
lyokian159

macrumors newbie
May 14, 2024
3
0
No that's totally weird, has anyone else experienced this?

What happens if you just generate a new certificate? Remove Squid.pem from Keychain Access, then run in Terminal:

Code:
cd /Library/Squid/Certificates
sudo openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 999999 -keyout squid-key.pem -out squid.pem

sudo security -v add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Library/Squid/Certificates/squid.pem

This was copy pasted from the code in the installer package.

Perhaps I should remove a nine in the number of days the cert is valid for, maybe it causes an overflow under certain weird conditions. It's not like any of us will live that long either way.
Same behavior with the 999999 days. When I go to 99999 days, I get a cert valid until Dec. 14th, 2025, which makes absolutely ZERO sense.

I am a bit stumped, it seems like OpenSSL is being completely strange
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,620
1,995
Same behavior with the 999999 days. When I go to 99999 days, I get a cert valid until Dec. 14th, 2025, which makes absolutely ZERO sense.

I am a bit stumped, it seems like OpenSSL is being completely strange

What is the output of openssl version?
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,620
1,995
Okay, I'm not sure what's up. For now just use the cert that expires in 2025, I'm probably going to update the installer to do that many expiry days by default because under the worst case scenario, it's better than the ticket expiring in the past.

If any other Snow Leopard users have had problems recently, please let me know.
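
Added example, not part of the original posts and not code from the installer package: a model of the overflow guessed at earlier in the thread. It assumes the openssl build stores both the `-days` offset in seconds and the resulting timestamp in signed 32-bit integers (the thread does not confirm this), and the issue time is constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SECONDS_PER_DAY = 86400
INT32_MAX = 2**31 - 1

# Constructed issue time; the thread does not give the exact moment.
ISSUED = datetime(2024, 5, 14, 18, 0, 0, tzinfo=timezone.utc)


def wrap32(n):
    """Reduce n to a signed 32-bit two's-complement value."""
    return (n + 2**31) % 2**32 - 2**31


def to_epoch(moment):
    """Whole seconds since 1970-01-01 UTC."""
    return int((moment - EPOCH).total_seconds())


def not_after(issued, days):
    """Expiry under the assumed model: offset and timestamp both wrap at 32 bits."""
    offset = wrap32(days * SECONDS_PER_DAY)
    return EPOCH + timedelta(seconds=wrap32(to_epoch(issued) + offset))


def max_safe_days(issued):
    """Largest -days value whose expiry still fits below 2**31 seconds."""
    return (INT32_MAX - to_epoch(issued)) // SECONDS_PER_DAY


if __name__ == "__main__":
    # 999999 and 99999 are the two values tried in the thread.
    for days in (999999, 99999, max_safe_days(ISSUED)):
        expiry = not_after(ISSUED, days)
        print(f"-days {days:>6} -> notAfter {expiry:%Y-%m-%d %H:%M:%S} UTC")
```

Under these assumptions 99999 days wraps to an offset of about 578 days, which lands in mid-December 2025, and 999999 days wraps to a date before the issue time. Whatever value is used, `openssl x509 -noout -enddate -in squid.pem` prints the notAfter that was actually written.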
 

startergo

macrumors 601
Sep 20, 2018
4,861
2,213
Curl in Mavericks:
Code:
https://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Had to do:
Code:
sudo port uninstall curl
sudo port clean cmake @3.29.3_0
Which got installed with cmake
 

startergo

macrumors 601
Sep 20, 2018
4,861
2,213
To be clear, this package does not rely on curl in any way.
macports complained before uninstalling that it is gonna break cmake :)
Code:
port info cmake
cmake @3.29.3 (devel)
Sub-ports:            cmake-gui, cmake-docs
Variants:             universal

Description:          An extensible, open-source system that manages the build
                      process in an operating system and compiler independent
                      manner. Unlike many cross-platform systems, CMake is
                      designed to be used in conjunction with the native build
                      environment. The cmake release port is updated roughly
                      every few months.
Homepage:             https://cmake.org

Build Dependencies:   clang-3.7
Library Dependencies: libcxx, curl, expat, zlib, bzip2, libarchive, ncurses,
                      legacy-support
Conflicts with:       cmake-devel
Platforms:            darwin, freebsd
License:              BSD
Maintainers:          Email: michaelld@macports.org, GitHub: michaelld
                      Email: mascguy@macports.org, GitHub: mascguy
 

startergo

macrumors 601
Sep 20, 2018
4,861
2,213
Curl command was not in path after macports. Had to do recompilation from source. You need openssl from macports:

One solution was provided in http://curl.haxx.se/mail/archive-2014-10/0072.html

The idea is to make a static build of curl and then paste it to your /usr/bin/ or /usr/local/bin/. Briefly:

  1. ~$ xcode-select --install
  2. Download the latest version of curl from http://curl.haxx.se/download.html
  3. cd to the directory and run
    ~$ ./configure --disable-shared --with-openssl --enable-threaded-resolver --with-nghttp2
    ~$ make -j `sysctl -n hw.logicalcpu_max`
  4. Copy the compiled curl, which is located in ./src/curl to your /usr/bin/
Note: in the make command the sign "`" is indeed back quote, not single quote.
Still getting some errors:
Code:
Latest curl:
which curl
/opt/local/bin/curl
curl  http://swcdn.apple.com/content/downloads/60/32/041-88558/p8401wt6oaqmy9ttqo915h9gxwqfbrggz0/Safari9.1.3Mavericks.pkg -O ~/Downloads/Safari9.1.3Mavericks.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 60.2M  100 60.2M    0     0  4954k      0  0:00:12  0:00:12 --:--:-- 4668k
curl: (3) URL rejected: No host part in the URL

Original Mavericks curl:
/usr/bin/curl  http://swcdn.apple.com/content/downloads/60/32/041-88558/p8401wt6oaqmy9ttqo915h9gxwqfbrggz0/Safari9.1.3Mavericks.pkg -O ~/Downloads/Safari9.1.3Mavericks.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 60.2M  100 60.2M    0     0  4639k      0  0:00:13  0:00:13 --:--:-- 4963k
curl: (3) <url> malformed

Edit: Solved with --HTTP2 request:
Code:
curl -vso /dev/null --http2  http://swcdn.apple.com/content/downloads/60/32/041-88558/p8401wt6oaqmy9ttqo915h9gxwqfbrggz0/Safari9.1.3Mavericks.pkg -o ~/Downloads/Safari9.1.3Mavericks.pkg
* Host swcdn.apple.com:80 was resolved.
* IPv6: 2620:149:a0f:f000::1
* IPv4: 17.253.119.201
*   Trying 17.253.119.201:80...
* Connected to swcdn.apple.com (17.253.119.201) port 80
> GET /content/downloads/60/32/041-88558/p8401wt6oaqmy9ttqo915h9gxwqfbrggz0/Safari9.1.3Mavericks.pkg HTTP/1.1
> Host: swcdn.apple.com
> User-Agent: curl/8.7.1
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQAoAAAAAIAAAAA
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: dlb/1.0.2
< Date: Tue, 30 Apr 2024 00:27:57 GMT
< Content-Type: application/octet-stream
< Content-Length: 63197064
< X-Responding-Server: massilia_protocol_028:328000804:mr33p01if-zteh08083901.mr.if.apple.com:8083:24C211:02f32ea0392c
< X-Apple-Request-UUID: 56319847-6e83-4c9d-88d9-313342d9d024
< x-amz-storage-class: STANDARD
< X-Apple-MS-Content-Length: 16777216
< X-iCloud-Content-Length: 16777216
< X-Apple-Request-UUID: 56319847-6e83-4c9d-88d9-313342d9d024
< accept-ranges: bytes
< x-apple-obj-store-current-version-id: 73672530-2537-11ea-85c7-248a078d2a85
< x-icloud-versionid: 73672530-2537-11ea-85c7-248a078d2a85
< Last-Modified: Mon, 23 Dec 2019 03:51:07 GMT
< Cache-Control: max-age=2592000, public
< Strict-Transport-Security: max-age=31536000; includeSubDomains;
< Via: http/1.1 usqas4-vp-vst-006.ts.apple.com (acdn/153.14426), http/1.1 usqas4-vp-vfe-013.ts.apple.com (acdn/153.14426), http/1.1 usrtv2-edge-lx-004.ts.apple.com (acdn/153.14426), http/1.1 usrtv2-edge-bx-001.ts.apple.com (acdn/153.14426), http/1.1 usrtv2-edge-bx-001.ts.apple.com (acdn/153.14426)
< X-Cache: hit-fresh, miss, hit-fresh, miss, none
< CDNUUID: 7465f5a1-3e42-4d8a-99e5-dcd9bd811dc0-346966998
< Etag: "B9966C2344640932E472F2F391B5D563-13"
< Age: 1616144
< Connection: keep-alive
<
{ [88 bytes data]
* Connection #0 to host swcdn.apple.com left intact
Followed by:
Code:
curl  http://swcdn.apple.com/content/downloads/60/32/041-88558/p8401wt6oaqmy9ttqo915h9gxwqfbrggz0/Safari9.1.3Mavericks.pkg -o ~/Downloads/Safari9.1.3Mavericks.pkg

Or simply:
Code:
curl  --http2 http://swcdn.apple.com/content/downloads/60/32/041-88558/p8401wt6oaqmy9ttqo915h9gxwqfbrggz0/Safari9.1.3Mavericks.pkg -o ~/Downloads/Safari9.1.3Mavericks.pkg
 

f54da

macrumors 6502
Dec 22, 2021
387
139
I don't really follow why we're discussing curl all of a sudden, but it would be convenient if someone provided a statically built version of curl to replace the ancient one on OS X. Sure, you can homebrew/macports/whatever, but sometimes that's all overkill.
 

startergo

macrumors 601
Sep 20, 2018
4,861
2,213
Code:
sudo port install m4 libtool clang-15 openssl automake autoconf nghttp2-tools nghttp2

One solution was provided in http://curl.haxx.se/mail/archive-2014-10/0072.html

The idea is to make a static build of curl and then paste it to your /usr/bin/ or /usr/local/bin/. Briefly:

  1. ~$ xcode-select --install
  2. Download the latest version of curl from http://curl.haxx.se/download.html
  3. cd to the directory and run
Code:
autoreconf -ivf
automake
autoconf
./configure --disable-shared --with-openssl --enable-threaded-resolver --with-nghttp2
make -j `sysctl -n hw.logicalcpu_max`
  4. Copy the compiled curl, which is located in ./src/curl to your /usr/bin/
Note: in the make command the sign "`" is indeed back quote, not single quote.
Or you can use https://github.com/jasonacox/Build-OpenSSL-cURL
But this requires:

Dependencies

The build script requires:

  • Xcode 10 or higher (12+ recommended)
  • Xcode Command Line Tools
  • pkg-config tool for nghttp2 (or brew to auto-install)
Or you can adapt this script to your needs. I compiled mine with Xcode 6.2
 

startergo

macrumors 601
Sep 20, 2018
4,861
2,213
golang also has issues:
Code:
make dev
package golang.org/x/tools/cmd/goimports: unrecognized import path "golang.org/x/tools/cmd/goimports" (https fetch: Get https://golang.org/x/tools/cmd/goimports?go-get=1: x509: certificate signed by unknown authority)
make: *** [deps] Error 1

Tried to download and install it:
Code:
echo -n | openssl s_client -connect proxy.golang.org:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./golang.cer
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = misc-sni.google.com
verify return:1
DONE

sudo security add-trusted-cert \
  -d \
  -r trustRoot \
  -k /Library/Keychains/System.keychain \
  golang.cer
But it still comes with x509: certificate signed by unknown authority
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,620
1,995
Could you please make a separate thread for this, so we can keep this one focused on issues with the proxy package?
 

f54da

macrumors 6502
Dec 22, 2021
387
139
Which golang version? Golang used to do some funky things with certificate resolution. It's only with more recent versions that they call into keychain framework directly. I think you also have to explicitly open up keychain and mark the newly added cert as trusted everywhere. Or something like that, see the Go issues page for the precise set of steps needed.
 

startergo

macrumors 601
Sep 20, 2018
4,861
2,213
I think you also have to explicitly open up keychain and mark the newly added cert as trusted everywhere
I did that of course. It is the last supported version for Mavericks 1.10.8. The Golang from macports gives other errors. Let's not clutter this thread though.
 