Set up Crypto Ancienne as a TLS proxy on Linux
Bolkonskij
Reply #30 on: March 17, 2024, 11:14
Cameron, knowing Jatoba / Jubadub for many years now, I don't think this was intended to be sounding as mean as you may have perceived it. IIRC, he's not a native English speaker and we tend to have our difficulties at times in finding the right words and / or literally translate from our native languages, which in English might sound rather harsh while being perfectly normal in our mother tongue. So please, don't get this wrong. I'm sure Jatoba will clear this up too when he gets back online. Running a MacLynx instance on top of Crypto Ancienne on all my System 7 Macs myself, I can only repeat my gratitude to you for the amazing contributions you've been making to the retro Mac community - something very much appreciated. Please don't think that we're not valuing all the effort and time you're putting into this.
Last Edit: March 17, 2024, 11:16 by Bolkonskij
cballero
Reply #31 on: March 17, 2024, 14:29
I agree wholeheartedly! I have been trying to figure out the ABCs of both Crypto Ancienne and STunnel and both have been kicking my hiney up and down the street, and it hasn't been a pretty picture on my end! So any and all forum threads and posts related to the unraveling of this topic I consider pure gold since I will eventually get it set up myself. I'd love to eventually see and/or help draft some tutorials and/or wikis here on the S7T and MG websites as these resources can really supercharge (and secure too, I believe?) our Internet experience on Classic Macs. I've read with keen interest (and some humble jealousy, to be fully transparent) as folks used these tools to jimmy these (proxy-like?) tools to make everything work! All this to say that I appreciate you all: ClassicHasClass, Jatoba, Knezzen, Bolkonskij, Wove, 68040 (and I'm positive that I am forgetting to thank half the room here, lol) as so many of us would certainly be completely lost in the woods concerning these advanced setups (well, I still am, but less and less each time these topics are discussed at length), so let me be among many others to express my humble appreciation to those who clearly know what they are doing under the hood concerning tools like Crypto Ancienne and everyone sharing and documenting their experiences as they battle it out for us to read and follow along as we do the same!!!
Jatoba
Reply #32 on: March 17, 2024, 16:02
@ClassicHasClass Well, I will try to keep this short and to the point: 100% of what I wrote is intended solely as a guide to others, so that I don't "hoard" the knowledge all to myself, even more so considering this was a team effort. None of this should be taken as an "attack" on your (insanely good!) Mac contributions nor websites. I did point out where or what could be improved in the tutorials, but purely as constructive suggestions. Nothing more. I don't think "the summary in that thread is not very charitable and not particularly accurate", I even said my special thanks to you. Quoting myself (with emphasis just added):

Quote:
    Also, I wanted to say special thanks to everyone else who has been involved in trying to make this work: people at Mac OS 9 Lives, System 7 Today and Macintosh Garden, including the author of Crypto Ancienne himself. The tutorials can be improved, but your tools AFAIK are flawless. All the issues everyone has had are with MachTen itself, and getting its networking set up to use it, which are prerequisites to get the tools working.

I don't think I said anything negative about Crypto Ancienne itself. I'm well aware "carl" isn't the one that is compiled to listen to "localhost": what I said was not "carl", but "Crypto Ancienne", which, in my understanding, is the combination of "carl" + "micro_inetd", at least on Power MachTen. I would not dare examine, let alone judge, your source code; I would need a few lifetimes to catch up to your level of programming wizardry.

That being said, I also don't think there was any inaccuracy in stating, and emphasizing, the importance of using "127.0.0.1" instead of "localhost" as the value for the SSL Proxy field in Classilla: my Mac OS 9 setup and installation are very standard, with little to no tinkering, and so is my Power MachTen setup, hence chances are that this step will help most other people. Like you suggested, even if "localhost" is resolved correctly, "127.0.0.1" will still work, so recommending it instead serves as an additional safety net.

A lot of the verbosity in my post essentially seeks to recreate the thought processes I went through, because it is easier for people to relate to it, see where everything was coming from, and implement what they need. This is my way of being transparent and helpful. I believed the transparency would also give you insight into the thought process of some potential readers, which maybe could help shape future tutorials and blog posts, rather than offend. None of what I said was a complaint, although it seems like it was taken that way. Does this clear things up? Or would you still say the summary of that thread to be not very charitable and inaccurate?
ClassicHasClass
Reply #33 on: March 17, 2024, 21:08
I appreciate, and even encourage, folks to share their conclusions for the benefit of others. However, a public statement like:

> Floodgap's instructions are WRONG when it says "Under Advanced > Proxies, enter localhost and 8765 for the host and port numbers for 'SSL Proxy.'". DO NOT ENTER "localhost". USE "127.0.0.1" INSTEAD.

isn't just problematic, I'd also assert it's not even constructive. If your local machine is unable to resolve "localhost," then there's a problem somewhere (the timeouts you report on various sites that work on other machines may be indicative). More to the point, "wrong" (in capital letters, even) and "it didn't work for me" aren't the same thing. If you had said something to the effect of "try 127.0.0.1 if localhost doesn't work" instead, although I'd argue that's at best a temporary solution, it also doesn't imply that somehow I'm guiding people incompetently.

One last nitpick: Crypto Ancienne is the crypto library and carl is the example application. A lot of people use Crypto Ancienne just for carl, which is cool and even intentional, but strictly speaking it's just a crypto package like OpenSSL or wolfSSL. Its chief difference is being targeted at old operating systems like MacOS, Power MachTen and so on. However, I grant that this is a subtle point.

I'm happy to accept constructive suggestions, and you'll note I didn't argue with you about fixing the links and the filenames: that was absolutely my fault for not checking my copy-paste. But the rest of the post still reads like I wrote up useless instructions, and giving me credit for being helpful doesn't really cancel that out. We're all human. That said, it's your post, of course, so I'll respectfully not comment further so as not to additionally derail this thread.
Jatoba
Reply #34 on: March 18, 2024, 11:18
@ClassicHasClass I see, I agree, the post certainly has little in terms of tact and delicacy. It was written with the mindset, and adrenaline rush, of "OMG OMG! IT WORKS!!!! YAAAZZZZ! WRITE IT DOWN! WRITE IT DOWN!!!", so it is very raw by nature. I just wanted to make sure I wouldn't forget something, and that no one would be tripped over by this ever again, hence all the emphasis on various points.

By the way, you can comment further if you would like, be it here, or even with an account in the Macintosh Garden: that is perfectly acceptable and reasonable, and I certainly would not mind it. In fact, even if I did mind it, my or anyone's permission is nonetheless not required, nor should it be. And, since this and the other threads are about Crypto Ancienne anyway, it would hardly be derailing! This discussion is on-topic enough IMHO.

There is one other reason I wrote, and generally do write things, very "transparently" and "openly": it's because I also do invite discussion and debate: if we shut ourselves off, in particular our ears, we are doomed, be it with regards to nerdy things or serious matters. (In fact, with regards to the latter, if you don't mind, there is another, 100% unrelated topic I hoped for years I could address with you in private, because it is extremely sensitive. Is e-mailing you over such things fine?)

So commenting further is encouraged! By design, my post is to be picked apart for improvements, corrections etc. (part of the whole "transparency" approach), as long as it's constructive and/or helpful. For example, if you or anyone else figures out what could lead to localhost not being resolved, and share it, that would be greatly appreciated. By the way, some more people checked, and it seems their Macs of varying models also cannot resolve localhost, but you are correct when you say there might be something else amiss that should be looked into.

However, I still wouldn't describe, pedantically speaking, "choosing 127.0.0.1" as "at best a temporary solution", because it is also a valid solution even if localhost is working. Part of me still wonders... Would using an OpenDNS IP, instead of 1.1.1.1 and/or 8.8.8.8 on the Mac TCP/IP Control Panel, potentially cause this? I assume not, for a few reasons, but I can't really tell, due to my low networking knowledge.

Anyway... I would gladly apply your suggestion and rephrase full-capital "WRONG" with "if localhost doesn't work, which AFAICT is what blocked most of us from getting this to work in the first place, USE 127.0.0.1 INSTEAD!". Problem is, the forum engine of the Macintosh Garden itself does not allow me to edit the post anymore, because users (understandably) cannot edit comments that have been responded to. However, I can very well clarify, verbally, my intent on that part, and add the above rephrased wording, in a follow-up comment/post. I will try doing that later this week as time permits.

EDIT: It is done.
Last Edit: March 18, 2024, 12:05 by Jatoba
ClassicHasClass
Reply #35 on: March 19, 2024, 03:52
Quote:
    (In fact, with regards to the latter, if you don't mind, there is another, 100% unrelated topic I hoped for years I could address with you in private, because it is extremely sensitive. Is e-mailing you over such things fine?)

I'm not sure what this is in reference to, but certainly.
ShinobiKenobi
Reply #36 on: April 19, 2024, 08:55
I've been trying to get this working for weeks, and I decided it's time to ask for help.
- I set up a Raspberry Pi and compiled carl, installed xinetd, and did everything in the OP. What I'm using to test it is Classilla 9.3.4b on Mac OS 9.2.2 because it's right next to my main PC.
- I followed the instructions here and set use-http-proxy-for-https to true.
- I set the SSL proxy in Classilla's regular preferences window with the RPi's IP and port 8765.
- I keep getting this error message: http://revontulet.org/2024/04/19/c78dd49f24344568886b0f2a1704a9bb.jpg
- carl can retrieve Wikipedia's homepage when I SSH into it from Windows 10 using the command line.
- The only port that is listening is 22, which is for secured connections like SSH.
- My LAN is configured as 192.168.1.0/24.
What am I doing wrong? Thanks
Knezzen
Reply #37 on: April 19, 2024, 09:11
Do you have a firewall enabled on the Raspberry Pi that stops you from accessing port 8765?
ShinobiKenobi
Reply #38 on: April 19, 2024, 09:30
Not from what I can tell. iptables is not installed, and I didn't see anything about a firewall in raspi-config.

Edit: I found out they stopped including iptables and now use nftables. I've disabled it and flushed all rulesets. But I still can't connect to it.
Last Edit: April 19, 2024, 10:27 by ShinobiKenobi
ShinobiKenobi
Reply #39 on: April 19, 2024, 10:47
I restarted the server one more time and it works now. There was a line in my xinetd.conf file that was hanging up xinetd. I am now able to browse to Wikipedia. I'll also try other secure sites, but it appears to be working. Thank you for your help!
cballero
Reply #40 on: May 03, 2024, 14:18
That's awesome, SK! I am getting slowly closer and brave enough to try Crypto Ancienne myself, so your success in solving your configuration of this tool gives me hope! Once I get some time, I'll tackle it myself and see what hiccups I run into and post similarly. I may need everyone's help when I do so (as usual, lol).
ShinobiKenobi
Reply #41 on: May 03, 2024, 22:16
Thanks, cballero! That would be cool for you to set it up. Being able to use the internet normally after more than 20 years on classic Mac OS is so nice lol. It doesn't fix javascript problems with newer sites, but many secure sites work now.
xc68000
Reply #42 on: August 02, 2025, 19:31
I'm glad I stumbled across this. Thank you for posting. I have always had this dream of being able to roll up a RaspPi with something that would allow TLS/SSL and also act as a sort of web proxy and also a mail relay that I could use to connect to modern email providers like GMail and allow my vintage machines to access.
cballero
Reply #43 on: August 02, 2025, 20:28
Well, we're glad you stumbled into our easy-going, classic Mac microcosm, xc68000—especially to uncover these neat, modernizing security and networking hacks!
ShinobiKenobi
Reply #44 on: February 16, 2026, 07:23
I had used this for a few months, running on my RaspPi. I don't remember why I stopped using it. Anyway, I just set it back up last night and today, running on a Debian headless server under VirtualBox, using 512 MB RAM. It probably doesn't even need that much. I set it up to be text-only. To become root on Debian is the short command "su", without the quotes.

In case it helps others, I'll give the main things I learned because I had to do a little research once again this time, as I set this back up for the second time. You should have compiled the software according to the instructions found in the documentation that came with Crypto Ancienne. This is not an optimized setup. It was just the first settings I tried when I got it working. Keep in mind ClassicHasClass mentioned that the carl configuration file given as an example in the first post listens on all interfaces. I plan on binding it to a specific interface, just on the occasion the VM becomes self-aware and spawns endless interfaces. These were just the steps I took that got it working.

Good references
***************
Crypto Ancienne: TLS for the Internet of Old Things (modern browser needed)
TLS 1.3 support for Classilla 9.3.4b
The README.md file in the cryanc directory
Howto: configure xinetd service under Linux or UNIX systems (modern browser needed)

Main points
***********
1. In no way do I claim to know more than the lay computer user about networking, so don't rely on my particular settings!
1.5 In no way do I claim that my GNU/Linux knowledge is above average.
2. I compiled carl using my regular GNU/Linux user account privileges.
3. With root privileges, I copied the carl program to /usr/local/bin.
4. With root privileges, I created a service configuration file in the /etc/xinetd.d/ directory, naming it carl. I use VIM. Sorry nano or emacs guys, I tried them in college, didn't like them, and have used VIM for 20 years, and have totally forgotten how to use them. VIM isn't installed by default, but the predecessor to VIM, vi, is installed. But anyway, I created the file below:

    # vi /etc/xinetd.d/carl

Here are the contents of what Knezzen provided for the /etc/xinetd.d/carl file:

    service carl
    {
        disable     = no
        socket_type = stream
        protocol    = tcp
        port        = 8765
        wait        = no
        user        = root
        server      = /usr/local/bin/carl
        server_args = -p -t
    }

5. (Optional?) Here are the contents of my /etc/xinetd.conf file: (Note: the lines after the last comment line, but before the ending bracket, are what I added. These lines were not there by default on my installation. I read the article (last reference I listed), which is where I kinda copy-pasted-edited in my config lines here. These are most likely not optimal, but I thought something was better than nothing, and can be changed at any time.)

    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/

    defaults
    {
    # Please note that you need a log_type line to be able to use log_on_success
    # and log_on_failure. The default is the following :
    # log_type = SYSLOG daemon info

        instances      = 60
        log_type       = SYSLOG authpriv
        log_on_success = HOST PID
        log_on_failure = HOST
        cps            = 25 30
    }

6. With root privileges, I added the line:

    carl 8765/tcp

to the /etc/services file. I put it in the proper place, numerically (not sure what would happen if it was out of order). A mistake of mine at the naming step here was messing me up, until I caught it after I was sure I had thought of everything. I originally named the service "tlsproxy", and since that doesn't match "carl" (the name of the service in /etc/xinetd.d/), it just wouldn't work. I spent hours trying to figure out why it wouldn't work.

But anyway, after 2, 3, 4, 5?, and 6 were done, I restarted xinetd, using the command (as root):

    systemctl restart xinetd

I also restarted, using the command (as root):

    shutdown -r now

This is the configuration I am using right now, and it works. Hopefully it helps others.

Some useful commands I used to help troubleshoot my setup:
1. netstat -an | grep LISTEN (to see all ports listening for connections)
2. netstat -lnp | grep xinet (to see what all is running under xinetd)
3. systemctl restart xinetd (restarts xinetd)
Last Edit: February 17, 2026, 03:51 by ShinobiKenobi
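An added check script, not from the thread or from the Crypto Ancienne project, that lints an xinetd service file for carl against /etc/services: it catches the service-name mismatch ShinobiKenobi describes in step 6, and flags the root user and the all-interfaces listen mentioned in the same post. The attribute names bind, interface and only_from are real xinetd settings; the sample files, the LAN address and the unprivileged user name carl are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint an xinetd service file for carl against /etc/services.
# Not from the thread or from Crypto Ancienne; the sample files below are constructed.

# Print the value of one "attr = value" line from an xinetd service file.
xinetd_attr() {
    awk -v k="$2" '$1 == k && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_carl_service SERVICE_FILE SERVICES_FILE: prints one line per finding
# and returns the number of findings (0 means every check passed).
check_carl_service() {
    svc=$1; services=$2; n=0
    name=$(awk '$1 == "service" { print $2; exit }' "$svc")
    port=$(xinetd_attr "$svc" port); proto=$(xinetd_attr "$svc" protocol)
    # xinetd wants a /etc/services entry with the same name unless type = UNLISTED
    listed=$(awk -v s="$name" '$1 == s { print $2; exit }' "$services")
    if [ -z "$listed" ] && [ "$(xinetd_attr "$svc" type)" != "UNLISTED" ]; then
        echo "FAIL: no /etc/services entry named '$name' for $port/$proto"; n=$((n + 1))
    elif [ -n "$listed" ] && [ "$listed" != "$port/$proto" ]; then
        echo "FAIL: /etc/services lists $name as $listed, xinetd file says $port/$proto"; n=$((n + 1))
    fi
    # xinetd binds the socket itself, so carl can run as an unprivileged user
    if [ "$(xinetd_attr "$svc" user)" = root ]; then
        echo "WARN: carl runs as root; use a dedicated unprivileged user"; n=$((n + 1))
    fi
    # Without bind/only_from the proxy answers every host that can reach the port
    if [ -z "$(xinetd_attr "$svc" bind)$(xinetd_attr "$svc" interface)$(xinetd_attr "$svc" only_from)" ]; then
        echo "WARN: listens on all interfaces for any client; set bind = <LAN IP> and only_from = <LAN prefix>"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample: the service file from the post beside the mis-named services entry.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/carl" <<'EOF'
service carl
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    port        = 8765
    wait        = no
    user        = root
    server      = /usr/local/bin/carl
    server_args = -p -t
}
EOF
printf 'tlsproxy 8765/tcp\n' > "$SAMPLE_DIR/services"
check_carl_service "$SAMPLE_DIR/carl" "$SAMPLE_DIR/services" || echo "findings: $?"
```

Run against the real files with `check_carl_service /etc/xinetd.d/carl /etc/services`; a clean run prints nothing and exits 0.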
© 2021 System7Today.com.