Author Set up Crypto Ancienne as a TLS proxy on Linux (Read 112462 times)
ClassicHasClass
32 MB
***
Posts: 39
Reply #15 on: August 29, 2023, 00:22

> In OX I created an https proxy with url:/ust/local/bin/carl on port 8765.

I think that's what your problem is. How you tell the individual applications to use the carl proxy depends on the specific app (there are different instructions for Classilla and MacLynx, for example). Safari won't know how to use it, for example, so this is why you shouldn't make the change global.

Once that setting is removed, it should fix the problem. Where did you enter this setting?
wove
1024 MB
******
Posts: 1363

Reply #16 on: August 29, 2023, 01:15

Thanks for your input @ClassicHasClass

There is much I do not know for sure. If you are running "Classic" on Tiger or running a Classic Mac OS in an emulator or VM, all the networking goes through the host, so I assumed that is where the proxy would go. The Classic environment provides no access to any control panels. Safari on Tiger is not much better than any of the Classic Mac OS browsers, and it seemed to me it could use the same type of help as the older browsers.

If an application running in a VM or the Classic environment could directly access files on the host machine, I would be tempted to look for a more secure VM. I also have no idea why turning the proxy off, deleting configuration files and restarting did not return the system to normal operation.

I will keep pecking away at it. For me this is more a learning experience than an urgent and overwhelming need.

ClassicHasClass
32 MB
***
Posts: 39
Reply #17 on: August 29, 2023, 02:17

Unfortunately, there are two ways to run an SSL or TLS proxy. How Crypto Ancienne does it is the *less* common of the two.

The most common way, and the way most browsers that (think they) speak SSL/TLS do it, is to use the proxy only to get a socket. The proxy does NOT do any of the encryption, the browser does. The reason for this is that otherwise the connection between you and the proxy would be unencrypted, and if the proxy is not on your local network, it could be snooped. Unfortunately, browsers that do this cannot use Crypto Ancienne without modification, and this applies to most browsers after SSL was a thing - including Safari. Classilla 9.3.4b was specially modified for the purpose; earlier versions of Classilla did the same thing too.

Browsers that are completely unaware of what SSL is, but can be taught new protocols, can be instructed to hand off the crypto by making an unencrypted request for an encrypted resource. OmniWeb and the Unix version of NCSA Mosaic are good examples, but MacLynx is especially good, because it already seemed to know how to do this (later versions of Lynx fall into the first category). Other browsers have to be modified, which sometimes can be done trivially and sometimes requires more work. Strictly speaking this is insecure, but if the proxy is on your local network then you're (probably) only snooping on yourself, and if the proxy is localhost, then it can't be snooped by definition.

The upshot is, don't make this change global unless *everything* you'll do on that machine falls into the *second* category (and most of the time, that is *not* the case). Make the changes specific to those apps that can, like modifying lynx.cfg for MacLynx, or setting the SSL proxy in Classilla.

One note for Knezzen/Bolkonskij: the instructions you have will listen on all interfaces. If you are behind a firewall or a good router then this is probably of little consequence, but if you're out on the unprotected network this could turn you into a public proxy. You might consider specifying localhost in that xinetd configuration.
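The two proxy modes described above, as an added illustration that is not code from the thread or from Crypto Ancienne/carl: a small classifier that tells a CONNECT-style request (browser does the TLS, proxy only supplies a socket) from a hand-off request (plain GET of an https:// URL, proxy does the TLS), plus the check a proxy would want before honouring the hand-off form, since that leg is unencrypted. The request lines and addresses are constructed samples; the policy is my own, not carl's or micro_inetd's.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample request lines, as a proxy would receive them from
# the two kinds of browser described in the post.
CONNECT_STYLE = "CONNECT www.example.org:443 HTTP/1.0"   # browser encrypts
HANDOFF_STYLE = "GET https://www.example.org/index.html HTTP/1.0"  # proxy encrypts
PLAIN_STYLE = "GET http://www.example.org/ HTTP/1.0"     # no TLS at all


def classify_request(request_line):
    """Return (mode, host, port) for a proxy request line.

    'tunnel'  : CONNECT; the browser does TLS itself, so the client-to-proxy
                leg already carries ciphertext.
    'handoff' : GET of an https:// URL; the proxy must do the TLS, so the
                client-to-proxy leg is plaintext (the Crypto Ancienne case).
    'plain'   : ordinary http:// proxying.
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return "tunnel", host, int(port)
    parts = urlsplit(target)
    if parts.scheme == "https":
        return "handoff", parts.hostname, parts.port or 443
    if parts.scheme == "http":
        return "plain", parts.hostname, parts.port or 80
    raise ValueError("not an absolute-URL proxy request: %r" % target)


def handoff_allowed(client_ip, listen_ip):
    """The hand-off form is only reasonable when the plaintext leg cannot
    leave the machine: both the peer and the bound address must be loopback.
    A listener on 0.0.0.0 ('all interfaces') fails this, which is the
    public-proxy exposure the post warns about."""
    return (ipaddress.ip_address(client_ip).is_loopback
            and ipaddress.ip_address(listen_ip).is_loopback)


def decide(request_line, client_ip, listen_ip):
    """Accept or refuse one request under the hand-off policy above.
    The tunnel form is passed through; whether it should be reachable
    from off-box at all is a bind-address question, not a per-request one."""
    mode, host, port = classify_request(request_line)
    if mode == "handoff" and not handoff_allowed(client_ip, listen_ip):
        return "refuse", mode, host, port
    return "accept", mode, host, port
```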
Knezzen
Administrator
512 MB
*****
Posts: 608

Village idiot
Reply #18 on: August 29, 2023, 08:20

Quote from: ClassicHasClass
One note for Knezzen/Bolkonskij: the instructions you have will listen on all interfaces. If you are behind a firewall or a good router then this is probably of little consequence, but if you're out on the unprotected network this could turn you into a public proxy. You might consider specifying localhost in that xinetd configuration.

Indeed, I should add a note about that. The guide is a replica of my home setup, where I have a Debian machine acting (amongst other things) as a TLS proxy for the machines on my home network. It's not open to the outside world as such.
Jatoba
256 MB
*****
Posts: 270
System 9 Newcomer!
Reply #19 on: March 07, 2024, 10:35

In my case, I tried setting up cryanc with the MachTen + Mac OS 9 + Classilla combo, but I couldn't get it to work.

I followed all of the official instructions step-by-step, both for cryanc and Classilla. All I get is a "Timeout" message after making my request. I used HTTPS pages like https://www.google.com/

Apparently, someone else in the Garden also had this issue, and so I asked there as well, but for more exposure I decided to share this issue here, as well, in case someone ran into this and figured it out, or has otherwise an answer for this.

I thought maybe there could be extra steps required in MachTen's Control Panel (there's a "Networking" section in it), but I never touched those configurations before, and I'm not sure what I should change there, if anything at all.

Side note: If anyone tries these steps now, note that despite Classilla supposedly having Gopher support, Floodgap's download link for the MachTen binary does not work (gopher://gopher.floodgap.com/1/gopher/clients/mac/carl-machten-414.tar.gz), returning a page with gibberish "links" instead. I had to use a different client, such as Gophie, in order to be able to download it. Steps 3. and 4. also are using incorrect file names, so watch out. (Should be gunzip/tar carl-machten-414.tar[.gz], not carl-machten-56.tar[.gz]).

Edit: Somehow BBcode won't allow us to use Gopher links here, by the way. It appends the HTTP protocol to them when using [url] tags.
Last Edit: March 07, 2024, 10:43 by Jatoba
Knezzen
Administrator
512 MB
*****
Posts: 608

Village idiot
Reply #20 on: March 07, 2024, 14:16

Quote from: Jatoba
Side note: If anyone tries these steps now, note that despite Classilla supposedly having Gopher support, Floodgap's download link for the MachTen binary does not work (gopher://gopher.floodgap.com/1/gopher/clients/mac/carl-machten-414.tar.gz), returning a page with gibberish "links" instead. I had to use a different client, such as Gophie, in order to be able to download it. Steps 3. and 4. also are using incorrect file names, so watch out. (Should be gunzip/tar carl-machten-414.tar[.gz], not carl-machten-56.tar[.gz]).

You get that outcome because the link is using the "1" item type, which is the "gopher submenu" type. Try changing the 1 to a 9, which is the "binary file" item type. The link should look like this for a direct-to-file download: gopher://gopher.floodgap.com/9/gopher/clients/mac/carl-machten-414.tar.gz

If you want to link to the directory the file is in, the correct thing to do is to use the "1" item type. The link would then look like this: gopher://gopher.floodgap.com/1/gopher/clients/mac/
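The Gopher URL structure Knezzen is describing, as an added example that is not code from the thread: the character right after the host is the item type (it tells the client how to treat the reply and is never sent on the wire), and everything after it is the selector the client actually sends. Item type names are from the standard Gopher type table; the `as_binary` rewrite reproduces the "1" to "9" fix above.

```python
from urllib.parse import urlsplit, unquote

# Standard Gopher item types (subset); the type is a client-side hint only.
ITEM_TYPES = {
    "0": "text file",
    "1": "gopher submenu (directory)",
    "7": "search",
    "9": "binary file",
    "g": "GIF image",
    "I": "image",
    "h": "HTML file",
}

# The link quoted in the thread, which renders a tarball as a garbled menu.
MENU_LINK = "gopher://gopher.floodgap.com/1/gopher/clients/mac/carl-machten-414.tar.gz"


def parse_gopher_url(url):
    """Split gopher://host[:port]/<type><selector> into its parts.
    An empty path means the server's root menu (type 1, empty selector)."""
    parts = urlsplit(url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher URL: %r" % url)
    path = parts.path
    if path in ("", "/"):
        item_type, selector = "1", ""
    else:
        item_type, selector = path[1], unquote(path[2:])
    return {
        "host": parts.hostname,
        "port": parts.port or 70,
        "type": item_type,
        "kind": ITEM_TYPES.get(item_type, "unknown"),
        "selector": selector,
    }


def as_binary(url):
    """Rewrite the item type to '9' (binary file) for a direct download,
    leaving host, port and selector untouched."""
    info = parse_gopher_url(url)
    port = "" if info["port"] == 70 else ":%d" % info["port"]
    return "gopher://%s%s/9%s" % (info["host"], port, info["selector"])


def request_line(url):
    """The CRLF-terminated selector a client sends; note the item type
    is absent, so '1' and '9' links fetch the very same bytes."""
    return parse_gopher_url(url)["selector"] + "\r\n"
```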
Jatoba
256 MB
*****
Posts: 270
System 9 Newcomer!
Reply #21 on: March 07, 2024, 14:45

Ah ha, thanks @Knezzen! Good to know this "trick", since I'm really liking Gopher so far, and Classilla is great. I will keep that in mind from now on.

Now if only I figured out what is missing in those steps to get Crypto Ancienne to work...
Knezzen
Administrator
512 MB
*****
Posts: 608

Village idiot
Reply #22 on: March 08, 2024, 09:18

I can try to help you out over Hotline if you want to, as long as we post the findings here for everyone to enjoy ;)
Jatoba
256 MB
*****
Posts: 270
System 9 Newcomer!
Reply #23 on: March 08, 2024, 09:27

I will gladly take you up on that offer! No one should be needing SSL/TLS just to check some plain text website that uses it for no good reason. I will try to pop by later today after work.
cballero
1024 MB
******
Posts: 1176
System 7, today and forever
Reply #24 on: March 08, 2024, 17:08

Sadly, so many static, straight-HTML websites are forced by the modern Internet to conform as HTTPS-hosted sites or be forgotten in the sea of non-SSL retro-sites. I'm glad you're looking to remove this artificial limitation on your Mac! :)

And as long as it's explained simply enough, we can all then implement these cool features that help us all take back forced-secured, plain-text websites! 8)

It really irks me when search engines like G make non-HTTPS websites look potentially unsafe in their search results with their 'truthiness' that's pure fiddle-faddle, aka 'gentleman-cow's meadow muffins' lol, since as you put so well, everyone should know that it makes absolutely zero-sense to require plain text websites to be made secure!
Jatoba
256 MB
*****
Posts: 270
System 9 Newcomer!
Reply #25 on: March 15, 2024, 21:10

I'm still stumped over this, but there was some progress: I'm no longer getting any timeout whatsoever with carl nor Classilla, and carl itself can retrieve an HTTPS page HTML as plain text, but I CANNOT for the life of me get it to act as a proxy for Classilla.

Full details, with pictures, here: http://macintoshgarden.org/forum/tips-debugging-crypto-ancienne-machten-414#comment-102978
Last Edit: March 15, 2024, 21:12 by Jatoba
ClassicHasClass
32 MB
***
Posts: 39
Reply #26 on: March 16, 2024, 04:33

I'm not sure why Classilla can't resolve localhost since that should be resolvable internally, but instead of localhost 8765 for the proxy, try 127.0.0.1 8765.
Jatoba
256 MB
*****
Posts: 270
System 9 Newcomer!
Reply #27 on: March 16, 2024, 09:26

Quote from: ClassicHasClass
I'm not sure why Classilla can't resolve localhost since that should be resolvable internally, but instead of localhost 8765 for the proxy, try 127.0.0.1 8765.

This is correct, we realized this requirement last night on Hotline, and also learned MANY more things along the way.

Full details about everything here:
http://macintoshgarden.org/forum/tips-debugging-crypto-ancienne-machten-414#comment-102983
cballero
1024 MB
******
Posts: 1176
System 7, today and forever
Reply #28 on: March 16, 2024, 14:16

Related, I promise! :)

So I managed to set up my host with STunnel a few days ago when I got over the 'how do I set up a CA' with random information (because it starts asking you things like planet, country, state or province, city, company name, yada yada..) and I'm like 'Watcha talkin' 'bout, Willis' with all of that identifiable information (so I finally clued in that Stunnel doesn't even use said details, so at least you can add whatever you please as far as those questions go.. would be nice to know this beforehand!!! Ugh, but anyways.. lol)

So, (and this is the related part! lol) when STunnel asks for something relating to your IP (like I said, I did this a few days ago, I either re-watched a YT vid or reread a tut on it to confirm), you then have to add 127.0.0.1 as your localhost IP, not localhost, and it was highlighted to do it that way because it looks like only the former works, not the latter :) so if you would have asked me that specific question, lol, I had your answer using a related tool! :P

Now the next part just relates to my STunnel status now specifically, so this part is off-topic, lol:

Having said all that, I have STunnel running obscurely in my notification tray thingy (wait, is that what that thing's called? lol, anywho..) but I have no idea what to do with it now as it relates to either my Basilisk or SheepShaver emulators to get things like email clients and such going (and so my STunnel saga continues, now I have a config text file I have no clue how to wangle, lol)

I know, 68040, you wrote out a detailed how-to someplace for me, but for the life of me, I searched and searched for it and came up empty-handed.. it'd be nice to have a written-out tut on that one too, just sayin' ;) kinda' like the ones I did for setting up Internet on BII, BII on Chrome OS or the reborn AOL :)

Here are those links (I think Bolkonskij's gonna kill me that I've written all of these up for the MG and none for S7T.. but bro, I don't have the means of setting up any cool tuts here, but you can nab any of the ones below and just copy and paste, right? :P I can always add some cool extras, images and such once any are up, just let me know when you do :))

http://macintoshgarden.org/emulating-a-mac-android-device
http://macintoshgarden.org/forum/success-got-internet-working-basilisk-ii-android (w/ pics and commentary)
http://macintoshgarden.org/basilisk-ii-chrome-os-crostini
http://macintoshgarden.org/apps/aim
http://macintoshgarden.org/forum/aim-unofficial-68k-macs (always luv the convos w/my fellow Macsters) ;)
Last Edit: March 16, 2024, 16:20 by cballero
ClassicHasClass
32 MB
***
Posts: 39
Reply #29 on: March 16, 2024, 22:38

Quote
Full details about everything here:
http://macintoshgarden.org/forum/tips-debugging-crypto-ancienne-machten-414#comment-102983

I think I'd like to politely differ with you on some of your conclusions.

localhost is 127.0.0.1, and the MacOS should resolve it as such (indeed, it works on my own systems, and others have reported it does). I'm glad substituting the IP worked for you, but it should be immediately resolvable without that. The fact it didn't work suggests there may be other problems with your networking configuration.

Also, the program that's compiled to listen to localhost isn't carl, it's micro_inetd. micro_inetd is what does the listening, as the name implies. More to the point, if you look at the source code for it, it has 127.0.0.1 as the IP to listen to, so the localhost vs 127.0.0.1 distinction doesn't even apply here because it doesn't do any sort of DNS resolution to bind the port.

I'm glad it's working for you, and I appreciate you pointing out the typos, which I have corrected, but (especially considering the fact this was free and I assisted you personally in E-mail) the summary in that thread is not very charitable and not particularly accurate.

© 2021 System7Today.com.