pkgutil --expand "/path/to/Legacy Mac Proxy.pkg" /path/to/output/folder
to take a look inside.

A self-signed certificate is used between the browser† and the proxy. However, the proxy still uses "official" certificates to communicate with the website. The proxy is responsible for ensuring that that certificate chain is valid. (I do want it to actually verify the certificates, not merely accept everything.)

So what's the benefit of fetching intermediate certs?
In SL Interweb stops working. Any workaround?

If you're using OS X 10.6 (Snow Leopard), 10.7 (Lion), 10.8 (Mountain Lion), or 10.9 (Mavericks), I encourage you to give it a try
InterWeb is a Firefox-based browser. Make sure you follow the instructions in the readme to set the browser to bypass the proxy.
It is interesting that updating the root certificates with the latest Mozilla certificates works on Mavericks onward but it does not work on earlier operating systems. This method has less impact on the CPU in comparison to the squid server method, but unfortunately it is not universal. Any idea why it does not work on all operating systems?
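- Update your System Root certificates. Download Latest Mozilla Certificates:

```bash
curl --etag-compare etag.txt --etag-save etag.txt --remote-name https://curl.se/ca/cacert.pem
```

- Save this script as trustroot.sh:

```bash
#!/bin/bash
# Usage: sudo ./trustroot.sh /path/to/cacert.pem
# Adds every certificate in the PEM bundle to the System keychain as a trusted root.

# Private scratch directory; TMPDIR may be unset under sudo, so fall back to /tmp.
DIR="$(mktemp -d "${TMPDIR:-/tmp}/trustroot.XXXXXX")" || exit 1
trap 'rm -rf "${DIR}"' EXIT

# Split the bundle into one file per certificate (BSD split, as shipped with macOS).
(cd "${DIR}" && /usr/bin/split -p '-----BEGIN CERTIFICATE-----' - cert-) < "$1"

for c in "${DIR}"/cert-* ; do
    # The first chunk holds only the bundle's comment header; skip it.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$c" || continue
    security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "$c"
done
```

- Issue this command:

```bash
chmod 755 trustroot.sh
sudo ./trustroot.sh /path/to/cacert.pem
```

Where the /path/to/ should be replaced by your actual path. The certificates will then operate as trusted roots in addition to the certificates in the original System Roots keychain. This will eliminate the certificate expired error issue in Safari.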
Tiny correction—Mac OS X 10.9 Mavericks actually supports TLS 1.2 (it was the first version of Mac OS to do so). What's missing aiui are modern cipher suites.

But even with proper certificates, many servers will only do a TLS 1.2 handshake, while Apple's version of secureTransport in 10.9 that's used by all cocoa apps can only do TLS 1.1 handshake.
I was thinking about a Raspberry as an option, but is there any easy to follow information available in the net?

Btw you don't need to run the squid server locally on your machine, you can always run it on an external raspberry pi or something if you're concerned about CPU usage.
There is a decent possibility the proxy will allow you to connect to your email provider in Apple Mail.

Anyway, Mail does still not work, and I don't know if this update could have any advantage for us?
It's working for me.

The Dictionary app fails to connect to Wikipedia again.
Should this proxy be able to fix git clone with https?

Getting command line tools to respect the proxy and/or certificate is a bit hit-or-miss. Most of them work as long as you check the option to `Set Environment Variables` when installing the proxy, but not always.

You might consider telling git to stop verifying SSL by running `git config --global http.sslVerify false`. This of course has security implications, but it probably isn't a major concern as long as you're cloning repositories on a trusted internet connection. You could also clone via SSH instead.

Ah yeah it’s for my work so probably not good to turn off the SSL. But you were right about the ssh, I got that to work thanks. Took me a while to find the right encryption method for a certificate that mavericks can do and GitHub also supports.
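Added example, not part of the thread: one way to keep git's certificate verification on behind an intercepting proxy is to point `http.sslCAInfo` at the proxy's CA certificate instead of setting `http.sslVerify false`. It assumes the proxy's certificate has been exported to a PEM file; the function names are made up for this example, and the demo uses a constructed dummy certificate and a throwaway config file.

```sh
#!/bin/sh
# Added example, not from the thread: keep git's TLS verification on and
# trust the intercepting proxy's CA instead of setting sslVerify=false.

# Succeeds if http.sslVerify is switched off in the selected scope.
# Arguments choose the scope: --global, --local or --file <path>.
verification_disabled() {
    [ "$(git config "$@" --bool --get http.sslVerify 2>/dev/null)" = "false" ]
}

# $1 = PEM file holding the proxy's CA certificate (a constructed dummy in
# the demo); remaining arguments choose the scope as above.
trust_proxy_ca() {
    ca=$1; shift
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null || {
        echo "not a PEM certificate: $ca" >&2; return 1; }
    # Remove the blanket opt-out, then name the CA git should verify against.
    git config "$@" --unset-all http.sslVerify 2>/dev/null || true
    git config "$@" http.sslCAInfo "$ca"
}

# Demo against a throwaway config file, so no real settings are touched.
if command -v git >/dev/null 2>&1; then
    demo=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
        '-----END CERTIFICATE-----' > "$demo/proxy-ca.pem"    # constructed dummy
    git config --file "$demo/gitconfig" http.sslVerify false   # the weak setting
    verification_disabled --file "$demo/gitconfig" && echo "before: verification off"
    trust_proxy_ca "$demo/proxy-ca.pem" --file "$demo/gitconfig"
    verification_disabled --file "$demo/gitconfig" || echo "after: verification on"
    git config --file "$demo/gitconfig" --get http.sslCAInfo
    rm -rf "$demo"
fi
```

In real use the scope would be `--global` (or `--local` for one repository) and the first argument the certificate file exported from the proxy.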