pixelserv - A Better One-pixel Webserver for Adblock

https://kazoo.ga/pixelserv-tls/

Release 2.3.1 (2019-12-13)
Changes
* NEW check and purge expired certs on-the-fly. Generate new ones automatically to replace the expired ones.
* NEW support the new TLS requirements on key size, cert validity period, etc. from Debian 10 and Apple Inc.
Included findings & code contributed by emeidi and jackyaz.
* CHANGED fix compilation warnings with gcc-9/clang-9 (issue #33), contributed by KiloFoxtrotPapa.

Support the new TLS requirements from Debian & Apple Inc
Updated to meet Debian & Apple requirements on server certificates based on RSA with a minimum key size of 2048 bits. Additionally, the certificate validity duration has been reduced from 10 years down to 825 days. Newly generated certificates will also carry the id-kp-serverAuth extended key usage OID.

Your root CA certificate with a key size of 1024 bits (generated as per this wiki) should be fine. You're recommended to continue using your existing root CA certificate. A 1024-bit key (in contrast to 2048-bit) helps reduce the workload on your router/server when automatically generating server certificates.

However, if you're using an intermediate CA certificate, you might run into issues with Apple software. I haven't verified this personally, but you may be required to upgrade to 2048 bits. Let me know below or through the GitHub issue tracker if you have new findings.

Purge expired certificates & generate new ones to replace
This version comes with an enhancement to check certificates' expiry on-the-fly. New ones are generated automatically to replace the expired ones. As you can imagine, a certificate validity period of 825 days as mandated by Apple is pretty short. This enhancement should eliminate any manual administration of the automatically generated certificates. They will simply keep working, automatically.

Installation for early adopters on Entware
Download the binary from Github. aarch64 for 64-bit ARM routers/servers. armv7 for 32-bit ARM routers/servers. Unzip the archive, locate & rename 'pixelserv-tls.<your architecture>.performance.dynamic' to 'pixelserv-tls'. Upload the file to your router/server and replace the one of the same name in '/opt/bin'.

Caution: If you're upgrading from v2.2.1-1 or earlier, remember to delete all certificate files except 'ca.crt' and 'ca.key' files in '/opt/var/cache/pixelserv' and then restart pixelserv-tls.

Caution: For users running the unofficial 'v2.3.0' patch to support Apple software, you're recommended to upgrade to v2.3.1 because I see a memory leak in the patch that will destabilize your routers/servers.
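Added example, not code from pixelserv-tls or its author: a small shell audit that checks certificate files against the rules the release notes describe (RSA key of at least 2048 bits, validity no longer than 825 days, id-kp-serverAuth EKU, not expired) using only the openssl command-line tool. The two certificates it generates are constructed for the demonstration and stand in for the files found in '/opt/var/cache/pixelserv'.

```shell
#!/bin/sh
# Added example (not part of pixelserv-tls): audit certificates against the
# 2.3.1 requirements: RSA key >= 2048 bits, validity <= 825 days,
# id-kp-serverAuth EKU present, not expired.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH.

# audit_cert FILE: prints "FILE: OK" or "FILE: FAIL <reasons>";
# exit status is 0 only when every check passes.
audit_cert() {
    f="$1"; why=""
    # Key size, taken from the "Public-Key: (N bit)" line of the text dump
    bits=$(openssl x509 -in "$f" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || why="$why key-too-small(${bits:-?})"
    # Already expired? -checkend 0 exits non-zero when notAfter is in the past.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || why="$why expired"
    # Approximation of the 825-day limit measured from now: a certificate that
    # is still valid 826 days from today was issued for longer than allowed.
    if openssl x509 -in "$f" -noout -checkend $((826 * 86400)) >/dev/null; then
        why="$why validity-over-825-days"
    fi
    # Extended key usage must include id-kp-serverAuth
    openssl x509 -in "$f" -noout -text | grep -q 'TLS Web Server Authentication' \
        || why="$why no-serverAuth-eku"
    if [ -z "$why" ]; then
        echo "$f: OK"; return 0
    fi
    echo "$f: FAIL$why"; return 1
}

# make_test_certs DIR: constructed self-signed certificates so the audit runs
# offline. good.crt follows the 2.3.1 rules; legacy.crt resembles a pre-2.3.1
# certificate (1024-bit key, 10-year validity, no EKU). Not real pixelserv output.
make_test_certs() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj '/CN=ads.example.test' \
        -addext 'extendedKeyUsage=serverAuth' -keyout "$d/good.key" -out "$d/good.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:1024 -nodes -days 3650 -subj '/CN=ads.example.test' \
        -keyout "$d/legacy.key" -out "$d/legacy.crt" 2>/dev/null
}

# On a router you would run the audit over the cache directory instead:
#   for f in /opt/var/cache/pixelserv/*; do audit_cert "$f"; done
```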
 
I just did this update per the above instructions. I used Diversion to "Disable" pixelserv-tls first and purged certificates as a precaution. My main computer is Linux, so I used FileZilla to upload the newer version, but it would not, so I deleted the existing version first (after doing a full USB backup), then the new version upload worked. I checked permissions (755) and "Enabled" pixelserv-tls via Diversion.

Pixelserv-tls is running and seems fine, time will tell. Interesting the bit about the memory leak.
 
Now a technologically challenged person like me just needs it to be automatically updateable via amtm.

The Lonely Coder will assuredly get to this at some time, but coffee must first be had..........:D
This is no beta, Entware will have the updated packages with their next regular update.
 
Can somebody write step by step how to install a pixelserv on the raspberry_pi with pi-hole or adguard home?
Very good feature, but I do not know where else I can ask.
 
Can somebody write step by step how to install a pixelserv on the raspberry_pi with pi-hole or adguard home?

This thread is dedicated to Pixelserv install on merlin firmware.
 
Can somebody write step by step how to install a pixelserv on the raspberry_pi with pi-hole or adguard home?
Very good feature, but I do not know where else I can ask.
I recommend not running them together unless you plan on using pihole solely for DHCP and Web UI features. Pixelserv-tls has no need for pihole. Just as pihole has no need for pixelserv-tls, mixing the two is one big redundant mess.
 
@kvic - firstly thank you for the superb pixelserv-tls and your continuous development.

Just yesterday I upgraded from 2.21 to the latest available version, 2.3.1.
While checking some settings and details I came across a few things on which I need some clarification.

  • Any reason as to why pixelserv-tls still supports TLS1 - this is deprecated and no longer recommended at all
  • Can you please remove Obsolete: SEED + 128+256 Bit CBC cipher?
While most browsers these days support TLS1.3 - TLS downgrade attacks are still in the wild and could potentially cause some damage.

Details below:
[Attached screenshots: upload_2019-12-25_13-11-47.png, upload_2019-12-25_13-12-5.png, upload_2019-12-25_13-12-17.png]


Cheers,
Ivan
 
While most browsers these days support TLS1.3 - TLS downgrade attacks are still in the wild and could potentially cause some damage

Pixelserv-tls runs locally on your router and only works for the domains you have already blocked in your blocking file, so there's literally nothing which leaves your local network; thus TLS downgrade attacks are not possible, nor will they impact anything.
 
Can you please remove Obsolete: SEED + 128+256 Bit CBC cipher?
I get different results with 2.3.1 installed.
Testing protocols via sockets except SPDY+HTTP2

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered

Testing ~standard cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session tickets
Secure Renegotiation (CVE-2009-3555) VULNERABLE (NOT ok)
Secure Client-Initiated Renegotiation not vulnerable (OK)

CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, TLS 1.2 is the only protocol (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
 
Yeah I think I'll wait to update to pixelserv 2.3.1 via amtm as well, unless someone has precise step by step instructions on how to do it without blowing anything up :p

I'm currently running Jack's 2.3.0 version and just updated Diversion to 4.1.7.
 
Not sure which version you are using, I use the latest from github.

But from memory, you can also use nmap scripts to confirm or cross-check.

 