I love Hiawatha! - But I have a (simple) question.

RaGe10940
28 January 2013, 15:31
Hiawatha version: 8.7
Operating System: Ubuntu Server 12.04 LTS

Hi Hugo (or any one else who chimes in)

First of all, Hiawatha is super simple, and I love the built-in security functions. I do have a question, and a simple one at that (I think).

The question: On the HOWTO pages for SSL and Normal bindings you have an example using OpenSSL.

I thought that as of 8.0 OpenSSL was replaced with PolarSSL:

"Replaced OpenSSL with PolarSSL. Many thanks to Paul Bakker."

I got that quote from this link: http://www.hiawatha-webserver.org/changelog

So is my logic flawed? Or do I still have to use OPENSSL to generate my keys?

Hugo Leisink
28 January 2013, 15:45
PolarSSL is just a library to be used in applications. OpenSSL is both a library (like PolarSSL) and a command line tool for cryptographic tasks. PolarSSL and OpenSSL are compatible when it comes to handling certificates and cryptographic messages. So, although Hiawatha uses the PolarSSL library, you can still use the OpenSSL command line to create certificates and keys. PolarSSL has no such command line tool.

RaGe10940
28 January 2013, 15:49
Splendid. Also, I am greatly appreciative of your hard work. Again, thank you very much and please don't stop developing this httpd. I spread the word to my IT teacher and will be presenting my application for use to my community college's IT Department. I will obviously link my application's success to Hiawatha and of course you.

KEEP GOING MAN!

Hugo Leisink
28 January 2013, 16:07
Thanks, will do! And please tell others. I really can use the publicity!

And if you like my webserver, have you seen my secure PHP framework [www.banshee-php.org]?

RaGe10940
28 January 2013, 16:36
Well, I'm new to PHP and I have no experience with frameworks; however, my final version of the application will be MVC based, and I have been looking into CodeIgniter. I have looked at Banshee though, there's just not a lot of external documentation. If you can give me a non-biased answer on why to use Banshee, I will then take a deep look into it and will also suggest it to fellow classmates. The only reason I see the other frameworks as "better" is for employment opportunities, ya know? But I would like to read your non-biased explanation though.

Hugo Leisink
28 January 2013, 16:56
First you have to understand the difference between a framework and a CMS. Both are software which can be used to create a website. But a framework requires programming to build a website with it and a CMS doesn't. Most frameworks don't have CMS functionality, so the disadvantage of a framework is that you have to write the functionality that almost every website needs yourself, such as user administration. A disadvantage of a CMS is that, because they don't require programming, they are mostly big, bloated and therefore buggy (Joomla and TYPO3 are not known for their security).

Banshee is a framework with default CMS functionality. It requires programming to build a website, but the functionality that most websites need is already there. With Banshee you can create a lean-and-mean website in a short time. And because security is the top priority, it's not likely that the result will be insecure, unless of course you have absolutely no idea what you are doing.

When I was a freelancer, I used Banshee to build www.security.nl, the biggest IT security news website in the Netherlands. You can understand that many people will try to hack this website. The website has been audited intensely and no issues were found. That website has been up and running for many years without a single security incident.

I know the documentation can be better, but Banshee is very easy to understand. Although the available documentation is short, it's enough to understand the framework. All you need is proper knowledge about PHP, MySQL and XSLT.

So, if you are looking for a framework to build fast and secure websites in a relatively short time and don't want to write basic website functionality like user administration over and over again, then Banshee is your place to start.

RaGe10940
28 January 2013, 18:12
That was very well put. I will take a look into it. Security is the main goal of this application I am working on. Nothing else, not flashiness, not the look, just security and functionality. I have written all of the PHP myself but it took a damn long time. If it is already done for me then shoot, that is nice. Like I said, I will look into it. Thanks Hugo.

Gour
28 January 2013, 18:43
> When I was a freelancer, I used Banshee to build http://www.security.nl/, the biggest IT security news website in the Netherlands. You can understand that many people will try to hack this website. The website has been audited intensely and no issues were found. That website has been up and running for many years without a single security incident.

This is a very nice testimony of how security is not a question of the language (there is a lot of PHP bashing), but something else is the cause of it.

RaGe10940
28 January 2013, 18:47
@Gour Yes, I really hate the PHP bashing... "Python is better", "dude, you got to learn RAILS!" Like, seriously, if a language works for me and I'm comfy with it, then let me make my mistakes or let me get a good paying job with my knowledge. Well put, Gour.

Hugo Leisink
28 January 2013, 19:09
Language-bashing is pointless and meaningless. It's like trying to say that "I'd like to have a beer" is better or worse than "Je voudrais prendre une bière" or "Ik wil graag een biertje". A language is just a tool. Anything that can be done with PHP can also be done with .NET or Python, and the same the other way around. For me, language-bashing is nothing more than a sign of being immature and insecure.

RaGe10940
31 January 2013, 01:48
This might be another simple question, but a question that I cannot find resources on.

1) When I inspect my certificate file in my browser it says: Connection Encrypted: High-grade Encryption (RC4, 128 bit Keys)
The connection uses TLS 1.1.
My question is: in Apache the encryption bit that I had set up is 256. This is merely a number, but does Hiawatha only support 128 bit keys? While creating the .pem file with OpenSSL I chose to create a 4096 length key, like I did when using Apache.

Just curious is all, why 128 and not 256.

And don't take this as an "oh well, Hiawatha sucks because of 128 bits less".

I'm actually in love with this server. It was hard to get used to (for me) since I was an Apache guy: sudo apt-get install and boom, you're done. So again, I love the work you're doing in trying to keep our web apps safe! (Also the ban feature is stupendous! I banned myself by accident at least 20 times today. 10 hour bans, that is, lol.)

Hugo Leisink
31 January 2013, 07:29
That is a very valid question. The key length is 128 because that's the maximum for RC4. AES can use 256 or even 512 bit keys. The reason for RC4 is because your setup also supports TLS 1.0. With TLS 1.0, AES is vulnerable to the BEAST attack. If you set the minimum TLS version to 1.1, Hiawatha will use AES by default. This can be done via
MinSSLversion = TLS1.1

Be careful with this, Firefox doesn't support TLS 1.1 yet. The SSL library that Firefox uses, NSS, only recently got support for TLS 1.1. So, you will be able to set MinSSLversion to TLS1.1 soon, but not now. Unless you don't care about visitors using Firefox, of course. For an overview of browser support, see this page [en.wikipedia.org].
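
To make the two answers above concrete (the OpenSSL command line producing the key and certificate that a PolarSSL-based Hiawatha then loads, and MinSSLversion raising the minimum TLS version), here is an added shell example; it is not code from this thread or from the Hiawatha project. It assumes that Hiawatha reads the private key and the certificate from one PEM file (the thread only speaks of "the .pem file"), that the Binding block takes the keys Port, Interface and SSLcertFile, and the hostname www.example.test and the one-year validity are constructed values. The two checks at the end (key size, and certificate public key matching the private key) are the ones to run before pointing the server at the file.

```shell
#!/bin/sh
# Added example, not Hiawatha project code. Generates a 4096-bit RSA key and a
# self-signed certificate with the OpenSSL command line tool, joins them into
# one PEM file, verifies the file, and prints a Hiawatha-style Binding block.
# Assumptions (not confirmed by the thread): one PEM file holding key + cert,
# and the Binding keys Port / Interface / SSLcertFile.
set -u

# make_server_pem DIR HOSTNAME -> writes DIR/serverkey.pem and prints its path
make_server_pem() {
    dir=$1
    host=$2
    key="$dir/key.pem"
    cert="$dir/cert.pem"
    out="$dir/serverkey.pem"
    # 4096-bit RSA key, as the poster used. The key is left unencrypted so the
    # web server can read it at startup without a passphrase.
    openssl genrsa -out "$key" 4096 2>/dev/null || return 1
    # Self-signed certificate; -subj avoids the interactive prompts.
    openssl req -new -x509 -days 365 -key "$key" -out "$cert" \
        -subj "/CN=$host" 2>/dev/null || return 1
    # Key first, then certificate, in a single file only root can read.
    cat "$key" "$cert" > "$out"
    chmod 600 "$out"
    printf '%s\n' "$out"
}

# key_bits PEM -> prints the RSA modulus size of the private key in PEM
# (works with the "Private-Key:" and "RSA Private-Key:" wording of old and new OpenSSL)
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# cert_matches_key PEM -> exit 0 when the certificate's public key equals
# the public half of the private key in the same file
cert_matches_key() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# write_binding PEM MINVER -> prints a Binding block with the given minimum
# TLS version (MINVER is written exactly as in the thread, e.g. TLS1.1)
write_binding() {
    cat <<EOF
Binding {
    Port = 443
    Interface = 0.0.0.0
    SSLcertFile = $1
    MinSSLversion = $2
}
EOF
}

# Usage: sh make_pem.sh /etc/hiawatha www.example.test
if [ $# -eq 2 ]; then
    pem=$(make_server_pem "$1" "$2") || { echo "openssl failed" >&2; exit 1; }
    echo "key size: $(key_bits "$pem") bit"
    cert_matches_key "$pem" && echo "certificate matches key"
    write_binding "$pem" TLS1.1
fi
```

The Binding block is printed rather than written into a live configuration so that the generated file path can be checked first; the TLS1.1 value is the one discussed in the thread, with the caveat about browser support given above.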
RaGe10940
31 January 2013, 13:15
Splendid! My college comes with standard Chrome support for all computers, so yes, I wouldn't need to care about Firefox users since my coworkers and I consistently use Chrome. Thanks a whole lot, Hugo. So just a test of logic: if I do set MinSSLversion = TLS1.1, then can I still use the same .pem file? If not, then it's really not a biggie as you already made a HOWTO on how to create the .pem file.

Hugo Leisink
31 January 2013, 19:10
You can still use the same PEM files. TLS 1.0, 1.1 and 1.2 use the same crypto protocols. Main difference between the versions is how the protocols are initialized.

RaGe10940
1 February 2013, 01:39
Your connection to www.rixajait.com is encrypted with 256-bit encryption.

The connection uses TLS 1.1.

The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

The connection does not use SSL compression.

Thanks for the help!
This topic has been closed.