Weblog

Hiawatha v9.12 has been released

13 February 2015, 10:04

After every release, I always think: what's next? But somehow, there is always something to improve or fix. This new release of the Hiawatha webserver contains two main changes.

First, Hiawatha now uses mbed TLS instead of PolarSSL. What, a new SSL library? No, PolarSSL has been acquired by ARM, so PolarSSL has been rebranded as mbed TLS. The effect of this name change is that Hiawatha can no longer support earlier versions of PolarSSL, because several changes has been done to the code. mbed TLS 1.3.10 uses both polarssl and mbedtls in the code (quite confusing), but a/the next release of mbed TLS will contain no reference to the name PolarSSL any more. So, also a/the next release of Hiawatha will no longer support earlier version of mbed TLS.
The Hiawatha SSL library (not PolarSSL / mbed TLS itself) contained a memory leak, which occured when a client tried to connect with SSL3.0, while support for it was turned off or not included at all. For every 'No cypher overlap during SSL handshake.' in your system.log, there was a small leak. But when someone did a large amount of SSL3.0 connection attempts to your server, you could have problem. I therefor advice everyone to update to v9.12. The leak was, by the way, very easy to find via the XCode tool Instruments, which is an awesome tool!

David Oliver

13 February 2015, 10:45

Hi Hugo,

Many thanks for the update and notes. I hadn't heard about PolarSSL. Am I right in thinking this update to Hiawatha should "just work" regarding SSL, and that no additional configuration will be required?

Hugo Leisink

13 February 2015, 10:48

Hi David. Yes, updating to 9.12 will 'just work'. Besides some improvements and fixes that are compatible with previous versions, several 'polarssl' strings have been replaced with 'mbedtls'. That only causes issues when compiling with previous versions, because Hiawatha expects 'polarssl', but finds 'mbedtls'.

Heiko

13 February 2015, 11:11

Its working fine on OpenBSD current and Raspbian. I updated my Raspi-Binaries, if somebody is interested for Raspberry Pi: https://files.intermezzo.net/hiawatha_raspi/

Chris Wadge

13 February 2015, 11:52

Thanks, Hugo!

New Debian builds available at files.tuxhelp.org [files.tuxhelp.org] and mirror.tuxhelp.org [mirror.tuxhelp.org]. apt.sparkz.no [apt.sparkz.no] should be synced soon.

Kapageridis Stavros

13 February 2015, 22:38

Thanks Hugo

Were

14 February 2015, 21:45

@Chris Wadge: Thanks also for your work. Is it planned to add Hiawatha to Debian/Ubuntu?

Chris Wadge

15 February 2015, 01:53

@Were You're welcome. ;-) To answer your question, I've thought about trying to get Hiawatha inducted into mainline Debian. What's made me hesitate is that, at least on stable releases, we'd wind up with a bugfix-only release several revisions behind the current version upstream. For things like webservers, I personally think it's really nice to just have the latest version of Hiawatha all the time. Of course, adding mirror.tuxhelp.org or apt.sparkz.no to your system as a repository allows you to keep up to date just as easily. Is there a particular advantage of inclusion I'm overlooking?

Hugo Leisink

15 February 2015, 09:19

@Kapageridis: I've tried it myself to get Hiawatha in both Debian and Ubuntu. It's near impossible to do. You need someone 'inside' to do it for you, otherwise nobody will be interested to do it. Using Chris' repository is an even better alternative, as he already explained.

www/hiawatha freebsd 9.12

19 February 2015, 22:23

I saw an update to Hiawatha 9.12 and I will update this when I have time, as I am currently at work and won't get off until 9th of March, Just thought I would let people know here.

Tej

20 February 2015, 21:30

@Chris Wadge:
Would be great if you could also download 'armhf.deb'-packages for the Raspberry Pi.
Is it planned to add this?

Thanks.

Alex

21 February 2015, 18:51

Thank you so mach for updates www/hiawatha freebsd 9.12
We need it highly.

Chris Wadge

22 February 2015, 07:44

@Tej I'd like to add some non-x86 packages to the repo in the near future. The only thing that's holding me back is a lack of hardware to test on.

Hugo Leisink

22 February 2015, 08:08

For Raspberry Pi packages, see https://files.intermezzo.net/hiawatha_raspi/.

Tej

22 February 2015, 08:51

@Hugo Leisink: A trustworthy source or do you know the provider?

Hugo Leisink

22 February 2015, 08:57

It's a repository by Heiko Zimmermann, who's from Germany. Although I don't know him personally, I have no reason to believe he has any bad intention. He's using Hiawatha for quite some time.