What's new
By:

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

XIII said:
But don't we need to cross-compile to run it on our routers? (How?)
Click to expand...
it says: but it fails...
2) Use the old Makefile-XC. E.g. to build for ASUSWRT,
make -f Makefile-XC arm
 
jrmwvu04 said:
Here's what the current result is from the latest pixelserv build widely available. 10 years, 1024 bit, etc. despite the supplied certificate being changed.

aZdVBcA.png
Click to expand...
Thinking about this example posted above, with that being from pixelserv, are the only things which NEED to be changed:
a) Key length 1024 -> 2048 bits
b) Days - 3650 --> 825
c) Are the other fields ok as is to keep pixelserv functional and in compliance with Apples new rules? IDK, I'm asking?
 
gattaca said:
Thinking about this example posted above, with that being from pixelserv, are the only things which NEED to be changed:
a) Key length 1024 -> 2048 bits
b) Days - 3650 --> 825
c) Are the other fields ok as is to keep pixelserv functional and in compliance with Apples new rules? IDK, I'm asking?
Click to expand...
Without the proper testing which I have not done I can’t say definitively, but I assume the ExtendedKeyUsage extension will also need to be present. I hit a ton of snags trying to get a build environment going last night (Catalina breaks quite a bit of software).
 
jrmwvu04 said:
Without the proper testing which I have not done I can’t say definitively, but I assume the ExtendedKeyUsage extension will also need to be present. I hit a ton of snags trying to get a build environment going last night (Catalina breaks quite a bit of software).
Click to expand...
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.

Login to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.

Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5
 
Last edited:
gattaca said:
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.

Login to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.

Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5
Click to expand...
There's no eku for tls server auth which is a requirement from Apple
 
gattaca said:
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.
Click to expand...
I'm not an expert on any of this. Some of the stuff I've dealt with enough to manipulate, some of it I have a working understanding, and some of it I've heard about for the first time this week.
gattaca said:
Login to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.
Click to expand...
Whatever that is, it has nothing to do with pixelserv or the new tighter iOS/macOS rules
 
Jack Yaz said:
There's no eku for tls server auth which is a requirement from Apple
Click to expand...
Is it as simple as this:
Code: 
Not Critical 
TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1) 
TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)
In other words, just that OID indicating what the certificate is used for? I took this from Cloudflare's certificate for snbforums.com
 
elorimer said:
Is it as simple as this:
Code: 
Not Critical
TLS WWW Server Authentication (OID.1.3.6.1.5.5.7.3.1)
TLS WWW Client Authentication (OID.1.3.6.1.5.5.7.3.2)
In other words, just that OID indicating what the certificate is used for? I took this from Cloudflare's certificate for snbforums.com
Click to expand...
Not sure client is needed, but in my forked pixelserv I add the server auth eku
 
gattaca said:
Looking at that default cert again, it already has an EKU+SAN with a single DNS entry (*.bing.com). This is the part I do not understand. Is that the default cert generated b/c of the pixelserv code and is that fine with the rules or would each setup we have (say the router name) need to be pulled in as part of the cert? I just do not know.

Login to your router, then do Administration > System > Installed Server Certificate. What do you see? I think I recall there being instructions on using pixelserv to gen this cert which I did so it's another example. And yes it defaulted to 10 years.

Something akin to this?
Issued to : 192.168.301.5
SAN : 192.168.301.5 router.asus.com 1212-30105-AC86 1212-30105-AC86.mydomain.com
Issued by : 192.168.301.5
Expires on : 2028/5/5
Click to expand...

This is how/where I think that originated.. not 100% now --> https://github.com/kvic-z/pixelserv-tls/wiki/[ASUSWRT]-Use-Pixelserv-CA-to-issue-a-certificate-for-WebGUI
I had forgotten about his github page with lots of help.. so this is the one to externally generate a self-signed key and import it outside of pixelserv's nice neat way to stay outta the whole cert nightmare and quicksand!! --> https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

So if we can get the input strings correct + OpenSSL, we can generate the certs and import them?

But the rub still is the code actually checks for 1024.. length so that needs to be changed or just removed completely and any other checks along similar lines?
 
Last edited:
@Jack Yaz or anyone smarter and better with compiling than me: I would like to be prepared for the iOS 13 release.
I would need the usual ARM, Mipsel and AARCH releases in zip format, just like @kvic usually does.
A new version number would help too.
I could then modify the ps beta install script and code it into Diversion/amtm.

Any volunteers?
 
Looks like 13 could indeed be a bad number....
 
You must log in or register to reply here.

Similar threads

MegaMango
dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement
Replies
2
Views
2K
MegaMango
MegaMango
L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
4K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
2
Replies
21
Views
12K
thelonelycoder
thelonelycoder
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
4K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
4K
garycnew
garycnew

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 4,115 (members: 14, guests: 4,101)
Back
Top