
goosnarrggh

macrumors 68000
May 16, 2006
1,602
20
I still read your post in a Mail notification message. iTunes 10.6.3 has no issues logging in, but iTunes 11 has. However, Genius doesn't work in either. Genius and logging in have been problematic since the fall of 2019, since the public release of Catalina with the new Music app. Apple Phone Support was of no help. Later, around January, the issues temporarily went away, only to return again. I think they did that deliberately. I'd not be surprised if they had their own plants monitoring some discussions here, because exactly a day after I posted to one of the threads about my observations, namely that the login & Genius in iTunes 11 had itself miraculously restored, they resumed in old course. Fixing HTTPS compatibility with the method implemented by the OP restores the connectivity only partially, but it has no profound effect on the underlying WebKit engine used by corresponding stock apps such as iTunes and MAS (and the latter, surprisingly, still connects) that requires updates at a more fundamental level which is nearly impossible by anybody but Apple themselves.
Yeah, I deleted my original post because I realized too late that I had probably misinterpreted the main thrust of this thread and so my entire comment was probably off-topic. Trying to <EDIT> improve </EDIT> the signal-to-noise ratio.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
I noticed Squid sometimes wasn't starting up by itself after I restarted my computer, so I made a little change to the launchd plist which seems to fix it. In the attachment in the first post.

At some point I'm also going to compile a copy of Squid on Snow Leopard so it works on 10.6–10.8. Those systems need this even more than Mavericks does...
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
Could you share the steps that you took to compile that? I'd then try to do it myself in Lion. I have Xcode installed, would be curious to carry that out.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
I've just updated the attachment in the first post with a version of Squid built on Snow Leopard. This means it should work on Snow Leopard or newer! @vorob, you may want to give it another shot if you're still interested.

Could you share the steps that you took to compile that? I'd then try to do it myself in Lion. I have Xcode installed, would be curious to carry that out.

No need now, but I had to use MacPorts. But, critically, I had to edit the port file to add --enable-ssl-crtd to configure.args.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Same questions as normal: is Squid running according to Activity Monitor, and what happens if you run /Library/Squid/squid in a Terminal?

It definitely worked in Snow Leopard last night, and I switched over Mavericks as well just for the heck of it. It would be odd if it worked in Snow Leopard and Mavericks but not Lion...
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
/Library/Squid/squid
dyld: Symbol not found: __ZNKSt9exception4whatEv
  Referenced from: /Library/Squid/squid
  Expected in: /usr/lib/libc++abi.dylib
 in /Library/Squid/squid
Trace/BPT trap: 5
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Oh, now that's interesting! What happens if you delete libc++abi.dylib and libc++.1.dylib from /usr/lib/ ? I think those are only actually needed in Snow Leopard, I included them in the archive because it was simpler than providing separate instructions and I didn't expect them to do any harm. I might have been wrong about the last part.

Edit: Wait, no... I think that libc library is still needed on 10.7 and 10.8? The way the MacPorts page is written is confusing me. But it's weird, because MacPorts doesn't seem to have any versions of libc for darwin11 or darwin12, only darwin10...
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
Same. It's loaded but doesn't run. However, I took a closer look at this part of the error: Expected in: /usr/lib/libc++abi.dylib. The libraries were installed in /usr/local/lib as per instructions. So the code in the binary calls a library that's in another location. There are no lib directories in usr.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
The /usr/opt thing is expected, it has to do with how MacPorts works. Mac OS will always find libraries in /usr/local/lib if they aren't present elsewhere (unless you've done something weird to your PATH settings, and if you did, you'd know.)

I'm honestly at a bit of a loss. Clearly, Lion's built-in C++ libraries are too old for Squid, but the Lion port for libcxx is (literally) just a message that reads "libcxx is an empty port on this OS version because the functionality is already provided by the OS." So, um, both of those things can't be true. Oh, and just to top it off, the Snow Leopard version of the library apparently doesn't work on Lion.

Very odd. I think it might just be the case that Squid isn't going to work on 10.7 for the time being, even though it works on both 10.6 and 10.9. There's something going on with the C++ toolchain, and that's a technology blindspot I don't really understand at all.

---

...y'know, since you specifically have both a Mavericks and a Lion computer, you could just have Lion connect to the instance of Squid running on Mavericks. Open squid.conf on the Mavericks computer, and add a line:

http_access allow 192.168.1.XX

...anywhere above the last line ("http_access deny all"), replacing 192.168.1.XX with the IP address of your Lion computer.

Then, in System Preferences on the Lion computer, instead of telling the Proxy Server as "localhost", put in the IP address of the Mavericks computer.

For obvious reasons, this will only work if both computers are turned on and connected to the same network. It's less self-contained so I don't particularly like it, but I'm not sure how else to fix. It also goes without saying I haven't personally tested a setup like this, but I think it should work?

Fitting that this happens on Lion. I'm happy for everyone who keeps old versions of OS X running—but I also hate Lion. It's basically 2012's Catalina, right down to all the broken legacy apps...
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
Since you specifically have both a Mavericks and a Lion computer, you could just have Lion connect to the instance of Squid running on Mavericks. Open squid.conf on the Mavericks computer, and add a line:

http_access allow 192.168.1.XX

...anywhere above the last line ("http_access deny all"), replacing 192.168.1.XX with the IP address of your Lion computer.

Then, in System Preferences on the Lion computer, instead of telling the Proxy Server as "localhost", put in the IP address of the Mavericks computer.

For obvious reasons, this will only work if both computers are turned on and connected to the same network. It's less self-contained so I don't particularly like it, but I'm not sure how else to fix. It also goes without saying I haven't personally tested a setup like this, but I think it should work?

Fitting that this happens on Lion. I'm happy for everyone who keeps old versions of OS X running—but I also hate Lion as a release. It's basically 2012's Catalina, right down to all the broken legacy apps...

This isn't going to work because all the 3 operating systems are installed on the same computer.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Same. It's loaded but doesn't run. However, I took a closer look at this part of the error: Expected in: /usr/lib/libc++abi.dylib. The libraries were installed in /usr/local/lib as per instructions. So the code in the binary calls a library that's in another location. There's no lib directories in usr.

Wait a second, I just re-read this.

It looks like Xcode installs its own copy of libc++.1.dylib in /usr/lib. I wonder if that's getting used for some reason instead of our version. What happens if you do DYLD_LIBRARY_PATH=/usr/local/lib/ /Library/Squid/squid?
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
dyld: Symbol not found: __ZNKSt9exception4whatEv
  Referenced from: /Library/Squid/squid
  Expected in: /usr/lib/libc++abi.dylib
 in /Library/Squid/squid
Trace/BPT trap: 5

I copied every library except the c++ ones to the installation location because they're shipped with the OS.
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
I copied the rest of the libraries, then ran your last suggested command and got

2020/09/01 08:50:43| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2020/09/01 08:50:43| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2020/09/01 08:50:43| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.

However, Safari 5 resumed (see SSL compatibility check, was all "bad" before)

With that being said Apple sites remained an impenetrable defence be it Safari 5 or Safari 9. The former loaded the main page of their developer site but I was rejected the auth window.


maverick28

macrumors 6502a
Mar 14, 2014
617
310
However, a small annoyance is that when I restart my Mac squid doesn't start, so I have to run it manually. Before that I set and exported DYLD_LIBRARY_PATH and added it to my .bashrc config file.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Yeah, the environment variable is not in the launchd plist so it’s not going to work automatically after a reboot. What I want to try next, when I have a free day, is editing the binary to always pull in the libraries from the current directory, to both solve the problem *and* let you put the libraries alongside everything else in /Library/Squid/, which is cleaner.

I do not recommend keeping that environment variable set in bashrc, I think that could potentially break other software.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Okay @maverick28, let me know if the updated copy attached to the first post works properly in Lion without changing DYLD_LIBRARY_PATH. No promises since I don't have a Lion machine to test, but I think this should successfully avoid the problem, while making the overall setup a bit nicer.

With that being said Apple sites remained an impenetrable defence be it Safari 5 or Safari 9.

Yes, this makes sense, because remember, all traffic to apple.com is exempted from the proxy. I expect that if you remove .apple.com from squid.conf, all Apple domains will work in Safari (unless the problem was never related to https to begin with). However, this may break any OS apps that use certificate pinning, which is a fancy way to say that they ignore the "Squid" certificate we added to Keychain Access.

On the other hand, certificate pinning is kind of a more modern practice, so there's a possibility it wasn't done on Lion. You could also figure out what specific subdomains the affected apps use (perhaps by looking inside access.log) and only exclude those—I didn't take this approach because my first priority was to avoid breaking anything.

---

By the way, this time around I've also added some lines to squid.conf to exempt local IP addresses (like 192.168.1.123) from the proxy. This fixes Docker, which I need for work, and IMO it makes logical sense in general, since those addresses should belong to computers you control.
 

maverick28

macrumors 6502a
Mar 14, 2014
617
310
Reporting on progress: I did everything again and - knock the wood - it works. First, I unloaded your LaunchAgent then copied from the downloaded folder everything except the plist and certificates (to save time and efforts) in Terminal, loaded the agent. All went good, and I restarted to be sure it runs on load. It does. Thank you. I wish I knew as much as you do - networking is the most confusing part of computing for me.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Picking up from the other thread (I'm trying to keep things in one place!)

My, Wowfunhappy has been making really wonderful things. Mad props to him!
There's a couple of questions that I have.
I have just installed Wowfunhappy's patch. At some point I was asked if I would like to allow incoming connections to Squid. I picked a "yes" but do I really need it to?

Oh, you have OS X's built-in firewall enabled, right? I don't use that, so I never noticed the prompt. Interesting! I'm not sure... Squid is certainly accepting connections, but they're coming from (and only allowed to come from) your own machine. I don't know if that counts as incoming or not. I'd be interested to see what happens if incoming connections aren't allowed.

It also doesn't take my credentials for iTunes App Store. Will I have the ability to download apps and back them up like before? Or do I have to move back to iTunes 10 in order to do that? I'd do it if necessary but dang, my music library is huge..

Something is up, iTunes should work! This is exactly why the proxy excludes Apple.com domains—it's because I don't want to break the built-in apps.

I wonder if iTunes uses an address like iTunes.com instead of apple.com...

Confession: I actually don't have iTunes installed, so I can't test this easily. If you look in /Library/Squid/logs/access.log right after trying to log into iTunes, does it list any URLs that look... interesting? Again, I'm hoping to see iTunes trying to connect to a non-Apple.com but clearly Apple-owned domain. If we can find what it's trying to access, we can exclude those from the proxy.
 

otetzone

macrumors regular
Jul 12, 2019
158
17
Here's what it says:

1602422322.570 500 ::1 TCP_TUNNEL/200 7788 CONNECT configuration.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602422365.972 23668 ::1 TCP_TUNNEL/200 5924 CONNECT qtpartners.apple.com:443 - HIER_DIRECT/17.179.32.233 -
1602422408.043 30963 ::1 TCP_TUNNEL/200 12863 CONNECT query.ess.apple.com:443 - HIER_DIRECT/17.167.225.11 -
1602422436.470 0 ::1 NONE/200 0 CONNECT p09-fmip.icloud.com:443 - HIER_NONE/- -
1602422563.623 294 ::1 TCP_TUNNEL/200 6410 CONNECT upp.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602422578.732 284 ::1 TCP_TUNNEL/200 6410 CONNECT upp.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Those are all apple.com domains that should be excluded... except one. I don't think this is going to work, but it's worth a try:

Open /Library/Squid/Squid.conf in a text editor, and change:

Code:
acl excluded_domains ssl::server_name .apple.com .pypi.org .pythonhosted.org

to

Code:
acl excluded_domains ssl::server_name .apple.com .icloud.com .pypi.org .pythonhosted.org

And then in the Terminal, run /Library/Squid/squid -k reconfigure.

@maverick28 You're using iTunes, right? Did you have to do anything special to get it working?
 

otetzone

macrumors regular
Jul 12, 2019
158
17
Still no go.. Doesn't take my credentials and when I'm trying to check any apps at the App Store, it gives me "This page is temporary unavailable".

Here's the log -

1602422365.972 23668 ::1 TCP_TUNNEL/200 5924 CONNECT qtpartners.apple.com:443 - HIER_DIRECT/17.179.32.233 -
1602422408.043 30963 ::1 TCP_TUNNEL/200 12863 CONNECT query.ess.apple.com:443 - HIER_DIRECT/17.167.225.11 -
1602422436.470 0 ::1 NONE/200 0 CONNECT p09-fmip.icloud.com:443 - HIER_NONE/- -
1602422563.623 294 ::1 TCP_TUNNEL/200 6410 CONNECT upp.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602422578.732 284 ::1 TCP_TUNNEL/200 6410 CONNECT upp.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602422685.355 246 ::1 TCP_TUNNEL/200 6410 CONNECT upp.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602422854.712 0 ::1 NONE/200 0 CONNECT wowfunhappy.com:443 - HIER_NONE/- -
1602422855.894 1090 ::1 TCP_MISS/503 389 GET https://wowfunhappy.com/ - HIER_DIRECT/98.124.199.65 text/html
1602422855.957 0 ::1 NONE/200 0 CONNECT wowfunhappy.com:443 - HIER_NONE/- -
1602422856.175 217 ::1 TCP_MISS/503 389 GET https://wowfunhappy.com/favicon.ico - HIER_DIRECT/98.124.199.65 text/html
1602423219.258 100 ::1 TCP_TUNNEL/200 36345 CONNECT init.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602423219.548 267 ::1 TCP_TUNNEL/200 6410 CONNECT upp.itunes.apple.com:443 - HIER_DIRECT/104.79.198.100 -
1602423224.643 795 ::1 TCP_TUNNEL/200 6786 CONNECT p46-buy.itunes.apple.com:443 - HIER_DIRECT/17.36.202.35 -
1602423227.752 3091 ::1 TCP_TUNNEL/200 2704 CONNECT p46-buy.itunes.apple.com:443 - HIER_DIRECT/17.36.202.35 -
1602423234.815 0 ::1 NONE/200 0 CONNECT s.mzstatic.com:443 - HIER_NONE/- -
1602423235.055 198 ::1 TCP_MISS/200 2925 GET https://s.mzstatic.com/sap/setupCert.plist - HIER_DIRECT/104.79.198.100 text/xml
1602423235.088 24 ::1 TCP_TUNNEL/200 46 CONNECT play.itunes.apple.com:443 - HIER_DIRECT/72.246.151.216 -
1602423242.702 4949 ::1 TCP_TUNNEL/200 1819 CONNECT p46-buy.itunes.apple.com:443 - HIER_DIRECT/17.36.202.35 -

Uh, just to clarify - I'm using Mavericks machine
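
Added example, not part of the thread or of the Squid download: a Python script for the access.log check discussed above, listing which hosts the proxy decrypted rather than passed through, whether the excluded_domains ACL would cover them, and any 5xx errors on their decrypted requests. It assumes Squid's native log format and, reading the excerpts above, that TCP_TUNNEL marks pass-through connections while a NONE/200 CONNECT with HIER_NONE marks decrypted ones; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# ACL value from the thread's squid.conf before .icloud.com was added.
EXCLUDED = [".apple.com", ".pypi.org", ".pythonhosted.org"]

# Lines copied from the access.log excerpts posted in this thread.
SAMPLE_LOG = """\
1602422408.043 30963 ::1 TCP_TUNNEL/200 12863 CONNECT query.ess.apple.com:443 - HIER_DIRECT/17.167.225.11 -
1602422436.470 0 ::1 NONE/200 0 CONNECT p09-fmip.icloud.com:443 - HIER_NONE/- -
1602422854.712 0 ::1 NONE/200 0 CONNECT wowfunhappy.com:443 - HIER_NONE/- -
1602422855.894 1090 ::1 TCP_MISS/503 389 GET https://wowfunhappy.com/ - HIER_DIRECT/98.124.199.65 text/html
1602423224.643 795 ::1 TCP_TUNNEL/200 6786 CONNECT p46-buy.itunes.apple.com:443 - HIER_DIRECT/17.36.202.35 -
1602423234.815 0 ::1 NONE/200 0 CONNECT s.mzstatic.com:443 - HIER_NONE/- -
1602423235.055 198 ::1 TCP_MISS/200 2925 GET https://s.mzstatic.com/sap/setupCert.plist - HIER_DIRECT/104.79.198.100 text/xml
"""

# Native format: time elapsed client code/status bytes method URL user hier/peer type
LINE = re.compile(
    r"^\d+\.\d+\s+\d+\s+\S+\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/"
)


def matches_acl(host, patterns):
    """A leading-dot pattern (as in the ACL) covers the domain and its subdomains."""
    host = host.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def audit(log_text, excluded):
    """Map each host whose TLS the proxy terminated to its counts and 5xx errors."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a native-format log line
        if m["method"] == "CONNECT":
            # Assumption: TCP_TUNNEL = passed through; NONE + HIER_NONE = decrypted.
            if m["code"] != "NONE" or m["hier"] != "HIER_NONE":
                continue
            host = m["url"].rsplit(":", 1)[0].lower()
            entry = report.setdefault(
                host, {"connects": 0, "in_acl": matches_acl(host, excluded), "errors": []})
            entry["connects"] += 1
        elif m["url"].startswith("https://"):
            # A full https:// URL is only logged for traffic the proxy decrypted.
            host = urlsplit(m["url"]).hostname
            if host in report and m["status"].startswith("5"):
                report[host]["errors"].append(int(m["status"]))
    return report


if __name__ == "__main__":
    for host, info in sorted(audit(SAMPLE_LOG, EXCLUDED).items()):
        print(host, info)
```

Hosts reported with in_acl False are the candidates to check against the affected app before adding them to excluded_domains; a non-empty errors list points at the proxy's own upstream connection failing for that host.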
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
Yeah, I didn't really expect that to work. I'm a little stuck at this point though, I might need to set up a clean VM and do some testing myself next week. Also curious to hear from maverick28.

(Just checking, you went to my website at some point, right? I was just surprised to see my own domain in the logs!)
 

otetzone

macrumors regular
Jul 12, 2019
158
17
(Just checking, you went to my website at some point, right? I was just surprised to see my own domain in the logs!)
True, however it wouldn't open neither in Firefox ESR nor in Safari.

I don't know whether it would make sense to try to block incoming connections at OSX firewall for Squid at this point. Please let me know if you want me to check anything, I'll be glad to help on my side. Do I need to revert squid.conf back or it's okay to leave it as it is now?
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,606
1,980
True, however it wouldn't open neither in Firefox ESR nor Safari..
You should tell Firefox to not use the proxy. I believe I have instructions for that in the download. Firefox ignores the certificates in Keychain (grr), but more importantly it has its own, modern SSL implementation so there's no need.

But the fact that wowfunhappy.com (which is nothing special, it's just a GitHub Pages site) wouldn't load in Safari is actually super telling! Something about the proxy is very much not working correctly.

If you search for Squid in Activity Monitor, does anything come up? Have you tried rebooting, just in case that clears something out? Did you definitely add the Squid certificate to your keychain?

Edit: Okay, I just saw the screenshot you edited in. So Squid is definitely running. If you’re sure you followed the setup instructions, please PM a copy of /Library/Squid/logs/cache.log.
 