pixelserv - A Better One-pixel Webserver for Adblock

But don't we need to cross-compile to run it on our routers? (How?)
it says: but it fails...
2) Use the old Makefile-XC. E.g. to build for ASUSWRT,
make -f Makefile-XC arm
 
it says: but it fails...
2) Use the old Makefile-XC. E.g. to build for ASUSWRT,
make -f Makefile-XC arm
You probably need toolchains etc.?

I'm afraid my skillset is limited when it comes to cross compiling (and compiling in general!)
 
Here's what the current result is from the latest pixelserv build widely available. 10 years, 1024 bit, etc. despite the supplied certificate being changed.

Thinking about this example posted above, with that being from pixelserv, are the only things which NEED to be changed:
a) Key length 1024 -> 2048 bits
b) Days - 3650 --> 825
c) Are the other fields ok as is to keep pixelserv functional and in compliance with Apple's new rules? IDK, I'm asking?
 
Thinking about this example posted above, with that being from pixelserv, are the only things which NEED to be changed:
a) Key length 1024 -> 2048 bits
b) Days - 3650 --> 825
c) Are the other fields ok as is to keep pixelserv functional and in compliance with Apple's new rules? IDK, I'm asking?
Without the proper testing which I have not done I can’t say definitively, but I assume the ExtendedKeyUsage extension will also need to be present. I hit a ton of snags trying to get a build environment going last night (Catalina breaks quite a bit of software).
 
Without the proper testing which I have not done I can’t say definitively, but I assume the ExtendedKeyUsage extension will also need to be present. I hit a ton of snags trying to get a build environment going last night (Catalina breaks quite a bit of software).
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.

Log in to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.

Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5
 
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.

Log in to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.

Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5
There's no EKU for TLS server auth, which is a requirement from Apple
 
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.
I'm not an expert on any of this. Some of the stuff I've dealt with enough to manipulate, some of it I have a working understanding, and some of it I've heard about for the first time this week.
Log in to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.
Whatever that is, it has nothing to do with pixelserv or the new tighter iOS/macOS rules
 
There's no EKU for TLS server auth, which is a requirement from Apple
Is it as simple as this:
Code:
Not Critical 
TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1) 
TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)
In other words, just that OID indicating what the certificate is used for? I took this from Cloudflare's certificate for snbforums.com
 
Is it as simple as this:
Code:
Not Critical
TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1)
TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)
In other words, just that OID indicating what the certificate is used for? I took this from Cloudflare's certificate for snbforums.com
Not sure client is needed, but in my forked pixelserv I add the server auth EKU
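
The four points raised in the thread so far (2048-bit key, validity of 825 days or less, a TLS server-auth EKU, a SAN entry) can be checked against the text that `openssl x509 -noout -text` prints for a certificate. The following is an added example, not code from pixelserv or from any poster; the sample certificate text is constructed, and `check_cert_text` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `openssl x509 -noout -text` (not a real cert).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2019 GMT
            Not After : Dec 29 00:00:00 2028 GMT
        Subject: CN = *.bing.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.bing.com
"""

MIN_RSA_BITS = 2048    # thread: key length 1024 -> 2048
MAX_VALID_DAYS = 825   # thread: days 3650 -> 825
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def check_cert_text(text):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not bits:
        findings.append("key size not found")
    elif int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"key is {bits.group(1)} bit, need >= {MIN_RSA_BITS}")
    start = re.search(r"Not Before\s*:\s*(.+)", text)
    end = re.search(r"Not After\s*:\s*(.+)", text)
    if not (start and end):
        findings.append("validity period not found")
    else:
        days = (datetime.strptime(end.group(1).strip(), DATE_FMT)
                - datetime.strptime(start.group(1).strip(), DATE_FMT)).days
        if days > MAX_VALID_DAYS:
            findings.append(f"valid for {days} days, need <= {MAX_VALID_DAYS}")
    # Only the value line directly under each extension header is inspected.
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    if not eku or "TLS Web Server Authentication" not in eku.group(1):
        findings.append("EKU lacks TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)")
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if not san or not re.search(r"\b(DNS|IP Address):", san.group(1)):
        findings.append("no DNS/IP entry in Subject Alternative Name")
    return findings
```

Calling `check_cert_text(SAMPLE_CERT_TEXT)` reports the 1024-bit key, the 3650-day lifetime and the missing server-auth EKU; the SAN check passes.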
 
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.

Log in to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.

Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5

This is how/where I think that originated.. not 100% now --> https://github.com/kvic-z/pixelserv-tls/wiki/[ASUSWRT]-Use-Pixelserv-CA-to-issue-a-certificate-for-WebGUI
I had forgotten about his github page with lots of help.. so this is the one to externally generate a self-signed key and import it outside of pixelserv's nice neat way to stay outta the whole cert nightmare and quicksand!! --> https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

So if we can get the input strings correct + OpenSSL, we can generate the certs and import them?

But the rub still is the code actually checks for 1024.. length so that needs to be changed or just removed completely and any other checks along similar lines?
 
@Jack Yaz or anyone smarter and better with compiling than me: I would like to be prepared for the iOS 13 release.
I would need the usual ARM, Mipsel and AARCH releases in zip format, just like @kvic usually does.
A new version number would help too.
I could then modify the ps beta install script and code it into Diversion/amtm.

Any volunteers?
 
Looks like 13 could indeed be a bad number....
 
