Beginner's problems with old hardware

Wowfunhappy@gmail.com wowfunhappy at gmail.com
Sat Jul 16 03:06:23 UTC 2022 

> OTOH I seem to have a little experience with low level debugging from a
> former employment, so the project seems manageable somehow for the first
> view, under the initial restriction that I'd get some more insight into
> both PPC architecture and ABIs and MacOSX low level details (and, of
> course, dtrace).

Well, if you want to go that route, SecureTransport is part of Security.framework. This framework is open source.  https://opensource.apple.com/releases/

internetzel managed to partially update the framework's SSL capabilities back in 2018 as part of Leopard Webkit (an amazing accomplishment in itself), but my understanding is it never fully worked with TLS 1.2. You'd probably want to start where he left off.

https://sourceforge.net/projects/leopard-webkit/
https://sourceforge.net/p/leopard-webkit/wiki/BuildInstructionsSecurity/

Krackers had an alternate idea a few months back which was very clever: You could use method swizzling to replace `NSURLConnection` with your own OpenSSL-based implementation, assuming that's what most Cocoa apps are using. This would be a less complete fix, but it's probably more manageable than fully replacing Security.framework.

I think this is all too much work versus setting up a proxy, but it would be super cool if you got it working!

> Of course you can run this on another machine? I'm thinking of making my server/router have something like this for my old machines.

Yes, this is explicitly what I was suggesting to OP, because they are on PPC and I've never been able to get Squid working reliably on PPC.


On Jul 15, 2022, at 9:45 PM, Andrew Udvare <audvare at gmail.com> wrote:

> 
> 
> On Fri, Jul 15, 2022, 17:24 <wowfunhappy at gmail.com> wrote:
>> is it possible to provide
>> some of the system packages with fresh frameworks, most important, SSL?
>> I'd need that for Mail (even TenFourBird doesn't work) and a working
>> browser...
> 
> So for SSL, what you want to do is set up a proxy server that can act as a "man in the middle" for your Mac's SSL traffic. This proxy will intercept the legacy SSL traffic coming from your Mac and translate it into modern HTTPS traffic before sending it to the server. Similarly, it will intercept the server's modern SSL traffic and translate it into legacy SSL traffic before sending it to your Mac. This will allow plain ol' Apple Mail to connect to modern providers (and fix an assortment of other random stuff).
> 
> There are a number of programs that can act as a MiTM proxy, but I personally use Squid. For legacy Intel Macs running e.g. Snow Leopard, I actually have an installer on https://jonathanalland.com/old-osx-projects.html that sets up everything automatically.
> 
> The only problem is that you're on PowerPC. I have never been able to get Squid working reliably on Mac PPC with the necessary features enabled. So, what you need to do instead is set up Squid on a secondary machine on your network, and use the IP address of that machine as your proxy server in System Preferences. This secondary machine could be an old PC or a Raspberry Pi.
> 
> There are a few too many variables for me to provide precise setup instructions, but you will want Squid's configuration file to look something like the below:
> 
> http_port 3128 ssl-bump generate-host-certificates=on cert=/path/to/squid.pem key=path/to/squid-key.pem
> 
> tls_outgoing_options cafile=/path/to/cacert.pem
> sslcrtd_program /path/to/security_file_certgen
> 
> acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$ ^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
> acl loopback_addresses ssl::server_name_regex ^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
> acl apple_domains ssl::server_name_regex ess\.apple\.com$  ^sw.*\.apple\.com$ ^iphone-services\.apple\.com$
> acl excluded any-of local_addresses loopback_addresses apple_domains
> ssl_bump splice excluded
> ssl_bump bump all
> 
> acl fetched_certificate transaction_initiator certificate-fetching
> cache allow fetched_certificate 
> http_access allow fetched_certificate
> sslproxy_cert_error deny all
> 
> http_access allow localhost
> http_access deny to_localhost
> http_access allow local_addresses
> http_access deny all
> 
> You can obtain Mozilla's cacert.pem from https://curl.se/docs/caextract.html.
> 
> You can generate the squid.pem and squid-key.pem certificates with something like:
> 
> openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999 -keyout squid-key.pem -out squid.pem
> 
> Afterwards, you will also need to add Squid.pem to Keychain Access on your Mac, and set its trust settings to "Always Trust" for "Secure Socket Layer (SSL)" traffic. This is what allows the proxy server to decrypt, translate, and re-encrypt your HTTPS traffic.
> 
> Of course you can run this on another machine? I'm thinking of making my server/router have something like this for my old machines.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20220715/56115df6/attachment.htm>

More information about the macports-users mailing list