Back in 2013 I wrote a little thingy on browsing with an SE/30. With recent developments in security, and the push by Google and many others to move sites to full HTTPS, we encounter a number of issues on our venerable hardware. For one, encryption adds significant processor overhead and increases page load times. In addition, we now live in the age of Heartbleed and POODLE, which have broken SSL3, so most if not all smart sites no longer support SSL3 connections. This is not even to mention the now obsolete RC4 and MD5 encryption ciphers, which have serious vulnerabilities.
I hardly need mention that the most modern browsers for 68K were made over a decade ago, the most modern of which is iCab 2.99, released sometime in the mid-2000s. My favorite is Netscape 4.0.8, while Internet Explorer 4 is an option as well; Wannabe and Lynx fill out the text-only ranks.
With most sites going away from HTTP and SSL3 in favour of TLS, many browsers can't even begin loading pages, as they no longer have a common language to speak. Not that they rendered well on the modern web anyhow. (I mean hey, we all knew this day was coming).
So, as with all things 68K, I had to find a way to hack it, so at least we had some common language, and heck if we can help out our old browsers a bit with cleaning up pages before they arrive, all the better!
1 GB RAM
8 GB HDD image
Macintosh Centris 650
108MB RAM (2x16MB, 2x32MB and 8MB onboard RAM)
9GB 7200RPM Seagate SCSI HDD
Mac OS 8.1
Working at a school, I'm quite familiar with content filtering to keep the youth of this generation on the straight and narrow; one tool in our arsenal is Squid. Squid is an internet proxy that also has a nifty feature called SSL Bump. This allows the proxy to intercept SSL or TLS connections and modify the connection before passing it to the client. This is what is known as a Man in the Middle exploit, and it's becoming increasingly hard to make work as new methods appear to mitigate this kind of exploit (much to the chagrin of this parent and IT person).
For our purposes we're going to take that incoming hyper-secure TLS connection with some fancy high cipher encryption and present a new certificate to the client with a weak cipher and an SSL3 connection that will be compatible with Internet Explorer 4.
The reason I've chosen IE4 is that I was not able to get Netscape 4.0.8 happy with the certificate. iCab would have been my second choice, but it only offers a proxy for http connections.
So here goes....
Installing and Compiling OpenSSL with SSL3 and Weak Ciphers
I'm assuming you know how to install a base install of Debian on a VM or real machine and give it a static IP on your local network.
K... For some reason this doesn't work to build with a root user, so might as well do it as a normal user.
1. Grabbest some build tools
    # Get build tools
    apt-get -y install devscripts build-essential fakeroot debhelper dh-autoreconf cdbs
2. Buildest a directory
    # My home directory is as follows... Use your own username
    mkdir /home/username/opensslbuild
    cd /home/username/opensslbuild
3. Grabbest the code
    apt-get source openssl
4. Open the rules file
5. Modify the rules file to include the following flags on the CONFARGS line. Yes I've enabled SSL2 as well for compatibility.
    enable-ssl3 enable-ssl3-method enable-ssl2 enable-weak-ssl-ciphers
6. Build the package
    # Change directory
    cd /home/username/opensslbuild/openssl-1.1.0f
    # Build package
    dpkg-buildpackage
7. What you'll get now is a bunch of deb and udeb files in your directory. You can now install them by issuing the following...
    dpkg --install libssl1.1_1.1.0f-3+deb9u1_amd64.deb
    dpkg --install libssl1.1-dbgsym_1.1.0f-3+deb9u1_amd64.deb
    dpkg --install libssl-dev_1.1.0f-3+deb9u1_amd64.deb
    dpkg --install libssl-doc_1.1.0f-3+deb9u1_all.deb
    dpkg --install openssl_1.1.0f-3+deb9u1_amd64.deb
    dpkg --install openssl-dbgsym_1.1.0f-3+deb9u1_amd64.deb
8. Prevent openssl and libssl-dev from updating
    apt-mark hold openssl libssl-dev

    # Make build directory
    mkdir /root/squidbuild
    cd /root/squidbuild
    # Get build dependencies for squid
    apt-get -y build-dep libecap
    apt-get -y build-dep squid3
    apt-get install libdbi-perl
2. Grab source:
    # Get Squid source
    apt-get source squid
3. Modify build rules file:
    # Open rules file
    nano squid3-3.5.23/debian/rules
4. Add the following lines under DEB_CONFIGURE_EXTRA_FLAGS
    --with-openssl \
    --enable-ssl \
    --enable-ssl-crtd
5. Build the code!
    # Change directory
    cd /root/squidbuild/squid3-3.5.23
    # Build it
    dpkg-buildpackage -rfakeroot -b
6. Deb files will appear again after the build procedure. Install those nuggets.
    dpkg --install squid3_3.5.23-5_all.deb
    dpkg --install squid_3.5.23-5_amd64.deb
    dpkg --install squid-cgi_3.5.23-5_amd64.deb
    dpkg --install squidclient_3.5.23-5_amd64.deb
    dpkg --install squid-common_3.5.23-5_all.deb

    cd /etc/squid
    mkdir ssl_cert
    chown proxy:proxy ssl_cert
    chmod 700 ssl_cert
    cd ssl_cert
2. Build a weak certificate for interception
    cd /etc/squid/ssl_cert
    # Yes it's a 10 year certificate
    openssl req -newkey RSA:512 -MD5 -days 36500 -nodes -x509 -keyout myCA.pem -out myCA.pem
    # This is used if you need a certificate to import into the user's browser
    openssl x509 -in myCA.pem -outform DER -out myCA.der
3. Modify the
    # WELCOME TO SQUID 3.5.23
    # ----------------------------
    #
    acl Safe_ports port 443 # https
    #acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    #http_access deny CONNECT !SSL_ports
    # Only allow cachemgr access from localhost
    #Enter your own subnet of course...
    acl localnet src 192.168.1.0/255.255.255.0
    http_access allow localnet
    http_access allow localhost manager
    http_access deny manager
    #http_access allow localnet
    http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all
    # Squid normally listens to port 3128
    http_port 3128 ssl-bump \
      cert=/etc/squid/ssl_cert/myCA.pem \
      generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
4. Initialize Certificate DB
    ln -s /usr/lib/squid3/ssl_crtd /bin/ssl_crtd
    /bin/ssl_crtd -c -s /var/spool/squid3_ssldb
    chown -R proxy:proxy /var/spool/squid3_ssldb
5. Prevent Aptitude from updating our custom squid
    apt-mark hold squid3 squid3-common
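An added example, not part of the original post: a small Python audit of the access-control and bump lines from the squid.conf above. It reports how many client addresses may use the bumping proxy, whether CONNECT is limited to SSL_ports, and whether every connection is bumped. TIGHT_CONF is a constructed variant with a hypothetical single client address (192.168.1.50), and src ACLs are assumed to be in CIDR or netmask form.

```python
import ipaddress
import re
# Constructed sample: the access-control and bump lines from the squid.conf above.
PAGE_CONF = r"""
#acl SSL_ports port 443
acl CONNECT method CONNECT
#http_access deny CONNECT !SSL_ports
acl localnet src 192.168.1.0/255.255.255.0
http_access allow localnet
http_access deny all
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

# Constructed variant: one client only (hypothetical address), CONNECT limited to 443.
TIGHT_CONF = (PAGE_CONF.replace("#acl SSL_ports", "acl SSL_ports")
              .replace("#http_access deny CONNECT", "http_access deny CONNECT")
              .replace("192.168.1.0/255.255.255.0", "192.168.1.50/32"))

def directives(text):
    """Join backslash continuations, drop comments, return one token list per directive."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    rows = (line.split("#", 1)[0].split() for line in joined.splitlines())
    return [row for row in rows if row]

def audit(text):
    """Summarise who may use the bumping proxy and how far CONNECT and bumping reach."""
    rows = directives(text)
    src = {r[1]: r[3:] for r in rows if r[0] == "acl" and len(r) > 3 and r[2] == "src"}
    clients = {}
    for r in rows:
        if r[:2] == ["http_access", "allow"]:
            for name in r[2:]:
                nets = [ipaddress.ip_network(n, strict=False) for n in src.get(name, [])]
                if nets:
                    clients[name] = sum(n.num_addresses for n in nets)
    return {
        "bump_ports": [r[1] for r in rows if r[0] == "http_port" and "ssl-bump" in r],
        "bump_all": ["ssl_bump", "bump", "all"] in rows,
        "connect_limited": ["http_access", "deny", "CONNECT", "!SSL_ports"] in rows,
        "client_addresses": clients,
    }

if __name__ == "__main__":
    print({"page": audit(PAGE_CONF), "tight": audit(TIGHT_CONF)})
```

To run it against a real file, pass the contents of /etc/squid/squid.conf to audit() instead of the constructed samples.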

    iptables -t nat -A PREROUTING -i <your_eth> -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i <your_eth> -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
iptables-persistent. This will preserve the rules between reboots. We've placed the rules in first as iptables-persistent will generate its config off of the current rules.
    apt-get install iptables-persistent
From here you should now reboot your server and test your config so far...
Internet Explorer 4
After some testing between IE 4.0.1 and Netscape 4.0.8 I've had better success with IE 4. First, it seems to render pages more faithfully and secondly I can't for the life of me get Netscape to work for me even with Squid bumping on. My major issues with IE however are that it crashes fairly regularly (taking OS 8.1 with it) and it doesn't render PNG images unlike Netscape.
The PNG issue can be overcome and we can tweak some other things to help it behave better as I'll show below... The PNG fixing will come a bit later in another page I think.
By default this is what we get browsing to Google without a proxy or anything configured.
Oh... don't even try getting into an https configured page.... Here I am trying google as a https. No common protocol.
Let's tweak the settings in IE a bit...
1. Go to Edit - Preferences...
3. Also Java.... Who knows what that would try to do. Disable it.
4. I also hate getting a whole bunch of messages when we change zones. We can disable those settings too.
5. Next let's configure the proxy. You can configure yours using the settings I have below but using your own server IP. Notice I'm putting in the default port for Squid for both Normal and Secure settings just like we put in our IP Tables above.
Be careful... I've noticed that sometimes my settings for the secure proxy spontaneously revert to tunnel for some reason. Make sure this remains normal.
6. Let's try it now... K... Not really sure what exactly this means, does it mean that there is no installed root certificate for our server? Does it mean the server is sending stuff in clear text? I'll have to dig into this further with some packet sniffing later. But it says continue... who cares. Click past it.
Voila! Look at that, common protocol, and now we're back in!
Stay tuned for Part 3. There I will explain how to pretty up pages by using squid to compress images and other content modifications.
Last Updated: November 10, 2018