Beginner's problems with old hardware

Hangglider hangglider at gmx.de
Fri Jul 15 21:43:55 UTC 2022


On 15.07.22 23:23, wowfunhappy at gmail.com wrote:
>> is it possible to provide
>> some of the system packages with fresh frameworks, most important, SSL?
>> I'd need that for Mail (even TenFourBird doesn't work) and a working
>> browser...
>
> So for SSL, what you want to do is set up a proxy server that can act as
> a "man in the middle" for your Mac's SSL traffic. This proxy will
> intercept the legacy SSL traffic coming from your Mac and translate it
> into modern HTTPS traffic before sending it to the server. Similarly, it
> will intercept the server's modern SSL traffic and translate it into
> legacy SSL traffic before sending it to your Mac. This will allow plain
> ol' Apple Mail to connect to modern providers (and fix an assortment of
> other random stuff).
>
> There are a number of programs that can act as a MiTM proxy, but I
> personally use Squid. For legacy Intel Macs running e.g. Snow Leopard, I
> actually have an installer on
> https://jonathanalland.com/old-osx-projects.html that sets up everything
> automatically.
>
> The only problem is that you're on PowerPC. I have never been able to
> get Squid working reliably on Mac PPC with the necessary features
> enabled. So, what you need to do instead is set up Squid on a secondary
> machine on your network, and use the IP address of that machine as your
> proxy server in System Preferences. This secondary machine could be an
> old PC or a Raspberry Pi.
>
> There are a few too many variables for me to provide precise setup
> instructions, but you will want Squid's configuration file to look
> something like the below:
>
> http_port 3128 ssl-bump generate-host-certificates=on cert=/path/to/squid.pem key=/path/to/squid-key.pem
>
> tls_outgoing_options cafile=/path/to/cacert.pem
> sslcrtd_program /path/to/security_file_certgen
>
> acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$ ^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
> acl loopback_addresses ssl::server_name_regex ^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
> acl apple_domains ssl::server_name_regex ess\.apple\.com$ ^sw.*\.apple\.com$ ^iphone-services\.apple\.com$
> acl excluded any-of local_addresses loopback_addresses apple_domains
> ssl_bump splice excluded
> ssl_bump bump all
>
> acl fetched_certificate transaction_initiator certificate-fetching
> cache allow fetched_certificate
> http_access allow fetched_certificate
> sslproxy_cert_error deny all
>
> http_access allow localhost
> http_access deny to_localhost
> http_access allow local_addresses
> http_access deny all
>
> You can obtain Mozilla's cacert.pem from
> https://curl.se/docs/caextract.html.
>
> You can generate the squid.pem and squid-key.pem certificates with
> something like:
>
> openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999 -keyout squid-key.pem -out squid.pem
>
> Afterwards, you will also need to add squid.pem to Keychain Access on
> your Mac, and set its trust settings to "Always Trust" for "Secure
> Socket Layer (SSL)" traffic. This is what allows the proxy server to
> decrypt, translate, and re-encrypt your HTTPS traffic.

Thanks for the response.

I already thought about that and read somewhere that Squid won't work
reliably on PPC MacOSX (yet). I already know Squid a little bit, but am
not very close to the PPC architecture, even if I had the huge fortune of
having studied under one of the fathers of the Power processors, Mr.
Wilhelm Spruth.

OTOH I seem to have a little experience with low-level debugging from a
former job, so the project seems somehow manageable at first glance,
on the initial condition that I get some more insight into
both PPC architecture and ABIs and MacOSX low-level details (and, of
course, dtrace).

Of course, the idea of having a MitM box sounds nice, but only as a
little help until it's running on the box itself (reliably). Hope the
time remains... I have more hobbies than lifetime.

HG
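
Added example, not part of either message above and not the Squid project's code: a small check for the quoted ssl-bump configuration. Because the old Mac trusts any certificate the proxy mints, the proxy is the only place where upstream certificates are validated, so the script flags settings that would weaken that. The function names and the sample text are assumptions made for the illustration.

```python
# Constructed sample: the post's configuration with its e-mail line wraps
# rejoined and the ACL definitions left out; paths are the post's placeholders.
SAMPLE_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on cert=/path/to/squid.pem key=/path/to/squid-key.pem
tls_outgoing_options cafile=/path/to/cacert.pem
sslcrtd_program /path/to/security_file_certgen
ssl_bump splice excluded
ssl_bump bump all
sslproxy_cert_error deny all
http_access allow localhost
http_access deny to_localhost
http_access allow local_addresses
http_access deny all
"""


def directives(text):
    """Return [(name, [args])] for every non-comment, non-blank line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            rows.append((parts[0], parts[1:]))
    return rows


def lint(text):
    """Return findings (hypothetical helper); an empty list means all checks pass."""
    conf = directives(text)
    findings = []
    outgoing = [a for name, args in conf if name == "tls_outgoing_options" for a in args]
    # The legacy client trusts whatever the proxy mints, so the proxy is the
    # only place where the real server certificate gets validated.
    if any(a.startswith("flags=") and "DONT_VERIFY_PEER" in a for a in outgoing):
        findings.append("tls_outgoing_options disables upstream certificate verification")
    if not any(a.startswith(("cafile=", "capath=")) for a in outgoing):
        findings.append("no explicit CA bundle: validation depends on the proxy host's default store")
    if any(name == "sslproxy_cert_error" and args[:1] == ["allow"] for name, args in conf):
        findings.append("sslproxy_cert_error allow: invalid upstream certificates would be accepted")
    access = [args for name, args in conf if name == "http_access"]
    if not access or access[-1] != ["deny", "all"]:
        findings.append("http_access does not end in 'deny all': the proxy may serve unintended clients")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

To check a real file, pass its contents to `lint()` in place of the sample.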

