On Fri, Jul 15, 2022, 17:24 <wowfunha...@gmail.com> wrote:

> > is it possible to provide some of the system packages with fresh
> > frameworks, most important, SSL? I'd need that for Mail (even
> > TenFourBird doesn't work) and a working browser...
>
> So for SSL, what you want to do is set up a proxy server that can act as a
> "man in the middle" for your Mac's SSL traffic. This proxy will intercept
> the legacy SSL traffic coming from your Mac and translate it into modern
> HTTPS traffic before sending it to the server. Similarly, it will intercept
> the server's modern SSL traffic and translate it into legacy SSL traffic
> before sending it to your Mac. This will allow plain ol' Apple Mail to
> connect to modern providers (and fix an assortment of other random stuff).
>
> There are a number of programs that can act as a MiTM proxy, but I
> personally use Squid. For legacy Intel Macs running e.g. Snow Leopard, I
> actually have an installer on
> https://jonathanalland.com/old-osx-projects.html that sets up everything
> automatically.
>
> The only problem is that you're on PowerPC. I have never been able to get
> Squid working reliably on Mac PPC with the necessary features enabled. So,
> what you need to do instead is set up Squid on a secondary machine on your
> network, and use the IP address of that machine as your proxy server in
> System Preferences. This secondary machine could be an old PC or a
> Raspberry Pi.
>
> There are a few too many variables for me to provide precise setup
> instructions, but you will want Squid's configuration file to look
> something like the below:
>
> http_port 3128 ssl-bump generate-host-certificates=on cert=/path/to/squid.pem key=/path/to/squid-key.pem
>
> tls_outgoing_options cafile=/path/to/cacert.pem
> sslcrtd_program /path/to/security_file_certgen
>
> acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$ ^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
> acl loopback_addresses ssl::server_name_regex ^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
> acl apple_domains ssl::server_name_regex ess\.apple\.com$ ^sw.*\.apple\.com$ ^iphone-services\.apple\.com$
> acl excluded any-of local_addresses loopback_addresses apple_domains
> ssl_bump splice excluded
> ssl_bump bump all
>
> acl fetched_certificate transaction_initiator certificate-fetching
> cache allow fetched_certificate
> http_access allow fetched_certificate
> sslproxy_cert_error deny all
>
> http_access allow localhost
> http_access deny to_localhost
> http_access allow local_addresses
> http_access deny all
>
> You can obtain Mozilla's cacert.pem from
> https://curl.se/docs/caextract.html.
>
> You can generate the squid.pem and squid-key.pem certificates with
> something like:
>
> openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999 -keyout squid-key.pem -out squid.pem
>
> Afterwards, you will also need to add squid.pem to Keychain Access on your
> Mac, and set its trust settings to "Always Trust" for "Secure Socket Layer
> (SSL)" traffic. This is what allows the proxy server to decrypt, translate,
> and re-encrypt your HTTPS traffic.
>
Of course you can run this on another machine? I'm thinking of making my server/router have something like this for my old machines.
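Added here as an illustration, not part of either post: a small Python check that replays the quoted `ssl::server_name_regex` ACLs and the two `ssl_bump` rules over a constructed list of hostnames, so you can confirm which connections the proxy will splice (pass through untouched) and which it will bump (terminate and re-sign with squid.pem) before pointing your old machines at it. The regex patterns are copied from the config above; the sample hostnames are constructed.

```python
import re

# Pattern lists copied from the quoted squid.conf. A Squid
# ssl::server_name_regex ACL matches when ANY of its patterns matches.
LOCAL_ADDRESSES = [
    r"^192\.[0-9]+\.[0-9]+\.[0-9]+$",
    r"^10\.[0-9]+\.[0-9]+\.[0-9]+$",
    r"^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$",
]
LOOPBACK_ADDRESSES = [r"^127\.[0-9]+\.[0-9]+\.[0-9]+$", r"^::1$"]
APPLE_DOMAINS = [
    r"ess\.apple\.com$",
    r"^sw.*\.apple\.com$",
    r"^iphone-services\.apple\.com$",
]


def acl_matches(patterns, server_name):
    # Squid regex ACLs are unanchored searches, case-sensitive unless -i.
    return any(re.search(p, server_name) for p in patterns)


def ssl_bump_action(server_name):
    """Mirror 'ssl_bump splice excluded' then 'ssl_bump bump all':
    the first matching ssl_bump rule wins."""
    excluded = (acl_matches(LOCAL_ADDRESSES, server_name)
                or acl_matches(LOOPBACK_ADDRESSES, server_name)
                or acl_matches(APPLE_DOMAINS, server_name))
    if excluded:
        return "splice"   # tunnelled as-is; the Mac sees the real server cert
    return "bump"         # proxy terminates TLS and re-signs with squid.pem


# Constructed SNI / CONNECT hostnames to exercise the rules.
SAMPLES = [
    "imap.gmail.com", "192.168.1.10", "10.0.0.5", "172.16.4.4", "172.32.0.1",
    "127.0.0.1", "::1", "swscan.apple.com", "iphone-services.apple.com",
    "gsa.apple.com", "192.0.2.1", "swcdn.apple.com.evil.example",
]


def classify_all(samples=SAMPLES):
    """Return {hostname: 'splice' | 'bump'} for every sample."""
    return {name: ssl_bump_action(name) for name in samples}


if __name__ == "__main__":
    for name, action in classify_all().items():
        print(f"{action:6s}  {name}")
```

Two things the run makes visible: the `$` anchors keep a name like `swcdn.apple.com.evil.example` from being spliced, but `^192\.` splices all of 192.0.0.0/8 (e.g. `192.0.2.1`), not only 192.168.0.0/16, so tighten it to `^192\.168\.` if that is what you intend.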