Forum

Feedback and questions

Syree
2 January 2015, 20:04
Hello everybody,

I discovered 'Hiawatha' this week and I want to say thank you for the development of this tool.

Would like to give some feedback, so you can perhaps continue improving the software.

1. I think it would be great if you could choose which ciphers you want to use and create a simple preference list. I know that there are already topics about this. But I don't really understand why this hasn't been implemented by now. I think only people with crypto knowledge would change the default settings, and changing the ssl.c file isn't comfortable and isn't possible for non-programmers like me. Being able to change which ciphers are allowed would give more freedom to the user.

By the way: Is there a list where I can find all ciphers 'Hiawatha' is using?

2. I tried using an encrypted private key for SSL, so that I have to decrypt the key every time the webserver (re)starts. Unfortunately, it failed. Did I make a mistake, or is it not possible with 'Hiawatha'? Perhaps it could be a security feature which is useful for some people.

3. Has 'Hiawatha' already been audited and is there a report?

Thank you again for your work.

Syree

(Operating system: Linux)
Hugo Leisink
2 January 2015, 20:58
1) Hiawatha already has a cipher suite selection that gives you the highest possible SSL score (tested via ssllabs.com [www.ssllabs.com]). Why do you want to change that?

2) Encrypted SSL keys are not supported. Just make the key files readable only by root.

3) Many did their own security testing and many gave me compliments for my work. No official audits with reports have been done though.
Syree
3 January 2015, 13:56
Hello Hugo.

Thank you for your answer.

1) Well, I think it's great that 'Hiawatha' offers secure ciphers, but I also don't see a disadvantage if a user is able to change the settings and preferences easily. Perhaps someone wants to use another cipher only because of the speed, etc. But it's, of course, your decision, and I only wanted to give some feedback because I like your software.

And a short beginner question:
'Hiawatha' starts as root and then changes the user to 'www-data'. Does 'Hiawatha' load the SSL key into RAM at the beginning, or how else can 'Hiawatha' read the file if it is only readable by root?

Hugo Leisink
3 January 2015, 16:17
Yes, Hiawatha does some initialization things like loading the SSL keys when still running as root. When all is done, it switches to another user and starts handling HTTP requests.
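The start-up sequence Hugo describes (read the root-only key while still privileged, then switch to an unprivileged user before touching any request) is a common pattern for network daemons. The program below is an added example written for this thread, not Hiawatha's own source: it refuses key files that are group- or world-readable, reads the key into memory as root, then drops supplementary groups, gid and uid to the target user and verifies the drop is irreversible. The key path `/etc/hiawatha/serverkey.pem` and the user name `www-data` are assumptions chosen to match the discussion, not values taken from Hiawatha.

```c
/* Added example (not Hiawatha's code): load a root-only key file into
 * memory while still privileged, then permanently drop to an unprivileged
 * user before doing any request handling. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A private key file must not be readable by group or others. */
int key_mode_is_private(mode_t mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Read the whole key file into a heap buffer (caller frees it).
 * Returns the number of bytes read, or -1 on error, including a
 * key file whose permissions are too loose. */
long load_key_file(const char *path, unsigned char **out)
{
    struct stat st;
    FILE *fp;
    unsigned char *buf;
    size_t n;

    *out = NULL;
    if (stat(path, &st) != 0)
        return -1;
    if (!key_mode_is_private(st.st_mode)) {
        errno = EACCES;           /* refuse a group/world-readable key */
        return -1;
    }
    if ((fp = fopen(path, "rb")) == NULL)
        return -1;
    buf = malloc((size_t)st.st_size + 1);
    if (buf == NULL) {
        fclose(fp);
        return -1;
    }
    n = fread(buf, 1, (size_t)st.st_size, fp);
    fclose(fp);
    buf[n] = '\0';
    *out = buf;
    return (long)n;
}

/* Switch to the given user: supplementary groups first, then gid, then
 * uid (in that order, since once uid is non-root the others would fail).
 * Afterwards confirm that root cannot be regained. Returns 0 on success. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)           /* still able to become root: abort */
        return -1;
    return 0;
}

int main(void)
{
    unsigned char *key = NULL;
    /* Path and user name are assumptions for this example. */
    long len = load_key_file("/etc/hiawatha/serverkey.pem", &key);

    if (len < 0) {
        perror("load_key_file");
        return 1;
    }
    if (drop_privileges("www-data") != 0) {
        perror("drop_privileges");
        free(key);
        return 1;
    }
    printf("key loaded (%ld bytes) as root; now serving as uid %d\n",
           len, (int)getuid());
    /* ... accept connections and serve HTTPS using the in-memory key ... */
    memset(key, 0, (size_t)len);  /* wipe key material before freeing */
    free(key);
    return 0;
}
```

Because the uid switch is final, anything that needs root (binding port 443, reading the key, opening a root-owned log) has to happen before `drop_privileges`; everything that parses untrusted input happens after it, so a bug in request handling only yields the rights of `www-data`, not of root.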
This topic has been closed.