AdGuardHome Pixelserv-tls Your AdGuardHome

[SomeWhereOverTheRainBow]

I suspect I could not trust the certificate in my iphone. I try to change the day from 3650 to 365 but still see TLS handshake errors.

slu

22

# of dropped HTTPS requests (other TLS handshake errors)

About upcoming limits on trusted certificates - Apple Support

In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.

support.apple.com

Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.

support.apple.com

Referring to https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices, I do not have the option to turn on trust for Pixelserv CA.

Some highlighted facts:
"This change will not affect certificates issued from user-added or administrator-added Root CAs."

Also the slu errors could be coming from any device without a properly configured certificate as it is an indication of a connection refusal. Pixelserv tls will still behave in the same manner as 0.0.0.0 for these types of connection shuts.

 

[SomeWhereOverTheRainBow]

From my testing, it appears I do get more ads blocked on mobile devices with the inclusion of pixelserv-tls. I havent had a chance yet to play with my apple mobile products, but for my Android it appears better.

 

[chongnt]

Some highlighted facts:
"This change will not affect certificates issued from user-added or administrator-added Root CAs."

Also the slu errors could be coming from any device without a properly configured certificate as it is an indication of a connection refusal. Pixelserv tls will still behave in the same manner as 0.0.0.0 for these types of connection shuts.

I see. Probably it is working. I don't see the difference, not sure what to expect.

 

[SomeWhereOverTheRainBow]

I see. Probably it is working. I don't see the difference, not sure what to expect.

Well for me, on Android, I don't see ads being served on some of the apps that I normally do on just regular adguardhome. I don't know if it is because they have access to using the devices certificate store. Maybe. The only other difference I noticed is some of the query response times for AA which goes to pixelserv tls were noticeable (negligible) quicker. The overall question of added value would be, does it benefit the user to take on this approach.

 

[rlw6534]

Playing around with this today. Is it best to trust the certificate on clients (for best performance) or does it not matter at all?

 

[SomeWhereOverTheRainBow]

Playing around with this today. Is it best to trust the certificate on clients (for best performance) or does it not matter at all?

For the best performance benefits the answer to your question is yes, otherwise it will behave similar to the default 0.0.0.0 response. The overall intentions being that if a certificate is stored for a domain previously blocked, then the ad will be served quicker than just a 0.0.0.0 response.

 

[rlw6534]

For the best performance benefits the answer to your question is yes, otherwise it will behave similar to the default 0.0.0.0 response. The overall intentions being that if a certificate is stored for a domain previously blocked, then the ad will be served quicker than just a 0.0.0.0 response.

Thanks! I have not seen any certificate/trust errors while browsing (as with Diversion), so I was a bit confused. Actually, I still am TBH... Easy enough to trust the cert, though...

 

[SomeWhereOverTheRainBow]

F

Playing around with this today. Is it best to trust the certificate on clients (for best performance) or does it not matter at all?

From a performance stand point, one of the biggest user complaints I have seen about incorporation of pixelserv-tls is that it may actually block too much. This could be benefitial if users realize there are certain sites or ads not being blocked by adguardhome, but I am not sure all of it requires testing and verification.

 

[rlw6534]

I'm not sure Pixelserv-tls is working correctly for me. I have imported and trusted the cert and even rebooted the router and my MacBook. With Diversion "slh" normally increments with browsing. Are you seeing the same?

slh	0	# of accepted HTTPS requests
slm	6	# of rejected HTTPS requests (missing certificate)
sle	0	# of rejected HTTPS requests (certificate available but not usable)
slc	0	# of dropped HTTPS requests (client disconnect without sending any request)
slu	250	# of dropped HTTPS requests (other TLS handshake errors)

 

[SomeWhereOverTheRainBow]

I'm not sure Pixelserv-tls is working correctly for me. I have imported and trusted the cert and even rebooted the router and my MacBook. With Diversion "slh" normally increments with browsing. Are you seeing the same?

slh	0	# of accepted HTTPS requests
slm	6	# of rejected HTTPS requests (missing certificate)
sle	0	# of rejected HTTPS requests (certificate available but not usable)
slc	0	# of dropped HTTPS requests (client disconnect without sending any request)
slu	250	# of dropped HTTPS requests (other TLS handshake errors)

I will have to take a look at my stats serv when I get home. There may be some quirks that have to be remedied for Apple devices.

 

[rlw6534]

I will have to take a look at my stats serv when I get home. There may be some quirks that have to be remedied for Apple devices.

OK. The only glitch I had was the cert creation. I had to use the alternate method you provided.

 

[SomeWhereOverTheRainBow]

OK. The only glitch I had was the cert creation. I had to use the alternate method you provided.

It could even be an issue with that method. I may have to investigate alitte more.

 

[SomeWhereOverTheRainBow]

OK. The only glitch I had was the cert creation. I had to use the alternate method you provided.

Alternatively, users can install diversion which may make the cert differently, which I have not yet confirmed or denied. Pointing adguardhome at pixelservtls would be done the same way.

 

[rlw6534]

Alternatively, users can install diversion which may make the cert differently, which I have not yet confirmed or denied. Pointing adguardhome at pixelservtls would be done the same way.

Yes, it seems to work if I install Diversion and copy the certs, uninstall Diversion, reinstall pixelserv-tls and restore the certs generated by Diversion.

 

[SomeWhereOverTheRainBow]

Yes, it seems to work if I install Diversion and copy the certs, uninstall Diversion, reinstall pixelserv-tls and restore the certs generated by Diversion.

I figured it out, you have to use entwares openssl to generate the key. You remember that error, it is created from using the router stock openssl.

 

[rlw6534]

I figured it out, you have to use entwares openssl to generate the key. You remember that error, it is created from using the router stock openssl.

When I installed pixelserv-tls it also installed libopenssl and zlib. Shouldn't that have taken care of that?

 

[SomeWhereOverTheRainBow]

When I installed pixelserv-tls it also installed libopenssl and zlib. Shouldn't that have taken care of that?

no you need openssl-utils, I updated the installation instructions.

 

[SomeWhereOverTheRainBow]

I suspect I could not trust the certificate in my iphone. I try to change the day from 3650 to 365 but still see TLS handshake errors.

slu

22

# of dropped HTTPS requests (other TLS handshake errors)

About upcoming limits on trusted certificates - Apple Support

In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.

support.apple.com

Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.

support.apple.com

Referring to https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices, I do not have the option to turn on trust for Pixelserv CA.

I had to update the installation instructions if you redo the procedures for generating the certificate, it may fix this issue.

But first do

opkg install openssl-util

 

[unknownz]

I had to update the installation instructions if you redo the procedures for generating the certificate, it may fix this issue.

But first do

opkg install openssl-util

IIRC, when ca.crt is re-generated, the existing generated files in cache/pixelserv needs to be removed as well. So that would mean for a redo,
1. stop pixelserv
2. remove all files in cache/pixelserv
3. re-generate ca.crt
4. start pixelserv

 

[unknownz]

F
From a performance stand point, one of the biggest user complaints I have seen about incorporation of pixelserv-tls is that it may actually block too much. This could be benefitial if users realize there are certain sites or ads not being blocked by adguardhome, but I am not sure all of it requires testing and verification.

What I am doing so far is not to install ca.crt to any of the devices; it was something that I sort of "dreaded" in having to repeat for all the devices. Some devices, especially smart TV does not support installation of the certificate anyway.

In terms of browsing experience, have not noticed any significant differences. As for performance, this would be hard to quantify as it requires extensive testing and monitoring to a certain extent.

As an alternative, I'm just checking on the "Average processing time" stats in AGH and also "tav" and "tmx" in pixelserv servstats. This would likely be not 100% accurate