
pixelserv-tls's People

Contributors

h0tw1r3, hunterz, jackyaz, johnnilsson, jumpsmm7, justarchi, kilofoxtrotpapa, kvic-z


pixelserv-tls's Issues

deprecated openssl api usage

At the moment pixelserv-tls requires the old OpenSSL API. Will it be updated sometime?

For example: SSL_library_init, CRYPTO_THREADID etc.

Linux raspberry pi 5.15.32+ armv6l GNU/Linux pixelserv-tls Segment fault

Hey,

Awesome software. I did use it on my Tomato router; now I want to set this up on my Raspberry Pi Zero v1.3.
uname -a = Linux raspberrypi 5.15.32+ #1538 Thu Mar 31 19:37:58 BST 2022 armv6l GNU/Linux

What I did so far:

On my Raspberry PI Zero V1.3 I did the setup for Pixelserv-tls 2.4
sudo -i
cd /tmp
curl -O https://raw.githubusercontent.com/jumpsmm7/pixelserv-tls_2.4_armhf.deb/master/pixelserv-tls_2.4_armhf.deb
dpkg -i pixelserv-tls_2.4_armhf.deb

I did setup the certs with this tutorial:
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

I did change my Pi-hole to port 8080

I did set the DAEMON_ARGS="xxx.xxx.xxx.xxx. -z /var/cache/pixelserv" in /etc/default/pixelserv-tls

sudo systemctl enable pixelserv-tls
sudo service pixelserv-tls restart
systemctl status pixelserv-tls

pixelserv-tls.service - LSB: pixelserv-tls webserver for adblock
Loaded: loaded (/etc/init.d/pixelserv-tls; generated)
Active: active (exited) since Sun 2022-05-29 18:26:01 CEST; 40min ago
Docs: man:systemd-sysv-generator(8)
Process: 2487 ExecStart=/etc/init.d/pixelserv-tls start (code=exited, status=0/SUCCESS)
CPU: 116ms
May 29 18:26:01 raspberrypi systemd[1]: Starting LSB: pixelserv-tls webserver for adblock...
May 29 18:26:01 raspberrypi pixelserv-tls[2487]: Segmentation fault
May 29 18:26:01 raspberrypi systemd[1]: Started LSB: pixelserv-tls webserver for adblock.

https://xxx.xxx.xxx.xxx and http://xxx.xxx.xxx.xxx Connection refused

Pixelserv-tls 2.4 is not running :-(
pixelserv-tls -h Segmentation fault

Do I need a different build or is this a bug?

Does not compile on Debian Stretch with libssl-dev:amd64 1.1.0f-3+deb9u1 - WORKAROUND

Error message when compiling:

configure:3567: gcc -o conftest -g -O2   conftest.c -lssl  -lcrypto  >&5
/tmp/cccBprK6.o: In function `main':
/usr/local/apps/pixelserv/src-new/conftest.c:23: undefined reference to `SSL_library_init'
collect2: error: ld returned 1 exit status

Adjust configure.ac — replace "SSL_library_init" with "SSL_CTX_new":

...
AC_CHECK_LIB([ssl], [SSL_CTX_new], [],
        AC_MSG_FAILURE([can't find openssl ssl lib]))
...

As described here:

allinurl/goaccess#591
allinurl/goaccess#771
allinurl/goaccess@4152916

pixelserv-tls not intercepting

I have the following setup.

I have pixelserv-tls with Pi-hole (without web interface) and PiVPN installed on Debian Stretch 9, with all the clients connecting through the VPN.

Despite pixelserv-tls listening on ports 80 and 443, with the cert installed on Windows and Android devices and Pi-hole sending requests to 0.0.0.0, pixelserv-tls is not intercepting, resulting in page not found for ads. Does it have something to do with VPN settings or any other issue?

xxxx@xxxx:~$ sudo su
xxxx@xxxx:/home/xxxx# netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      2223/pihole-FTL     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2745/pixelserv-tls  
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2223/pihole-FTL     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      862/sshd            
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2745/pixelserv-tls  
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      604/openvpn         
tcp6       0      0 ::1:4711                :::*                    LISTEN      2223/pihole-FTL     
tcp6       0      0 :::53                   :::*                    LISTEN      2223/pihole-FTL     
tcp6       0      0 :::22                   :::*                    LISTEN      862/sshd 

setting in setupVars.conf

PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=tun0
PIHOLE_INTERFACE=tun1
IPV4_ADDRESS=0.0.0.0
IPV6_ADDRESS=0.0.0.0
PIHOLE_DNS_1=10.128.0.1
#PIHOLE_DNS_2=8.8.4.4
QUERY_LOGGING=true
INSTALL_WEB_SERVER=false
INSTALL_WEB_INTERFACE=false
LIGHTTPD_ENABLED=false
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=all

The following are the settings in pihole-FTL.conf

PRIVACYLEVEL=0
BLOCKINGMODE=IP-NODATA-AAAA

sample output from pihole -t

dnsmasq[2223]: query[A] ssl.google-analytics.com from 10.8.0.3
dnsmasq[2223]: /etc/pihole/gravity.list ssl.google-analytics.com is 0.0.0.0

The following is the screenshot of servstats

pixelserv

Thank you very much for your help

Failure on static build with Makefile (and Makefile-XC failure on any build)

Hello,

Env : Ubuntu 16.04.4 x86_64 with additional i386 standard libraries.

I'm trying to build an x86 static build, but the configure command fails on the static part.

I can compile correctly with one of those commands followed by a make

x64 : ./configure
x86 : ./configure CFLAGS="-m32" CXXFLAGS="-m32" LDFLAGS="-m32"

But if I try a static link :
./configure CFLAGS="-m32" CXXFLAGS="-m32" LDFLAGS="-m32 -static"
(also tried with LDFLAGS="-m32 -ldl -static", same thing)

I'm getting this error :
(warning, it's really the 2.1.0 version used despite confdefs stating it's the 2.0.0 )

configure:3308: checking for style of include used by make
configure:3336: result: GNU
configure:3362: checking dependency style of gcc
configure:3473: result: gcc3
configure:3492: checking for EVP_EncryptInit in -lcrypto
configure:3517: gcc -o conftest -m32  -m32 -ldl -static conftest.c -lcrypto   >&5
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
(.text+0xa): undefined reference to `dlopen'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
(.text+0x20): undefined reference to `dlsym'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
(.text+0x2a): undefined reference to `dlclose'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
(.text+0x32d): undefined reference to `dlsym'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
(.text+0x3ad): undefined reference to `dlerror'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
(.text+0x42d): undefined reference to `dlsym'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
(.text+0x4ad): undefined reference to `dlerror'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
(.text+0x518): undefined reference to `dlopen'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
(.text+0x575): undefined reference to `dlclose'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
(.text+0x5ae): undefined reference to `dlerror'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
(.text+0x641): undefined reference to `dladdr'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
(.text+0x6a1): undefined reference to `dlerror'
/usr/lib/gcc/x86_64-linux-gnu/5/../../../i386-linux-gnu/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
(.text+0x70b): undefined reference to `dlclose'
collect2: error: ld returned 1 exit status
configure:3517: $? = 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "pixelserv-tls"
| #define PACKAGE_TARNAME "pixelserv-tls"
| #define PACKAGE_VERSION "2.0.0"
| #define PACKAGE_STRING "pixelserv-tls 2.0.0"
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE_URL ""
| #define PACKAGE "pixelserv-tls"
| #define VERSION "2.0.0"
| /* end confdefs.h.  */

When cleaning everything and using the XC makefile, the first binary also fails (dynamic + debug on), be it on x86 or amd64 flavor:

 make -f Makefile-XC x86
 make -f Makefile-XC amd64

Same error as with the static build.
The 2.0.1 version was building fine using the Makefile-XC. I've just tried it again and it worked fine.

For the record :

$ ll openssl/amd64/
total 12
./
../
.gitignore
libcrypto.a -> /usr/lib/x86_64-linux-gnu/libcrypto.a
libssl.a -> /usr/lib/x86_64-linux-gnu/libssl.a

$ ll openssl/i386/
total 12
./
../
.gitignore
libcrypto.a -> /usr/lib/i386-linux-gnu/libcrypto.a
libssl.a -> /usr/lib/i386-linux-gnu/libssl.a

Tried to add a libdl.a symlink into both, same.

idea: json interface

hey @kvic-z

Is it possible to add a JSON interface to pull stats, instead of the webpage that increments every time I visit it? I would love this for pulling metrics without adding to the stats.

Use 2048-bit RSA key to make pixelserv-tls work on Debian 10 "Buster"

I recently upgraded to Debian 10 "Buster" and pixelserv-tls wouldn't work anymore.

The cryptic error messages in the log (debug level 4) read:

create_child_sslctx: cannot find or use $CERTDIR/_.google-analytics.com
tls_clienthello_cb: fail to create sslctx or cache _.google-analytics.com

After hacking around in cert.c and making the real SSL error messages appear if SSL_CTX_use_certificate_file or SSL_CTX_use_PrivateKey_file failed ...

...
    if(!SSL_CTX_use_certificate_file(sslctx, full_pem_path, SSL_FILETYPE_PEM)) {
        log_msg(LGG_ERR, "%s: SSL_CTX_use_certificate_file error for file %s with error %s\n", __FUNCTION__, full_pem_path, ERR_error_string( ERR_get_error(), NULL ));
    }
    if(!SSL_CTX_use_PrivateKey_file(sslctx, full_pem_path, SSL_FILETYPE_PEM)) {
        log_msg(LGG_ERR, "%s: SSL_CTX_use_PrivateKey_file error for file %s with error %s\n", __FUNCTION__, full_pem_path, ERR_error_string( ERR_get_error(), NULL ));
    }
...

I received the following error:

routines:SSL_CTX_use_certificate:ee key too small

which led me to improve my ca.key generation line in my setup script to

openssl genrsa -out $CERTDIR/ca.key 2048

Unfortunately, the error wouldn't go away. I then realized that the key length is also hardcoded in cert.c:

...
if (RSA_generate_key_ex(rsa, 1024, e, NULL) < 0)
...

Once I changed this to 2048, everything is working fine again.

Thanks for patching

Crash on request to `https://localhost`

If I run pixelserv-tls with the following command, sudo -u root pixelserv-tls -z /var/cache/pixelserv -l 5 -f, it crashes on a request to https://localhost with the following message:

pixelserv-tls[7413]: pixelserv-tls: v2.0.1 compiled: Jan 20 2018 00:17:28 options: -z /var/cache/pixelserv -l 5 -f
pixelserv-tls[7413]: Listening on :*:80
pixelserv-tls[7413]: Listening on :*:443
zsh: segmentation fault  sudo -u root pixelserv-tls -z /var/cache/pixelserv -l 5 -f

segfault at 18 error 4 in libpthread-2.30.so

Today I moved my pixelserv-tls instance 2.2.1 from a Debian server to another Debian server running (Linux MYSERVER 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux). Shortly after the switch syslog started to fill with segfaults like the one below, occurring every few minutes:

[ 8314.171749] pixelserv-tls[30124]: segfault at 18 ip 00007fb9b65840a0 sp 00007fb9b691be28 error 4 in libpthread-2.30.so[7fb9b657d000+f000]
[ 8314.171757] Code: 87 28 fe ff ff 4c 89 e0 48 d3 e0 a9 81 08 00 00 0f 84 17 fe ff ff e9 61 ff ff ff 8b 07 83 c8 02 83 f8 03 74 f6 e9 87 fd ff ff <8b> 57 18 64 8b 04 25 d0 02 00 00 39 c2 0f 84 7d 00 00 00 41 57 41

I first updated to 2.3.1 to make sure this bug wasn't already fixed in a newer version. But the crashes continued to happen.

I use monit to detect pixelserv-tls crashing, so it got restarted automatically every time this happened. I set this up as a precaution because less mature versions of pixelserv-tls used to crash a lot, or even though the process was running, no requests were served anymore.

I then used strace to debug a running process right before the crash:

# strace -p 2566
strace: Process 2566 attached
select(8, [4 6 7], NULL, NULL, NULL)    = 1 (in [6])
accept(6, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("10.1.2.3")}, [128->16]) = 9
fcntl(9, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(9, F_SETFL, O_RDWR)               = 0
setsockopt(9, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(9, SOL_SOCKET, SO_RCVTIMEO, "\0\0\0\0\0\0\0\0\360I\2\0\0\0\0\0", 16) = 0
getsockname(9, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.1.2.3")}, [128->16]) = 0
brk(0x55f90db97000)                     = 0x55f90db97000
read(9, "\26\3\1\1t", 5)                = 5
read(9, "\1\0\1p\3\3\4\374:\312\221D\0370F\300\3011\212\273\323\266=S\217\372g2\251\20gx"..., 372) = 372
stat("/usr/local/bin/pixelserv/certs/10.1.2.3", 0x7ffd3176c350) = -1 ENOENT (No such file or directory)
getpid()                                = 2566
sendto(3, "<28>Apr 12 15:34:28 pixelserv-tl"..., 68, MSG_NOSIGNAL, NULL, 0) = 68
openat(AT_FDCWD, "/tmp/pixelcerts", O_WRONLY) = 10
write(10, "10.1.2.3:", 10)             = 10
close(10)                               = 0
write(9, "\25\3\3\0\2\2P", 7)           = 7
getpid()                                = 2566
sendto(3, "<28>Apr 12 15:34:28 pixelserv-tl"..., 129, MSG_NOSIGNAL, NULL, 0) = 129
shutdown(9, SHUT_RDWR)                  = 0
close(9)                                = 0
select(8, [4 6 7], NULL, NULL, NULL)    = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=2614, si_uid=0} ---
rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=[TERM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f8396faa7e0}, {sa_handler=0x55f90d07c9b0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f8397156110}, 8) = 0
madvise(0x55f90db77000, 77824, MADV_DONTNEED) = 0
brk(0x55f90db8d000)                     = 0x55f90db8d000
getpid()                                = 2566
sendto(3, "<26>Apr 12 15:34:28 pixelserv-tl"..., 401, MSG_NOSIGNAL, NULL, 0) = 401
openat(AT_FDCWD, "/usr/local/bin/pixelserv/certs/prefetch", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 9
fstat(9, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(9, "_.adnxs.com\t0\n_.appsflyer.com\t0\n"..., 322) = 322
close(9)                                = 0
+++ killed by SIGSEGV +++

I also increased the debug level to 5:

Apr 12 15:41:30 ELK pixelserv-tls[3075]: 10.1.2.3 10.1.2.3 missing
Apr 12 15:41:30 ELK pixelserv-tls[3075]: handshake failed: client 10.1.2.3:49404 server 10.1.2.3. Lib(20) Func(521) Reason(234)

Why is pixelserv-tls receiving requests from the same host? This is when it dawned on me that my monit HTTPS check running on the same machine actually might cause the issue:

check host pixelserv-tls with address 10.1.2.3
    start program = "/usr/local/bin/pixelserv/start.sh"
    stop program = "/usr/bin/killall pixelserv-tls"
    alert [email protected] on {timeout,connection}
    if failed port 443 protocol https status 200 for 3 cycles then restart

(I am running monit 1:5.26.0-4).

Preliminary conclusion: The way monit's HTTPS requests are formed makes pixelserv-tls segfault.

I have now changed the monit configuration to the following, and no segfaults have happened so far:

check host pixelserv-tls with address 10.1.2.3
    start program = "/usr/local/bin/pixelserv/start.sh"
    stop program = "/usr/bin/killall pixelserv-tls"
    alert [email protected] on {timeout,connection}
    if failed port 80 protocol http request "/servstats" with content == 'unknown reason' for 3 cycles then restart
    if failed port 443 protocol https with http headers [Host: www.any-known-sinkholed-domain.tld] status 200 for 3 cycles then restart
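
The TLS bytes visible in the strace output of this issue can be decoded directly. The following is an added example, not part of the original issue or of pixelserv-tls: it parses the record header, the handshake header and the plaintext alert from exactly those bytes, and the struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What can be learned from the first bytes of one TLS record. */
struct tls_peek {
    uint8_t  content_type;    /* 21 = alert, 22 = handshake */
    uint16_t record_version;  /* e.g. 0x0301 */
    uint16_t record_len;      /* bytes following the 5-byte header */
    int      has_handshake;   /* handshake header was decoded */
    uint8_t  hs_type;         /* 1 = ClientHello */
    uint32_t hs_len;          /* 24-bit handshake body length */
    uint16_t hs_version;      /* ClientHello legacy_version, 0 if unseen */
    int      has_alert;       /* plaintext alert was decoded */
    uint8_t  alert_level;     /* 1 = warning, 2 = fatal */
    uint8_t  alert_desc;      /* AlertDescription code */
};

/* Bytes copied from the strace lines in the post, octal escapes converted
 * to hex. Only the first 6 bytes of the 372-byte read are needed here. */
const uint8_t STRACE_CLIENT_READ[] = {
    0x16, 0x03, 0x01, 0x01, 0x74,        /* read(9, "\26\3\1\1t", 5) */
    0x01, 0x00, 0x01, 0x70, 0x03, 0x03   /* start of the 372-byte read */
};
const uint8_t STRACE_SERVER_WRITE[] = {
    0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x50  /* write(9, "\25\3\3\0\2\2P", 7) */
};

/* Names for a few standard AlertDescription codes. */
const char *tls_alert_name(uint8_t desc)
{
    switch (desc) {
    case 0:   return "close_notify";
    case 10:  return "unexpected_message";
    case 40:  return "handshake_failure";
    case 46:  return "certificate_unknown";
    case 48:  return "unknown_ca";
    case 70:  return "protocol_version";
    case 80:  return "internal_error";
    case 112: return "unrecognized_name";
    default:  return "unlisted";
    }
}

/* Returns 0 on success, -1 on a truncated header or NULL argument,
 * -2 when the first byte is not a TLS record content type (20..24). */
int tls_peek_parse(const uint8_t *buf, size_t len, struct tls_peek *out)
{
    const uint8_t *body;
    size_t avail;

    if (buf == NULL || out == NULL || len < 5)
        return -1;
    memset(out, 0, sizeof *out);
    if (buf[0] < 20 || buf[0] > 24)
        return -2;
    out->content_type   = buf[0];
    out->record_version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->record_len     = (uint16_t)((buf[3] << 8) | buf[4]);

    body  = buf + 5;
    avail = len - 5;
    if (avail > out->record_len)
        avail = out->record_len;          /* never read past this record */

    if (out->content_type == 22 && avail >= 4) {
        out->has_handshake = 1;
        out->hs_type = body[0];
        out->hs_len  = ((uint32_t)body[1] << 16) | ((uint32_t)body[2] << 8) | body[3];
        if (out->hs_type == 1 && avail >= 6)
            out->hs_version = (uint16_t)((body[4] << 8) | body[5]);
    } else if (out->content_type == 21 && out->record_len == 2 && avail == 2) {
        out->has_alert   = 1;             /* 2-byte body: unencrypted alert */
        out->alert_level = body[0];
        out->alert_desc  = body[1];
    }
    return 0;
}

/* 1 when a single handshake message fills the record exactly. */
int tls_peek_one_message(const struct tls_peek *p)
{
    return p->has_handshake && p->hs_len + 4u == p->record_len;
}

int main(void)
{
    struct tls_peek p;

    if (tls_peek_parse(STRACE_CLIENT_READ, sizeof STRACE_CLIENT_READ, &p) == 0)
        printf("client: type=%u rec_len=%u hs_type=%u hs_len=%u ver=0x%04x\n",
               (unsigned)p.content_type, (unsigned)p.record_len,
               (unsigned)p.hs_type, (unsigned)p.hs_len, (unsigned)p.hs_version);
    if (tls_peek_parse(STRACE_SERVER_WRITE, sizeof STRACE_SERVER_WRITE, &p) == 0
        && p.has_alert)
        printf("server: alert level=%u desc=%u (%s)\n", (unsigned)p.alert_level,
               (unsigned)p.alert_desc, tls_alert_name(p.alert_desc));
    return 0;
}
```

The decoded values show a single ClientHello filling a 372-byte record, answered by a fatal alert with description 80 before the connection is shut down.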

Compiling issues in homebrew/macos

Some problems I've come across, and a brief mention of how I've worked around them so far. The result is a binary that runs, but incorrectly. pixelserv-tls will run and the web UI is responsive, but crashes upon any external connection with abort trap: 6 (SIGABRT as I understand it).

ISSUE 1
Error: <linux/version.h> in pixelserv.c and util.h
(Removed with no replacement.)

ISSUE 2
Error: <malloc.h> in pixelserv.c and certs.c
(Changed to <malloc/malloc.h> - seems to be just a minor change to fix.)

ISSUE 3
Error: Incompatible SOL_TCP in pixelserv.c
(Change to IPPROTO_TCP)

ISSUE 4
Error: Incompatible KERNEL_VERSION() in pixelserv.c and util.h
(Removed with no replacement)

ISSUE 5
Error: Incompatible SO_BINDTODEVICE in pixelserv.c
(Change to IP_RECVIF)

ISSUE 6
Error: Incompatible MSG_NOSIGNAL in socket_handler.c
(Change to 0)

ISSUE 7
Error: Incompatible --gc-sections in Makefile.in
(Change to -dead_strip)

HTML Status Page

When I installed Diversion and enabled Pixelserv-TLS to run along with it, I was able to view the /servstats page. But after a few days this page stopped working for me.
Can't load any page /servstats or /servstats.txt.

Also, would be nice to have some web GUI like PiHole does, with a few infos about the "performance" of the Blocker and some basic configuration.

handshake failed Lib(20) Func(316) Reason(397)

I just double checked my log and I see a lot of messages like:

handshake failed: client XXX.XXX.XXX.XXX:51408 server tt.onthe.io. Lib(20) Func(316) Reason(397)

and other servers. What does this really mean - is there an issue I could fix?

Segmentation fault

root@net:~# cd /tmp
root@net:/tmp# curl -O https://raw.githubusercontent.com/jumpsmm7/pixelserv-tls_2.4_armhf.deb/master/pixelserv-tls_2.4_armhf.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 39004  100 39004    0     0   135k      0 --:--:-- --:--:-- --:--:--  135k
root@net:/tmp# dpkg -i pixelserv-tls_2.4_armhf.deb
Selecting previously unselected package pixelserv-tls.
(Reading database ... 100768 files and directories currently installed.)
Preparing to unpack pixelserv-tls_2.4_armhf.deb ...
Unpacking pixelserv-tls (2.4) ...
Setting up pixelserv-tls (2.4) ...
--------------------------------------------------------------------
Remember to copy "ca.crt" and "ca.key" into /var/cache/pixelserv and then run:
  systemctl enable pixelserv-tls
  service pixelserv-tls restart

To check the status of pixelsev-tls
  systemctl status pixelserv-tls

To generate "ca.crt" and "ca.key," follow this guide:
  https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

pixelserv-tls binds to all interfaces by default. Specify an IPv4 or
an interface as argument in "/etc/default/pixelserv" to override this.

pixelserv-tls requires port 80 and 443 or it fails to start.
PORT 80 AND 443 Should be available on whatever interface or IP you choose.

Bind pixelserv-tls to one interface

By default pixelserv-tls binds to all interfaces. To change this behaviour, specify an IP address that pixelserv-tls shall only listen. Edit /etc/default/pixelserv-tls:

# Configuration file for pixelserv-tls

# Options to pass to pixelserv-tls:
DAEMON_ARGS="192.168.1.10 -z /var/cache/pixelserv"

Restart pixelserv-tls to take effect:

$ systemctl enable pixelserv-tls
$ service pixelserv-tls restart

Generate the CA certificate
$ cd /var/cache/pixelserv
$ openssl genrsa -out ca.key 2048
$ openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

or for less taxing CA certificate

$ cd /var/cache/pixelserv
$ openssl genrsa -out ca.key 1024
$ openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

Uninstall

To completely remove pixelserv-tls:
$ sudo -i
$ systemctl disable pixelserv-tls
$ service pixelserv-tls stop
$ dpkg --purge pixelserv-tls
$ rm -rf /var/cache/pixelserv
--------------------------------------------------------------------
Processing triggers for man-db (2.9.4-2) ...
root@net:/tmp# pixelserv-tls 0.0.0.0
root@net:/tmp# service pixelserv-tls status
● pixelserv-tls.service - LSB: pixelserv-tls webserver for adblock
     Loaded: loaded (/etc/init.d/pixelserv-tls; generated)
     Active: active (exited) since Thu 2022-01-13 18:44:29 GMT; 1min 30s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 3197 ExecStart=/etc/init.d/pixelserv-tls start (code=exited, status=0/SUCCESS)
        CPU: 129ms

Jan 13 18:44:29 net.guard systemd[1]: Starting LSB: pixelserv-tls webserver for adblock...
Jan 13 18:44:29 net.guard pixelserv-tls[3203]: pixelserv-tls 2.4 (compiled: Aug  5 2021 21:51:32 flags: tfo tls1_3) options: -z /var/cache/pix>
Jan 13 18:44:29 net.guard pixelserv-tls[3203]: cert_tlstor_init: failed to load ca.crt
Jan 13 18:44:29 net.guard pixelserv-tls[3203]: cert_tlstor_init: failed to load ca.key
Jan 13 18:44:29 net.guard systemd[1]: Started LSB: pixelserv-tls webserver for adblock.
root@net:/var/cache/pixelserv# pixelserv-tls --help
pixelserv-tls 2.4 (compiled: Aug  5 2021 21:51:29 flags: tfo tls1_3)
Usage: pixelserv-tls [OPTION]
options:
        ip_addr/hostname        (default: 0.0.0.0)
        -2                      (disable HTTP 204 reply to generate_204 URLs)
        -A  ADMIN_PORT          (HTTPS only. Default is none)
        -B  [CERT_FILE]         (Benchmark crypto and disk then quit)
        -c  CERT_CACHE_SIZE     (default: 500)
        -f                      (stay in foreground/don't daemonize)
        -k  HTTPS_PORT          (default: 443)
        -l  LEVEL               (0:critical 1:error<default> 2:warning 3:notice 4:info 5:debug)
        -n  IFACE               (default: all interfaces)
        -o  SELECT_TIMEOUT      (deprecated; will be removed in a future version)
        -O  KEEPALIVE_TIME      (for HTTP/1.1 connections; default: 120s)
        -p  HTTP_PORT           (default: 80)
        -R                      (enable redirect to encoded path in URLs)
        -s  STATS_HTML_URL      (default: /servstats)
        -t  STATS_TXT_URL       (default: /servstats.txt)
        -T  MAX_THREADS         (default: 1200)
        -u  USER                (default: "nobody")
        -z  CERT_PATH           (default: /var/cache/pixelserv)

root@net:/tmp# pixelserv-tls -f
Segmentation fault

Feature Request

Hi!

Is it possible to add a switch which disables the entire logging and statistic website?

IPv6 support

pixelserv-tls won't bind to an IPv6 socket. If started with default options, netstat reveals that it's only listening for IPv4 connections. The same behavior occurs if started with the hostname of the device running pixelserv-tls, which has a valid IPv6 address and connectivity. The same also happens if told to listen on an interface that has both IPv4 and IPv6 addresses. If passed an IPv6 address, it exits with "getaddrinfo: Address family for hostname not supported".

I'm running on a router running DD-WRT. Otherwise pixelserv is working great, but since my network is dual IPv4/IPv6, any domains that resolve to an IPv6 address aren't getting processed by pixelserv. IPv6 configuration seems to be correct, all other services are running fine, and pinging IPv6 addresses from the router works fine.

App Crash

I'm running the App on Ubuntu x64 Server and for some unknown reason it crashes after a few minutes. Is there a way to create debug or crash files and send them to you?
You can also contact me by mail if you are interested.

Custom CA from Active Directory

Hi there,

I have an Active Directory infrastructure with an AD Certificate Services running. Is it possible to make pixelserv-tls issue certificates for the client machines based on my own Root CA, so all generated client certificates would be automatically trusted?

I'm using pixelserv-tls on Docker. If I take my root CA and key and use them on the pixelserv-tls Docker volume, and start the Docker container using host network, it "kinda" works. But if I use Docker port forwarding it doesn't work because the IP address on the container is different from my network range.

P.S: I've created my root CA with SAN specifying my private network range and local domain.

So, is it possible to generate client certificates from a root CA while specifying SAN subjects?

For example, my RequestPolicy.inf which I use to generate my Root CA has:

2.5.29.17 = "{text}"
continue = "dns=*.mydomain.local&"
continue = "url=https://pihole.mydomain-slz.local&"
continue = "ipaddress=172.0.0.0&"
continue = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"

which is the same as using this in an openssl.cnf file:
[alt_names]
DNS.1 = *.mydomain.local
URL.1 = https://pihole.mydomain-slz.local
IP.2 = 172.0.0.0/8

ipks for 2.3.1

hi, can you provide me with the ipks so I can add to my fork as a short-term fix for asuswrt users to auto update please?

Version naming scheme change necessary

The Entware package manager understandably does not see v2.0.1 as a newer version than v35.HZ12.Kk.
Hence, opkg will not update it to the latest version.

downloadable android binary

Please provide a downloadable Android binary.

Android supports ad blocking, and I figured out that pixelserv-tls is low in CPU and memory footprint.

Certificate generation issue

The certificate creation for "double name" TLDs is not working at all.
Test it with bad-address.co.uk or bad-address.co.za

None of these "double name" TLDs are able to generate a valid certificate. The Cert issuer is either '*.co.uk' or '*.co.za', which will be rejected by the browser.

I already sent a mail with screenshots to Steven.
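
The names reported in this issue are what a rule of "replace the leftmost label with a wildcard" produces for hosts directly under a multi-label suffix. The following is an added example, not pixelserv-tls code: the strip-first-label rule is assumed for illustration rather than taken from the project's source, the function names are hypothetical, and the suffix list is a small constructed subset standing in for the full Public Suffix List.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of multi-label public suffixes, for illustration only.
 * A real check would load the full Public Suffix List. */
static const char *const MULTI_LABEL_SUFFIXES[] = {
    "co.uk", "org.uk", "ac.uk", "co.za", "org.za", "com.au", "co.jp", NULL
};

/* ASCII case-insensitive string equality. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/* 1 if `domain` is a bare TLD or one of the listed multi-label suffixes. */
int is_public_suffix(const char *domain)
{
    size_t i;

    if (strchr(domain, '.') == NULL)
        return 1;
    for (i = 0; MULTI_LABEL_SUFFIXES[i] != NULL; i++)
        if (eq_nocase(domain, MULTI_LABEL_SUFFIXES[i]))
            return 1;
    return 0;
}

/* Write either the host itself or "*" followed by the text from the first
 * dot on. Returns 1 for a wildcard, 0 for the exact host, -1 if `out` is
 * too small. */
static int emit(const char *host, const char *dot, int wildcard,
                char *out, size_t outlen)
{
    int n = wildcard ? snprintf(out, outlen, "*%s", dot)
                     : snprintf(out, outlen, "%s", host);

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return wildcard;
}

/* Assumed naive rule: always replace the leftmost label with "*". */
int naive_cert_name(const char *host, char *out, size_t outlen)
{
    const char *dot = strchr(host, '.');
    int can_strip = dot != NULL && dot != host && dot[1] != '\0';

    return emit(host, dot, can_strip, out, outlen);
}

/* Guarded rule: use the exact host name whenever the wildcard would sit
 * directly under a public suffix (for example "*.co.uk" or "*.com"). */
int guarded_cert_name(const char *host, char *out, size_t outlen)
{
    const char *dot = strchr(host, '.');
    int can_strip = dot != NULL && dot != host && dot[1] != '\0';

    return emit(host, dot, can_strip && !is_public_suffix(dot + 1), out, outlen);
}

int main(void)
{
    /* Host names from this page plus constructed variants. */
    static const char *const hosts[] = {
        "ssl.google-analytics.com", "bad-address.co.uk", "bad-address.co.za",
        "ads.bad-address.co.uk", "example.com", "localhost"
    };
    char naive[256], guarded[256];
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        if (naive_cert_name(hosts[i], naive, sizeof naive) < 0 ||
            guarded_cert_name(hosts[i], guarded, sizeof guarded) < 0)
            continue;
        printf("%-26s naive=%-24s guarded=%s\n", hosts[i], naive, guarded);
    }
    return 0;
}
```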

static build : undefined reference to pthread_rwlock_init

This one happens only on Ubuntu 18.04, with pixelserv-tls from v2.1.2 to v2.2.0 when building a static linked binary.
No errors with p-tls 2.1.0.

This set of commands will result in the undefined reference to pthread... compilation error, and only on Ubuntu 18.04

./configure --enable-static
make

The error log :

/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_lock_new':
(.text+0x25): undefined reference to `pthread_rwlock_init'
/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_read_lock':
(.text+0x55): undefined reference to `pthread_rwlock_rdlock'
/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_write_lock':
(.text+0x75): undefined reference to `pthread_rwlock_wrlock'
/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_unlock':
(.text+0x95): undefined reference to `pthread_rwlock_unlock'
/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/libcrypto.a(threads_pthread.o): In function `CRYPTO_THREAD_lock_free':
(.text+0xba): undefined reference to `pthread_rwlock_destroy'
collect2: error: ld returned 1 exit status
Makefile:412: recipe for target 'pixelserv-tls' failed
make[1]: *** [pixelserv-tls] Error 1

When using the -lpthread setting in the configure command, the binary will be built without problem :

./configure --enable-static LIBS="-lpthread"
make

(or ./configure --enable-static LIBS="-lpthread" CFLAGS="-m32" CXXFLAGS="-m32" LDFLAGS="-m32" for the x86 binary build)

Strange one, as this error doesn't happen on Ubuntu 16.04.

Compile on Ubuntu

For some reason it's not possible to run it on Ubuntu 18.
I can compile it but it won't run.

Anyone else with this problem???

FEATURE REQUEST - Block page

Hello,

It would be nice to be able to enable a block page, as opposed to only one pixel blank page (like in the AdAway Android app).

screenshot2 screenshot3

Thank you in advance

chown failed to set owner

$ pixelserv-tls 127.0.0.2 -fl -z /var/cache/pixelserv
pixelserv-tls[11028]: pixelserv-tls 2.1.2 (compiled: Sep  7 2018 01:47:55 flags: tfo) options: 127.0.0.2 -fl -z /var/cache/pixelserv
pixelserv-tls[11028]: chown failed to set owner of /tmp/pixelcerts to nobody

$ ls /tmp/pixelcerts
prw------- 1 user user 0 Sep  7 11:12 /tmp/pixelcerts

Manually changing file ownership doesn't help. I'm using archlinuxarm.

compiling in ubuntu

What do I have to change to get it to compile on Ubuntu 16?
Currently I'm using nginx serving a 1px gif, but it doesn't work for TLS connections.

SSL Cache / Tls Session Tickets botching TLS Forward Secrecy?

Is SSL caching anything like TLS session ticketing in pixelserv-tls? What is the difference? Enabling session tickets we effectively lose forward secrecy; an integral part of securing TLS. If the router is compromised, can this cache be used to decipher users' encrypted sessions? If so this could potentially make routers using pixelserv-tls targets for ransom. These are issues that should be emphasized if these features are offered, and it would be useful to have options to disable TLS session tickets, allow storage only in volatile memory, as well as purge rotation periods. Many users including myself prefer security over speed.

#1 ssllabs/ssllabs-scan#367

As explained in the second link below,

"To support session resumption via session IDs the server must maintain a cache that maps past session IDs to those sessions’ secret states. The cache itself is the main weak spot, stealing the cache contents allows to decrypt all sessions whose session IDs are contained in it."

"The forward secrecy of a connection is thus bounded by how long the session information is retained on the server. Ideally, your server would use a medium-sized cache that is purged daily. Purging your cache might however not help if the cache itself lives on a persistent storage as it might be feasible to restore deleted data from it. An in-memory storage should be more resistant to these kind of attacks if it turns over about once a day and ensures old data is overridden properly."

#2 https://timtaubert.de/blog/2014/11/...-side-tls-session-resumption-implementations/

Is it possible to disable SSL cache & TLS session ticketing in pixelserv-tls?

and

Is it possible to implement a feature in pixelserv-tls to disable TLS session tickets globally; that would benefit an entire network enforcing strict forward secrecy globally? I'm searching for a solution for Chrome but I cannot find any means of disabling them; as https://www.ssllabs.com/ssltest/viewMyClient.html demonstrates.

Logged messages have hardcoded UTC times reference

See the timestamps here below:

Sep 20 16:49:40 nl5212bw23 kern.warn kernel: DROP IN=vlan2 OUT= .......
Sep 20 14:50:08 nl5212bw23 daemon.debug pixelserv-tls[19191]: read_tls_early_data error: 5 count: 0
Sep 20 14:50:08 nl5212bw23 daemon.warn pixelserv-tls[19191]: handshake failed: shutdown after ServerHello. .......
Sep 20 16:50:36 nl5212bw23 kern.warn kernel: DROP IN=vlan2 OUT= .......

It appears like pixelserv assumes to always be in GMT where in the case above it's UTC+2.
Looks like a little bug to me.

Thanks
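How one host can produce both timestamp styles seen in that log, as an added example that is not pixelserv-tls code and does not claim to identify the cause in the daemon. The epoch value (with the year 2018) and the zone string `CEST-2` are constructed to match the 14:50:08 / UTC+2 lines above; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed sample: 20 Sep 2018 14:50:08 UTC (the year is an assumption,
 * classic syslog stamps carry none). */
#define SAMPLE_EPOCH ((time_t)1537455008)

/* Select the zone this process formats times in. POSIX TZ strings invert
 * the sign: "CEST-2" means local time is UTC+2. */
static void use_zone(const char *tz)
{
    setenv("TZ", tz, 1);
    tzset();
}

/* Classic syslog stamp. use_local = 0 takes the fields from UTC and
 * reproduces the two-hour skew against the kernel lines. */
static const char *stamp_syslog(time_t t, int use_local, char *buf, size_t n)
{
    struct tm tm;
    if ((use_local ? localtime_r(&t, &tm) : gmtime_r(&t, &tm)) == NULL)
        return NULL;
    return strftime(buf, n, "%b %d %H:%M:%S", &tm) ? buf : NULL;
}

/* ISO 8601 stamp with numeric offset: still unambiguous when a daemon's
 * zone differs from the rest of the host, which keeps correlation exact. */
static const char *stamp_iso(time_t t, char *buf, size_t n)
{
    struct tm tm;
    if (localtime_r(&t, &tm) == NULL)
        return NULL;
    return strftime(buf, n, "%Y-%m-%dT%H:%M:%S%z", &tm) ? buf : NULL;
}

int main(void)
{
    char a[32], b[32], c[40];
    use_zone("CEST-2");
    printf("local : %s\n", stamp_syslog(SAMPLE_EPOCH, 1, a, sizeof a));
    printf("utc   : %s\n", stamp_syslog(SAMPLE_EPOCH, 0, b, sizeof b));
    printf("iso   : %s\n", stamp_iso(SAMPLE_EPOCH, c, sizeof c));
    return 0;
}
```

A process started without the host's zone in its environment behaves like `use_zone("UTC0")`: even its local-time stamps come out in UTC.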

Crash by a Client Known with User-Agent Avira

Client

Unsure but with User-Agent known as 'Avira'.

Symptom

pixelserv-tls v2.0.1-rc2 crashes when the client tries to POST contents.

The request that caused crash

'POST /engage/ HTTP/1.1
Host: api.mixpanel.com
User-Agent: Avira
Accept: */*
Content-Length:2130
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

'
socket:22 host:api.mixpanel.com
method: 'POST'
Segmentation fault

Not serving ca.crt

Pixelserv is not serving ca.crt (screenshot attached).

I am using pixelserv in a Docker container on Ubuntu on a Google Cloud instance and followed all the steps. It is serving servstats, though.

Not serving ca.crt

I have pixelserv-tls installed along with AB-Solution on my Asus router. For some unknown reason going to http://<pixelserv ip>/ca.crt returns an empty page with 0 bytes. I was expecting it to start downloading the certificate.
Requesting servstats or servstats.txt works with no issue.

I've checked the startup script and it doesn't change the certificate directory (no -z used).

The version of pixelserv is pixelserv-tls: v2.0.1 compiled: Jan 15 2018 17:39:33.

What could be the issue?

Install on Debian 9

Does anyone know how to install pixelserv on Debian 9/10? I couldn't find instructions for this anywhere. Also, I'm interested in whether there is an option to make a whitelist/blacklist and add custom ad lists to pixelserv. And how do I make it work if I already have Pi-hole/AdGuard? Is it possible to make pixelserv work on port 53?

WEBGUI cert script error

After many successful uses of your great script, the last couple have resulted in an error of:

-sh: $: not found

I'm still able to establish a secure connection to router.asus.com, however, but I still wonder why.

Thanks!

Installing on debian setup

Failed to restart pixelserv-tls.service: Unit pixelserv-tls.service not found.

root@raspberrypi:~# git clone https://github.com/kvic-z/pixelserv-tls
Cloning into 'pixelserv-tls'...
remote: Enumerating objects: 1097, done.
remote: Total 1097 (delta 0), reused 0 (delta 0), pack-reused 1097
Receiving objects: 100% (1097/1097), 505.03 KiB | 3.53 MiB/s, done.
Resolving deltas: 100% (744/744), done.
root@raspberrypi:~# cd pixelserv-tls
root@raspberrypi:~/pixelserv-tls# autoreconf -i
configure.ac:4: installing './compile'
configure.ac:3: installing './config.guess'
configure.ac:3: installing './config.sub'
configure.ac:2: installing './install-sh'
configure.ac:2: installing './missing'
Makefile.am: installing './depcomp'
root@raspberrypi:~/pixelserv-tls# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... armv7l-unknown-linux-gnueabihf
checking host system type... armv7l-unknown-linux-gnueabihf
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking for dlopen in -ldl... yes
checking for clock_gettime in -lrt... yes
checking for main in -lpthread... yes
checking for EVP_EncryptInit in -lcrypto... yes
checking for SSL_CTX_new in -lssl... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
root@raspberrypi:~/pixelserv-tls# make
make all-am
make[1]: Entering directory '/root/pixelserv-tls'
gcc -DHAVE_CONFIG_H -I. -DDROP_ROOT -DIF_MODE -DDEFAULT_PEM_PATH=\"/var/cache/pixelserv\" -O3 -Wall -ffunction-sections -fdata-sections -fno-strict-aliasing -g -O2 -MT pixelserv_tls-pixelserv.o -MD -MP -MF .deps/pixelserv_tls-pixelserv.Tpo -c -o pixelserv_tls-pixelserv.o test -f 'pixelserv.c' || echo './'pixelserv.c
mv -f .deps/pixelserv_tls-pixelserv.Tpo .deps/pixelserv_tls-pixelserv.Po
gcc -DHAVE_CONFIG_H -I. -DDROP_ROOT -DIF_MODE -DDEFAULT_PEM_PATH=\"/var/cache/pixelserv\" -O3 -Wall -ffunction-sections -fdata-sections -fno-strict-aliasing -g -O2 -MT pixelserv_tls-socket_handler.o -MD -MP -MF .deps/pixelserv_tls-socket_handler.Tpo -c -o pixelserv_tls-socket_handler.o test -f 'socket_handler.c' || echo './'socket_handler.c
mv -f .deps/pixelserv_tls-socket_handler.Tpo .deps/pixelserv_tls-socket_handler.Po
gcc -DHAVE_CONFIG_H -I. -DDROP_ROOT -DIF_MODE -DDEFAULT_PEM_PATH=\"/var/cache/pixelserv\" -O3 -Wall -ffunction-sections -fdata-sections -fno-strict-aliasing -g -O2 -MT pixelserv_tls-certs.o -MD -MP -MF .deps/pixelserv_tls-certs.Tpo -c -o pixelserv_tls-certs.o test -f 'certs.c' || echo './'certs.c
mv -f .deps/pixelserv_tls-certs.Tpo .deps/pixelserv_tls-certs.Po
gcc -DHAVE_CONFIG_H -I. -DDROP_ROOT -DIF_MODE -DDEFAULT_PEM_PATH=\"/var/cache/pixelserv\" -O3 -Wall -ffunction-sections -fdata-sections -fno-strict-aliasing -g -O2 -MT pixelserv_tls-util.o -MD -MP -MF .deps/pixelserv_tls-util.Tpo -c -o pixelserv_tls-util.o test -f 'util.c' || echo './'util.c
mv -f .deps/pixelserv_tls-util.Tpo .deps/pixelserv_tls-util.Po
gcc -DHAVE_CONFIG_H -I. -DDROP_ROOT -DIF_MODE -DDEFAULT_PEM_PATH=\"/var/cache/pixelserv\" -O3 -Wall -ffunction-sections -fdata-sections -fno-strict-aliasing -g -O2 -MT pixelserv_tls-logger.o -MD -MP -MF .deps/pixelserv_tls-logger.Tpo -c -o pixelserv_tls-logger.o test -f 'logger.c' || echo './'`logger.c
mv -f .deps/pixelserv_tls-logger.Tpo .deps/pixelserv_tls-logger.Po
gcc -DDROP_ROOT -DIF_MODE -DDEFAULT_PEM_PATH="/var/cache/pixelserv" -O3 -Wall -ffunction-sections -fdata-sections -fno-strict-aliasing -g -O2 -Wl,--gc-sections -s -o pixelserv-tls pixelserv_tls-pixelserv.o pixelserv_tls-socket_handler.o pixelserv_tls-certs.o pixelserv_tls-util.o pixelserv_tls-logger.o -lssl -lcrypto -lpthread -lrt -ldl
make[1]: Leaving directory '/root/pixelserv-tls'
root@raspberrypi:~/pixelserv-tls# make install
make[1]: Entering directory '/root/pixelserv-tls'
/bin/mkdir -p '/usr/local/bin'
/usr/bin/install -c pixelserv-tls '/usr/local/bin'
/bin/mkdir -p '/usr/local/share/man/man1'
/usr/bin/install -c -m 644 pixelserv-tls.1 '/usr/local/share/man/man1'
make[1]: Leaving directory '/root/pixelserv-tls'
root@raspberrypi:~/pixelserv-tls# ls
aclocal.m4 depcomp pixelserv-tls.1
autom4te.cache INSTALL pixelserv_tls-certs.o
certs.c install-sh pixelserv_tls-logger.o
certs.h LICENSE pixelserv_tls-pixelserv.o
ChangeLog logger.c pixelserv_tls-socket_handler.o
compile logger.h pixelserv_tls-util.o
config.guess Makefile README.md
config.h Makefile.am socket_handler.c
config.h.in Makefile.in socket_handler.h
config.log Makefile-XC stamp-h1
config.status missing util.c
config.sub openssl util.h
configure pixelserv.c
configure.ac pixelserv-tls
root@raspberrypi:~/pixelserv-tls# ls
aclocal.m4 depcomp pixelserv-tls.1
autom4te.cache INSTALL pixelserv_tls-certs.o
certs.c install-sh pixelserv_tls-logger.o
certs.h LICENSE pixelserv_tls-pixelserv.o
ChangeLog logger.c pixelserv_tls-socket_handler.o
compile logger.h pixelserv_tls-util.o
config.guess Makefile README.md
config.h Makefile.am socket_handler.c
config.h.in Makefile.in socket_handler.h
config.log Makefile-XC stamp-h1
config.status missing util.c
config.sub openssl util.h
configure pixelserv.c
configure.ac pixelserv-tls

root@raspberrypi:~/pixelserv-tls# cd tmp
root@raspberrypi:~/pixelserv-tls# cd /tmp
root@raspberrypi:/tmp# nano /etc/default/pixelserv-tls
root@raspberrypi:/tmp# service pixelserv-tls restart
Failed to restart pixelserv-tls.service: Unit pixelserv-tls.service not found.

Unable to compile on a Debian-based setup.

Support for OpenSSL dynamic engine

It would be great to add support for OpenSSL's dynamic engine.

That way, it would be possible to offload the certificate signing to a separate entity, potentially a hardware security module.
This would probably require the ability to pass initialization commands to the engine, as well as the ability to override certain parameters given to the OpenSSL signature process.

In particular, I'm interested in using OpenSC's pkcs11 engine, to access a Yubikey Hardware Security Module (PIV application on a Yubikey 4).
More info here: https://developers.yubico.com/PIV/Guides/Certificate_authority.html

The relevant command line usage is at the end:

$ openssl << EOF
engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -pre VERBOSE
x509 -engine pkcs11 -CAkeyform engine -CAkey slot_1-id_2 -sha256 -CA yubico-internal-https-subca-$user-crt.pem -req -passin pass:$pin -in yubico-internal-https-ee-$host-csr.pem -extfile yubico-internal-https-ee-$host-crt.conf -out yubico-internal-https-ee-$host-crt.pem
EOF

It would seem that besides the engine initialization commands, the following would need to be provided during the signature step:

  • Indicate that the CAkey should be loaded from the engine (-CAkeyform)
  • Hardware slot of the CA in the -CAkey param
  • pass:$pin as the password (-passin)

From a cursory read of the code, it seems that pixelserv-tls currently manually loads the RSA private key of the CA. I'm not sure what it would take to pass the necessary info to the engine instead.

Launching as normal user fails with missing certs

I'm trying to write a systemd unit for the pixelserv to have it behave like other services on my system.

I created a service user for pixelserv called pixelserv and did the appropriate chowns for /var/cache/pixelserv and /tmp/pixelserv. When starting the service I get the following errors:

pixelserv-tls[13715]: pixelserv-tls 2.2.1 (compiled: Sep  1 2019 17:45:50 flags: tfo no_tls1_3) options: -u pixelserv -f -l 4
pixelserv-tls[13715]: cert_tlstor_init: failed to load ca.crt
pixelserv-tls[13715]: cert_tlstor_init: failed to load ca.key
pixelserv-tls[13715]: sslctx_tbl_load: /var/cache/pixelserv/prefetch doesn't exist.
pixelserv-tls[13715]: Abort: Permission denied - :*:443

When I launch it as root it works. For security reasons I don't want to launch it as root, is there something we can do to fix the startup problem?

Crash on Tapatalk launch

Client

Tapatalk Android client.

Symptom

On launch, Tapatalk sends a big chunk ~16KB of data using POST. Captured request looks like below. pixelserv-tls v2.0.1-rc2 crashes.

POST /v2.9/469687153111700/activities?access_token=&format=json&sdk=android HTTP/1.1
User-Agent: FBAndroidSDK.4.23.0
Accept-Language: es_ES
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Transfer-Encoding: chunked
Host: graph.facebook.com
Connection: Keep-Alive
Accept-Encoding: gzip

7056
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="format"

json
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="sdk"

android
--3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Content-Disposition: form-data; name="custom_events_file"; filename="custom_events_file"
Content-Type: content/unknown

[{"_eventName":"Start_Session","_logTime":1512749547,"_ui":"null","_session_id":"5d35bdf4-4862-492e-b8fc-f80c574721c2","Channel":"Push_Conv"},{"_eventName":"fb_mobile_activate_app","_logTime":1512749256,"_ui":"CreateMessageActivity","_session_id":"5d35bdf4-4862-492e-b8fc-f80c574721c2","fb_mobile_launch_source":"Unclassified"},

Permissions issue in pixelserv-tls.rb homebrew formula

12: $cert_path = '/var/cache/pixelserv'
References a location that is problematic because it requires elevated permissions to create, and would have to be created manually in preparation.
I recommend changing to /usr/local/var/cache/pixelserv as this is achievable with normal user permissions. (to be clear, I am running on macOS with a user that has administrative privileges. This is probably the most common case. I have not tested on a non administrative user account)

The caveats section also has required amendments.

==> Caveats
Set directory permission of CERT_PATH to 'nobody' by running:
sudo chown nobody /var/cache/pixelserv

To serve HTTPS requests, copy your ca.crt & ca.key into:
/var/cache/pixelserv

Instructions to generate ca.crt & ca.key:
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

To have launchd start pixelserv-tls now and restart at startup:
sudo brew services start pixelserv-tls

The cert path directory does not then need to be modified. Also of note, you cannot run the brew command with sudo, as you will be warned if you try:

Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
