What's new
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

So you’ve visited a blocked site and the behaviour is different?

Say xyz.com is in the blocklist you are using, and you’ve typed that into the URL bar and you DON’T see the cert error?

I believe @dugaduga hasn't imported his Pixelserv CA into browsers/clients. Here is the HOWTO if that's the case.
 
non pixelserv-tls issue but nonetheless related...

I haven't tinkered my network for a very long time. Something exciting happened in the past weekend that I want to share with the audience in this thread.

Finally I migrated to Unbound as my main DNS server that regrettably I haven't done so earlier in retrospect.

Also did a quick & dirty (but effective & convincing) comparison between Cloudflare and Google DNS. In a nutshell, Cloudflare is doing much better at my point of presence.

A picture worth thousand words, and visit my latest blog post for explanation.

Screen Shot 2018-07-03 at 12.18.58 PM.png
 
Luckily it's an easy fix :D

Re-uploaded 2.1.3-test.2. New builds have a timestamp similar to "compiled: Jul 3 2018 11:58:xx"

Pls re-run the one-liner script to install. Updated instructions in #2035 as well.

Updated. Will keep you posted.
 
@kfp after extensive testing from the blocklist I found that some sites do indeed show a cert error. So I've just imported the CA. Wow so many layers to this onion :) What exactly does this do?
 
@kvic I had to reset my router and formatted USB in the process to get a clean setup (retaining the CA certs). Prior to doing so, I was seeing tav of around 14 ms, but following the reset, on 2.1.3-test.2, I am seeing tav between 150 - 300 ms and MEM% of 2.7 across processes. Now this may be in part due to certificates having been cleared and requiring regeneration, however I would expect that to be a one-time event per site and not materially affect the tav over time. With a clean install of AB-Solution, entware, and pixelserv-tls, are any other entware modules or tweaks required to see the lower process use and increased performance?
Code:
pixelserv-tls 2.1.3-test.2 (compiled: Jul 3 2018 11:58:22 flags: tfo) options: 192.168.50.4

uts    0d 10:16    process uptime
log    1    critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc    2    number of active service threads
kmx    18    maximum number of service threads
kvg    1.21    average number of requests per service thread
krq    16    max number of requests by one service thread

req    5740    total # of requests (HTTP, HTTPS, success, failure etc)
avg    1604 bytes    average size of requests
rmx    57113 bytes    largest size of request(s)
tav    203 ms    average processing time (per request)
tmx    10070 ms    longest processing time (per request)

slh    1036    # of accepted HTTPS requests
slm    26    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but bad)
slc    647    # of dropped HTTPS requests (client disconnect without sending any request)
slu    2993    # of dropped HTTPS requests (other TLS handshake errors)
uca    0    slu break-down: # of unknown CA reported by clients
uce    2774    slu break-down: # of unknown cert reported by clients

sct    50    cert cache: # of certs in cache
sch    4311    cert cache: # of reuses of cached certs
        
scm    15    cert cache: # of misses to find a cert in cache
        
scp    2    cert cache: # of purges to give room for a new cert
sst    3    sess cache: # of cached TLS sessions (for older non-RFC5077 clients)
ssh    297    sess cache: # of reuses of cached TLS sessions
ssm    35    sess cache: # of misses to find a TLS session in cache
ssp    0    sess cache: # of purges to give room for a new TLS session
 
Reading back to some posts, it does appear that I might need to uninstall libopenssl v1.0.2o and load the version with the appropriate flag for performance. Is there guidance for doing so on a greenfield install for anyone loading through the amtm method and installing from within AB-Solution?
 
pixelserv-tls 2.1.3-test.2 working flawless for 10 hours.

Any chance of getting libopenssl 1.0.2o-1 compiled with the proper tag soon?
 
Reading back to some posts, it does appear that I might need to uninstall libopenssl v1.0.2o and load the version with the appropriate flag for performance. Is there guidance for doing so on a greenfield install for anyone loading through the amtm method and installing from within AB-Solution?

Memory usage @ 2.7% is due to libopenssl v1.0.2o not optimised. tav could be a transient issue. Without optimisation, libopenssl takes extra cpu cycles to manage its useless memory pool. But I won't expect in the order of 100ms..

Downgrade libopenssl v1.0.2o to v1.0.2n-1c

To downgrade from a higher version to 1.0.2n-1c, see #1669

Rationale for good to downgrade

What's new in 1.0.2o is one fix to a potential security issue. That's it. IMHO, not a big deal to live without. See #2016

EDIT:
updated downgrade instructions.
 
Last edited:
Memory usage @ 2.7% is due to libopenssl v1.0.2o not optimised. tav could be a transient issue. Without optimisation, libopenssl takes extra cpu cycles to manage its useless memory pool. But I won't expect in the order of 100ms..

Downgrade libopenssl v1.0.2o to v1.0.2n-1c

To uninstall latest libopenssl, see #1913

To install 1.0.2n-1c, see #1669

Rationale for good to downgrade

What's new in 1.0.2o is one fix to a potential security issue. That's it. IMHO, not a big deal to live without. See #2016
I think it was mentioned before, however running:
Code:
opkg install http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
loads the new version, is there a way to obtain the version you referenced?
Code:
Downloading http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
Installing libopenssl (1.0.2o-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libopenssl_1.0.2o-1_aarch64-3.10.ipk
Configuring libopenssl.
admin1@RT-AC86U:/tmp/home/root# opkg list-installed |grep libopenssl
libopenssl - 1.0.2o-1
 
Same thing happened with me too ( see few posts below the original reply I posted ) the workaround is to manually install it
 
Same thing happened with me too ( see few posts below the original reply I posted ) the workaround is to manually install it
Where are you obtaining the file to manually install?

Edit: I thought the redirect from opkg meant the 1.0.2n-1c wasn't available, but by browsing to: http://bin.entware.net/aarch64-k3.10/test/, the file was able to be downloaded. Now to figure out the command to manually install.
 
Last edited:
@zyxmon , can we please have a test binary of 1.0.2o-1 compiled with the flag mentioned here? We had access to a test binary for 1.0.2n-1c earlier. Seems like there are some security fixes in the new version.
 
I think it was mentioned before, however running:
Code:
opkg install http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
loads the new version, is there a way to obtain the version you referenced?
Code:
Downloading http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk
Installing libopenssl (1.0.2o-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libopenssl_1.0.2o-1_aarch64-3.10.ipk
Configuring libopenssl.
admin1@RT-AC86U:/tmp/home/root# opkg list-installed |grep libopenssl
libopenssl - 1.0.2o-1

Updated downgrade instructions. Pls see #2053 again..
 
Where are you obtaining the file to manually install?

Edit: I thought the redirect from opkg meant the 1.0.2n-1c wasn't available, but by browsing to: http://bin.entware.net/aarch64-k3.10/test/, the file was able to be downloaded. Now to figure out the command to manually install.

You can also do,

Code:
wget (file link)

This will download the file in current directory. Then,

Code:
opkg install (file name)

Don't forget to remove the earlier libopenssl by doing this,

Code:
opkg --force-depends remove libopenssl
 
From here:
http://bin.entware.net/aarch64-k3.10/test/libopenssl_1.0.2n-1c_aarch64-3.10.ipk

Download that file with the help of a browser and SSH it your router /tmp folder.

Then use:

opkg install /tmp/libopenssl_1.0.2n-1c_aarch64-3.10.ipk

Make sure to first remove the already installed libopenssl.
This fixed it completely. Mem is at 1% now and tav is 13 ms.

@kvic Your updated instructions will help anyone just coming to this and those of us that went through a reset and a fresh install of entware.
 
You can also do,

Code:
wget (file link)

This will download the file in current directory. Then,

Code:
opkg install (file name)

Don't forget to remove the earlier libopenssl by doing this,

Code:
opkg --force-depends remove libopenssl

I've updated downgrade instructions in #1669. Remove & install in one-go..no need for separate typing.

For downgrade, going forward we can either refer to #1669 or #2053.

Perhaps we shall clean up the latest posts a bit on the downgrade process. It's quite confusing :)
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Back
Top