Yes, it has been discussed now for days, start with the link below, and read to here to get updated as to the issue and attempts to address it.
That is because that was the current time stamp on the machine when Jack compiled. It’s not a problem.
I followed these two links from kvic.
Thanks for the link, after quite a bit of read, this is very significant.
I'll be honest with you, if you are wanting to correct the problem as a matter of personal accomplishment or learning experience - those are the outdated instructions. You need to change the RSA from 1024 to 2048, change the 3650 days to something less than 825, and add the server auth EKU. Specifics are available earlier in this thread. If are wanting it just to work, my advice is to sit tight because @thelonelycoder , @Jack Yaz , @RMerlin and others have made/will make the changes that need to happen for everything to work right.
Upcoming new releases of all your favorite router software will offer push button solutions to the problem.
Personal accomplishment and learning experience is why. I used this to generate the new cert.
cd /opt/var/cache/pixelserv
openssl genrsa -out ca.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"yea so I followed the installation instructions for Jack-Yaz compiled patch, I have the new CA registered and everything, the only issue I am seeing is that the CA uses SHA-1 thumbprint I am under the impression from the read that the new iOS13 will need a SHA-2 thumbprint.
That’s correct, but something must be amiss - all of the certificate generating sources I’ve seen have long included sha256.
openssl req -new -x509 -key key.pem -sha256 -out cert.pem -days 730 -config /etc/openssl.configyes I followed your suggested code method when generating mine.
cat /etc/openssl.cnf > /jffs/openssl.cnf && sed -i "/\[ v3_ca \]/aextendedKeyUsage = serverAuth" /jffs/openssl.cnf && openssl genrsa -out ca.key 2048 && openssl req -key ca.key -new -x509 -days 825 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" -config /jffs/openssl.cnf && rm /jffs/openssl.cnfHave you tested this out? At a glance I'm not sure you're satisfying this:
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
I may be wrong, but it is not needed to state alternative names since pixelserv issues them when generating certificates.
Agreed about only needed for Apple devices. Apple must be trying to raise the bar again. Also, the new Apple release is still in beta so a lot of this still needs to be tested for completeness and longevity.
They released the Golden Master last Tuesday after their media event and the final release will be out on Thursday (September 19).
Yeah I’m overthinking again - pixelserv will be fine as is. I was thinking ahead to using the using the certificate for other uses like gui, etc.
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| C | Diversion Pixelserv replacement | Asuswrt-Merlin AddOns | 2 | |
| L | Is Diversion better than NextDNS, PiHole or AdGuard Home? | Asuswrt-Merlin AddOns | 10 |
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!
