

Maximum R.I.S.C. (joined 2017 Oct 18)
CALL TO ARMS! - any Tiger/Leopard Devs Here? Let's Fix OpenSSL in Tiger!!!

Uncle Steve Wants You! ;0p

But seriously, I've been maintaining a few apps for several years (like PPC Media Center - http://ppcluddite.blogspot.com/2016/06/new-ppc-media-center-version-6.html) and am currently working on a GUI for the WAY-COOL PianoPPC port of the PianoBar Pandora client (that can actually run on a G3!! - http://desktopecho.com/pianoppc/)

But on every front we are hitting a wall with this TLS/OpenSSL-pocolypse hitting our old systems.
There IS a newer version that will install in Tiger (v1.0.2 - http://sevan.mit.edu/packages) but it has issues. It will report back, but then not really do anything more than that - despite having apparently full library support, curl, wget and whatever other backend internet protocols just can't use it.

Is there anyone on the Garden with a reasonable current Dev system and/or better understanding of backend network systems in Tiger and Leopard?

I am currently patching PPC Media Center, but it is only a band-aid - as long as video servers like YouTube will talk to insecure clients. TenFourFox has its own solution, but it lives within the browser and can't really help the system.

The next thing to go will likely be network time support, and once that happens, unless TenFourFox finds a new route, that will mean internet security certificates will start failing, and then even its superior TLS will not be able to operate.

Much like the 2038/2040 date problem in OSX/OS9, this is a potential system-breaker for any real-world usage.

It won't be easy, but for anyone interested in helping out, this might well give your systems years more life.

Anyone interested in helping us fix this please email me avalbrec (@) gmail (DOT) com.

Thanks!!

Comments

nil0bject (joined 2012 Nov 14)

Have you tried contacting those who are also (in the past) working on it?
http://openssl.6102.n7.nabble.com/Building-OpenSSL-and-OpenSSH-on-Mac-OS...
https://curl.haxx.se/mail/lib-2017-02/0035.html

Is OpenSSL necessary? Could you try something like LibreSSL?

melomac (joined 2018 Feb 26)

I don't have Mac OS X 10.4 at hand, but what if you build from source one of the latest legacy builds of the same OpenSSL version:
https://github.com/openssl/openssl/releases/tag/OpenSSL_0_9_8zh
https://github.com/openssl/openssl/releases/tag/OpenSSL_0_9_7m
https://github.com/openssl/openssl/releases/tag/OpenSSL_0_9_6m

Don't forget to enable the shared library and try to use /usr as a prefix.

This may overwrite Apple's OpenSSL (libssl.dylib and libcrypto.dylib) or you could also:
- update the sym links in /usr/lib to point to new build
or:
- update faulty binaries linked libraries using install_name_tool

This is highly theoretical, but that should do.

Maximum R.I.S.C. (joined 2017 Oct 18)

Thanks so much, guys - that is exactly the type of info I was hoping for. Also, Sevan (the gentleman who compiled the OpenSSL 1.0.2) has agreed to discuss possibly working with me on this.

Wish us all luck.

Maximum R.I.S.C. (joined 2017 Oct 18)

UPDATE: So Sevan (@ sevan.mit.edu) thinks one of the things we are up against is Python. We are now testing a new setup (which fortunately would run from existing packages, and setup can be automated) that would create new replacements for:

• OpenSSL
• Python (3.4 if possible, otherwise 2.7)
• NTP (Network Time Protocol) - most importantly

He suspects we will be able to use existing frameworks from that point, if we can get apps that need the enhanced TLS to use these in /usr/pkg instead of the normal versions (can be hand-coded into the apps easily - like PPC Media Center).

The big trick is THIS. Network Time Protocol is critical for everything because it maintains the clock. Even TenFourFox, with its higher-level OpenSSL support, is at the mercy of time-sync when validating security certificates. So a big part of the upgrade will take the shape of making an hourly time-sync package.

If there are ANY applications currently being maintained that require networking (like say PianoPPC) that you'd like to see survive, please get them in touch with me on this so we can come up with a standardized upgrade/patch framework.

This could literally give us another 6 years of largely trouble-free use in Tiger and Leopard, if projects go on being maintained.
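An added example of the hourly time-sync job the post has in mind (my own shell script, not code from the thread or from any of the projects named in it): it asks an NTP server for the current offset with `ntpdate -q`, steps the clock only when the skew is larger than a threshold, and checks a certificate's expiry against the local clock with `openssl x509 -checkend`. The server name, the 60-second threshold and the function names are my assumptions; `ntpdate` and `openssl` ship with 10.4 and 10.5.

```shell
#!/bin/sh
# Added example, not from the thread: an hourly clock-check job for Tiger/Leopard.
# A wrong clock makes every TLS certificate look not-yet-valid or expired, so the
# job keeps skew small instead of blindly stepping the clock on every run.
# Assumptions: ntpdate and openssl are on PATH (both ship with 10.4/10.5);
# NTP_SERVER and MAX_SKEW_SEC are my choices, not values from the thread.
set -eu

NTP_SERVER="${NTP_SERVER:-pool.ntp.org}"
MAX_SKEW_SEC=60

# Pull the offset (seconds, possibly negative) out of 'ntpdate -q' output, e.g.
#   "server 10.0.0.1, stratum 2, offset -123.456789, delay 0.02573"
parse_offset() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit } }'
}

# Exit 0 when |offset| <= MAX_SKEW_SEC; awk does the float comparison because
# sh arithmetic is integer-only.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW_SEC" \
        'BEGIN { if (off < 0) off = -off; exit !(off <= max) }'
}

# Exit 0 if the certificate's notAfter is still in the future according to the
# local clock; -checkend 0 only covers expiry, not a notBefore in the future.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Query first, step only when needed. Stepping needs root; -u uses an
# unprivileged source port so the query also works on a firewalled box.
sync_clock() {
    report=$(ntpdate -q "$NTP_SERVER" 2>&1) || {
        echo "NTP query of $NTP_SERVER failed: $report" >&2; return 1; }
    offset=$(parse_offset "$report")
    if skew_ok "$offset"; then
        echo "clock within ${MAX_SKEW_SEC}s of $NTP_SERVER (offset ${offset}s)"
    else
        echo "clock off by ${offset}s, stepping from $NTP_SERVER"
        ntpdate -u "$NTP_SERVER"
    fi
}

case "${1:-}" in
    sync)       sync_clock ;;                                # hourly job
    check-cert) cert_not_expired "$2" && echo "not expired" ;;  # check-cert file.pem
esac
```

Run it hourly as root from cron or a launchd job (`clockcheck.sh sync`); the `check-cert` mode is for confirming, after a sync, that a server certificate saved with `openssl s_client` has not simply expired before blaming the TLS stack.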

Maximum R.I.S.C. (joined 2017 Oct 18)

UPDATE:

Well, we have a pulse on Python 3.4 and NTP, but OpenSSL, while alive, isn't talking to Python yet. THE GOOD NEWS is how many tools are available in "The Real World" (PC/Mac & LINUX), once we get to this point.

Debugging today - I suspect the issue is with Curl in OSX.

Here's to getting this fixed soon.

adespoton (joined 2015 Feb 15)

Curl should be fine except for the fact that the OpenSSL version it requires doesn't support the most recent versions of TLS. So someone will need to backport.

Once there's a copy of LibSSL that supports the latest TLS, everything else should just be able to use it.

Maximum R.I.S.C. (joined 2017 Oct 18)

OpenSSL is updated to 1.0.2 but isn't being used by system curl - will likely have to update it as well.
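An added shell script (mine, not code from the thread or from any of the projects named in it) that does what melomac suggested above and what this post needs: build a legacy OpenSSL release from source as a shared library under its own prefix, then check with `otool -L` which libssl/libcrypto a binary such as the system curl actually loads and print the `install_name_tool -change` commands that would repoint it. The download URL, the `/usr/local` prefix (instead of melomac's `/usr`, so Apple's copies stay untouched), the `0.9.8` library version string and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build OpenSSL 0.9.8zh (the release tag
# linked above) as a shared library under its own prefix, then show which
# libssl/libcrypto a binary such as /usr/bin/curl really loads and how to
# repoint it.
# Assumptions: the tarball URL follows openssl.org's old-releases layout;
# OPENSSL_PREFIX defaults to /usr/local so Apple's /usr/lib copies are left
# alone; darwin-ppc-cc is the 32-bit PowerPC target in 0.9.8's Configure.
set -eu

VERSION="0.9.8zh"
LIB_ABI="0.9.8"                                  # 0.9.8 installs libssl.0.9.8.dylib
OPENSSL_PREFIX="${OPENSSL_PREFIX:-/usr/local}"
TARBALL="openssl-${VERSION}.tar.gz"
URL="https://www.openssl.org/source/old/0.9.x/${TARBALL}"

# Fetch, configure with shared libraries enabled, build, self-test and install.
build_openssl() {
    curl -LO "$URL"
    tar xzf "$TARBALL"
    cd "openssl-${VERSION}"
    ./Configure darwin-ppc-cc shared --prefix="$OPENSSL_PREFIX"
    make
    make test
    make install
    cd ..
}

# Given the binary and one line of 'otool -L binary' output, print the
# install_name_tool command that swaps an Apple libssl/libcrypto path for the
# new build. Prints nothing for any other library line.
relink_cmd() {
    binary="$1"
    old=$(printf '%s\n' "$2" |
          awk '$1 ~ /^\/usr\/lib\/lib(ssl|crypto).*\.dylib$/ { print $1 }')
    case "$old" in
        "")           return 0 ;;
        */libssl*)    new="$OPENSSL_PREFIX/lib/libssl.${LIB_ABI}.dylib" ;;
        */libcrypto*) new="$OPENSSL_PREFIX/lib/libcrypto.${LIB_ABI}.dylib" ;;
    esac
    printf 'install_name_tool -change %s %s %s\n' "$old" "$new" "$binary"
}

# Print the relink commands for a binary. install_name_tool only rewrites the
# path; the binary must still find the symbols it needs in the new library,
# so run the printed commands on a copy and re-check with 'otool -L'.
relink_plan() {
    otool -L "$1" | while IFS= read -r line; do
        relink_cmd "$1" "$line"
    done
}

case "${1:-}" in
    build) build_openssl ;;
    plan)  relink_plan "$2" ;;     # e.g. sh fix-openssl.sh plan /usr/bin/curl
esac
```

`plan /usr/bin/curl` is the quick way to confirm the symptom in this post: if the output names `/usr/lib/libssl.0.9.7.dylib`, the system curl is still loading Apple's library and the 1.0.2 install is simply not being picked up. Note that the `curl -LO` download itself will fail on a Tiger box that can no longer negotiate TLS; fetch the tarball on a current machine and copy it over.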

adespoton (joined 2015 Feb 15)

How about curl from http://www.finkproject.org/download/index.php?phpLang=en ?

Philgood (joined 2013 Jun 10)

Any update on this?