Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jrmwvu04 said:
https://github.com/kvic-z/pixelserv-tls/blob/master/ChangeLog
Click to expand...

https://kazoo.ga/pixelserv-tls/

Release 2.3.1 (2019-12-13)
Changes
* NEW check and purge expired certs on-the-fly. Generate new ones to replace the expired automatically.
* NEW support the new TLS requirements on key size, cert valid period & etc from Debian 10 and Apple Inc.
Included findings & code contributed by emeidi and jackyaz.
* CHANGED fix compilation warnings with gcc-9/clang-9 (issue #33) contributed by KiloFoxtrotPapa.

Support the new TLS requirements from Debian & Apple Inc
Updated to meet Debian & Apple requirements on server certificates based on RSA with a minimum key size 2048 bits. Additionally reduced certificate valid duration from 10 years down to 825 days. Also newly generated certificates will add extension id-kp-serverAuth OID.

Your root CA certificate with key size 1024 bits (generated as per this wiki) should be fine. You're recommended to continue to use your existing root CA certificate. 1024 bit (in contrary to 2048 bit) helps to reduce workload on your router/server when doing automatic generation of server certificates.

However, if you're using intermediate CA certificate, you might run into issue with Apple software. I haven't verified personally but you may be required to upgrade to 2048 bit. Let me know below or through a github issue tracker if you have new findings.

Purge expired certificates & generate new ones to replace
This version comes with an enhancement to check certificates' expiry on-the-fly. Automatically generate new ones to replace the expired. As you could imagine a certificate valid period of 825 days as mandated by Apple is pretty short. This enhancement should eliminate any manual administration of the automatically generated certificates. They will simply keep working..automatically.

Installation for early adopters on Entware
Download the binary from Github. aarch64 for 64-bit ARM routers/servers. armv7 for 32-bit ARM routers/servers. Unzip the archive, locate & rename 'pixelserv-tls.<your architecture>.performance.dynamic' to 'pixelserv-tls'. Upload the file to your router/server and replace the one of the same name in '/opt/bin'.

Caution: If you're upgrading from v2.2.1-1 or earlier, remember to delete all certificate files except 'ca.crt' and 'ca.key' files in '/opt/var/cache/pixelserv' and then restart pixelserv-tls.

Caution: For users running the unofficial 'v2.3.0' patch to support Apple software, you're recommended to upgrade to v2.3.1 because I see a memory leakage in the patch that will de-stabilize your routers/servers.
 
Last edited:
I just did this update per the above instructions. I used Diversion to "Disable" pixelserv-tls first and purged certificates as a precaution. My main computer is Linux, so I used FileZilla to upload the never version, but it would not so I deleted the existing version first (after doing a full USB backup), then the new version upload worked. I checked permissions (755) and "Enabled" pixelserv-tls via Diversion.

Pixelserv-tls is running and seems fine, time will tell. Interesting the bit about the memory leak.
 
Treadler said:
Now a technologically challenged person like me just needs it to be automatically updateable via amtm.

The Lonely Coder will assuredly get to this at some time, but coffee must first be had..........:D
Click to expand...
This is no beta, Entware will have the updated packages with their next regular update.
 
Can somebody write step by step how to install a pixelserv on the raspberry_pi with pi-hole or adguard home?
Very good feature , but I do not know where else can ask.
 
Last edited:
FIN said:
Can somebody write step by step how to install a pixelserv on the raspberry_pi with pi-hole or adguard home?
Click to expand...

This thread is dedicated to Pixelserv install on merlin firmware.
 
Last edited:
FIN said:
Can somebody write step by step how to install a pixelserv on the raspberry_pi with pi-hole or adguard home?
Very good feature , but I do not know where else can ask.
Click to expand...
I recommend not running them together unless you plan on using pihole solely for DHCP and Web UI features. Pixelserv-tls has no need for pihole. just as pihole has no need for pixelserv-tls, mixing the two is one big redundant mess.
 
Last edited:
@kvic - firstly thank you for the superb pixelserv-tls and your continuous development.

Just yesterday I upgraded from 2.21 to the latest available version 2.3.1
While checking some settings and details I came across few things that I need some clarification.

  • Any reason as to why pixelserv-tls still supports TLS1 - this is deprecated and no longer recommended at all
  • Can you please remove Obsolete: SEED + 128+256 Bit CBC cipher?
While most browsers these days support TLS1.3 - TLS downgrade attacks are still in the wild and could potentially cause some damage.

Details below:
upload_2019-12-25_13-11-47.png


upload_2019-12-25_13-12-5.png


upload_2019-12-25_13-12-17.png


Cheers,
Ivan
 
Last edited:
nixballs said:
While most browsers these days support TLS1.3 - TLS downgrade attacks are still in the wild and could potentially cause some damage
Click to expand...

Pixelserv-tls runs locally on your router and only works for the domains you have already blocked in your blocking file so there's literally nothing which leaves your local network thus TLS downgrade attacks are not possible nor they'll impact anything.
 
Last edited:
nixballs said:
Can you please remove Obsolete: SEED + 128+256 Bit CBC cipher?
Click to expand...
I get different results with 2.3.1 installed.
Testing protocols via sockets except SPDY+HTTP2

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered

Testing ~standard cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session tickets
Secure Renegotiation (CVE-2009-3555) VULNERABLE (NOT ok)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, TLS 1.2 is the only protocol (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
 
Yeah I think I'll wait to update to pixelserv 2.3.1 via amtm as well, unless someone has precise step by step instructions on how to do it without blowing anything up :p

I'm currently running Jack's 2.3.0 version and just updated Diversion to 4.1.7.
 
Not sure which version you are using, I use the latest from github.

But from memory you can also use nmap scripts to also confirm or cross check.

Centrifuge said:
I get different results with 2.3.1 installed.
Testing protocols via sockets except SPDY+HTTP2

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered

Testing ~standard cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session tickets
Secure Renegotiation (CVE-2009-3555) VULNERABLE (NOT ok)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, TLS 1.2 is the only protocol (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
Click to expand...
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
582
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 752 (members: 26, guests: 726)
Top