Last updated: 07/09/2024

Background

Having Classilla available for your vintage Mac is awesome, but many websites are simply not viewable out of the gate – their security requirements are too modern. The Classilla TLS 1.3 website explains the situation well:

Many current websites no longer support TLS 1.0, which is the maximum security protocol natively available in Classilla. However, the later TLS 1.2 and 1.3 protocols can be added to Classilla 9.3.4b using Crypto Ancienne, which can be run as a proxy.

Ideally, Crypto Ancienne would run on your Mac right beside Classilla – and, long story short, that is supported – but getting the development environment properly set up can be more trouble than it’s worth. In my experience, it’s WAY easier just to have another machine be the proxy. It could even be just a Raspberry Pi on your LAN running NetBSD, which is what this document describes.

Everything you need to know can be found on Classilla’s website and the Crypto Ancienne GitHub repository, but the process is actually more straightforward than it looks at first glance. Let me show you.

Install carl

Crypto Ancienne boils down to a minuscule and very portable program called carl. All I needed to do was download the source code:

git clone https://github.com/classilla/cryanc.git

And then compile it from inside the checkout:

cd cryanc
cc -o carl carl.c

You could run ./carl -p right now ("-p" for proxy mode) but it won’t work as you expect. If you quickly glance through the documentation, it’s easy to miss the important detail: carl only functions with the help of inetd(8) or similar.

Fortunately, it’s super easy to get that going on NetBSD. Add an entry like this one to inetd.conf(5) (replace the /home/charlotte/... path with the full path to the carl binary, of course):

8765 stream tcp nowait:600 charlotte /home/charlotte/devel/cryanc/carl carl -p

And then make sure inetd itself is enabled in rc.conf(5):

inetd=YES

And then start it:

service inetd start
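A quick check for the inetd.conf entry above, as an added example that is not part of the original page or the Crypto Ancienne project: it flags an entry with no listen address, because inetd then accepts connections to port 8765 on every interface. It assumes NetBSD's [listen-addr:]port syntax for the first field; the function name audit_carl_entry and the address 192.168.1.10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the Crypto Ancienne project): audit one inetd.conf(5)
# line that starts carl. Prints one finding per line, nothing if the line is clean.
# NetBSD field order: [listen-addr:]port socket proto wait[:max] user[:group] program args...
audit_carl_entry() {
    set -f                 # stop a "*" listen address from being glob-expanded
    set -- $1              # split the entry into whitespace-separated fields
    set +f
    [ $# -ge 7 ] || { echo "malformed: expected at least 7 fields, got $#"; return 0; }
    svc=$1 sock=$2 proto=$3 user=${5%%:*} prog=$6
    shift 6
    args=" $* "            # argv handed to carl, padded for whole-word matching

    # No listen address (or a wildcard) means every interface accepts connections.
    case "$svc" in
        *:*) addr=${svc%:*} ;;
        *)   addr='*' ;;
    esac
    case "$addr" in
        '*'|0.0.0.0) echo "open-listener: $svc is reachable on every interface" ;;
    esac
    [ "$sock/$proto" = "stream/tcp" ] || echo "not-stream-tcp: got $sock/$proto"
    [ "$user" != root ] || echo "runs-as-root: use an unprivileged account"
    case "$prog" in
        /*) ;;
        *)  echo "relative-path: use the full path to the carl binary" ;;
    esac
    case "$args" in
        *" -p "*) ;;
        *)  echo "not-proxy-mode: -p is missing from the arguments" ;;
    esac
    return 0
}

# Constructed samples: the entry from this page, then the same entry bound to
# a single LAN address (192.168.1.10 is a placeholder).
audit_carl_entry '8765 stream tcp nowait:600 charlotte /home/charlotte/devel/cryanc/carl carl -p'
audit_carl_entry '192.168.1.10:8765 stream tcp nowait:600 charlotte /home/charlotte/devel/cryanc/carl carl -p'
```

Run against the entry shown on this page, it reports only the open listener; the second sample, bound to one address, produces no findings.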

Configure Classilla to use carl

(Finally, we can return to the instructions on Classilla’s website. I’ve slightly modified them to match our use case.)

Now that Crypto Ancienne is installed and carl is listening, Classilla must be configured to use it.

  1. With Classilla started, go to about:config and set network.http.proxy.use-http-proxy-for-https to true. This instructs Classilla to send unencrypted requests for encrypted resources to the proxy. This setting must be false for any other HTTP proxy.

  2. Go to Classilla’s Preferences window. Under Advanced > Proxies, enter the NetBSD machine’s hostname and 8765 for the host and port numbers for “SSL Proxy.” You can leave “HTTP Proxy” blank unless you want to also proxy unencrypted traffic through carl, which is supported (in that case, use the same values there). Click “OK.”

  3. Access any URL starting with https:// and Classilla will forward the request to carl, which will handle the encryption. Note that the padlock icon never shows the connection is secure because technically it isn’t (the connection between Classilla and carl is unencrypted, but if the connection is via localhost, by definition it can’t be intercepted). As a result, in this configuration Classilla also cannot verify certificates or server identities. Keep in mind that with carl on a separate machine, as described here, the Classilla-to-carl hop travels over your LAN unencrypted rather than via localhost.

That’s it!

Outsourcing the TLS/SSL heavy lifting to Crypto Ancienne makes Classilla way more usable and relevant. Most modern websites still don’t look too good in Classilla (CSS3 and overstuffed JavaScript are the main culprits). But, speaking for myself, setting up carl is well worth the time – it opens up a whole new world of information for your old Mac.