pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[SMS786]

One interesting tidbit...

Without checking each certificate, you could easily assess by yourself whether you could possibly have certificates with duplicated serial numbers. Run "pixelserv-tls -B" on your router/server:

$ pixelserv-tls -B
CERT_PATH: /opt/var/cache/pixelserv
CERT_FILE: _.bing.com
 1. generate cert to disk: 694.013 ms    load from disk: 9.856 ms
 2. generate cert to disk: 281.175 ms    load from disk: 10.093 ms
 3. generate cert to disk: 434.943 ms    load from disk: 9.928 ms
 4. generate cert to disk: 490.977 ms    load from disk: 9.963 ms
 5. generate cert to disk: 444.670 ms    load from disk: 10.506 ms
 6. generate cert to disk: 414.943 ms    load from disk: 10.118 ms
 7. generate cert to disk: 538.423 ms    load from disk: 10.213 ms
 8. generate cert to disk: 855.620 ms    load from disk: 10.018 ms
 9. generate cert to disk: 1001.284 ms    load from disk: 9.946 ms
10. generate cert to disk: 758.863 ms    load from disk: 10.077 ms
generate to disk average: 591.491 ms
  load from disk average: 10.072 ms

If your "generate to disk average" time < 500ms, you're very likely to have certificates with duplicated serial numbers.

If it's above 500ms, you're very unlikely to have such certs.

I upgraded to test1 on my 68U and then purged my certs per the instructions..but my generation times are a bit over 500ms..any advice @kvic ?

CERT_PATH: /opt/var/cache/pixelserv
CERT_FILE: _.bing.com
 1. generate cert to disk: 348.555 ms   load from disk: 11.799 ms
 2. generate cert to disk: 1393.683 ms  load from disk: 11.864 ms
 3. generate cert to disk: 655.297 ms   load from disk: 14.112 ms
 4. generate cert to disk: 834.443 ms   load from disk: 11.876 ms
 5. generate cert to disk: 858.647 ms   load from disk: 12.675 ms
 6. generate cert to disk: 888.905 ms   load from disk: 11.839 ms
 7. generate cert to disk: 516.642 ms   load from disk: 11.884 ms
 8. generate cert to disk: 877.334 ms   load from disk: 11.772 ms
 9. generate cert to disk: 909.262 ms   load from disk: 11.800 ms
10. generate cert to disk: 955.180 ms   load from disk: 11.674 ms
generate to disk average: 823.795 ms
  load from disk average: 12.130 ms

 

[Asad Ali]

I upgraded to test1 on my 68U and then purged my certs per the instructions..but my generation times are a bit over 500ms..any advice

What was the average time on last version?
It's been so long since I last used my 68U for pixelserv-tls so I don't remember the average time for that lol

 

[SMS786]

What was the average time on last version?
It's been so long since I last used my 68U for pixelserv-tls so I don't remember the average time for that lol

Just a tad bit slower on previous versions, but virtually the same given error variance:

 

[kvic]

I upgraded to test1 on my 68U and then purged my certs per the instructions..but my generation times are a bit over 500ms..any advice @kvic ?

What's the clock freq of your 68U? If it's the original 800MHz version, the numbers look about right. So not much to worry about. Of coz, you could o/c to 1.2GHz without extra cooling. I got those numbers in #2021 on a 56U at 1.2GHz.

Also worth manually run it three times. The third time is often near optimal performance. And not forget to check your cores idle without other workload (e.g. a heavy download) when doing the benchmark.

 

[kvic]

@kvic Every 86U owner should definitely upgrade to 2.1.3-test.1 since it's insanely fast in generating certificates lol

Well, 60ms per cert likely to give a clash of >10 certs sharing the same serial numbers in the previous versions. That explains why the issue is profound in your case.

Another interesting tidbit...

Benchmark on 880MHz EdgeRouter X

$ pixelserv-tls -B
CERT_PATH: /var/cache/pixelserv
CERT_FILE: _.bing.com
 1. generate cert to disk: 883.722 ms    load from disk: 29.305 ms
 2. generate cert to disk: 621.543 ms    load from disk: 29.320 ms
 3. generate cert to disk: 466.556 ms    load from disk: 29.165 ms
 4. generate cert to disk: 943.789 ms    load from disk: 29.285 ms
 5. generate cert to disk: 703.542 ms    load from disk: 29.613 ms
 6. generate cert to disk: 592.990 ms    load from disk: 29.158 ms
 7. generate cert to disk: 708.445 ms    load from disk: 29.260 ms
 8. generate cert to disk: 266.180 ms    load from disk: 29.120 ms
 9. generate cert to disk: 676.855 ms    load from disk: 29.096 ms
10. generate cert to disk: 501.327 ms    load from disk: 29.266 ms
generate to disk average: 636.495 ms
  load from disk average: 29.259 ms

Comparing the result to #2021, this shows 1004Kc MIPS core is more efficient than Cortex-A9 ARM core (in 56U).

Perhaps another reason to pick a MIPS router at the same clock..

 

[SMS786]

What's the clock freq of your 68U? If it's the original 800MHz version, the numbers look about right. So not much to worry about. Of coz, you could o/c to 1.2GHz without extra cooling. I got those numbers in #2021 on a 56U at 1.2GHz.

Also worth manually run it three times. The third time is often near optimal performance. And not forget to check your cores idle without other workload (e.g. a heavy download) when doing the benchmark.

Interesting indeed. The nvram get clkfreq command returns 1000,666 which indicates that my 68U is of the C1 flavor. Will try to retry the tests throughout the day and see if there are any significant differences..

Thanks!

 

[Makaveli]

CERT_PATH: /opt/var/cache/pixelserv
CERT_FILE: _.bing.com
 1. generate cert to disk: 750.449 ms   load from disk: 9.837 ms
 2. generate cert to disk: 502.666 ms   load from disk: 9.717 ms
 3. generate cert to disk: 531.380 ms   load from disk: 9.900 ms
 4. generate cert to disk: 772.408 ms   load from disk: 9.742 ms
 5. generate cert to disk: 517.222 ms   load from disk: 9.812 ms
 6. generate cert to disk: 873.409 ms   load from disk: 9.936 ms
 7. generate cert to disk: 563.827 ms   load from disk: 9.819 ms
 8. generate cert to disk: 927.608 ms   load from disk: 9.776 ms
 9. generate cert to disk: 585.919 ms   load from disk: 9.864 ms
10. generate cert to disk: 617.001 ms   load from disk: 9.758 ms
generate to disk average: 664.189 ms
  load from disk average: 9.816 ms

So looks like I have some duplicates.

Now going to purge and upgrade to 2.1.3

Here are the new results on the new version.

CERT_PATH: /opt/var/cache/pixelserv
CERT_FILE: _.bing.com
 1. generate cert to disk: 715.261 ms   load from disk: 9.905 ms
 2. generate cert to disk: 482.235 ms   load from disk: 9.912 ms
 3. generate cert to disk: 594.416 ms   load from disk: 9.767 ms
 4. generate cert to disk: 529.492 ms   load from disk: 9.902 ms
 5. generate cert to disk: 474.879 ms   load from disk: 9.811 ms
 6. generate cert to disk: 649.465 ms   load from disk: 9.864 ms
 7. generate cert to disk: 654.849 ms   load from disk: 9.805 ms
 8. generate cert to disk: 922.391 ms   load from disk: 10.065 ms
 9. generate cert to disk: 439.045 ms   load from disk: 9.989 ms
10. generate cert to disk: 638.910 ms   load from disk: 9.912 ms
generate to disk average: 610.094 ms
  load from disk average: 9.893 ms

 

[kvic]

So looks like I have some duplicates.

Now going to purge and upgrade to 2.1.3

With 2.1.3-test.1, uniqueness won't depend on the timing of cert generation. Hence, it'll be extremely rare to have duplicate serial numbers. So no worries.

 

[penguin22]

@kvic I had to reload from scratch and took the opportunity to refresh installs following a clean format of my USB drive. Using amtm, everything went smooth including installation of pixelserv-tls, however I can't seem to get the beta to install. Running from either amtm or cli, it just seems to do nothing.

I can lookup DNS of kazoo.ga and ping it fine, so not sure if you have any thoughts.

Edit: Just looking at your site, I wonder if this has something to do with it:
This page (https://kazoo.ga/pixelserv-tls/) is currently offline. However, because the site uses Cloudflare's Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version.

Edit 2: It appears that the ssl cert for kazoo.ga might have expired, thus the site being offline. Shy of another repository for the beta, I don't think it's able to be downloaded until resolved.

 

[kvic]

@kvic I had to reload from scratch and took the opportunity to refresh installs following a clean format of my USB drive. Using amtm, everything went smooth including installation of pixelserv-tls, however I can't seem to get the beta to install. Running from either amtm or cli, it just seems to do nothing.

I can lookup DNS of kazoo.ga and ping it fine, so not sure if you have any thoughts.

Edit: Just looking at your site, I wonder if this has something to do with it:
This page (https://kazoo.ga/pixelserv-tls/) is currently offline. However, because the site uses Cloudflare's Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version.

Edit 2: It appears that the ssl cert for kazoo.ga might have expired, thus the site being offline. Shy of another repository for the beta, I don't think it's able to be downloaded until resolved.

There was a bug in my script. While the cert was automatically renewed, it failed to restart the server after renewal. Bug fixed. The website is also up now.

 

[penguin22]

Updated, cleared generated certificates and working great now on 2.1.3. I found it interesting that opkg only has 2.1.1 when you have 2.1.2 as an official release.

 

[kvic]

Updated, cleared generated certificates and working great now on 2.1.3. I found it interesting that opkg only has 2.1.1 when you have 2.1.2 as an official release.

Entware usually get updates from upstream (i.e. OpenWRT) or the team has to initiate update builds for Entware-only packages.

So the one-liner script created for pixelserv-tls beta installation helps to get the latest beta or the latest release (if not in beta).

 

[kvic]

2.1.3-test.2 is available (updated)

New build timestamp (compiled: Jul 3 2018 11:58:xx)

Changes

• Added "handshake failed: socket i/o error" logging in LEVEL 2.
• Added "handshake failed: reached max re-tries" in log LEVEL 2.

Install

Pls use the following one-liner script (or manually install from my Github page):

sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/install-beta.sh)"

Note

If it's your first time upgrading from v2.1.2 or previous versions, pls purge all generated certs as per instruction in #2009

EDIT:
update instructions after re-uploading the binary.

 

[Protik]

2.1.3-test.2 is available

Changes

• Added "handshake failed: socket i/o error" logging in LEVEL 2.
• Added "handshake failed: reached max re-tries" in log LEVEL 2.

Install

Pls use the following one-liner script (or manually install from my Github page):

sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/install-beta.sh)"

Unfortunately it's crashing in my AC-68U every hour or so.

 

[dugaduga]

Why am I seeing an invalid certificate issued by Pixelserv in both chrome and firefox breaking experts-exchange.com and what are the implications?

 

[kfp]

Why am I seeing an invalid certificate issued by Pixelserv in both chrome and firefox breaking experts-exchange.com and what are the implications?

An ad blocking list you are using includes experts-exchange.com.

 

[dugaduga]

Ok, its working now. All other blocked websites never resulted in this. Why did this happen?

 

[Makaveli]

Unfortunately it's crashing in my AC-68U every hour or so.

I'm also seeing this crashing.

 

[kfp]

Ok, its working now. All other blocked websites never resulted in this. Why did this happen?

So you’ve visited a blocked site and the behaviour is different?

Say xyz.com is in the blocklist you are using, and you’ve typed that into the URL bar and you DON’T see the cert error?

 

[kvic]

Unfortunately it's crashing in my AC-68U every hour or so.

I'm also seeing this crashing.

Luckily it's an easy fix

Re-uploaded 2.1.3-test.2. New builds have a timestamp similar to "compiled: Jul 3 2018 11:58:xx"

Pls re-run the one-liner script to install. Updated instructions in #2035 as well.