What's new
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Pixelserv-tls doesn't even generate its own root CA, we have to do it ourselves.

@thelonelycoder changed the generation algorithm to create a 1024bit root CA in the latest Diversion version and as per my testing, it's not compatible with Apple's changes in ios 13.
Give the course this has taken some people on , I think the best thing to do is give a install option or generate option that allows for the user to make the decision because this seems to potentially impact a lot of people
 
My Pixelserv CA generated under Jack Yaz Pixelserv-tls 2.3.0 is a 2048-bit certificate. I have no issues on iOS 13.3 devices. Do your stats show high slu values or other anomalies?

ios here, I checked, I’m 2048.
I have literally tens of thousands of dropped https requests, but internet, ad blocking working fine.
I’m confused........o_O
 
I can confirm that when I installed PixelServ 2.3.1 on the day it was released I was able to install and use it just fine with PC and iPhone IOS 13. I believe that's when the 2048 cert was being made.

I had to reset the router today so I installed the latest Diversion, then purged the certs, then disabled PixelServ 2.3. I then deleted PixelServ 2.3 and uploaded the latest from KVICs github, version 2.3.1. I renamed the file while in the terminal and made sure it was set to 0755.

Then I loaded Diversion back up and noticed my new PixelServ 2.3.1 was in its proper place so I purged the certs on last time and had Diverson issue me a new CA.RT to go along with the new PixelServ I had just installed.

I installed the certificate in my iPhone which is using IOS 13.3 and now get connection problems when attempting to connect to https sites.

I believe, however I could be wrong that the reason I'm getting https connection errors is because of the change from 2048 to 1024 in diversion .

TLDR: KVICS latest PixelServ 2.3.1 worked with 2048 for about 2 weeks but now that Diversion changed to 1024 it no longer works on my iPhone with IOS 13.3
 

Attachments

  • CA464716-0F7F-4453-9B2E-4FDA29CAB4A7.png
    CA464716-0F7F-4453-9B2E-4FDA29CAB4A7.png
    139.1 KB · Views: 263
OK, solved the pixelserv-tls certificate mess.
Frustrating, I know. But since this is about TRUST we want to make it right, once and for all.
Watch this space for a Diversion update and instructions.
 
Diversion 4.1.8 is now available

What's new in Diversion 4.1.8
- Adds warning in UI and quits blocking list update if hostslist(s) do not contain hosts URL(s).
- Adds warning in UI if blocking list(s) contain less than 200 domains.
- Correctly sets owner and permissions of all dnsmasq.log files to "nobody" and "0640" respectively.
- Correctly sets owner of /opt/var/cache/pixelserv files to "nobody".
- pixelserv-tls certificates key length is now shown in ep, 3.
- Reverts pixelserv-tls CA certificate key length generation back to 2048 bit. This only applies for new installations or when the CA certificate is regenerated.

Important, please read.
Due to an error of judgement, I changed the pixelserv-tls CA key length generation down to 1024 bits in Diversion 4.1.7.
Along with it, I missed to change one instance of this value in one of the files that may come into play when (re)generating the CA certificate.
On devices with elevated requirements for trusted certificates - such as iPads and iPhones with iOS 13.x - this triggers an untrusted certificate error.

All is OK when:
- The pixelserv-tls CA certificate was generated off of Diversion v4.1.4 up to v4.1.6, with pixelserv-tls v2.3.0 by @Jack Yaz or the new build v2.3.1 by @kvic.
You will need to regenerate the certificate when:
- The pixelserv-tls CA certificate was generated off of Diversion v4.1.7, with pixelserv-tls v2.3.0 by @Jack Yaz or the new build v2.3.1 by @kvic.
You will need to upgrade pixelserv-tls when:
- The pixelserv-tls version is 2.2.1 or older and you use devices with elevated requirements for trusted certificates.

To test if your device works with the certificate, open https://diversion-adblocking-ip.address in a browser. You may have to reload the page a couple of times to get the secure padlock icon.

Import the pixelserv-tls CA certificate into browsers and devices by following this guide carefully below the Import Pixelserv CA on client devices section: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

For instructions how to upgrade pixelserv-tls or regenerate the CA certificate, see release notes for Diversion 4.1.4 (scroll down).

How to update
Use u to update to this latest version.
 
Last edited:
Nifty stocking stuffer!
 
You mean talented, smart and overly generous with a large community of strangers? I’d take that in a heartbeat!

Happy/Merry Holidays/Christmas!
Go ask @Adamm or @Jack Yaz . We've had our days when we regretted to ever have signed up on this board.
 
Go ask @Adamm or @Jack Yaz . We've had our days when we regretted to ever have signed up on this board.
You guys are amazing with the speed and accuracy that you address arising problems and feature requests. That reminds me it's about time again to make another donation to all of you. And don't forget Merlin.
 
Diversion 4.1.8 is now available

What's new in Diversion 4.1.8
- Adds warning in UI and quits blocking list update if hostslist(s) do not contain hosts URL(s).
- Adds warning in UI if blocking list(s) contain less than 200 domains.
- Correctly sets owner and permissions of all dnsmasq.log files to "nobody" and "0640" respectively.
- Correctly sets owner of /opt/var/cache/pixelserv files to "nobody".
- pixelserv-tls certificates key length is now shown in ep, 3.
- Reverts pixelserv-tls CA certificate key length generation back to 2048 bit. This only applies for new installations or when the CA certificate is regenerated.

Important, please read.
Due to an error of judgement, I changed the pixelserv-tls CA key length generation down to 1024 bits in Diversion 4.1.7.
Along with it, I missed to change one instance of this value in one of the files that may come into play when (re)generating the CA certificate.
On devices with elevated requirements for trusted certificates - such as iPads and iPhones with iOS 13.x - this triggers an untrusted certificate error.

All is OK when:
- The pixelserv-tls CA certificate was generated off of Diversion v4.1.4 up to v4.1.6, with pixelserv-tls v2.3.0 by @Jack Yaz or the new build v2.3.1 by @kvic.
You will need to regenerate the certificate when:
- The pixelserv-tls CA certificate was generated off of Diversion v4.1.7, with pixelserv-tls v2.3.0 by @Jack Yaz or the new build v2.3.1 by @kvic.
You will need to upgrade pixelserv-tls when:
- The pixelserv-tls version is 2.2.1 or older and you use devices with elevated requirements for trusted certificates.

To test if your device works with the certificate, open https://diversion-adblocking-ip.address in a browser. You may have to reload the page a couple of times to get the secure padlock icon.

Import the pixelserv-tls CA certificate into browsers and devices by following this guide carefully below the Import Pixelserv CA on client devices section: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

For instructions how to upgrade pixelserv-tls or regenerate the CA certificate, see release notes for Diversion 4.1.4 (scroll down).

How to update
Use u to update to this latest version.
@thelonelycoder Great job on all releases.
 
I apologise for starting all this certificate authority drama, I didn't meant to offend you or anyone, just wanted to give feedback.
Don't, it's not you I had in mind.
 
I woke up today to only 500,000 hosts... steven blacks list I guess. The latest update VIA amtm deleted all my hostslists entries, left only stevenblacks list, had to import, thankfully I had manually set weekly backups; perhaps it happened during the previous new by weekly update feature, which ran last night @thelonelycoder other than that I don't know what it could be but hacker activity.
 
Last edited:
I woke up today to only 500,000 hosts... steven blacks list I guess. The latest update VIA amtm deleted all my hostslists entries, left only stevenblacks list, had to import, thankfully I had manually set weekly backups; perhaps it happened during the previous new by weekly update feature, which ran last night @thelonelycoder other than that I don't know what it could be but hacker activity.
I have no idea how that possibly could happen. There is NO code in Diversion that does this, except for the alerts if the discontinued support.it-mate.co.uk hosts file is in use.
 
I feel privileged and honored to be a small part of this big and wonderful community in this little corner of the web! :)

Wishing all the friends here new and old a Merry Christmas and a Joyous New Year for 2020!

The support offered and the spirit of sharing here are special and it inspires me to do whatever I can to contribute too. A multitude of thanks and gratefulness to each and everyone for giving your time and expertise for everyone's benefit.

Keep safe and enjoy all the season has to offer!
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top