pixelserv pixelserv - A Better One-pixel Webserver for Adblock

[DonnyJohnny]

2.2.0-rc.2 is available

We have support for a new and exciting feature in TLS 1.3. The impact to existing flow isn't small. Hence, would appreciate everyone's test on any regression bug.

For details, pls be sure to read release notes at https://kazoo.ga/pixelserv-tls/

Understandably now only I could test TLS 1.3, I'm actively thinking how I could enable more users to try TLS 1.3 earlier and without imposing a support burden on myself.

To test need OpenSSL 1.1.1 and pc?

 

[kvic]

To test need OpenSSL 1.1.1 and pc?

No, it's not required for TLS <= 1.2. It works on your good old routers.

I'm actively thinking how to enable people to try TLS 1.3 with OpenSSL 1.1.1 on existing routers. Not yet available.

 

[DonnyJohnny]

No, it's not required for TLS <= 1.2. It works on your good old routers.

I'm actively thinking how to enable people to try TLS 1.3 with OpenSSL 1.1.1 on existing routers. Not yet available.

What I mean was to test tls 1.3, u need OpenSSL 1.1.1 and a pc right?

I just up a request in entware to notice them about OpenSSL 1.1.1 update. Hope they pick up and update soon.

 

[kvic]

What I mean was to test tls 1.3, u need OpenSSL 1.1.1 and a pc right?

PC with a general Linux distribution, OpenSSL 1.1.1 should be available earlier.

For example, last time around, it took Arch Linux about 5 months (if I don't remember wrong) from the release date of OpenSSL 1.1.0 to complete the migration of all dependent packages. Test library package should be available earlier.

 

[DonnyJohnny]

PC with a general Linux distribution, OpenSSL 1.1.1 should be available earlier.

For example, last time around, it took Arch Linux about 5 months (if I don't remember wrong) from the release date of OpenSSL 1.1.0 to complete the migration of all dependent packages. Test library package should be available earlier.

Seems like openwrt are already on it... hope they will be able to compile them successfully.
https://github.com/openwrt/openwrt/pull/965

 

[kvic]

Seems like openwrt are already on it... hope they will be able to compile them successfully.
https://github.com/openwrt/openwrt/pull/965

Great news. I think you should go and add one comment or request. Ask OpenWRT to enable the flag...checkout #44 that I filed on Entware. Once it gets in OpenWRT. Naturally it'll trickle down

 

[M@rco]

Probably not much of challenge to you @kvic, but my padlock is broken I don't know what caused it, as I installed the latest release of pixelserv-tls today, updated Firefox to the latest stable version and updated my routers firmware to 384.7 beta 1, all today before I discovered it. Firefox no longer trusts access to https://router.asus.com:8443. It's throwing error MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT at me.
I removed the certificate in Firefox, re-added it after downloading it from the pixelserv IP, cleaned my cache, restarted Firefox, but to no avail. It keeps complaining about the certificate with the error mentioned before. Any suggestions what else I can try? I bypassed it making an exception, but that's not how it is supposed to work, is it? Any help would be appreciated.

 

[kvic]

Probably not much of challenge to you @kvic, but my padlock is broken I don't know what caused it, as I installed the latest release of pixelserv-tls today, updated Firefox to the latest stable version and updated my routers firmware to 384.7 beta 1, all today before I discovered it. Firefox no longer trusts access to https://router.asus.com:8443. It's throwing error MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT at me.
I removed the certificate in Firefox, re-added it after downloading it from the pixelserv IP, cleaned my cache, restarted Firefox, but to no avail. It keeps complaining about the certificate with the error mentioned before. Any suggestions what else I can try? I bypassed it making an exception, but that's not how it is supposed to work, is it? Any help would be appreciated.

It's a huge problem for me as I don't have latest firmware. I checked on 380.66. It's fine: https://i.imgur.com/u3NnVwN.png

I think you've done the necessary but just in case: 1) you haven't imported the server cert itself. If you did, pls remove it from FF. 2) you've imported the pixelserv CA (only this matters..)

 

[Makaveli]

I have the pixelserv CA imported but if I don't add the exception I still get the similar error as M@rco.

on FF 62 and 384.6

 

[kvic]

I have the pixelserv CA imported but if I don't add the exception I still get the same error as M@rco.

on FF 62 and 384.6

Phew..this one is easier.

You should access your WebUI with "xxx.ddns.net" (even you're on LAN) because you chose to generate a cert for that domain when you run config-webgui.sh so that it works on LAN and from WAN. If you only intend to access WebGUI from LAN (including through VPN server on router), you should pick "router.asus.com" instead.

So either you run the script again to generate a new cert or always access with xxx.ddns.net

 

[M@rco]

2) you've imported the pixelserv CA (only this matters..)

Been through it all, but no luck

@Makaveli, did you notice the change recently? Yesterday my padlock was still shiny green.

 

[Protik]

I think the rc2 improved the tav by a lot. I don't have the exact number, but I believe in rc1, my tav was around 28 ms. In rc2 this is down to 15 ms. It's only been 3 hours, but I will keep an eye on that.

 

[M@rco]

I was just re-reading the wiki to see if I missed something. Would re-running config-webui.sh solve the issue? I haven't done a factory reset though.

 

[kvic]

Phew..this one is easier.

You should access your WebUI with "xxx.ddns.net" (even you're on LAN) because you chose to generate a cert for that domain when you run config-webgui.sh so that it works on LAN and from WAN. If you only intend to access WebGUI from LAN (including through VPN server on router), you should pick "router.asus.com" instead.

So either you run the script again to generate a new cert or always access with xxx.ddns.net

btw...the certificate expired already on August 12, 2018 in your screenshot. That's a bit weird since any cert generated from config-webgui.sh will be valid for 10 yrs.

I suspect something changed on FW side. Perhaps try to run config-webgui.sh to generate a new server cert. Bounce httpd or reboot router. And see if it just works.

 

[kvic]

I was just re-reading the wiki to see if I missed something. Would re-running config-webui.sh solve the issue? I haven't done a factory reset though.

Worth simply re-generate the certificate but no need to re-import anything..

 

[Makaveli]

Been through it all, but no luck

@Makaveli, did you notice the change recently? Yesterday my padlock was still shiny green.

I made alot of changes last night to fix the diversion pixelserv issue but I'm pretty sure it was fine on the previous version of FF.

But then again after reading Kvic's post when I go into the router on the DDNS tab i'm noticing the Server cert does show 2018/08/12 so that date is old.

 

[kvic]

I think the rc2 improved the tav by a lot. I don't have the exact number, but I believe in rc1, my tav was around 28 ms. In rc2 this is down to 15 ms. It's only been 3 hours, but I will keep an eye on that.

I notice that too. However, if we're on TLS 1.2, everything should be same as before. So I'm busy looking for an explanation at the same time..

EDIT:

Note that the logging is MUCH faster in rc.2. So unless you have lots of messages even on LEVEL 2..then tav now will be smaller.

 

[Protik]

I notice that too. However, if we're on TLS 1.2, everything should be same as before. So I'm busy looking for an explanation at the same time..

EDIT:

Note that the logging is MUCH faster in rc.2. So unless you have lots of messages even on LEVEL 2..then tav now will be smaller.

I see. will be looking forward for an explanation.

 

[Makaveli]

Actually I just saw the wiki going to run that now.

 

[M@rco]

Worth simply re-generate the certificate but no need to re-import anything..

Bingo! Running config-webui.sh fixed my issue, without the need to re-import the certificate. Not sure what happened, but glad it's fixed. Padlock is shiny green again