On 15.07.22 23:23, [email protected] wrote:
is it possible to provide
some of the system packages with fresh frameworks, most important, SSL?
I'd need that for Mail (even TenFourBird doesn't work) and a working
browser...
So for SSL, what you want to do is set up a proxy server that can act as
a "man in the middle" for your Mac's SSL traffic. This proxy will
intercept the legacy SSL traffic coming from your Mac and translate it
into modern HTTPS traffic before sending it to the server. Similarly, it
will intercept the server's modern SSL traffic and translate it into
legacy SSL traffic before sending it to your Mac. This will allow plain
ol' Apple Mail to connect to modern providers (and fix an assortment of
other random stuff).
There are a number of programs that can act as a MiTM proxy, but I
personally use Squid. For legacy Intel Macs running e.g. Snow Leopard, I
actually have an installer on
https://jonathanalland.com/old-osx-projects.html that sets up everything
automatically.
The only problem is that you're on PowerPC. I have never been able to
get Squid working reliably on Mac PPC with the necessary features
enabled. So, what you need to do instead is set up Squid on a secondary
machine on your network, and use the IP address of that machine as your
proxy server in System Preferences. This secondary machine could be an
old PC or a Raspberry Pi.
There are a few too many variables for me to provide precise setup
instructions, but you will want Squid's configuration file to look
something like the below:
http_port 3128 ssl-bump generate-host-certificates=on
cert=/path/to/squid.pem key=path/to/squid-key.pem
tls_outgoing_options cafile=/path/to/cacert.pem
sslcrtd_program /path/to/security_file_certgen
acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$
^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
acl loopback_addresses ssl::server_name_regex
^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
acl apple_domains ssl::server_name_regex ess\.apple\.com$
^sw.*\.apple\.com$ ^iphone-services\.apple\.com$
acl excluded any-of local_addresses loopback_addresses apple_domains
ssl_bump splice excluded
ssl_bump bump all
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
http_access allow fetched_certificate
sslproxy_cert_error deny all
http_access allow localhost
http_access deny to_localhost
http_access allow local_addresses
http_access deny all
You can obtain Mozilla's cacert.pem from
https://curl.se/docs/caextract.html.
You can generate the squid.pem and squid-key.pem certificates with
something like:
openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999
-keyout squid-key.pem -out squid.pem
Afterwards, you will also need to add Squid.pem to Keychain Access on
your Mac, and set its trust settings to "Always Trust" for "Secure
Socket Layer (SSL)" traffic. This is what allows the proxy server to
decrypt, translate, and re-encrypt your HTTPS traffic.
Thanks for the response.
I already thought about that and read somewhere that squid won't work
reliably on PPC MacOSX (yet). I already know squid a little bit, but are
not very close to PPC architecture, even if I had the huge fortune of
have been studied at one of the fathers of the Power processors, Mr.
Wilhelm Spruth.
OTOH I seem to have a little experience with low level debugging from a
former employment, so the project seems manageable somehow for the first
view, under the initial restriction that I'd get some more insight into
both PPC architecture and ABIs and MacOSX low level details (and, of
course, dtrace).
Of course, the idea of having a MitM box sounds nice, but only as a
little help until it's running on the box itself (reliably). Hope the
time remains... I have more hobbies than lifetime.
HG
