Weblog

Chris Wadge has used the slowhttptest tool to see how well several (untuned) webservers are handling the slowloris attack. The results are quite interesting. I'll let them speak for themselves.

It's all about the green line and the required time to deal with the bad requests. It shows that Hiawatha stays available for other clients while under attack from one. In other words, if you want sleep well at night knowing that your websites are online even while under attack, go for Hiawatha!

For quite some time, a particular person is having a problem with the logo of the Hiawatha webserver, and the one of the Cherokee webserver. Both have a happy little Indian kid for a logo, but for some reason this person sees it as an insult to the Indian people. I've always withhold myself from interfering with this nonsense discussion, but for once I had to respond. Hope this humbug ends soon.

Version 1.3.3 of the PolarSSL library has been released. Hiawatha comes with a script for easy upgrading of PolarSSL. After unpacking the Hiawatha source tarball, use

./polarssl/upgrade 1.3.3

to upgrade PolarSSL to the 1.3.3 version. Of course, don't forget to recompile Hiawatha. :)

It turned out that the issue with PolarSSL 1.3 in the rc0 release was because how PolarSSL 1.3 was compiled by Hiawatha, which is a bit different that with PolarSSL 1.2. This has been fixed in the rc1 release. I've also included keep-alive connections for the reverse proxy in Hiawatha.

Please, test this 9.3-rc1 release and inform me about any issues. If no issues are reported before next sunday, I will then release 9.3

Update (15 oct 2013):
PolarSSL 1.3.1 has been released. To use this new SSL library, go to the directory polarssl inside the source package and run './upgrade 1.3.1'

Second update (19 oct 2013):
There still is a bug in PolarSSL, so no Hiawatha release this weekend.