Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Protik said:
Apparently the iPhone device I have on my network isn't trusting the pixelserv certificate even though it's 2048 bit. What am I missing?
Click to expand...
Pixelserv 2.3.1 to generate the domain certs properly to iOS new requirements.
 
Protik said:
Apparently the iPhone device I have on my network isn't trusting the pixelserv certificate even though it's 2048 bit. What am I missing?
Click to expand...
If your CA is 2048 bit and SHA-2, you’re using pixelserv 2.3 or newer, and have manually trusted the certificate on the iPhone in settings, general, about then the only further idea I have is to purge your generated certificates in /opt/car/cache/pixelserv to ensure they’re generated with the current version/requirements
 
jrmwvu04 said:
If your CA is 2048 bit and SHA-2, you’re using pixelserv 2.3 or newer, and have manually trusted the certificate on the iPhone in settings, general, about then the only further idea I have is to purge your generated certificates in /opt/car/cache/pixelserv to ensure they’re generated with the current version/requirements
Click to expand...

I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
 
Protik said:
I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
Click to expand...
Are you running the latest Diversion v4.1.8? If not, you'll have to update and carefully follow the instructions in the release notes for 4.1.8: https://diversion.ch/
 
Protik said:
I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
Click to expand...
Inspecting the certificate. It’s highly unlikely that you’re not using SHA-2 (probably SHA-256) because all methods of certificate generation around these parts use it. SHA-1 has been out of favor for many years due to insecurity.
 
Protik said:
I know it's 2048 as diversion reported that. How do I know whether it's SHA-2 or not?
Click to expand...
from the command line:
Code: 
openssl x509 -in /opt/var/cache/pixelserv/ca.crt -noout -text
Near the top of the output should be something similar to:
Code: 
Signature Algorithm: sha256WithRSAEncryption
"Signature Algorithm:" should start with "sha224", "sha256", "sha384", or "sha512"; almost certainly yours will start with "sha256".
 
Diversion runs this:
Code: 
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /tmp/diversion/div-openssl.cnf
 
Here you go guys, I've made simple one-liners to update your Pixelserv-tls version to v2.3.1 until Entware dont push the official update.

Simply paste these big one liners in terminal as per your router architecture ( if you're not sure about it run "uname -m" command in terminal.

For AARCH64 routers:

Code: 
diversion disable && cd /opt/bin && wget -O Pixelserv.zip https://github.com/kvic-z/pixelserv-tls/releases/download/v2.3.1/pixelserv-tls.2.3.1.Entware-3.x.aarch64softfloat.zip && opkg install p7zip && 7za e Pixelserv.zip *.dynamic -r && rm pixelserv-tls && mv pixelserv-tls.armv8.ent.performance.dynamic pixelserv-tls && chmod +x pixelserv-tls && rm Pixelserv.zip && opkg remove p7zip && cd -- && diversion enable

For ARMv7 routers:

Code: 
diversion disable && cd /opt/bin && wget -O Pixelserv.zip https://github.com/kvic-z/pixelserv-tls/releases/download/v2.3.1/pixelserv-tls.2.3.1.Entware-ng.armv7softfloat.zip && opkg install p7zip && 7za e Pixelserv.zip *.dynamic -r && rm pixelserv-tls && mv pixelserv-tls.arm.ent.performance.dynamic pixelserv-tls && chmod +x pixelserv-tls && rm Pixelserv.zip && opkg remove p7zip && cd -- && diversion enable

In case you are coming from Pixelserv-tls v2.2.1 or below then you'll need to purge your domain certificates by opening Diversion > ep > 3 > 1 > 1

P.s I've only tried this on aarch64 but basic algorithm remains same for both architectures so it should work.
 
Alright, I hear you all.
I've just pushed a Diversion update, no version change

What's new
- Option in ep, 6, 3 to update pixelserv-tls to v2.3.1 (@Jack Yaz version) for all router models.

Use u to update.
 
9D45B0F3-1B63-4942-9BD0-F921C446837A.jpeg

Woah. Something new on me.

Using an app and suddenly see this warning. Only occurs when using this specific app. Just upgraded to iOS 13.3.1, am on pixelserv-tls 2.3.1, ac86u, merlin’s 384.14_2. Only happens when using my router with pixelserv on it, mobile data is fine unless I VPN into my router, which leads me to think it’s pixelserv related.

Its a quasi-government app which makes me reach for my tin foil hat. But then again, considering the country I live in, a tin foil hat is a requirement.

Any ideas?
 
^Tripper^ said:
View attachment 21130

Woah. Something new on me.

Using an app and suddenly see this warning. Only occurs when using this specific app. Just upgraded to iOS 13.3.1, am on pixelserv-tls 2.3.1, ac86u, merlin’s 384.14_2. Only happens when using my router with pixelserv on it, mobile data is fine unless I VPN into my router, which leads me to think it’s pixelserv related.

Its a quasi-government app which makes me reach for my tin foil hat. But then again, considering the country I live in, a tin foil hat is a requirement.

Any ideas?
Click to expand...
Did you already follow the CA import instructions here: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#iosandroid

If so, the app might have the expected certificate pinned and warns you if it doesn't match.
 
@^Tripper^, did you fully remove any old ca.crt certificates and only then import the latest pixelserv-tls v2.3.1 generated one on that iPhone?
 
L&LD said:
@^Tripper^, did you fully remove any old ca.crt certificates and only then import the latest pixelserv-tls v2.3.1 generated one on that iPhone?
Click to expand...

Yup, fully removed and only the latest cert imported.

dave14305 said:
Did you already follow the CA import instructions here: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#iosandroid

If so, the app might have the expected certificate pinned and warns you if it doesn't match.
Click to expand...

Followed all instructions to the letter. I updated to 2.3.1 when kvic released it ( which was last month as I recall) and followed all the instructions exactly.

Only got this today with the update to iOS 13.3.1 which could possibly be related.

@dave14305 To clarify, you’re saying the app has maybe “recorded” the cert and is throwing up the error as the new cert doesn’t match what it’s expecting? Didn’t think of that, will try deleting the app and trying again, that may possibly sort this out.

Thank you for the input guys. :)))
 
@^Tripper^, just guessing now, but after you delete the app, can you clear out any cache on the phone before and after you reboot it?
 
^Tripper^ said:
Update; no dice. Deleted the app, rebooted the phone, reinstalled and still getting the error.

Hmmm... wonder what “checks” this app does.
Click to expand...

If you're getting the cert error only on a single app then it's the apps issue. Some app developers hardcode the client certificate in the code and it matches the signature hashes with their server counterpart and in case of Pixelserv-tls, the generated certificates don't match the hardcoded app's signature hash thus the error. There's no way to fix it and you'll need to whitelist the blocked URL which is preventing the app to phone the home server.
 
Last edited:
^Tripper^ said:
@dave14305 To clarify, you’re saying the app has maybe “recorded” the cert and is throwing up the error as the new cert doesn’t match what it’s expecting? Didn’t think of that, will try deleting the app and trying again, that may possibly sort this out.
Click to expand...
Not exactly. I'm speculating that the expected certificate signature is hard-coded in the app and the pixelserv-generated certificate signature doesn't match that. A way to prevent spoofing of certs, but it's hard to say with any certainty what they're doing inside.

EDIT: what @Asad Ali said. :)
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
489
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
4K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 908 (members: 35, guests: 873)
Top