jrmwvu04
Very Senior Member
No, that’s what I was getting at earlier. Even if the tls handshake is failing, dropped pixelserv connections are preferable to other solutions.
pixelserv pixelserv - A Better One-pixel Webserver for Adblock
- Thread starter kvic
- Start date
Jack Yaz
Part of the Furniture
I'm taking a stab at patching this
EDIT: For anyone with a Linux box and is comfortable building software: https://github.com/jackyaz/pixelserv-tls
Last edited:
How? I clone the git, enter the folder, what next?
the steps are described within the repo readme under build from source.
XIII
Very Senior Member
But don't we need to cross-compile to run it on our routers? (How?)
it says: but it fails...
2) Use the old Makefile-XC. E.g. to build for ASUSWRT,
make -f Makefile-XC arm
jrmwvu04
Very Senior Member
Looks good, thanks. Comment should change to 2 years.
Code:
(x509), 63072000L); // cert valid for 10yrsIf anyone builds a binary for armv7, feel free to share.
Jack Yaz
Part of the Furniture
You probably need toolchains etc.?
I'm afraid my skillset is limited when it comes to cross compiling (and compiling in general!)
Thinking about this example posted above, with that being from pixelserv, are the only things which NEED to be changed:Here's what the current result is from the latest pixelserv build widely available. 10 years, 1024 bit, etc. despite the supplied certificate being changed.
a) Key length 1024 -> 2048 bits
b) Days - 3650 --> 825
c) Are the other fields ok as is to keep pixelserv functional and in compliance with Apples new rules? IDK, I'm asking?
jrmwvu04
Very Senior Member
Without the proper testing which I have not done I can’t say definitively, but I assume the ExtendedKeyUsage extension will also need to be present. I hit a ton of snags trying to get a build environment going last night (Catalina breaks quite a bit of software).
Jack Yaz
Part of the Furniture
if my version works, it should do this
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.
Login to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.
Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5
Last edited:
Jack Yaz
Part of the Furniture
There's no eku for tls server auth which is a requirement from Apple
jrmwvu04
Very Senior Member
I'm not an expert on any of this. Some of the stuff I've dealt with enough to manipulate, some of it I have a working understanding, and some of it I've heard about for the first time this week.
Whatever that is, it has nothing to do with pixelserv or the new tighter iOS/macOS rules
Ah ok. Not sure I understand EKU+SAN.
I was talking about the default cert showing the Extension+ SAN + "DNS Name" in this earlier posting https://www.snbforums.com/threads/p...server-for-adblock.26114/page-148#post-511588
Is it as simple as this:
Code:
Not Critical
TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1)
TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)Jack Yaz
Part of the Furniture
Not sure client is needed, but in my forked pixelserv I add the server auth eku
This is how/where I think that originated.. not 100% now --> https://github.com/kvic-z/pixelserv-tls/wiki/[ASUSWRT]-Use-Pixelserv-CA-to-issue-a-certificate-for-WebGUI
I had forgotten about his github page with lots of help.. so this is the one to externally generate a self-signed key and import it outside of pixelserv's nice neat way to stay outta the whole cert nightmare and quicksand!! --> https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate
So if we can get the input strings correct + OpenSSL, we can generate the certs and import them?
But the rub still is the code actually checks for 1024.. length so that needs to be changed or just removed completely and any other checks along similar lines?
Last edited:
thelonelycoder
Part of the Furniture
@Jack Yaz or anyone smarter and better with compiling than me: I would like to be prepared for the iOS 13 release.
I would need the usual ARM, Mipsel and AARCH releases in zip format, just like @kvic usually does.
A new version number would help too.
I could then modify the ps beta install script and code it into Diversion/amtm.
Any volunteers?
I would need the usual ARM, Mipsel and AARCH releases in zip format, just like @kvic usually does.
A new version number would help too.
I could then modify the ps beta install script and code it into Diversion/amtm.
Any volunteers?
thelonelycoder
Part of the Furniture
Looks like 13 could indeed be a bad number....
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| C | Diversion Pixelserv replacement | Asuswrt-Merlin AddOns | 2 | |
| L | Is Diversion better than NextDNS, PiHole or AdGuard Home? | Asuswrt-Merlin AddOns | 10 |
Similar threads
-
-
Is Diversion better than NextDNS, PiHole or AdGuard Home?
- Started by Logi
- Replies: 10
Latest threads
-
ROG 98 Pro: Fire Stick 4K Max won’t connect to WiFi 6E???
- Started by Poseidon
- Replies: 2
-
-
Help with RT-ac88u network switch issues - causing reboot
- Started by rkalinka
- Replies: 0
-
TP-Link routers are being taken over by botnet
- Started by TheLostSwede
- Replies: 3
-
RT-AX86U Pro - Merlin: can't get p2p cameras available to wan.
- Started by mightyoakbob
- Replies: 3
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!