That's the source code to the Security framework itself; the problem is that it has build dependencies which Apple has not open sourced. Last time I tried this with the Mavericks version (at least five years ago now), I had to use replacements from projects such as
Darling, and in the end I wasn't able to build a working framework.
This is absolutely something I want to eventually try again, now that AI coding tools have expanded the scope of what's feasible. However, there are a few reasons I'm putting it off:
- AquaProxy now handles more than just TLS—it also adds custom headers (needed for Dictionary) and URL redirects (needed primarily for the Help Center, but useful for e.g. Twitter/Bluesky). Without a proxy, I'm not sure where these fixes would live.
- AquaProxy supports TLS 1.3. Today, this isn't necessary, but I suspect servers may start requiring it in the near future, so I would need to get it working.
- I try to avoid working on security sensitive code. I end up needing to do it anyway, but this is literally called the Security framework.
I think it's super cool that you have it (partially?) working on Snow Leopard and I'm only a little jealous! For now, I feel like AquaProxy works across four different operating systems and is reliable.
I am almost done with the project just final verification and cleaning. It is definitely important what this project could bring to complement the Aquaproxy. Few observations correct me if I am wrong:
I am almost done with the project just final verification and cleaning. It is definitely important what this project could bring to complement the Aquaproxy. Few observations correct me if I am wrong:
I am not replacing the framework bundle. I am replacing the
Mach-O binary inside a framework that on 10.6 isn't itself signed in a way that gets enforced.
CS_KILL applies to a process whose
own pages fail validation, and on
Snow Leopard the dynamic-library validation that would kill a process for loading an unsigned
dylib doesn't exist — that's a later addition. Empirically: the framework has been swapped repeatedly today and
Safari,
security, sudo authorization,
loginwindow, and
SecurityAgent all run.
I hand-rolled
ECDSA verification today reading 0.9.8 struct layouts through mirrored structs. That works, and it's carefully bounded — full signature verification, explicit validity-window checks, anchor requirement — but it's exactly the code you don't want to get subtly wrong, and a mistake fails open.
AquaProxy delegating verification to
Go's crypto/x509 plus
SecTrustEvaluate is a genuinely better place for that responsibility to live.
This is a
TLS 1.2 backport. Adding 1.3 to
Snow Leopard's SecureTransport is a different order of effort — new handshake state machine, HKDF, new record layer.
AquaProxy gets 1.3 for free because Go does it. If servers start requiring 1.3, the proxy survives and this doesn't.
On headers/redirects — that's not a TLS concern at all, and the SIMBL suggestion is reasonable. But it's real work that
AquaProxy already has done.
What this project actually offers:
Apps that don't honor the HTTPS proxy setting. Non-HTTP TLS. Anything calling SSLHandshake directly — the project docs cite iTunes specifically, and note it uses a different code path than Safari. And apps that see the server's real certificate rather than a generated one, which matters if anything inspects or pins it. Also no per-interface configuration, and it works before any user-level process starts.
That's a narrower value proposition than "better than a proxy." It's
complementary: the proxy handles the browsing case broadly across four OSes; this fixes the platform for the cases a proxy can't reach.
Let me know what you think.