Weblog

Thanks for the maintenance update!

Thanks Hugo, was switched to an alternative Let's Encrypt script after the bundled one stopped working, great to have the original functionality back. Much appreciated!

Thank you so much hugo

Thanks a lot for sharing this update!

Thanks for this updates, really appreciate it.

Wow... an update. Will tell ${JOB - 3}. Thanks for the update

Hello Hugo, i am loving endlessly hiawatha. And i am learning c programming at the moment and my aim will be to understand the code behind hiawatha because i just love it.
Please Hugo take into consideration to leave the forum open for people that need help...
And also have all the code on github that even people like my when i learn program could help you with hiawatha. That would be endlessly beautiful.

But i have a problem with getting hiawatha getting to work with fcgi and c++.


When i try to compile the c code under:

#https://www.hiawatha-webserver.org/files/fastcgi/fastcgi.c.txt

it tells me:

#/usr/bin/ld: fastcgi.c:(.text+0x3b): undefined reference to `FCGX_GetParam'
#/usr/bin/ld: fastcgi.c:(.text+0x66): undefined reference to `FCGX_FPrintF'

many times. And the link:

#https://github.com/hsleisink/fcgi

is not online anymore. And if i search for it i get:

#https://github.com/FastCGI-Archives/FastCGI.com/tree/master/original_snapshot

and if i compile the:

#fcgi-2.4.1-SNAP-0910052249.tar.gz

the errors does not disappear.

Did you use the -lfcgi option, as specified in the first line of fastcgi.c.txt?

Because Github was taken over by Microsoft, I moved all my projects to Gitlab. The new location of the 'FastCGI development kit' is https://gitlab.com/hsleisink/fcgi.

Hello Hugo:

I'm pleased to see you are continuing to work on Hiawatha. My two remote servers and my local machine will continue to use it.

I just downloaded version 10.10 and compiled it on Debian 10 (version number is coincidental). Debian is using an updated gcc:

$ gcc --version
gcc (Debian 8.3.0-6) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.

that has "improved" diagnostics which are now warning of possible string overflows of the form:

/home/chris/local/hiawatha-10.10/src/rproxy.c: In function ‘init_rproxy_module’:
/home/chris/local/hiawatha-10.10/src/rproxy.c:65:30: warning: ‘%s’ directive writing up to 32 bytes into a region of size 13 [-Wformat-overflow=]
char str[50], *format = "%s %s\r\n";

plus a couple of:

/home/chris/local/hiawatha-10.10/src/target.c: In function ‘execute_cgi’:
/home/chris/local/hiawatha-10.10/src/target.c:1221:24: warning: this statement may fall through [-Wimplicit-fallthrough=]
session->keep_alive = false;

I am an advocate of zero reports from the compiler rather than ignore warnings so these reports are "useful" even if annoying. My own work in C is filled with such reports, despite my general avoidance of strcpy/strcat in favour of the strncpy/strncat versions. I am gradually cleaning them up and you might do the same. Your code has fewer warnings than mine :-)

Regards,
Chris

Hi Chris. Thanks for your feedback. I try to write my code as warning-free as possible. But 100% warning-free is very hard, due to errors in the compiler checks. Both issues you mentioned are not errors in my code, but in the compiler checks. So, I can't fix them, because there is nothing to fix.

Thanks for the update.
The windows 10.10 version of Hiawatha does not seem to run because "cygcrypt-2.dll is missing".
I am not sure how many people use the windows version and I would understand you discontinue it if you have limited time. Personally I will decommission my windows server soon.

Weird. cygcrypt-0.dll is included and needed. I don't know what goes wrong.

yes cygcrypt-0.dll is included, here it also asks for cygcrypt-2.dll

I suppose that this package is missing https://cygwin.com/packages/summary/libcrypt2.html

My advice: download the source, install cygwin and run extra/make_windows_package.

Sure, and amending the line files="cygcrypt-0.dll cyggcc_s-1.dll cyggcc_s-seh-1.dll cygrunsrv.exe cygiconv-2.dll cygwin1.dll cygxml2-2.dll cygxslt-1.dll cygz.dll cyglzma-5.dll" in extra/make_windows_package to include the missing dll.

Hi Hugo, Would you consider replacing line 10 of logrotate.in by `/usr/bin/killall -HUP hiawatha || true` in order to avoid logrotate errors when hiawatha is not running? (For example when logrotate starts before hiawatha at boot time).

See my related bugreport here https://www.hiawatha-webserver.org/weblog/134

Sure, will be there in the next release.

Note that Mbed TLS 2.16.4 has been released

Yeah, I noticed. Seen the sloppiness in that release? The files inside the package still have 2.16.3 as the version. To me, mbed TLS is dead. I'm migrating back to OpenSSL.

I updated to version 10.10 and version 2.1 (latest) of the letsencrypt script. I had been using version 1. I've been unsuccessful in renewing my certificates and was wondering if letsencrypt changed again... It gives me "account not registered yet".

"Renewing certificate for example1.com.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
- Account not registered yet.
Renewing certificate for example2.com.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
- Account not registered yet.

Have you tried registering your account? Read the manual page?

Yes... Been going around in circles. I figured I would check to make sure this wasn't it.

I think my problem may not have to do with hiawatha (10.10) but somewhere else in my box.

----[ Fri, 07 Feb 2020 21:52:20 -0500 ]--------------------
>>> Registering account.
GET /acme/new-nonce
Server response: array(3) {
["status"] => int(204)
["headers"] => array(8) {
["server"] => string(5) "nginx"
["date"] => string(29) "Sat, 08 Feb 2020 02:53:07 GMT"
["connection"] => string(5) "close"
["cache-control"] => string(27) "public, max-age=0, no-cache"
["link"] => string(60) "<https://acme-v02.api.letsencrypt.org/directory>;rel="index""
["replay-nonce"] => string(47) "0102dmV91EKRae9CklplHiPiVxk7ejbfWJSDYP4uNlyvK4I"
["x-frame-options"] => string(4) "DENY"
["strict-transport-security"] => string(14) "max-age=604800"
}
["body"] => string(0) ""
}
POST /acme/new-acct
Payload: array(2) {
["contact"] => array(1) {
[0] => string(30) "mailto:me@example.com"
}
["termsOfServiceAgreed"] => bool(true)
}
Server response: array(3) {
["status"] => int(415)
["headers"] => array(8) {
["server"] => string(5) "nginx"
["date"] => string(29) "Sat, 08 Feb 2020 02:53:07 GMT"
["content-type"] => string(24) "application/problem+json"
["content-length"] => string(3) "168"
["connection"] => string(5) "close"
["cache-control"] => string(27) "public, max-age=0, no-cache"
["link"] => string(60) "<https://acme-v02.api.letsencrypt.org/directory>;rel="index""
["replay-nonce"] => string(47) "01012n-gfCPrpdPO9jJ0ysyDxRcqqqOJh-3f7xUWr0u-9Wo"
}
["body"] => string(168) "{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"",
"status": 415
}"
}

Groetjes, nja, zekere beeter dat ik niet meer proberen in NL schrijven.

Anyway, As many said, thank you very much for all the years of hiawatha, was my default server on my servers until i took them down 2ish years ago. Want to put some back up, so came here. I read your blog about scaling down and about some 'serious security issue' found. Can someone please give me a link to this so I can audit what has been done, what state it might be in , and if I possibly can add some patching if necessary.

P.S. I have a clear feeling we have similar foundation of ideas and notions/principles but who knows. I had a list of 6 people in the entire world to join me on a project.. I should have kicked it off 4-5 years ago to be fair. Still can. Think it could and would grow to largest tech company on my continent. Anyway, of the 6 names, you are one of them.

The 'serious security issue' has been fixed in the latest release, so don't worry about that. And thanks for your confidence in me.

Thank You, Hugo for continuing to do critical work on Hiawatha.

Any possibility for Hiawatha becoming community supported? I haven't programmed in C in decades so would not be a good contributor.

Well, that depends on the community. But in the last 20 years, no one has every done any serious contribution to Hiawatha, so I don't think it will ever happen. Anyone with good OpenSSL skills is welcome.

Why not LibreSSL instead of OpenSSL?

Hello Hugo, i am still struggling to setup hiawatha to use C and fcgi. The error message is FastCGI server fcgi is still (partially) unavailable... Would you please be that kind to publish a cool howto about how to setup hiawatha to work with fcgi. I am still so sad that i managed to work with fcgi only apache2. And there i struggle that the FCGI_stdio is not working. Means i cannot acces post data. Please would you be that kind to publish even how to write a fcgi application in detail. I am endlessly sure that many people would aperciate that and you would help the community.

thank you so much hugo! And keep on the great work!!
greetings Josef

There are 100 of millions of web servers running on the internet and nowhere you can find a good explanation how to set up fcgi for a web server. Nor one can find a good explanation how to programm an fcgi application where steps like getting post data from a html form is explained... Since you know even how to programm an fcgi interface you could help endlessly the community. We all would apperciate a detailed explanation how to setup on hiawatha c and fcgi.
THANK YOU ONCE AGAIN!

All there is to know is described here.

There has been a few Mbed TLS releases which used to be the opportunity of new Hiawatha releases. Has the development been discontinued for good or shall we expect a new one later this year with OpenSSL?

I usually don't release a new version, just to update mbed TLS. You can simply run ./mbedtls/upgrade in the source directory to manually upgrade mbed TLS and then recompile / rebuild.

@kewl, my Debian builds of Hiawatha track the current mbed TLS (currently 2.16.6). Feature releases are released as optional, bugfix / security releases in the main repository.

Thank you so much Hugo. I love Hiawatha and thank you for all you've done. I appreciate it very much!

@Chris I use Arch but well noted, thanks

@kewl If you're up for doing your own builds, Hugo's Hiawatha source includes a script to pull down an arbitrary version of Mbed TLS from upstream.

@Chris sure, thanks, then whether Mbed TLS will be replaced by OpenSSL in the next version is the big unknown