Menu
What's new
By:
Filters Better Search

pixelserv pixelserv - A Better One-pixel Webserver for Adblock

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thank you Asad Ali.

Might the previously-generated pixelserv certs (for other domains) in /opt/var/cache/pixelserv/ be causing the issues people are seeing with dropped/rejected https requests, since they become invalid once you create a new CA?

They were giving me problems for other reasons so I went into Diversion and purged all the pixelserv certs before generating my new ones (it saves your existing CA and key if you already created new ones) and that helped me.
 
Ayitaka said:
Thank you Asad Ali.

Might the previously-generated pixelserv certs (for other domains) in /opt/var/cache/pixelserv/ be causing the issues people are seeing with dropped/rejected https requests, since they become invalid once you create a new CA?

They were giving me problems for other reasons so I went into Diversion and purged all the pixelserv certs before generating my new ones (it saves your existing CA and key if you already created new ones) and that helped me.
Click to expand...

That's the necessary step once you create a new Root CA, without that it's useless for any existing certificates and will cause issues.
 
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...
 
RMerlin said:
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...
Click to expand...

I believe these conditions are only for self signed certificates/CA's. Public CAs won't need to do that since they already have to do so many other things to establish the trust chain in advance.
 
elorimer said:
It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.
Click to expand...

Agreed, those 730 days will fly right by...but the Apple requirement is every 8oo-some. perhaps reminders at 90 remaining days, 60, 30, 15, 7 and red alerts at 3, 2, 1 would be helpful? I like email alerts too...or we can just set reminders in our phones. ;-)
 
elorimer said:
It occurs to me that 2 years will roll over pretty fast. Perhaps Diversion could keep a timer going and pop up or email a reminder when the certs need to be regenerated and the pixelserv certs purged, like the update popup.
Click to expand...
I'm checking the expiry date:
Code: 
openssl x509 -text -noout -in /opt/var/cache/pixelserv/ca.crt | grep "Not After :" | sed 's/^.*: //'
Back to coding, see ya all when everything's ready and done.
 
RMerlin said:
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...
Click to expand...
That is how apple gets their money sooner.....
 
RMerlin said:
I wonder if CAs are affected by this BTW. I can't imagine every CA having to renew their root certificate every two years. Imagine a smart phone that no longer gets OS updates, it would mean not a single SSL site would be working after two years without any updated CA bundle...
Click to expand...
From my understanding, the verbiage “TLS server certificates and issuing CAs” is only used describing requirement for the 2048 bit rsa and sha-2 requirements. The other bullet points including the two year requirement are only for “TLS server certificates” so it seems those restrictions may not apply to CAs.
 
jrmwvu04 said:
From my understanding, the verbiage “TLS server certificates and issuing CAs” is only used describing requirement for the 2048 bit rsa and sha-2 requirements. The other bullet points including the two year requirement are only for “TLS server certificates” so it seems those restrictions may not apply to CAs.
Click to expand...
I'm still using the 3650 days for the CA, so this seems correct. Thanks for confirming and adding to the confusion :D
 
Alright guys good news, I've tested the Root CA WITH 10 years validity and WITHOUT any EKU flag and as long as your key is 2048 bits SHA-2 it'll work and accepted in new iOS 13 and Catalina standards, so that's a major relief since you no longer need to generate and reimport the certificate in all your devices every 2 years and we don't need any special commands/scripts to generate the Root CA as well.

The conditions of two years and EKU flag are still necessary for pixelserv-tls generated certificates so we do have to purge our generated certificates every two years but that's no hassle.
 
Asad Ali said:
Alright guys good news, I've tested the Root CA WITH 10 years validity and WITHOUT any EKU flag and as long as your key is 2048 bits SHA-2 it'll work and accepted in new iOS 13 and Catalina standards, so that's a major relief since you no longer need to generate and reimport the certificate in all your devices every 2 years and we don't need any special commands/scripts to generate the Root CA as well.

The conditions of two years and EKU flag are still necessary for pixelserv-tls generated certificates so we do have to purge our generated certificates every two years but that's no hassle.
Click to expand...
Good to know. The info on the upcoming Diversion update looks like this, with the differentiation of the CA cert and the generated certs.
Only the expiry date of the oldest domain cert is shown, giving you an idea when to purge the certs.

tZ1w1LU.png
 
thelonelycoder said:
Good to know. The info on the upcoming Diversion update looks like this, with the differentiation of the CA cert and the generated certs.
Only the expiry date of the oldest domain cert is shown, giving you an idea when to purge the certs.

tZ1w1LU.png
Click to expand...

Seems good but just a suggestion if it's not too much work. Add an automated purge for expired generated certs ( or even complete folder because mostly we reach equilibrium within days of purging the old certificates )
 
Asad Ali said:
Seems good but just a suggestion if it's not too much work. Add an automated purge for expired generated certs ( or even complete folder because mostly we reach equilibrium within days of purging the old certificates )
Click to expand...
That's a worry for two years from now. Plenty of time to code that part.
 
@thelonelycoder: Would I be correct that selecting #2 to recreate the CA certificate would also do #1?
 
I'm ready with my Diversion update for the iOS 11 compatibility requirements.
But first, I need some pillow time. And then cross fingers that my employer won't be needing my services tomorrow morning when I push the update.
 
You must log in or register to reply here.

Similar threads

L
pixelserv SOLVED - Is PixelServ WebGui script trustworthy at the moment? Redirects to strange website...
Replies
10
Views
3K
gspannu
gspannu
thelonelycoder
Diversion Need help with selecting new set of filter lists / block lists for Diversion 5.0
Replies
19
Views
2K
Gary_Dexter
Gary_Dexter
blacksheep
pixelserv Does "How to best run Pixelserv tls on asuswrt" still apply?
Replies
3
Views
3K
elorimer
E
garycnew
Entware [SOLUTION] Cross-Compile PixelServ-TLS 2.4 Entware Package via Debian Live DVD
Replies
13
Views
3K
garycnew
garycnew
Jack Yaz
YazFi YazFi v4.x - continued
4 5 6
Replies
107
Views
15K
Martinski
M
Similar threads
Thread starter Title Forum Replies Date
C Diversion Pixelserv replacement Asuswrt-Merlin AddOns 2
D amtm bus error, pixelserv-tls segmentation fault Asuswrt-Merlin AddOns 17
F pixelserv pixelserv-tls stats does not load Asuswrt-Merlin AddOns 1
black-raison-detre Idea for better web Addons Asuswrt-Merlin AddOns 13

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,086 (members: 38, guests: 1,048)
Top