pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[Ayitaka]

Thank you Asad Ali.

Might the previously-generated pixelserv certs (for other domains) in /opt/var/cache/pixelserv/ be causing the issues people are seeing with dropped/rejected https requests, since they become invalid once you create a new CA?

They were giving me problems for other reasons so I went into Diversion and purged all the pixelserv certs before generating my new ones (it saves your existing CA and key if you already created new ones) and that helped me.

 

[Asad Ali]

Thank you Asad Ali.

Might the previously-generated pixelserv certs (for other domains) in /opt/var/cache/pixelserv/ be causing the issues people are seeing with dropped/rejected https requests, since they become invalid once you create a new CA?

They were giving me problems for other reasons so I went into Diversion and purged all the pixelserv certs before generating my new ones (it saves your existing CA and key if you already created new ones) and that helped me.

That's the necessary step once you create a new Root CA, without that it's useless for any existing certificates and will cause issues.

 

[RMerlin]

I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...

 

[Asad Ali]

I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...

I believe these conditions are only for self signed certificates/CA's. Public CAs won't need to do that since they already have to do so many other things to establish the trust chain in advance.

 

[heysoundude]

It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.

Agreed, those 730 days will fly right by...but the Apple requirement is every 8oo-some. perhaps reminders at 90 remaining days, 60, 30, 15, 7 and red alerts at 3, 2, 1 would be helpful? I like email alerts too...or we can just set reminders in our phones. ;-)

 

[thelonelycoder]

It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.

I'm checking the expiry date:

openssl x509 -text -noout -in /opt/var/cache/pixelserv/ca.crt | grep "Not After :" | sed 's/^.*: //'

Back to coding, see ya all when everything's ready and done.

 

[SomeWhereOverTheRainBow]

I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...

That is how apple gets their money sooner.....

 

[jrmwvu04]

I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...

From my understanding, the verbiage “TLS server certificates and issuing CAs” is only used describing requirement for the 2048 bit rsa and sha-2 requirements. The other bullet points including the two year requirement are only for “TLS server certificates” so it seems those restrictions may not apply to CAs.

 

[thelonelycoder]

From my understanding, the verbiage “TLS server certificates and issuing CAs” is only used describing requirement for the 2048 bit rsa and sha-2 requirements. The other bullet points including the two year requirement are only for “TLS server certificates” so it seems those restrictions may not apply to CAs.

I'm still using the 3650 days for the CA, so this seems correct. Thanks for confirming and adding to the confusion

 

[Asad Ali]

I'm still using the 3650 days for the CA, so this seems correct. Thanks for confirming and adding to the confusion

You're on iOS 13 or macOS Catalina? Only those operating systems are effected by this for now.

 

[Asad Ali]

Alright guys good news, I've tested the Root CA WITH 10 years validity and WITHOUT any EKU flag and as long as your key is 2048 bits SHA-2 it'll work and accepted in new iOS 13 and Catalina standards, so that's a major relief since you no longer need to generate and reimport the certificate in all your devices every 2 years and we don't need any special commands/scripts to generate the Root CA as well.

The conditions of two years and EKU flag are still necessary for pixelserv-tls generated certificates so we do have to purge our generated certificates every two years but that's no hassle.

 

[thelonelycoder]

Alright guys good news, I've tested the Root CA WITH 10 years validity and WITHOUT any EKU flag and as long as your key is 2048 bits SHA-2 it'll work and accepted in new iOS 13 and Catalina standards, so that's a major relief since you no longer need to generate and reimport the certificate in all your devices every 2 years and we don't need any special commands/scripts to generate the Root CA as well.

The conditions of two years and EKU flag are still necessary for pixelserv-tls generated certificates so we do have to purge our generated certificates every two years but that's no hassle.

Good to know. The info on the upcoming Diversion update looks like this, with the differentiation of the CA cert and the generated certs.
Only the expiry date of the oldest domain cert is shown, giving you an idea when to purge the certs.

 

[Asad Ali]

Good to know. The info on the upcoming Diversion update looks like this, with the differentiation of the CA cert and the generated certs.
Only the expiry date of the oldest domain cert is shown, giving you an idea when to purge the certs.

Seems good but just a suggestion if it's not too much work. Add an automated purge for expired generated certs ( or even complete folder because mostly we reach equilibrium within days of purging the old certificates )

 

[thelonelycoder]

Seems good but just a suggestion if it's not too much work. Add an automated purge for expired generated certs ( or even complete folder because mostly we reach equilibrium within days of purging the old certificates )

That's a worry for two years from now. Plenty of time to code that part.

 

[Asad Ali]

That's a worry for two years from now. Plenty of time to code that part.

That's true!!

 

[elorimer]

@thelonelycoder: Would I be correct that selecting #2 to recreate the CA certificate would also do #1?

 

[thelonelycoder]

@thelonelycoder: Would I be correct that selecting #2 to recreate the CA certificate would also do #1?

It does, as you would expect it to do.

 

[thelonelycoder]

I'm ready with my Diversion update for the iOS 11 compatibility requirements.
But first, I need some pillow time. And then cross fingers that my employer won't be needing my services tomorrow morning when I push the update.

 

[Asad Ali]

iOS 11

Yep, you do need pillow time for sure because it's iOS 13 [emoji16][emoji16]

 

[QuikSilver]

Yep, you do need pillow time for sure because it's iOS 13 [emoji16][emoji16]

@thelonelycoder might need two years worth of sleep with all these changes.