Do you or don't you have your HTTPS proxy settings set to localhost and 6531 in System Preferences specifically?
charles_off.png

charles_on.png


charles_ext_proxy.png
 
@maverick28 Thank you for the screenshots, it's just more foolproof. However, I really am out of ideas at this point, I'm sorry. Try restoring Dictionary from an OS installer.
 
It forbids doing that, says "Dictionary is a system app that can't be modified" (this is TM). And if the original version was already modified to work with Squid, then restoring it will unlikely help.
 
I think I'm onto something. That ProxyFix.dylib may not do its job properly.

  • Running the Dictionary binary returns repeated "SSL handshake failed" errors.
  • Checking the Dictionary process for matching entries pointing to ProxyFix with dtruss and fs_usage didn't produce any.

    Bash:
    sudo dtruss -p 14877 2>&1 | grep ProxyFix
    
    sudo fs_usage -w -f filesystem -e 14877 | grep -i proxyfix
  • So did strings


    Code:
    strings /Applications/Dictionary.app/Contents/MacOS/Dictionary | grep -i proxyfix
  • Checking Dictionary for loaded ProxyFix.dylib was successful only with vmmap and lsof:

    Bash:
    vmmap 14877 | grep -i proxyfix
    --> __TEXT                 0000000105919000-000000010591a000 [    4K] r-x/rwx SM=COW  /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib
    __LINKEDIT             000000010591b000-000000010591c000 [    4K] r--/rwx SM=COW  /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib
    __DATA                 000000010591a000-000000010591b000 [    4K] rw-/rwx SM=PRV  /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib
    
    
    lsof -p 14877 | grep -i proxyfix
    
    --> Dictionar 14877 user  txt      REG                1,1      9308 15727004 /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib
  • otool -L, DYLD_PRINT_LIBRARIES, dyldinfo returned nothing.
ChatGPT suggested that while vmmap and lsof attested to the dylib being successfully loaded, and the blank response of the three utils above merely pointed out that the dylib is an extension or injection, the possible shortcomings may come from initialisation bypass.

Quote (credit to ChatGPT):

1. Library loaded but its initialization failed or was bypassed

Even though the dylib is memory-mapped, that doesn’t guarantee its initialization code (e.g., constructor functions or plugin entry points) actually ran or succeeded.

If the app conditionally loads or initializes the plugin based on config, environment, or runtime conditions, it may silently skip ProxyFix.

2. No symbol hooks or interposition in effect

If ProxyFix is supposed to intercept network traffic (e.g., by hooking functions like send, recv, or NSURLSession), then:

It needs to either interpose those symbols (via DYLD_INSERT_LIBRARIES) or be called explicitly by the host app.

If it's merely loaded into memory but doesn't interpose or receive calls, it can't do anything.

You can try:

env | grep DYLD

If nothing like DYLD_INSERT_LIBRARIES=/path/to/ProxyFix.dylib shows up, it's likely not injected in a position to intercept anything.

I tried the last command, and it returned nothing. If AI made legitimate assumptions, then the dylib needs to be rebuilt for Aqua.
 
And furthermore (a long excerpt from the exchange with ChatGPT):

Bash:
nm -gU /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib
---> 0000000000000f20 T _main
0000000000000ea0 T _myCFReadStreamCreateForHTTPRequest


That output is very telling, and it raises a red flag.



🔎 nm Output Explained


You found:

0000000000000f20 T _main
0000000000000ea0 T _myCFReadStreamCreateForHTTPRequest

  • T means these are global symbols defined in the text (code) section—so they're available for use by other code.
  • _main in a dylib is very unusual.

❗️ The presence of _main in a dylib is not typical or desirable


In standard macOS dynamic libraries:

  • There should not be a main() function—because dylibs aren't standalone executables.
  • If main is present, it's often a sign the dylib was accidentally built as a full program (like a command-line tool) but then renamed as a .dylib.

➡️ This could mean:

  • ProxyFix.dylib is not properly constructed as a plugin/interposer.
  • Its intended entry point, such as a constructor function (with __attribute__((constructor))) or interposing symbols, is missing or broken.

⚙️ What to check next


✅ 1. Is there a constructor function?


You want to see something like:

__attribute__((constructor))
static void proxyfix_init(void) {
    // Setup code
}


To check for it:

otool -tv /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib | grep -i constructor


Or dump all symbols and look for likely initialization names:

nm -m /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib | grep -i init

If nothing shows up, that suggests the dylib has no startup logic—no hook into the host app.


✅ 2. Check for interposing symbols


If the library is meant to proxy network traffic, it should define symbols like send, recv, or CFReadStreamCreate* that match system or Core Foundation APIs, possibly with DYLD_INSERT_LIBRARIES.

nm -gU /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib | grep send


If only _myCFReadStreamCreateForHTTPRequest appears, it's possible the proxy logic is not replacing anything, and the app would have to explicitly call this function.

✅ 3. Is the app actually calling into this dylib?


Run nm or strings on the Dictionary binary itself:

nm -g /Applications/Dictionary.app/Contents/MacOS/Dictionary | grep myCFRead


If it doesn't reference _myCFReadStreamCreateForHTTPRequest, then the app is not using the dylib at all, even if it's loaded.

✅ Summary


From what you've shown:

  • ProxyFix.dylib is structurally loaded, but likely non-functional.
  • The presence of _main suggests it was compiled incorrectly (perhaps as an executable, not a plugin).
  • There's no evidence yet that the host app calls its functions or it hooks/interposes anything.

Recommendation

  • Rebuild it as a true plugin/interposer, not a standalone executable.
  • Add either:
    • A constructor function for automatic init, or
    • Proper interposing symbols with DYLD_INSERT_LIBRARIES.

If not, it’s likely dead weight—a dormant component that’s not wired up.

END QUOTE

Bash:
nm -g /Applications/Dictionary.app/Contents/MacOS/Dictionary | grep myCFRead
--> nothing.

Bash:
nm -gU /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib | grep send
--> nothing

Bash:
nm -g /Applications/Dictionary.app/Contents/MacOS/Dictionary | grep myCFRead
--> nothing

Bash:
otool -tv /Applications/Dictionary.app/Contents/Frameworks/ProxyFix.dylib | grep -i constructor
--> nothing
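
Added example, not part of the thread and not AquaProxy's code: the greps above search symbol names and disassembly text, whereas dyld interposing tuples and constructor pointers are recorded as Mach-O sections (`__interpose`, `__mod_init_func`), the same section list `otool -l` prints. The Python below parses a thin 64-bit Mach-O and counts the entries in those two sections; `build_sample` produces constructed input, and nothing here asserts what ProxyFix.dylib actually contains.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF   # thin little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19
ENTRY_SIZE = {"__interpose": 16,      # (replacement, replacee) pointer pair
              "__mod_init_func": 8}   # one constructor pointer


def _name(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def list_sections(data):
    """Return [(segment, section, size)] for a thin 64-bit Mach-O image."""
    if len(data) < 32:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (fat files need lipo -thin first)")
    end = 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    out, off = [], 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("corrupt load command size")
        if cmd == LC_SEGMENT_64:
            if cmdsize < 72:
                raise ValueError("segment command too small")
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            if 72 + 80 * nsects > cmdsize:
                raise ValueError("section table exceeds segment command")
            for i in range(nsects):
                s = off + 72 + 80 * i
                sect, seg = struct.unpack_from("<16s16s", data, s)
                size = struct.unpack_from("<Q", data, s + 40)[0]
                out.append((_name(seg), _name(sect), size))
        off += cmdsize
    return out


def hook_report(data):
    """Map section name -> entry count; {} means neither section is present."""
    return {sect: size // ENTRY_SIZE[sect]
            for _, sect, size in list_sections(data) if sect in ENTRY_SIZE}


def build_sample(sections):
    """Constructed input: MH_DYLIB header + one __DATA segment with (name, size) sections."""
    sects = b"".join(
        struct.pack("<16s16sQQ8I", n.encode(), b"__DATA", 0, size, *[0] * 8)
        for n, size in sections)
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72 + len(sects), b"__DATA",
                      0, 0, 0, 0, 7, 3, len(sections), 0) + sects
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, 1, len(seg), 0, 0) + seg


if __name__ == "__main__":
    # Pass a dylib path as the first argument; with no argument, constructed input is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(
        [("__data", 64), ("__interpose", 16)])
    print(hook_report(blob) or "no __interpose or __mod_init_func section")
```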
 
I'm really sorry you're having trouble with the Dictionary app, but it is a problem specific to your computer, and not with the ProxyFix library broadly. The Dictionary app works fine for me on both of my Macs and all of my test VMs. But you are also welcome to compile your own copy of the library, it's only 25 lines of code.

Let me know if you get it working!
 
I wanted to be helpful and raise awareness. I didn't mean to "dedicate this thread to one issue". Meanwhile, issues with this implementation not connecting to Wikipedia have already transpired (they were reported here), and there's a chance it may potentially hit more people, making updating to the Aqua Proxy from Squid non-viable. That's it.
 
And, BTW, there are important caveats, not mentioned in the Readme.rtf file inside the installation package, that I forgot to share before the Dictionary mess - for the uninitiated.

  1. Before adding a new iCloud Mail account in Mail, you must delete every iCloud account storing your Mail credentials in the Internet Accounts section of the System Preferences. If you don't do this, the System Preferences force-drop you where you had been before, at the Apple pre-configured iCloud account. Neither System Preferences nor Apple Mail will present the configuration prompts to enter new account information in this case. You can add it after you're done with mail: upon re-adding your iCloud account, just uncheck Mail, and leave other services alone.
  2. With iCloud accounts gone, you may set up a new mail account either in the System Preferences or Apple Mail; the location doesn't matter. Regardless of IMAP or SMTP, your app-specific password is required, not optional.
  3. This point is the most crucial: your iCloud account in Apple Mail must explicitly point to the iCloud domain, as in JohnAppleseed@icloud.com. This is not necessarily your Apple ID if your Apple ID is a Google, Yahoo, Hotmail or another 3-rd party e-mail address. This must be a first-party.


    P.S. Just like the Dictionary, Notes also experience the inability to sync with iCloud (the SSLHandshake error).
 
Regardless of IMAP or SMTP, your app-specific password is required, not optional.
Thanks! I actually do say this in the readme, it's in the last paragraph of the example section. I was trying to make the instructions generic to all email providers instead of just iCloud. This might have been a mistake, but it's a tricky balance; if I make the instructions too specific, I have to update them whenever an email provider changes something on their end. If I write too much, many people won't read it or will miss critical pieces.

Notes also experience the inability to sync with iCloud (the SSLHandshake error).
It should work if you enable Notes under your IMAP mail account, as opposed to under iCloud. In other words, it should look like this:

Screen Shot 2025-07-14 at 9.52.12 AM.png


For some reason I can log in my mail through the mail app, but don't you log in SMTP, I'm doing something wrong?
When adding the account in System Preferences, you probably entered something wrong in the "Outgoing Mail Server Info" section. It's tricky, you have to get everything exactly right! I find Apple Mail's SMTP settings UI confusing, so I actually recommend deleting the account from System Preferences and re-adding the whole thing.

Take special care to follow the readme exactly in the "Outgoing Mail" section. In particular, note that the SMTP server you use in the outgoing mail section is not the same as the IMAP server you use in the incoming mail section. So John Appleseed needs to enter johnappleseed@icloud.com@imap.mail.me.com for incoming mail but johnappleseed@icloud.com@smtp.mail.me.com for outgoing mail. I think this is the piece you got wrong based on the log window, but I may not be reading the log correctly.

If you still can't get it working, send me screenshots of all the "Outgoing Mail Server Info" screens and I'll try to figure out what's wrong.
 
Thanks! I actually do say this in the readme, it's in the last paragraph of the example section. I was trying to make the instructions generic to all email providers instead of just iCloud. This might have been a mistake, but it's a tricky balance; if I make the instructions too specific, I have to update them whenever an email provider changes something on their end. If I write too much, many people won't read it or will miss critical pieces.


It should work if you enable Notes under your IMAP mail account, as opposed to under iCloud. In other words, it should look like this:

View attachment 2528617


When adding the account in System Preferences, you probably entered something wrong in the "Outgoing Mail Server Info" section. It's tricky, you have to get everything exactly right! I find Apple Mail's SMTP settings UI confusing, so I actually recommend deleting the account from System Preferences and re-adding the whole thing.

Take special care to follow the readme exactly in the "Outgoing Mail" section. In particular, note that the SMTP server you use in the outgoing mail section is not the same as the IMAP server you use in the incoming mail section. So John Appleseed needs to enter johnappleseed@icloud.com@imap.mail.me.com for incoming mail but johnappleseed@icloud.com@smtp.mail.me.com for outgoing mail. I think this is the piece you got wrong based on the log window, but I may not be reading the log correctly.

If you still can't get it working, send me screenshots of all the "Outgoing Mail Server Info" screens and I'll try to figure out what's wrong.
The point is that I am using Snow Leopard, unfortunately we do not have the account options within the preference of systems. But I will send you how my configuration is in Apple Mail.

Strangely this is all right, I even did a test to receive and received my test, but send that the problem is .. it identifies my only password as incorrect.

Follow my Apple Mail configuration.

capture2.jpg

capture3.jpg

capture4.jpg

capture5.jpg
 
The point is that I am using Snow Leopard, unfortunately we do not have the account options within the preference of systems. But I will send you how my configuration is in Apple Mail.

Oops! I forgot the UI was different on Snow Leopard, sorry!

Annoyingly, the configuration does look right to me, you entered the ports and addresses correctly. When you say this is your "only password" does that mean your real iCloud password? You do need to create an app-specific password and use that, did you?

Did you try entering "localhost" instead of "127.0.0.1" for the server address? This should be the same thing, but maybe it makes a difference?
 
Oops! I forgot the UI was different on Snow Leopard, sorry!

Annoyingly, the configuration does look right to me, you entered the ports and addresses correctly. When you say this is your "only password" does that mean your real iCloud password? You do need to create an app-specific password and use that, did you?

Did you try entering "localhost" instead of "127.0.0.1" for the server address? This should be the same thing, but maybe it makes a difference?
This specific password of app, I took the test with localhost but to no avail, the SMTP server is pleading with the password and does not send the message haha.
 
Oops! I forgot the UI was different on Snow Leopard, sorry!

Annoyingly, the configuration does look right to me, you entered the ports and addresses correctly. When you say this is your "only password" does that mean your real iCloud password? You do need to create an app-specific password and use that, did you?

Did you try entering "localhost" instead of "127.0.0.1" for the server address? This should be the same thing, but maybe it makes a difference?
I tested with another email provider and got the same problem.

capture.jpg
 
Okay, I can reproduce this on Snow Leopard! Thanks for your help, I'm currently trying to figure out exactly what is wrong—it's a little annoying since the problem only occurs on Snow Leopard, and my build process to get Snow Leopard working involves a lot of steps.
 
Other pet peeves emerged in the first wave, which I left behind (IMAP iCloud Mail):

  • You will lose access to your aliases from within Apple Mail if you set ones (I did, I lost).
  • "Advanced Users": It's not so advanced because the commands and their purpose are clear-cut. However, modifying the flags.txt file (as per the Readme instruction) in any way will disconnect your IMAP Mail account (regardless of which one of --log-urls and --force-mitm). The author didn't elaborate on the actual effect of these commands. If it's what's called "SSL bumping" or "TLS termination" (known under different web-dev jargon terms), then SSL/TLS will override all your traffic, including the IMAP proxy for Mail. Logging URLs is certainly as practical as desired; however, the description is vague and doesn't explain where it logs: the log didn't show up in the Console, anyway.
  • Every time you pop in this newly added account in the System Preferences, the latter raises a prompt you have to confirm to proceed.
  • Under this account, after an unknown time interval elapses, it fails to enable Notes, popping an alert to the effect that it "wasn't able to set up this account" or "wasn't able to connect". "Notes" is added only on the account creation and seems OK at first. However, the System Preferences deselects the service later on.
 
@DurltazorOSXPower Please try the latest build, I think it will allow you to send mail: https://github.com/Wowfunhappy/AquaProxy/releases/download/2025.07.14/Aqua.Proxy.dmg

@maverick28 The video you uploaded includes your email auth token! Anyone with this information can log into your email. I recommend taking that down and regenerating your app password as soon as possible!

Neither of those flags affect email; however, if you added a flag which the IMAP proxy saw as invalid (because it was intended for the http proxy), it would have refused to start. This should be fixed in the latest version I just uploaded for DurltazorOSXPower. However, these flags are mostly for debugging and you may run into weird problems if you use them.
 
@DurltazorOSXPower Please try the latest build, I think it will allow you to send mail: https://github.com/Wowfunhappy/AquaProxy/releases/download/2025.07.14/Aqua.Proxy.dmg

@maverick28 The video you uploaded includes your email auth token! Anyone with this information can log into your email. I recommend taking that down and regenerating your app password as soon as possible!

Neither of those flags affect email; however, if you added a flag which the IMAP proxy saw as invalid (because it was intended for the http proxy), it would have refused to start. This should be fixed in the latest version I just uploaded for DurltazorOSXPower. However, these flags are for testing and you may run into weird problems if you use them.
Wowfunhappy, I come to you to congratulate you, perfectly corrected the email sending.
 
I managed to help Dictionary break out of jail, previously incapacitating secure handshakes with Wikipedia. Turned out the offender was an incorrect copy of the ISRGX1 cert. As soon as I wiped it out, downloaded and installed the new one from the Let's Encrypt site, and then rebooted, the Dictionary loaded Wikipedia. I had to trust it manually, though, because the Keychain Access distrusts installed certs by default.

Ensure that your installer has reliably installed only the valid copy of this and other certificates.

The cert's details where I got its downloadable link are at https://crt.sh/?id=9314791
 
Glad you got it working! Aqua Proxy won't replace any certificates you already have installed, so if you had a bad one that would definitely cause problems. I am confused how your "wrong" certificate had the correct public key, which should be cryptographically impossible, but whatever, as long as it's working now!
 
A minor severity. Mails from Mozilla Monitor won't load HTML. It affects the subfolder path monitor.mozilla.org/images/email/ on the sender's end.

Code:
Req:

GET /images/email/icons/question-mark-circle-with-bg.png HTTP/1.1
Host: monitor.mozilla.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive


Resp:

HTTP/1.1 406 Not Acceptable
Connection: keep-alive
cache-control: private, no-store
Accept-Ranges: bytes
Date: Tue, 15 Jul 2025 12:16:35 GMT
Via: 1.1 varnish
X-Served-By: cache-fra-etou8220078-FRA, cache-fra-etou8220093-FRA
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1752581795.393830,VS0,VE18
transfer-encoding: chunked

It's preprocessed traffic. AquaProxy is the 2025/07/01 edition. Do you recommend updating to the one you shared the link to? Can it log HTTP(S) now without breaking things?

mozilla_monitor.png
 
A minor severity. Mails from Mozilla Monitor won't load HTML.
Hmm, this is another issue I can't replicate, unfortunately. https://monitor.mozilla.org/images/email/icons/question-mark-circle-with-bg.png loads fine for me.

If there's nothing private in that email, you want to try forwarding it to me (it's my macrumors username and then gmail), although I don't know why it would only fail to load in Apple Mail.

Updating won't hurt, but I don't think it will fix your problem. The flags are really intended for debugging and I don't want to promise either way.
 
As for Mozilla, the sender is breach-alerts@mozilla.com. You subscribe to it by tapping into the Mozilla platform, the same way as accessing apps linked to any of the major platforms, such as GitHub. It's an "alertletter" of sorts. I attached the zipped HTML representation of the emlx.

Can you enable these debugging options separately for each Aqua proxying channel or document them in more detail? If they break smth inadvertently, their use is limited.
 

Attachments

  • 1214965.html.zip
You subscribe to it by tapping into the Mozilla platform, the same way as accessing apps linked to any of the major platforms, such as GitHub.
Yes, but I don't want to wait to receive an alert. I'm sorry, the URL seems to load fine for me, so I can't replicate the problem.

Can you enable these debugging options separately for each Aqua proxying channel or document them in more detail? If they break smth inadvertently, their use is limited.
The only reason the flags exist is because I personally needed them while developing AquaProxy.
 