setting up apache2 (or squid) to serve as an SSL/TLS proxy for older systems? ==> Works Great!

Wowfunhappy@gmail.com wowfunhappy at gmail.com
Fri Dec 18 22:41:26 UTC 2020


I'm delighted to hear it was useful! I really admire all of your work to keep software compatible with old systems, and it's the only reason I was able to get Squid working to begin with! The included copy of Squid came out of MacPorts, with some minor edits to make everything work nicely. I did a poor job of documenting these tweaks, but basically:

• I added --enable-ssl-crtd to configure.args in the port file
• To make Squid live in a self-contained location outside of MacPorts, I edited other configuration arguments to point to my desired location in the Library folder, and I did some further trickery with install_name_tool after compiling so it would search for libraries in the correct places.

Curl doesn't automatically respect the system's proxy settings for some reason, but it will work if you specify a proxy on the command line. You can do:

curl --proxy localhost:3128 -O https://github.com/ninja-build/ninja/archive/v1.10.2/ninja-1.10.2.tar.gz

Python is more annoying; it respects the system proxy, but ignores the system keychain, and so freaks out. This is why I excluded the domains pip uses in Squid's config file, but I don't want to get into the habit of adding exclusions for every little thing, lest it balloon out of control.

I wish I could have actually updated Apple's Security.framework on Mavericks (the OS I care most about), as has been done in the past for Leopard. But I couldn't get the Mavericks version of the damn thing to even compile properly, much less actually update the cipher suites.


On Dec 18, 2020, at 5:09 PM, Ken Cunningham <ken.cunningham.webuse at gmail.com> wrote:

> I installed your DMG version of the setup on a clean 10.6.8 machine I had sitting.
> 
> It works just great! That is exactly the kind of fix I was wondering about, and you’ve put together a great little installer.
> 
> 
> With your squid proxy running, the old original Safari browser registers as showing all current SSL capability at <https://howsmyssl.com>.
> 
> MacPorts’ port command can download software from high-security SSL sites like github without any trouble:
> 
> eg.
> 
> sudo port clean --all ninja
> sudo port -d fetch --no-mirror ninja
> 
> now works perfectly with the squid proxy enabled,
> 
> --->  Fetching distfiles for ninja
> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
> DEBUG: dropping privileges: euid changed to 503, egid changed to 501.
> DEBUG: Executing org.macports.fetch (ninja)
> --->  ninja-1.10.2.tar.gz does not exist in /opt/local/var/macports/distfiles/ninja
> --->  Attempting to fetch ninja-1.10.2.tar.gz from https://github.com/ninja-build/ninja/archive/v1.10.2
>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                 Dload  Upload   Total   Spent    Left  Speed
>  0   126    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
> 126   126  126   126    0     0     85      0  0:00:01  0:00:01 --:--:--   264
> 100  208k  100  208k    0     0    98k      0  0:00:02  0:00:02 --:--:--   98
> 
> 
> and fails as always when it is not enabled.
> 
> --->  Fetching distfiles for ninja
> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
> DEBUG: dropping privileges: euid changed to 503, egid changed to 501.
> DEBUG: Executing org.macports.fetch (ninja)
> --->  ninja-1.10.2.tar.gz does not exist in /opt/local/var/macports/distfiles/ninja
> --->  Attempting to fetch ninja-1.10.2.tar.gz from https://github.com/ninja-build/ninja/archive/v1.10.2
> 
>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                 Dload  Upload   Total   Spent    Left  Speed
>  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
> DEBUG: Fetching distfile failed: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> Error: Failed to fetch ninja: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> 
> 
> 
> I don’t 100% understand all the inner workings — I noticed that calling the old curl in /usr/bin did not work to download the same file for some reason:
> 
> $ /usr/bin/curl -O https://github.com/ninja-build/ninja/archive/v1.10.2/ninja-1.10.2.tar.gz
> 
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
> 
> 
> 
> But that is looking like minor stuff.
> 
> We’ve been struggling for a while now to provide a capable port command (and other commands) to software that will allow a current SSL to work. Looks like you’ve really hit the ball out of the park with this one.
> 
> Thanks,
> 
> Ken
> 
> 



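A minimal squid.conf for the kind of setup described above (a loopback-only TLS-terminating "SSL bump" proxy with dynamically generated host certificates, and the hosts pip talks to spliced through untouched), as an added example that is not the installer's actual configuration and was not posted by either author. It assumes Squid 4 directive names (security_file_certgen, tls-cert=, tls_outgoing_options; Squid 3.5 used ssl_crtd, cert=/key= and sslproxy_cafile), and every path under /Library/Squid is a placeholder:

```conf
# Added example squid.conf fragment; all paths below are assumptions.
# Listen on the loopback interface only: every client of this port trusts the
# proxy's CA, so nothing else on the network should be able to reach it.
http_port 127.0.0.1:3128 ssl-bump tls-cert=/Library/Squid/etc/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host leaf certificates signed by bump-ca.pem
# (this is what --enable-ssl-crtd builds).
sslcrtd_program /Library/Squid/libexec/security_file_certgen -s /Library/Squid/var/ssl_db -M 4MB

# The proxy now performs the certificate validation the old client cannot, so
# give it a current CA bundle and keep Squid's default of refusing bad upstream
# certificates (do not add "sslproxy_cert_error allow all").
tls_outgoing_options cafile=/Library/Squid/etc/cacert.pem

# Hosts whose TLS is passed through (spliced) rather than re-signed: pip trusts
# only its bundled CA list, not the system keychain, so it would reject the
# proxy-issued certificates.
acl nobump ssl::server_name .pypi.org .pythonhosted.org

acl step1 at_step SslBump1
ssl_bump peek step1          # read the SNI from the ClientHello first
ssl_bump splice nobump       # then pass the excluded hosts straight through
ssl_bump bump all            # and re-sign everything else with bump-ca.pem

http_access allow localhost
http_access deny all
```

With this in place the curl check from the thread (`curl --proxy localhost:3128 -O https://...`) exercises the bump path, and `curl --proxy localhost:3128 -v https://github.com/` should report bump-ca.pem as the issuer of the server certificate. Protect the private key in bump-ca.pem as you would any CA key: anyone who reads it can impersonate every HTTPS site to every machine that trusts it. Splicing is one way to handle clients that ignore the keychain; the alternative for pip is to hand it the CA directly with `pip --cert /Library/Squid/etc/bump-ca.pem ...`, which avoids growing the exclusion list.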