pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[dave14305]

Apparently the iPhone device I have on my network isn't trusting the pixelserv certificate even though it's 2048 bit. What am I missing?

Pixelserv 2.3.1 to generate the domain certs properly to iOS new requirements.

 

[jrmwvu04]

Apparently the iPhone device I have on my network isn't trusting the pixelserv certificate even though it's 2048 bit. What am I missing?

If your CA is 2048 bit and SHA-2, you’re using pixelserv 2.3 or newer, and have manually trusted the certificate on the iPhone in settings, general, about then the only further idea I have is to purge your generated certificates in /opt/car/cache/pixelserv to ensure they’re generated with the current version/requirements

 

[Protik]

If your CA is 2048 bit and SHA-2, you’re using pixelserv 2.3 or newer, and have manually trusted the certificate on the iPhone in settings, general, about then the only further idea I have is to purge your generated certificates in /opt/car/cache/pixelserv to ensure they’re generated with the current version/requirements

I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?

 

[thelonelycoder]

I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?

Are you running the latest Diversion v4.1.8? If not, you'll have to update and carefully follow the instructions in the release notes for 4.1.8: https://diversion.ch/

 

[jrmwvu04]

I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?

Inspecting the certificate. It’s highly unlikely that you’re not using SHA-2 (probably SHA-256) because all methods of certificate generation around these parts use it. SHA-1 has been out of favor for many years due to insecurity.

 

[cmkelley]

I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?

from the command line:

openssl x509 -in /opt/var/cache/pixelserv/ca.crt -noout -text

Near the top of the output should be something similar to:

Signature Algorithm: sha256WithRSAEncryption

"Signature Algorithm:" should start with "sha224", "sha256", "sha384", or "sha512"; almost certainly yours will start with "sha256".

 

[thelonelycoder]

Diversion runs this:

openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /tmp/diversion/div-openssl.cnf

 

[Asad Ali]

Here you go guys, I've made simple one-liners to update your Pixelserv-tls version to v2.3.1 until Entware dont push the official update.

Simply paste these big one liners in terminal as per your router architecture ( if you're not sure about it run "uname -m" command in terminal.

For AARCH64 routers:

diversion disable && cd /opt/bin && wget -O Pixelserv.zip https://github.com/kvic-z/pixelserv-tls/releases/download/v2.3.1/pixelserv-tls.2.3.1.Entware-3.x.aarch64softfloat.zip && opkg install p7zip && 7za e Pixelserv.zip *.dynamic -r && rm pixelserv-tls && mv pixelserv-tls.armv8.ent.performance.dynamic pixelserv-tls && chmod +x pixelserv-tls && rm Pixelserv.zip && opkg remove p7zip && cd -- && diversion enable

For ARMv7 routers:

diversion disable && cd /opt/bin && wget -O Pixelserv.zip https://github.com/kvic-z/pixelserv-tls/releases/download/v2.3.1/pixelserv-tls.2.3.1.Entware-ng.armv7softfloat.zip && opkg install p7zip && 7za e Pixelserv.zip *.dynamic -r && rm pixelserv-tls && mv pixelserv-tls.arm.ent.performance.dynamic pixelserv-tls && chmod +x pixelserv-tls && rm Pixelserv.zip && opkg remove p7zip && cd -- && diversion enable

In case you are coming from Pixelserv-tls v2.2.1 or below then you'll need to purge your domain certificates by opening Diversion > ep > 3 > 1 > 1

P.s I've only tried this on aarch64 but basic algorithm remains same for both architectures so it should work.

 

[thelonelycoder]

Alright, I hear you all.
I've just pushed a Diversion update, no version change

What's new
- Option in ep, 6, 3 to update pixelserv-tls to v2.3.1 (@Jack Yaz version) for all router models.

Use u to update.

 

[Treadler]

Alright, I hear you all.
I've just pushed a Diversion update, no version change

What's new
- Option in ep, 6, 3 to update pixelserv-tls to v2.3.1 (@Jack Yaz version) for all router models.

Use u to update.

Very cool!
So I should have just waited one more day.
Gotta love this forum.

 

[Butterfly Bones]

Very cool!
So I should have just waited one more day.
Gotta love this forum.

Naw, you learned something new!

 

[Treadler]

Naw, you learned something new!

Indeed I did!
A very good thing.

 

[^Tripper^]

Woah. Something new on me.

Using an app and suddenly see this warning. Only occurs when using this specific app. Just upgraded to iOS 13.3.1, am on pixelserv-tls 2.3.1, ac86u, merlin’s 384.14_2. Only happens when using my router with pixelserv on it, mobile data is fine unless I VPN into my router, which leads me to think it’s pixelserv related.

Its a quasi-government app which makes me reach for my tin foil hat. But then again, considering the country I live in, a tin foil hat is a requirement.

Any ideas?

 

[dave14305]

View attachment 21130

Woah. Something new on me.

Using an app and suddenly see this warning. Only occurs when using this specific app. Just upgraded to iOS 13.3.1, am on pixelserv-tls 2.3.1, ac86u, merlin’s 384.14_2. Only happens when using my router with pixelserv on it, mobile data is fine unless I VPN into my router, which leads me to think it’s pixelserv related.

Its a quasi-government app which makes me reach for my tin foil hat. But then again, considering the country I live in, a tin foil hat is a requirement.

Any ideas?

Did you already follow the CA import instructions here: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#iosandroid

If so, the app might have the expected certificate pinned and warns you if it doesn't match.

 

[L&LD]

@^Tripper^, did you fully remove any old ca.crt certificates and only then import the latest pixelserv-tls v2.3.1 generated one on that iPhone?

 

[^Tripper^]

@^Tripper^, did you fully remove any old ca.crt certificates and only then import the latest pixelserv-tls v2.3.1 generated one on that iPhone?

Yup, fully removed and only the latest cert imported.

Did you already follow the CA import instructions here: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#iosandroid

If so, the app might have the expected certificate pinned and warns you if it doesn't match.

Followed all instructions to the letter. I updated to 2.3.1 when kvic released it ( which was last month as I recall) and followed all the instructions exactly.

Only got this today with the update to iOS 13.3.1 which could possibly be related.

@dave14305 To clarify, you’re saying the app has maybe “recorded” the cert and is throwing up the error as the new cert doesn’t match what it’s expecting? Didn’t think of that, will try deleting the app and trying again, that may possibly sort this out.

Thank you for the input guys. ))

 

[^Tripper^]

Update; no dice. Deleted the app, rebooted the phone, reinstalled and still getting the error.

Hmmm... wonder what “checks” this app does.

 

[L&LD]

@^Tripper^, just guessing now, but after you delete the app, can you clear out any cache on the phone before and after you reboot it?

 

[Asad Ali]

Update; no dice. Deleted the app, rebooted the phone, reinstalled and still getting the error.

Hmmm... wonder what “checks” this app does.

If you're getting the cert error only on a single app then it's the apps issue. Some app developers hardcode the client certificate in the code and it matches the signature hashes with their server counterpart and in case of Pixelserv-tls, the generated certificates don't match the hardcoded app's signature hash thus the error. There's no way to fix it and you'll need to whitelist the blocked URL which is preventing the app to phone the home server.

 

[dave14305]

@dave14305 To clarify, you’re saying the app has maybe “recorded” the cert and is throwing up the error as the new cert doesn’t match what it’s expecting? Didn’t think of that, will try deleting the app and trying again, that may possibly sort this out.

Not exactly. I'm speculating that the expected certificate signature is hard-coded in the app and the pixelserv-generated certificate signature doesn't match that. A way to prevent spoofing of certs, but it's hard to say with any certainty what they're doing inside.

EDIT: what @Asad Ali said.