Weblog

The IETF HTTP Working Group has approved the HTTP/2 specification. This draft will now get the 'request-for-comments' status for a short while, which allows others to make their comments. After that, the IETF will publish it as an official standard.

After every release, I always think: what's next? But somehow, there is always something to improve or fix. This new release of the Hiawatha webserver contains two main changes.

• First, Hiawatha now uses mbed TLS instead of PolarSSL. What, a new SSL library? No, PolarSSL has been acquired by ARM, so PolarSSL has been rebranded as mbed TLS. The effect of this name change is that Hiawatha can no longer support earlier versions of PolarSSL, because several changes has been done to the code. mbed TLS 1.3.10 uses both polarssl and mbedtls in the code (quite confusing), but a/the next release of mbed TLS will contain no reference to the name PolarSSL any more. So, also a/the next release of Hiawatha will no longer support earlier version of mbed TLS.
• The Hiawatha SSL library (not PolarSSL / mbed TLS itself) contained a memory leak, which occured when a client tried to connect with SSL3.0, while support for it was turned off or not included at all. For every 'No cypher overlap during SSL handshake.' in your system.log, there was a small leak. But when someone did a large amount of SSL3.0 connection attempts to your server, you could have problem. I therefor advice everyone to update to v9.12. The leak was by the way very easy to find via the XCode tool Instruments, which is an awesome tool!

Version 9.11 of the Hiawatha webserver has been released. This release brings the ChallengeClient option, which gives Hiawatha the ability to reduce the effects of a DDoS attack. This is done by checking if the client has a certain cookie set. If this is not the case for the first request within a connection, Hiawatha sends a 307 and this cookie (via a Set-Cookie HTTP header or a Javascript) back to the client. If the second request within a connection doesn't has this cookie, the client is banned. The idea is that normal browsers understand the 307 and the HTTP Set-Cookie header or the Javascript, but HTTP bots don't.

Please note that this although this option works from a technical point of view, it should be used with great care. Proper testing is strongly advised. Also note that this option should only be used when options like ConnectionsPerIP, ReconnectDelay and BanOnFlooding are insufficient.

Many thanks to Andrey Vasilev and Chris Wadge for all the testing and feedback.

The 9.10-rc1 release caused no trouble for anyone, so here is the final release. Nothing changed. Have fun with it!

The first release candidate of version 9.10 has been released. In this version some significant changes have been made. This requires careful testing, so please download it and help me to do the testing of the following changes.

• The code for calling the UrlToolkit and the reverse proxy have been swapped. This means that you can now specify an UrlToolkit rule which will be processed before using a reverse proxy. The Expire and UseFastCGI actions have no effect when using a reverse proxy.
• The syntax of the UrlToolkit has been changed a bit. Main change is the introduction of the 'Do' command, which unconditionally performs an action. The command 'Call' and 'Skip' can now only be used as a action for the 'Do' command. And several commands can now be used with extra actions. See config/toolkit.conf for a complete syntax overview. This change made the UrlToolkit code a bit more simple. Easier code means less chance of a bug which means less chance of a security issue.
• You can now ban misconducting clients who connect via a proxy specified via the HideProxy setting.
• When you specify multiple reverse proxies for a virtual host, Hiawatha will first look for a matching URL pattern for the reverse proxy with a scheme matching the scheme of the client connection. So, incoming HTTPS connections will be forwarded to a HTTPS reverse proxy when available and HTTP connections to a HTTP reverse proxy when available.

I'm looking forward to your feedback. Even if you didn't find any issue. The 9.10 release candidate can be found at the download page.