What's new

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Apparently the iPhone device I have on my network isn't trusting the pixelserv certificate even though it's 2048 bit. What am I missing?
Pixelserv 2.3.1 to generate the domain certs properly to iOS new requirements.
 
Apparently the iPhone device I have on my network isn't trusting the pixelserv certificate even though it's 2048 bit. What am I missing?
If your CA is 2048 bit and SHA-2, you’re using pixelserv 2.3 or newer, and have manually trusted the certificate on the iPhone in settings, general, about then the only further idea I have is to purge your generated certificates in /opt/car/cache/pixelserv to ensure they’re generated with the current version/requirements
 
If your CA is 2048 bit and SHA-2, you’re using pixelserv 2.3 or newer, and have manually trusted the certificate on the iPhone in settings, general, about then the only further idea I have is to purge your generated certificates in /opt/car/cache/pixelserv to ensure they’re generated with the current version/requirements

I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
 
I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
Are you running the latest Diversion v4.1.8? If not, you'll have to update and carefully follow the instructions in the release notes for 4.1.8: https://diversion.ch/
 
I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
Inspecting the certificate. It’s highly unlikely that you’re not using SHA-2 (probably SHA-256) because all methods of certificate generation around these parts use it. SHA-1 has been out of favor for many years due to insecurity.
 
I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
from the command line:
Code:
openssl x509 -in /opt/var/cache/pixelserv/ca.crt -noout -text
Near the top of the output should be something similar to:
Code:
Signature Algorithm: sha256WithRSAEncryption
"Signature Algorithm:" should start with "sha224", "sha256", "sha384", or "sha512"; almost certainly yours will start with "sha256".
 
Diversion runs this:
Code:
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /tmp/diversion/div-openssl.cnf
 
Here you go guys, I've made simple one-liners to update your Pixelserv-tls version to v2.3.1 until Entware dont push the official update.

Simply paste these big one liners in terminal as per your router architecture ( if you're not sure about it run "uname -m" command in terminal.

For AARCH64 routers:

Code:
diversion disable && cd /opt/bin && wget -O Pixelserv.zip https://github.com/kvic-z/pixelserv-tls/releases/download/v2.3.1/pixelserv-tls.2.3.1.Entware-3.x.aarch64softfloat.zip && opkg install p7zip && 7za e Pixelserv.zip *.dynamic -r && rm pixelserv-tls && mv pixelserv-tls.armv8.ent.performance.dynamic pixelserv-tls && chmod +x pixelserv-tls && rm Pixelserv.zip && opkg remove p7zip && cd -- && diversion enable

For ARMv7 routers:

Code:
diversion disable && cd /opt/bin && wget -O Pixelserv.zip https://github.com/kvic-z/pixelserv-tls/releases/download/v2.3.1/pixelserv-tls.2.3.1.Entware-ng.armv7softfloat.zip && opkg install p7zip && 7za e Pixelserv.zip *.dynamic -r && rm pixelserv-tls && mv pixelserv-tls.arm.ent.performance.dynamic pixelserv-tls && chmod +x pixelserv-tls && rm Pixelserv.zip && opkg remove p7zip && cd -- && diversion enable

In case you are coming from Pixelserv-tls v2.2.1 or below then you'll need to purge your domain certificates by opening Diversion > ep > 3 > 1 > 1

P.s I've only tried this on aarch64 but basic algorithm remains same for both architectures so it should work.
 
Alright, I hear you all.
I've just pushed a Diversion update, no version change

What's new
- Option in ep, 6, 3 to update pixelserv-tls to v2.3.1 (@Jack Yaz version) for all router models.

Use u to update.
 
9D45B0F3-1B63-4942-9BD0-F921C446837A.jpeg

Woah. Something new on me.

Using an app and suddenly see this warning. Only occurs when using this specific app. Just upgraded to iOS 13.3.1, am on pixelserv-tls 2.3.1, ac86u, merlin’s 384.14_2. Only happens when using my router with pixelserv on it, mobile data is fine unless I VPN into my router, which leads me to think it’s pixelserv related.

Its a quasi-government app which makes me reach for my tin foil hat. But then again, considering the country I live in, a tin foil hat is a requirement.

Any ideas?
 
View attachment 21130

Woah. Something new on me.

Using an app and suddenly see this warning. Only occurs when using this specific app. Just upgraded to iOS 13.3.1, am on pixelserv-tls 2.3.1, ac86u, merlin’s 384.14_2. Only happens when using my router with pixelserv on it, mobile data is fine unless I VPN into my router, which leads me to think it’s pixelserv related.

Its a quasi-government app which makes me reach for my tin foil hat. But then again, considering the country I live in, a tin foil hat is a requirement.

Any ideas?
Did you already follow the CA import instructions here: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#iosandroid

If so, the app might have the expected certificate pinned and warns you if it doesn't match.
 
@^Tripper^, did you fully remove any old ca.crt certificates and only then import the latest pixelserv-tls v2.3.1 generated one on that iPhone?
 
@^Tripper^, did you fully remove any old ca.crt certificates and only then import the latest pixelserv-tls v2.3.1 generated one on that iPhone?

Yup, fully removed and only the latest cert imported.

Did you already follow the CA import instructions here: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#iosandroid

If so, the app might have the expected certificate pinned and warns you if it doesn't match.

Followed all instructions to the letter. I updated to 2.3.1 when kvic released it ( which was last month as I recall) and followed all the instructions exactly.

Only got this today with the update to iOS 13.3.1 which could possibly be related.

@dave14305 To clarify, you’re saying the app has maybe “recorded” the cert and is throwing up the error as the new cert doesn’t match what it’s expecting? Didn’t think of that, will try deleting the app and trying again, that may possibly sort this out.

Thank you for the input guys. :)))
 
@^Tripper^, just guessing now, but after you delete the app, can you clear out any cache on the phone before and after you reboot it?
 
Update; no dice. Deleted the app, rebooted the phone, reinstalled and still getting the error.

Hmmm... wonder what “checks” this app does.

If you're getting the cert error only on a single app then it's the apps issue. Some app developers hardcode the client certificate in the code and it matches the signature hashes with their server counterpart and in case of Pixelserv-tls, the generated certificates don't match the hardcoded app's signature hash thus the error. There's no way to fix it and you'll need to whitelist the blocked URL which is preventing the app to phone the home server.
 
Last edited:
@dave14305 To clarify, you’re saying the app has maybe “recorded” the cert and is throwing up the error as the new cert doesn’t match what it’s expecting? Didn’t think of that, will try deleting the app and trying again, that may possibly sort this out.
Not exactly. I'm speculating that the expected certificate signature is hard-coded in the app and the pixelserv-generated certificate signature doesn't match that. A way to prevent spoofing of certs, but it's hard to say with any certainty what they're doing inside.

EDIT: what @Asad Ali said. :)
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top