<pre style='margin:0'>
Renee Otten (reneeotten) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/9408e63e2cce6ea52ccde95e9cb5826871e9bc48">https://github.com/macports/macports-ports/commit/9408e63e2cce6ea52ccde95e9cb5826871e9bc48</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 9408e63e2cc privoxy: Add HTTPS inspection notes
</span>9408e63e2cc is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 9408e63e2cce6ea52ccde95e9cb5826871e9bc48
</span>Author: Steven Thomas Smith <s.t.smith@ieee.org>
AuthorDate: Thu Oct 28 07:44:27 2021 -0400
<span style='display:block; white-space:pre;color:#404040;'> privoxy: Add HTTPS inspection notes
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> * Add HTTPS inspection notes
</span><span style='display:block; white-space:pre;color:#404040;'> * Use EC private keys
</span>---
www/privoxy/Portfile | 54 +++++++++++++++++++++++++++++++++++++++++--
www/privoxy/files/openssl.cnf | 7 +++++-
2 files changed, 58 insertions(+), 3 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/www/privoxy/Portfile b/www/privoxy/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index ebdbe3610fb..dc19187f414 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/www/privoxy/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/www/privoxy/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -285,8 +285,15 @@ variant https_inspection \
</span> echo 1000 > serial
# CA encrypted key
<span style='display:block; white-space:pre;background:#ffe0e0;'>- openssl genrsa -aes256 -out private/ca.key.pem \\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -passout file:private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # EC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl genpkey -out private/ca.key.pem -algorithm EC \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -pkeyopt ec_paramgen_curve:P-384 -aes256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -pass file:private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # RSA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # openssl genrsa -aes256 -out private/ca.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # -passout file:private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> chmod go-rw private/ca.key.pem
# CA certificate
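Review bot: `chmod go-rw private/ca.key.pem` runs only after `openssl genpkey` has already written the key, so on OpenSSL builds that do not themselves create private-key output with mode 0600 the file's initial permissions follow the umask of the shell running this post-activate step; a `umask 077` at the top of this block closes that window, and `chmod go-rwx private/ca.key.pem` would match the `go-rwx` the notes apply to `passphrase.txt`. The switch to a P-384 EC CA key presumably works with Privoxy's CA-key loading, but that depends on the TLS backend the port links and is worth confirming, since the RSA command is now only a comment and a user who hits a load failure gets no hint here; a one-line comment such as `# EC CA key: requires a Privoxy TLS backend that accepts EC keys (RSA variant below)` would help. The enclosing `variant https_inspection` body begins before this hunk and continues past it.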
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -352,6 +359,49 @@ TLS_PRIVOXY_ROOT_CA
</span> }
}
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notes "Configure HTTPS inspection by creating a local Privoxy \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+certificate authority (CA). As sudo:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp -r ${prefix}/etc/privoxy/ca.macports ca.hostname && cd ca.hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # edit openssl.cnf for your local organizationName, commonName, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sf-pwgen --algorithm memorable --count 2 --length 24 2>/dev/null \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ | paste -s -d -- '-' 1> private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod go-rwx private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # avoid passphrases with '#' as the passhrpase is set in config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # private key (EC)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl genpkey -out private/ca.key.pem -algorithm EC \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -pkeyopt ec_paramgen_curve:P-384 -aes256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -pass file:private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # private key (RSA)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # openssl genrsa -aes256 -out private/ca.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # -passout file:private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Certificate PEM, DER, and P12
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl req -config openssl.cnf -new -x509 -days 3650 -sha256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -extensions v3_ca -out certs/ca.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -key private/ca.key.pem -passin file:private/passphrase.txt -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl verify -CAfile certs/ca.cert.pem certs/ca.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl x509 -outform der -in certs/ca.cert.pem -out certs/ca.cer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl pkcs12 -export -out certs/ca.p12 -inkey private/ca.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -in certs/ca.cert.pem -passin file:private/passphrase.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passout pass:\$(head private/passphrase.txt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Install the Privoxy PKI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp -p private/ca.key.pem certs/ca.cert.pem certs/ca.cer certs/ca.p12 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/privoxy/CA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Edit ${prefix}/etc/privoxy/config and set ca-password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Import and trust the CA in Keychain Access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Keychain\\ Access.app> Import ca.cer or ca.p12 into \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the System keychain, trust for X.509.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Disable MITM for the CA on some FF configurations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Firefox.app> about:config> security.enterprise_roots.enabled> true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span> }
default_variants-append \
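Review bot: `-passout pass:\$(head private/passphrase.txt)` in the pkcs12 step puts the CA passphrase on the openssl command line, where any local user can read it via `ps` for the duration of the export; `-passout file:private/passphrase.txt` keeps it out of argv, as the `-passin` on the same command already does. The Keychain instruction then offers `ca.p12`, which carries the CA private key into the System keychain, whereas trusting the CA only needs the certificate — I would reword it to `Import ca.cer into the System keychain, trust for X.509` and mention ca.p12 only for a host that genuinely needs the key. The comment `# Disable MITM for the CA on some FF configurations` is inverted: setting `security.enterprise_roots.enabled` to true makes Firefox trust the system-keychain CA, i.e. it enables inspection in Firefox, so it should read `# Make Firefox trust the system-keychain CA (enables inspection)`. Since `ca-password` stores the passphrase in plain text in `${prefix}/etc/privoxy/config`, a reminder next to `# Edit ${prefix}/etc/privoxy/config and set ca-password` to keep that file unreadable by other users would be worth adding, and `passhrpase` in the '#' comment is a typo. The `notes` string is complete within the hunk, but the enclosing `variant https_inspection` block begins before it.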
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/www/privoxy/files/openssl.cnf b/www/privoxy/files/openssl.cnf
</span><span style='display:block; white-space:pre;color:#808080;'>index 8c1f22d1193..af1d1facb82 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/www/privoxy/files/openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/www/privoxy/files/openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -30,12 +30,17 @@
</span> # chmod go-rwx private/passphrase.txt
# CA encrypted key
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# EC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl genpkey -out private/ca.key.pem -algorithm EC \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -pkeyopt ec_paramgen_curve:P-384 -aes256 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -pass file:private/passphrase.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RSA
</span> # openssl genrsa -aes256 -out private/ca.key.pem \
# -passout file:private/passphrase.txt
# CA certificate
# openssl req -config openssl.cnf \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# -new -x509 -days 1460 -sha256 -extensions v3_ca -out certs/ca.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -new -x509 -days 3650 -sha256 -extensions v3_ca -out certs/ca.cert.pem \
</span> # -key private/ca.key.pem -passin file:private/passphrase.txt -batch
# CA certificate text verification
</pre><pre style='margin:0'>
</pre>