Beginner's problems with old hardware

wowfunhappy at gmail.com wowfunhappy at gmail.com
Fri Jul 15 21:23:51 UTC 2022 

> is it possible to provide
> some of the system packages with fresh frameworks, most important, SSL?
> I'd need that for Mail (even TenFourBird doesn't work) and a working
> browser...

So for SSL, what you want to do is set up a proxy server that can act as a "man in the middle" for your Mac's SSL traffic. This proxy will intercept the legacy SSL traffic coming from your Mac and translate it into modern HTTPS traffic before sending it to the server. Similarly, it will intercept the server's modern SSL traffic and translate it into legacy SSL traffic before sending it to your Mac. This will allow plain ol' Apple Mail to connect to modern providers (and fix an assortment of other random stuff).

There are a number of programs that can act as a MiTM proxy, but I personally use Squid. For legacy Intel Macs running e.g. Snow Leopard, I actually have an installer on https://jonathanalland.com/old-osx-projects.html that sets up everything automatically.

The only problem is that you're on PowerPC. I have never been able to get Squid working reliably on Mac PPC with the necessary features enabled. So, what you need to do instead is set up Squid on a secondary machine on your network, and use the IP address of that machine as your proxy server in System Preferences. This secondary machine could be an old PC or a Raspberry Pi.

There are a few too many variables for me to provide precise setup instructions, but you will want Squid's configuration file to look something like the below:

http_port 3128 ssl-bump generate-host-certificates=on cert=/path/to/squid.pem key=path/to/squid-key.pem

tls_outgoing_options cafile=/path/to/cacert.pem
sslcrtd_program /path/to/security_file_certgen

acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$ ^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
acl loopback_addresses ssl::server_name_regex ^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
acl apple_domains ssl::server_name_regex ess\.apple\.com$  ^sw.*\.apple\.com$ ^iphone-services\.apple\.com$
acl excluded any-of local_addresses loopback_addresses apple_domains
ssl_bump splice excluded
ssl_bump bump all

acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate 
http_access allow fetched_certificate
sslproxy_cert_error deny all

http_access allow localhost
http_access deny to_localhost
http_access allow local_addresses
http_access deny all

You can obtain Mozilla's cacert.pem from https://curl.se/docs/caextract.html.

You can generate the squid.pem and squid-key.pem certificates with something like:

openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999 -keyout squid-key.pem -out squid.pem

Afterwards, you will also need to add Squid.pem to Keychain Access on your Mac, and set its trust settings to "Always Trust" for "Secure Socket Layer (SSL)" traffic. This is what allows the proxy server to decrypt, translate, and re-encrypt your HTTPS traffic.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20220715/b14f4022/attachment.htm>

More information about the macports-users mailing list