Weblog

Yesterday, the whole internet was talking about heartbleed, a nasty bug in OpenSSL. This bug allows an attacker to remotely steal information, including the private key being used, from the memory of your server without leaving a trace.

Users of the Hiawatha webserver can relax, you are all safe. Thanks to PolarSSL. The bug in OpenSSL was introduced in March 2012 and Hiawatha switched to PolarSSL in january 2012. So, although a bit of luck is involved, Hiawatha didn't let you down when it comes to security. Once again.

Chris Wadge has used the slowhttptest tool to see how well several (untuned) webservers are handling the slowloris attack. The results are quite interesting. I'll let them speak for themselves.

It's all about the green line and the required time to deal with the bad requests. It shows that Hiawatha stays available for other clients while under attack from one. In other words, if you want sleep well at night knowing that your websites are online even while under attack, go for Hiawatha!

Cherokee crash

The Cherokee webserver was also tested. But because it crashed out of the box during the test, it didn't meet the tester's 'untuned' criteria, which was used for all of the other webservers featured.

For quite some time, a particular person is having a problem with the logo of the Hiawatha webserver, and the one of the Cherokee webserver. Both have a happy little Indian kid for a logo, but for some reason this person sees it as an insult to the Indian people. I've always withhold myself from interfering with this nonsense discussion, but for once I had to respond. Hope this humbug ends soon.

Version 1.3.3 of the PolarSSL library has been released. Hiawatha comes with a script for easy upgrading of PolarSSL. After unpacking the Hiawatha source tarball, use

./polarssl/upgrade 1.3.3

to upgrade PolarSSL to the 1.3.3 version. Of course, don't forget to recompile Hiawatha. :)