mbedtls does not support TLS 1.3? That would be surprising.

But anyway, what is the issue with OpenSSL?
????
I don't have an 'issue' with anything.....
Smaller footprint less resources is why I was looking at it, can't be a bad thing. You're right, I'm wrong about mbed. Was looking at a few comparisons between the two and that was mentioned. Didn't realize it was an older comparison. So thanks for that.
 
I am surprised that someone can live without OpenSSL, but okay.
 
...
On my other systems I have it.
On my leopard install, something that doesn't take up resources makes sense to me....
Idk why.
I sense sarcasm.
I can live without a lot of things.
Sarcasm is one of them.
If you have a problem with me posting on here let me know.
I've been on enough forums to know that vibe.
Matter of fact.
You can message me.
Unless you want to keep it public....
Thanks for your time
 
Sorry if I made a wrong impression, you could use, of course, whatever you find convenient.

My point was that too much stuff needs OpenSSL anyway, so not having it is going to limit the system's usability. If one has it, then another SSL library for a dedicated usage with some port increases the “footprint”.
(OpenSSL takes minimal disk space and compiles in a matter of minutes, so I do not really understand the problem to begin with. It also has decent support from upstream.)
 
After being unable to find a solution which doesn't rely on having a second machine, I made my own basic proxy program for PowerPC OS X.

My program uses OpenSSL 1.1.1w to upgrade Webkit and other TLS/SSL connections to TLS 1.2/1.3, as needed. While I have only tested it with HTTPS with Leopard-Webkit, it presumably could work for other protocols and programs.

To set up the program:
(a) download aproxy-0.0.1.zip
(b) unzip the program on your Desktop
(c) configure your Mac / Leopard-Webkit to use localhost:8080 for HTTPS proxy
(d) open a Terminal, go to the folder where you unzipped the files, and run ./aproxy

When you run the program for the first time (and whenever proxy-ca.pem expires), the program will generate a temporary CA root certificate that it will use. The certificate is set to expire every 90 days. The certificate generated will be stored in the file proxy-ca.pem, with the private key stored in proxy-key.pem.

The program will open Keychain Access and prompt you to add it as a trusted certificate.

However, if you prefer, you could also generate your own CA X509 certificates and import them manually, instead.

Note: If you don't add the CA certificate as a trusted root, you can still use the proxy, but Safari will prompt you multiple times to accept certificates and there will be some errors on webpages (most often images not loading).

Let me know if you have any questions.

The main potential bug to be aware of is that very occasionally you may have to refresh a page if it doesn't load (however, this may be fixed as I was previously using a).

There is also a limitation that the proxy will fail to handle extremely large "CONNECT" proxy request headers > 16kb. I haven't encountered this as a problem to date and don't expect it to be an issue with Leopard-Webkit / HTTPS. Nonetheless, this is something to keep in mind when testing the program with other protocols like IMAP, etc.

Security features:
(a) the program will fail to load any website or component of it, if the X509 certificate of the server it's connecting to doesn't verify using proxy-roots.pem (the root certificate store obtained from Curl). The program will also print out an error message to the Terminal whenever such an event occurs.
(b) the program does not accept inbound connections from other machines - i.e. you should not be able to connect to port 8080 from another machine on your network.
(c) the program provides a reasonably detailed log of error messages, which can be saved and used for debugging, including the certificate information for any outbound connection it makes.

Let me know if you encounter any bugs or have some features you would like to suggest.

The program is provided as-is, freeware for personal use.

P.S. I don't have Patreon, but would greatly appreciate donations of working PowerPC Mac hardware and software.

(Next project - Leopard-Webkit)

G4 Cube 450 MHz OS X 10.4 (would love to upgrade to a Sonnet 1.8 GHz one day)
G5 DP 2.0 GHz OS X 10.5 (for compiling and Leopard-Webkit)
 

Attachments

  • aproxy-0.0.1.zip
    1.3 MB
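
Two of the behaviours described in the post above, sketched in C as an added example (not aproxy's code, whose source is not on this page): a CONNECT header parser with an explicit 16 KB cap that reports an oversized request instead of failing silently, and a listener bound to 127.0.0.1 only. The names `parse_connect`, `listen_loopback`, `MAX_HDR` and the status codes are hypothetical, and the request bytes in `main` are constructed.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_HDR 16384 /* assumed cap, mirroring the 16 KB limit in the post */
enum { HDR_OK, HDR_MORE, HDR_TOO_BIG, HDR_BAD };

/* Classify the n bytes read so far; on HDR_OK host/port are set. No IPv6 literals. */
int parse_connect(const char *buf, size_t n, char host[256], int *port)
{
    char line[300];
    size_t i, end = 0, eol = 0;
    int minor, used = 0;
    for (i = 0; i + 4 <= n && !end; i++)          /* a blank line ends the header */
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) end = i + 4;
    if (!end || end > MAX_HDR) return n >= MAX_HDR ? HDR_TOO_BIG : HDR_MORE;
    while (buf[eol] != '\r') eol++;               /* safe: the terminator was found */
    if (eol >= sizeof line) return HDR_BAD;
    snprintf(line, sizeof line, "%.*s", (int)eol, buf);
    if (sscanf(line, "CONNECT %255[^: ]:%5d HTTP/1.%1d%n", host, port, &minor, &used) != 3
        || line[used] != '\0') return HDR_BAD;
    return (*port >= 1 && *port <= 65535) ? HDR_OK : HDR_BAD;
}

/* Listening socket reachable from this machine only; -1 on failure. */
int listen_loopback(unsigned short port)
{
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* 127.0.0.1, not INADDR_ANY */
    if (fd >= 0 && (bind(fd, (struct sockaddr *)&a, sizeof a) || listen(fd, 16))) {
        close(fd);
        fd = -1;
    }
    return fd;
}

int main(void)
{
    const char req[] = "CONNECT example.org:443 HTTP/1.1\r\n\r\n"; /* constructed */
    char host[256] = "";
    int port = 0, fd = listen_loopback(0), rc = parse_connect(req, sizeof req - 1, host, &port);
    printf("rc=%d target=%s:%d listener_fd=%d\n", rc, host, port, fd);
    if (fd >= 0) close(fd);
}
```

A caller keeps reading while the result is `HDR_MORE` and closes the connection with an error on `HDR_TOO_BIG` or `HDR_BAD`.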
Dang—I'm gonna have to give this a try. Thank you, kind internet person!
 
@GA204 Running aproxy generates the certificate but LWK won't connect. Running aproxy again gives the attached error.

error.png
 
Just in case you might be interested, there are two related issues:

1. There is an image of 10.6.8 for PowerPC now, but it needs to sort out internet access (DNS/DHCP do not work, possibly due to UDP). See: https://forums.macrumors.com/threads/10-6-snow-leopard-powerpc-development.2439769/
UPD 2024.12.16. Internet works now, though DNS is resolved via TCP (and no DHCP).

2. Some work has been done to get a modern browser onto PowerPC Macs – White Star (a fork of Palemoon). The build is fixed now, but the app does not yet work. See: https://github.com/dbsoft/White-Star/issues/2

P. S. If anything from related MacPorts software that you may need does not build or work, ping me. I think 10.6 ppc is in good shape now (and has pre-built software via macos-powerpc.org site), but 10.5 is far less tested.
 
@GA204 Running aproxy generates the certificate but LWK won't connect. Running aproxy again gives the attached error.

Thank you for letting me know, I think I can see what's causing that bug.

Since I have only been using the program in Terminal, version 0.0.1 is expecting to run in the same directory that it's located and needs the root certificate store ./proxy-roots.pem to run properly. So, what's probably happening on your computer is that it is mistakenly searching for ~/proxy-roots.pem rather than /Users/Home/Downloads/aproxy-0.0.1/proxy-roots.pem. This is because when you double-click on an executable, it runs it from the home directory rather than the directory the program is located in.

In any event, I've updated to version 0.0.2 which should hopefully fix this bug. Please let me know if it still persists.
 

Attachments

  • aproxy-0.0.2.zip
    1.3 MB
@GA2045

Thanks - that appears to work now. Alas, on my Powerbook it's using up to 80% CPU so not really practical on that level of hardware. Well done on making it work and good luck with any other projects.
 
Thanks. Fortunately, I was able to get some good results with some preliminary optimization work and now it is averaging about 5-8% CPU on my DP 2.0 GHz PowerMac G5 when loading webpages and 0.0% when idling. Attached is a copy.
 

Attachments

  • aproxy-0.0.3.zip
    1.3 MB
This has worked very well on my machines running 10.5 - many thanks again! Any chance of your code building on 10.4 to upgrade Safari (4.0.3 plus TigerKit available) to TLS 1.3?
 
Yes, I've just compiled a beta release for OS X 10.4 Tiger.

However, unlike Leopard, whenever you are prompted to import the certificate on Tiger, you need to select the X509Anchors keychain. This will normally happen the first time you run the program and whenever the proxy's certificates expire and need to be regenerated (by default every 3 months). I've included a screenshot of the prompt below for clarity.

Picture 8.png
 

Attachments

  • aproxy-tiger.zip
    1.6 MB
Really happy with this, it's put a lot more life into my iMac G5.

Can you please upload the source code? I'd rather build from source than use an executable, and I want to see if I can contribute. Thanks
 
After being unable to find a solution which doesn't rely on having a second machine, I made my own basic proxy program for PowerPC OS X.
Cool! Is there a particular reason you are expiring the certificate after 90 days? I'm not seeing an obvious security benefit, since it's a generated certificate that is only used locally. You should be able to generate a certificate that lasts for hundreds of years via something like:

Code:
openssl req -x509 -newkey rsa:4096 -subj '/CN=Squid' -nodes -days 800000 -keyout squid-key.pem -out squid.pem

Does the proxy perform AIA Chasing for websites that require it?

Not to take anything away from PPC, but I wonder if this could also be compiled for Intel and used on slightly more modern systems. Something small, lightweight, and dependency-free could be useful everywhere! In other words, I am seconding the source code request. :)
 