Hiawatha
A secure and advanced webserver

Hiawatha weblog

Hiawatha 8.0 has been released

27 January 2012, 12:06

I'm proud to present version 8.0 of the Hiawatha webserver. In this new major release, Autoconf has been replaced with CMake. The source tarball has been reorganized and the build system with CMake is much easier to maintain for me.

Another big change is that OpenSSL has been replaced with PolarSSL. Unlike OpenSSL, PolarSSL is well documented and easy to learn. Hiawatha's SSL library is much cleaner and simpler due to PolarSSL. No more dirty callback stuff to make it work. It's now more likely that a future release will have SNI support.

Don't forget to read the ChangeLog before you upgrade to this release and please let me know what you think of it.

by Hugo Leisink

10th Anniversary

27 January 2012, 00:51

Today is the 10th anniversary of the Hiawatha webserver! In the last 10 years, Hiawatha has grown from a small and simple webserver to a fully functional webserver with security features no other webserver has. Although Hiawatha is not used by many, I still enjoy working on it. I have no big plans for the future, but development will continue and, release by release, Hiawatha will become better and better.

Thanks to everybody who has supported and helped me in any kind of way. And of course, thanks to everybody who is using and enjoying the power of the Hiawatha webserver.

Later this day, at 12:06 GMT+1, exactly 10 years after the release of 0.1, I will release Hiawatha 8.0.

Tags: fun, future
by Hugo Leisink

Hash-algorithm-collision DoS attack

29 December 2011, 21:58

As you probably already have heard, multiple languages appear to be vulnerable to hash-collision DoS attacks. If you don't know what this is about, I'll explain it here. When a web browser sends variables (GET or POST) to a website, the web application places those variables in an indexed array. For example, with the URL http://www.website.com/index.php?test=123, PHP places the value '123' in the $_GET array with 'test' as the index key. For quick lookup, most languages hash the key, mostly with the 'Daniel J. Bernstein, Times 33 with Addition' algorithm.

In case of a collision (multiple keys give the same hash value), the hash alone can no longer identify the entry. To look up a value in the array in such a case, a string compare has to be done against each colliding entry. Of course, this requires more CPU power than using the hash to find the entry directly. So, if a hacker sends an HTTP request in which he deliberately uses two keys which give the same hash and adds several thousands of other variables, the CPU of the webserver will be quite busy looking up variables. POST requests are more interesting for this attack, because a request body can contain more data than the URL.

Most vendors are already working on patches for this problem. But what to do in the meantime, or when you can't upgrade to the latest version of your web language? Well, the Hiawatha webserver wouldn't be the Hiawatha webserver if it didn't have a mechanism to protect you against such a DoS attack.

You can of course limit the request size, but it is more effective to limit the number of variables in the request. This can be done via the UrlToolkit (for the URL) and the DenyBody option (for the request body). For example, to limit the number of variables to 10, use the following configuration:

UrlToolkit {
    ToolkitID = limit_params
    Match (&.*){10,} DenyAccess
}

VirtualHost {
    ...
    UseToolkit = limit_params
    DenyBody = (&.*){10,}
}

The value 10 is just an example. To see what value is right for your website, find the maximum number of input elements in the forms of your website (don't forget the hidden inputs) and the maximum number of URL parameters. Only use this if you think your website might be a possible target for hackers. Otherwise, it's just a waste of CPU power. Regular expressions don't come cheap...
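To pick that number and to see exactly what the rule lets through, here is an added Python example (not part of the original post and not Hiawatha code): it counts the named controls of each form on a page, which is what a browser will actually submit, and applies the same (&.*){N,} pattern the configuration above uses, showing that {10,} denies a request from the tenth ampersand, i.e. the eleventh variable, onward. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser

class FormFieldCounter(HTMLParser):
    """Count the named controls of each <form>; hidden inputs count too."""
    CONTROLS = ("input", "select", "textarea", "button")

    def __init__(self):
        super().__init__()
        self.counts = []       # submittable fields, one entry per form
        self._current = None   # running count for the form being parsed

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._current = 0
        elif self._current is not None and tag in self.CONTROLS:
            # only named controls are sent by the browser; a <select multiple>
            # may send one name=value pair per selected option, adjust by hand
            if any(name == "name" for name, _ in attrs):
                self._current += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.counts.append(self._current)
            self._current = None

def max_form_fields(html):
    """Largest number of variables one of the page's forms can submit."""
    parser = FormFieldCounter()
    parser.feed(html)
    parser.close()
    return max(parser.counts, default=0)

def deny_regex(limit):
    """Rule allowing at most `limit` variables: `limit` or more ampersands,
    i.e. `limit` + 1 or more variables, deny the request."""
    return r"(&.*){%d,}" % limit

def is_denied(data, limit):
    """The decision Match/DenyBody make: deny when the pattern matches."""
    return re.search(deny_regex(limit), data) is not None

# Constructed sample page: 3 submittable fields in the first form (the
# unnamed submit button is never sent), 2 in the second.
SAMPLE_HTML = (
    '<form method="post"><input name="user"><input type="password" name="pass">'
    '<input type="hidden" name="csrf"><input type="submit" value="Go"></form>'
    '<form action="/search"><input name="q"><select name="sort"></select></form>'
)
```

Take the larger of max_form_fields() and your longest URL's parameter count as the value for {N,}; the regex counts ampersands, so a query string with exactly N variables (N-1 ampersands) still passes.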


Tags: security
by Hugo Leisink

Hiawatha and CMake

11 December 2011, 21:41

A beta version of Hiawatha 8.0 which uses CMake instead of Autoconf is now ready for download. Please test it and send me your feedback. Installation instructions can be found in the INSTALL file inside the source package.

The source package can be found at the download page.

by Hugo Leisink

Hiawatha 8.0 beta

8 December 2011, 08:41

The beta version of Hiawatha 8.0 has been released! In this version, OpenSSL has been replaced with PolarSSL. This website is currently served by 8.0 beta. The first tests show that it's working fine.

The only thing left to do for the final 8.0 release is to replace Autoconf with CMake. This weekend, I will start working on it.

The beta release can be found here.

Tags: release, SSL
by Hugo Leisink