received line during close.
Default line end is LF instead of CR so UNIX files are processed.

13th July 2015 - 2.2 - requires ICS V8.18 June 2015 or later.
Added better SSL handshake error reporting.
Added lineendCRLF, only support FF as lineend if using CR.
Added Debug Info button for ICS info level logging.
Added SSL Server DH Params, set ECDHCurves, both for ECDH ciphers.
Note OpenSSL no longer support dhparam512, minimum is 768 bits.

23rd Oct 2015 - 2.3 - requires ICS V8.19 October 2015 or later.
Better SSL client and server certificate reporting.

8th July 2016 - 2.4 - requires ICS V8.30 July 2016 or later.
Fixed certificate reporting typo.
Removed TBufferedFileStream, not needed.
Added SrvTimeoutSecs to close idle server sessions, note needs ICS V8.30 or later to fix an SSL bug that stopped SrvTimeoutSecs working.
Added Socket property to get current socket, mainly for statistics
Report session length and data xmit/recv before closing

23rd Nov 2016 - 2.5 - requires ICS V8.39 November 2016 or later.
Added GetSendWaiting to check how many bytes of send data not yet sent.
Increased default MaxSendBuffer size to 64K.
Added property TotRecvData total data received since connection, or when method ResetRecvData was called.
Added property MaxRecvData which causes onLogRecvEvent to be called when that length has been received. May be used for fixed length binary packets or where received data contains a content length such as a HTTP response header followed by binary data.
Server takes exclusive access of addr/port.
Fixed bug with multiple clients not using correct port.
Added SSL Server Name Indication support.
Check multiple client SSL host names correctly.
Removed USE_SSL so SSL is always supported.
Removed TX509Ex now using TX509Base.
Using OpenSSL certificate verification host checking.
Server now supports LogSslReportChain to report server certificates, checks expired and reports chain.

7th March 2017 - 2.6 - requires ICS V8.43 March 2017 or later.
Set IcsLogger for context so it logs more stuff.
Simplified reporting SSL certs in client handshake.
Improved validation of server certificates.
Use threaded DNS lookup.

22nd June 2018 - 2.7 - requires ICS V8.55 20 June 2018 or later.
Support TLSv1.3, no real changes.
Don't start SSL handshake twice.
Cleaned up SSL error handling.
Added SslCliSecurity to set client security.

14th December 2018 - 2.8 - tested with ICS 8.58
Added final OpenSSL 1.1.1a DLLs, recompiled.
Removed madexcept.

Pending major changes to use IcsHosts in 3.0.

Now part of ICS V8.60 and later.  Uses IcsHosts.


Now part of ICS V8.60 and later, as TIcsWhoisCli with a new sample application

Whois Component and Demo
Version 1.0 - 2 Nov 2005 (254,079 bytes)

A Whois component and demonstration application.  Whois is a protocol to query a remote server for information about a domain name or an IP address, and return textual information about the 'owner' of the name or address.  The demo application interprets the result and will perform a secondary query to another Whois server if necessary.


Now part of ICS V8.60, as TIcsTimeClient and TIcsTimeServer with a new sample application

SNTP Time Server and Client Components
Version 1.0 - 9 Mar 2006 (11,405 bytes)

TTimeServ is an updated version of Nathan Anderson's time server component adding SNTP support.  TWSTimeClient is an updated version of Chris Barber's time client component adding SNTP support and functions to change the PC UTC time.  SNTP provides time correction with fractional seconds, unlike the earlier Time protocol that is round seconds only.


Magenta Systems Ltd, 9 Vincent Road, Croydon CR0 6ED, United Kingdom
Phone 020 8656 3636, International Phone +44 20 8656 3636
https://www.magsys.co.uk/
Copyright © 2025 Magenta Systems Ltd, England. All Rights Reserved.