ssl proxy

foetz

New member
Feb 19, 2019
19
7
3
more and more websites don't support tls 1.0 anymore which makes browsing with irix increasingly problematic. that's particularly annoying since most of the sites wouldn't need ssl at all. but looking at how websites developed in recent years that's not exactly a surprise.

anyway, to compensate for this i thought about using an ssl proxy. i'm using a squid anyway so i thought about upgrading and making use of sslbump. now before i dig into that, maybe someone tried that already? or maybe there's a better way to have the ssl part done by something else?
 

Elf

Storybook
Feb 4, 2019
56
8
8
For what it's worth there is a new version of OpenSSL ported for IRIX, 1.0.2: https://github.com/larb0b/irixports/blob/master/openssl/package.sh
It should support newer TLS and could presumably be used to build a browser that supports it?

An SSL proxy will work although it pushes the problem of certificate validation back to the proxy so the interface for dealing with that can be somewhat clumsy. The squid + ssl_bump solution is a reasonable setup if you want to do that! I seem to remember a proxy whose explicit purpose was stripping off SSL locally, but unfortunately I don't recall what it was named and can't find it anymore.
 

foetz

> For what it's worth there is a new version of OpenSSL ported for IRIX, 1.0.2: https://github.com/larb0b/irixports/blob/master/openssl/package.sh
thanks but no gcc builds for me unless absolutely necessary :D

> The squid + ssl_bump solution is a reasonable setup
and does what i want it to do. i gave it a quick try on an x86 just to see whether it works at all.

now the not so pleasant part is getting that compiled on irix. unfortunately a squid 3.x needs gcc and exceptions and rtti ... pretty much the worst case :p
but the main problem seems to be that irix has a different struct msghdr. not a big problem to replace that in squid but the related irix functions expect their native version. and that is exactly what's used heavily for ipc between squid itself and its ssl workers => crashes.
 

Elf

Oh, you want to run the squid proxy on IRIX as well? I just assumed it would be running on another server with the IRIX machine as the client. If running squid on the IRIX machine it will still need to be compiled with a version of OpenSSL that supports newer TLS and ciphers.
 

hammy

Member
Jun 1, 2019
46
17
8
UK
> thanks but no gcc builds for me unless absolutely necessary :D
>
> and does what i want it to do. i gave it a quick try on an x86 just to see whether it works at all.
>
> now the not so pleasant part is getting that compiled on irix. unfortunately a squid 3.x needs gcc and exceptions and rtti ... pretty much the worst case :p
> but the main problem seems to be that irix has a different struct msghdr. not a big problem to replace that in squid but the related irix functions expect their native version. and that is exactly what's used heavily for ipc between squid itself and its ssl workers => crashes.

FYI, there is an openssl patch for 1.1.1a that's good enough for regular wget or openssh usage below (and I compile it with MIPSpro):


Configure with something like this

./Configure --prefix=$INSTALLDIR --openssldir=$INSTALLDIR/etc/ssl --libdir=$INSTALLDIR/$DIDBS_LIBDIR irix-mips3-cc threads shared

For the struct msghdr, I vaguely remember seeing something similar to your description - and I think I couldn't find the right combination of -D_SGI_SOURCE style defines that would pull in the needed definitions of msghdr.

Sorry I forgot where I did it and a quick grep didn't show anything up - but from memory, have a hunt in the /usr/include header files and pull out the _xpg#_recvmsg plus the actual struct and manually add it where it's needed rather than trying to get it from the system include files.
 

foetz

> have a hunt in the /usr/include header files and pull out the _xpg#_recvmsg plus the actual struct and manually add it where it's needed
ah yeah, an xpg version of recvmsg(), that's a good idea. too bad it doesn't work with mipspro. otherwise i could just set _XPG.
 

hammy

> too bad it doesn't work with mipspro.
Above approach worked fine with MIPSpro AFAIR, I just created a little "irix_xpgmsghdr.h" within the project, and then find/replaced use of recvmsg and struct msghdr to the redefined versions in that header.

What probs you hitting with MIPSpro?
 

hammy

Got you. Yeah, that's the price of entry for "sticking with MIPSpro".

It's your time and pleasure, so I'll just wish you the best .-)
 

Unxmaal

Administrator
Feb 8, 2019
37
13
8
@foetz you might consider running something like wrp on another box external to your SGI gear.

Tenox is on our Discord too (and the forums?) and he's usually pretty responsive.

 

foetz

> another box external to your SGI gear.
no thanks. running a second box 24/7 is not an option. if i had that, the problem here wouldn't exist because then squid would work :p

as mentioned before, the problem is getting an ssl proxy that works on irix. so far i didn't find anything else but squid 3.x (or higher) which does what i'm looking for.
in the meantime i tried a couple of more things with squid. things like defining _XOPEN_5, manual copy & paste of the related functions and struct ... but no matter which combination i tried, it always breaks something else. so i think for now i'm done with squid and if i don't find anything else, the only other way i see is writing something myself.
 

Unxmaal

> no thanks. running a second box 24/7 is not an option. if i had that, the problem here wouldn't exist because then squid would work :p
>
> as mentioned before, the problem is getting an ssl proxy that works on irix. so far i didn't find anything else but squid 3.x (or higher) which does what i'm looking for.
> in the meantime i tried a couple of more things with squid. things like defining _XOPEN_5, manual copy & paste of the related functions and struct ... but no matter which combination i tried, it always breaks something else. so i think for now i'm done with squid and if i don't find anything else, the only other way i see is writing something myself.

Have you looked into using nginx? I think it could handle proxying ssl.
 

foetz

sure and yes it can. same goes for apache, stunnel and a few others. however, they all can only do that for a fixed target. what i'm after tho is a proxy, not a static forwarder.
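
Added example (editor's illustration, not part of the thread and not code from any poster or from squid): the difference between a static forwarder and a forward proxy is that the proxy takes its target from each request line, and, as noted earlier in the thread, it then has to do the certificate validation the client no longer can. The names `plan_upstream` and `upstream_context`, the loopback port 3128, and the choice to fetch every `http://` request over HTTPS are assumptions of this sketch.

```python
import socket
import socketserver
import ssl
from urllib.parse import urlsplit

DROP = (b"host:", b"connection:", b"proxy-")  # headers the proxy rewrites or strips

def upstream_context():
    """TLS settings for the proxy-to-site hop: the proxy validates for the client."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # what the legacy client cannot speak
    return ctx

def plan_upstream(head: bytes):
    """Turn 'GET http://host/path HTTP/1.0' from the client into (host, port, request)."""
    line, _, rest = head.partition(b"\r\n")
    method, target, _version = line.decode("latin-1").split(" ", 2)
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected an absolute http:// URI")
    port = 443 if url.port in (None, 80) else url.port
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    host_hdr = url.hostname if port == 443 else f"{url.hostname}:{port}"
    kept = [h for h in rest.split(b"\r\n") if h and not h.lower().startswith(DROP)]
    lines = [f"{method} {path} HTTP/1.0".encode("ascii"),
             b"Host: " + host_hdr.encode("ascii"), b"Connection: close", *kept]
    return url.hostname, port, b"\r\n".join(lines) + b"\r\n\r\n"

class Handler(socketserver.BaseRequestHandler):
    def handle(self):  # GET/HEAD only: request bodies are not forwarded
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            head += chunk
        try:
            host, port, request = plan_upstream(head.split(b"\r\n\r\n")[0])
            with socket.create_connection((host, port), timeout=15) as raw, \
                 upstream_context().wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                while data := tls.recv(65536):
                    self.request.sendall(data)
        except (ValueError, OSError) as exc:  # includes certificate failures
            msg = f"HTTP/1.0 502 Bad Gateway\r\n\r\nupstream refused: {exc}\n"
            self.request.sendall(msg.encode("latin-1", "replace"))

if __name__ == "__main__":  # listen on loopback only; client-to-proxy hop is plaintext
    socketserver.ThreadingTCPServer(("127.0.0.1", 3128), Handler).serve_forever()
```

A certificate or hostname mismatch surfaces to the browser as a 502 with the validation error in the body, so the proxy fails closed instead of silently accepting the connection.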