Beginner's problems with old hardware
Andrew Udvare
audvare at gmail.com
Sat Jul 16 01:45:10 UTC 2022
On Fri, Jul 15, 2022, 17:24 <wowfunhappy at gmail.com> wrote:
> is it possible to provide
> some of the system packages with fresh frameworks, most important, SSL?
> I'd need that for Mail (even TenFourBird doesn't work) and a working
> browser...
>
>
> So for SSL, what you want to do is set up a proxy server that can act as a
> "man in the middle" for your Mac's SSL traffic. This proxy will intercept
> the legacy SSL traffic coming from your Mac and translate it into modern
> HTTPS traffic before sending it to the server. Similarly, it will intercept
> the server's modern SSL traffic and translate it into legacy SSL traffic
> before sending it to your Mac. This will allow plain ol' Apple Mail to
> connect to modern providers (and fix an assortment of other random stuff).
>
> There are a number of programs that can act as a MiTM proxy, but I
> personally use Squid. For legacy Intel Macs running e.g. Snow Leopard, I
> actually have an installer on
> https://jonathanalland.com/old-osx-projects.html that sets up everything
> automatically.
>
> The only problem is that you're on PowerPC. I have never been able to get
> Squid working reliably on Mac PPC with the necessary features enabled. So,
> what you need to do instead is set up Squid on a secondary machine on your
> network, and use the IP address of that machine as your proxy server in
> System Preferences. This secondary machine could be an old PC or a
> Raspberry Pi.
>
> There are a few too many variables for me to provide precise setup
> instructions, but you will want Squid's configuration file to look
> something like the below:
>
> http_port 3128 ssl-bump generate-host-certificates=on
> cert=/path/to/squid.pem key=path/to/squid-key.pem
>
> tls_outgoing_options cafile=/path/to/cacert.pem
> sslcrtd_program /path/to/security_file_certgen
>
> acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$
> ^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
> acl loopback_addresses ssl::server_name_regex
> ^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
> acl apple_domains ssl::server_name_regex ess\.apple\.com$
> ^sw.*\.apple\.com$ ^iphone-services\.apple\.com$
> acl excluded any-of local_addresses loopback_addresses apple_domains
> ssl_bump splice excluded
> ssl_bump bump all
>
> acl fetched_certificate transaction_initiator certificate-fetching
> cache allow fetched_certificate
> http_access allow fetched_certificate
> sslproxy_cert_error deny all
>
> http_access allow localhost
> http_access deny to_localhost
> http_access allow local_addresses
> http_access deny all
>
> You can obtain Mozilla's cacert.pem from
> https://curl.se/docs/caextract.html.
>
> You can generate the squid.pem and squid-key.pem certificates with
> something like:
>
> openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999
> -keyout squid-key.pem -out squid.pem
>
> Afterwards, you will also need to add Squid.pem to Keychain Access on your
> Mac, and set its trust settings to "Always Trust" for "Secure Socket Layer
> (SSL)" traffic. This is what allows the proxy server to decrypt, translate,
> and re-encrypt your HTTPS traffic.
>
Of course you can run this on another machine? I'm thinking of making my
server/router have something like this for my old machines.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20220715/91d8e261/attachment.htm>
More information about the macports-users
mailing list