19 September 2019, 21:39

See the changelog for details.

4 October 2019, 23:09
Thanks for the maintenance update!
12 October 2019, 14:54
Thanks Hugo, was switched to an alternative Let's Encrypt script after the bundled one stopped working, great to have the original functionality back. Much appreciated!
15 October 2019, 04:37
Thank you so much hugo
19 October 2019, 00:28
Thanks a lot for sharing this update!
21 October 2019, 09:57
Thanks for this updates, really appreciate it.
27 October 2019, 01:02
Wow... an update. Will tell ${JOB - 3}. Thanks for the update
Josef Pospisil
9 November 2019, 23:30
Hello Hugo, i am loving endlessly hiawatha. And i am learning c programming at the moment and my aim will be to understand the code behind hiawatha because i just love it.
Please Hugo take into consideration to leave the forum open for people that need help...
And also have all the code on github that even people like my when i learn program could help you with hiawatha. That would be endlessly beautiful.

But i have a problem with getting hiawatha getting to work with fcgi and c++.

When i try to compile the c code under:


it tells me:

#/usr/bin/ld: fastcgi.c:(.text+0x3b): undefined reference to `FCGX_GetParam'
#/usr/bin/ld: fastcgi.c:(.text+0x66): undefined reference to `FCGX_FPrintF'

many times. And the link:


is not online anymore. And if i search for it i get:


and if i compile the:


the errors does not disappear.
Hugo Leisink
13 November 2019, 09:55
Did you use the -lfcgi option, as specified in the first line of fastcgi.c.txt?

Because Github was taken over by Microsoft, I moved all my projects to Gitlab. The new location of the 'FastCGI development kit' is https://gitlab.com/hsleisink/fcgi.
Chris Peachment
25 November 2019, 01:19
Hello Hugo:

I'm pleased to see you are continuing to work on Hiawatha. My two remote servers and my local machine will continue to use it.

I just downloaded version 10.10 and compiled it on Debian 10 (version number is coincidental). Debian is using an updated gcc:

$ gcc --version
gcc (Debian 8.3.0-6) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.

that has "improved" diagnostics which are now warning of possible string overflows of the form:

/home/chris/local/hiawatha-10.10/src/rproxy.c: In function ‘init_rproxy_module’:
/home/chris/local/hiawatha-10.10/src/rproxy.c:65:30: warning: ‘%s’ directive writing up to 32 bytes into a region of size 13 [-Wformat-overflow=]
char str[50], *format = "%s %s\r\n";

plus a couple of:

/home/chris/local/hiawatha-10.10/src/target.c: In function ‘execute_cgi’:
/home/chris/local/hiawatha-10.10/src/target.c:1221:24: warning: this statement may fall through [-Wimplicit-fallthrough=]
session->keep_alive = false;

I am an advocate of zero reports from the compiler rather than ignore warnings so these reports are "useful" even if annoying. My own work in C is filled with such reports, despite my general avoidance of strcpy/strcat in favour of the strncpy/strncat versions. I am gradually cleaning them up and you might do the same. Your code has fewer warnings than mine :-)


Hugo Leisink
25 November 2019, 09:20
Hi Chris. Thanks for your feedback. I try to write my code as warning-free as possible. But 100% warning-free is very hard, due to errors in the compiler checks. Both issues you mentioned are not errors in my code, but in the compiler checks. So, I can't fix them, because there is nothing to fix.
28 November 2019, 17:27
Thanks for the update.
The windows 10.10 version of Hiawatha does not seem to run because "cygcrypt-2.dll is missing".
I am not sure how many people use the windows version and I would understand you discontinue it if you have limited time. Personally I will decommission my windows server soon.
Hugo Leisink
28 November 2019, 21:53
Weird. cygcrypt-0.dll is included and needed. I don't know what goes wrong.
1 December 2019, 15:29
yes cygcrypt-0.dll is included, here it also asks for cygcrypt-2.dll
1 December 2019, 15:33
I suppose that this package is missing https://cygwin.com/packages/summary/libcrypt2.html
Hugo Leisink
2 December 2019, 09:13
My advice: download the source, install cygwin and run extra/make_windows_package.
6 December 2019, 01:47
Sure, and amending the line files="cygcrypt-0.dll cyggcc_s-1.dll cyggcc_s-seh-1.dll cygrunsrv.exe cygiconv-2.dll cygwin1.dll cygxml2-2.dll cygxslt-1.dll cygz.dll cyglzma-5.dll" in extra/make_windows_package to include the missing dll.
15 December 2019, 00:21
Hi Hugo, Would you consider replacing line 10 of logrotate.in by `/usr/bin/killall -HUP hiawatha || true` in order to avoid logrotate errors when hiawatha is not running? (For example when logrotate starts before hiawatha at boot time).

See my related bugreport here https://www.hiawatha-webserver.org/weblog/134
Hugo Leisink
15 December 2019, 12:56
Sure, will be there in the next release.
26 January 2020, 23:23
Note that Mbed TLS 2.16.4 has been released
Hugo Leisink
27 January 2020, 00:12
Yeah, I noticed. Seen the sloppiness in that release? The files inside the package still have 2.16.3 as the version. To me, mbed TLS is dead. I'm migrating back to OpenSSL.
2 February 2020, 20:45
I updated to version 10.10 and version 2.1 (latest) of the letsencrypt script. I had been using version 1. I've been unsuccessful in renewing my certificates and was wondering if letsencrypt changed again... It gives me "account not registered yet".

"Renewing certificate for example1.com.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
- Account not registered yet.
Renewing certificate for example2.com.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
- Account not registered yet.
Hugo Leisink
3 February 2020, 23:53
Have you tried registering your account? Read the manual page?
6 February 2020, 22:33
Yes... Been going around in circles. I figured I would check to make sure this wasn't it.
8 February 2020, 04:24
I think my problem may not have to do with hiawatha (10.10) but somewhere else in my box.

----[ Fri, 07 Feb 2020 21:52:20 -0500 ]--------------------
>>> Registering account.
GET /acme/new-nonce
Server response: array(3) {
["status"] => int(204)
["headers"] => array(8) {
["server"] => string(5) "nginx"
["date"] => string(29) "Sat, 08 Feb 2020 02:53:07 GMT"
["connection"] => string(5) "close"
["cache-control"] => string(27) "public, max-age=0, no-cache"
["link"] => string(60) "<https://acme-v02.api.letsencrypt.org/directory>;rel="index""
["replay-nonce"] => string(47) "0102dmV91EKRae9CklplHiPiVxk7ejbfWJSDYP4uNlyvK4I"
["x-frame-options"] => string(4) "DENY"
["strict-transport-security"] => string(14) "max-age=604800"
["body"] => string(0) ""
POST /acme/new-acct
Payload: array(2) {
["contact"] => array(1) {
[0] => string(30) "mailto:me@example.com"
["termsOfServiceAgreed"] => bool(true)
Server response: array(3) {
["status"] => int(415)
["headers"] => array(8) {
["server"] => string(5) "nginx"
["date"] => string(29) "Sat, 08 Feb 2020 02:53:07 GMT"
["content-type"] => string(24) "application/problem+json"
["content-length"] => string(3) "168"
["connection"] => string(5) "close"
["cache-control"] => string(27) "public, max-age=0, no-cache"
["link"] => string(60) "<https://acme-v02.api.letsencrypt.org/directory>;rel="index""
["replay-nonce"] => string(47) "01012n-gfCPrpdPO9jJ0ysyDxRcqqqOJh-3f7xUWr0u-9Wo"
["body"] => string(168) "{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"",
"status": 415
Hugo 2
10 February 2020, 01:37
Groetjes, nja, zekere beeter dat ik niet meer proberen in NL schrijven.

Anyway, As many said, thank you very much for all the years of hiawatha, was my default server on my servers until i took them down 2ish years ago. Want to put some back up, so came here. I read your blog about scaling down and about some 'serious security issue' found. Can someone please give me a link to this so I can audit what has been done, what state it might be in , and if I possibly can add some patching if necessary.

P.S. I have a clear feeling we have similar foundation of ideas and notions/principles but who knows. I had a list of 6 people in the entire world to join me on a project.. I should have kicked it off 4-5 years ago to be fair. Still can. Think it could and would grow to largest tech company on my continent. Anyway, of the 6 names, you are one of them.
Hugo Leisink
12 February 2020, 13:50
The 'serious security issue' has been fixed in the latest release, so don't worry about that. And thanks for your confidence in me.
15 February 2020, 13:05
Thank You, Hugo for continuing to do critical work on Hiawatha.

Any possibility for Hiawatha becoming community supported? I haven't programmed in C in decades so would not be a good contributor.
Hugo Leisink
15 February 2020, 20:20
Well, that depends on the community. But in the last 20 years, no one has every done any serious contribution to Hiawatha, so I don't think it will ever happen. Anyone with good OpenSSL skills is welcome.
20 February 2020, 14:15
Why not LibreSSL instead of OpenSSL?
Josef Pospisil
6 March 2020, 22:45
Hello Hugo, i am still struggling to setup hiawatha to use C and fcgi. The error message is FastCGI server fcgi is still (partially) unavailable... Would you please be that kind to publish a cool howto about how to setup hiawatha to work with fcgi. I am still so sad that i managed to work with fcgi only apache2. And there i struggle that the FCGI_stdio is not working. Means i cannot acces post data. Please would you be that kind to publish even how to write a fcgi application in detail. I am endlessly sure that many people would aperciate that and you would help the community.

thank you so much hugo! And keep on the great work!!
greetings Josef
Josef Pospisil
6 March 2020, 22:59
There are 100 of millions of web servers running on the internet and nowhere you can find a good explanation how to set up fcgi for a web server. Nor one can find a good explanation how to programm an fcgi application where steps like getting post data from a html form is explained... Since you know even how to programm an fcgi interface you could help endlessly the community. We all would apperciate a detailed explanation how to setup on hiawatha c and fcgi.
Hugo Leisink
12 March 2020, 10:19
All there is to know is described here.
25 April 2020, 17:48
There has been a few Mbed TLS releases which used to be the opportunity of new Hiawatha releases. Has the development been discontinued for good or shall we expect a new one later this year with OpenSSL?
Hugo Leisink
26 April 2020, 10:07
I usually don't release a new version, just to update mbed TLS. You can simply run ./mbedtls/upgrade in the source directory to manually upgrade mbed TLS and then recompile / rebuild.
Chris Wadge
26 April 2020, 15:12
@kewl, my Debian builds of Hiawatha track the current mbed TLS (currently 2.16.6). Feature releases are released as optional, bugfix / security releases in the main repository.
6 May 2020, 17:53
Thank you so much Hugo. I love Hiawatha and thank you for all you've done. I appreciate it very much!
9 May 2020, 16:08
@Chris I use Arch but well noted, thanks
Chris Wadge
12 May 2020, 16:52
@kewl If you're up for doing your own builds, Hugo's Hiawatha source includes a script to pull down an arbitrary version of Mbed TLS from upstream.
13 June 2020, 15:13
@Chris sure, thanks, then whether Mbed TLS will be replaced by OpenSSL in the next version is the big unknown