Weblog

27 January 2012, 12:06

I'm proud to present version 8.0 of the Hiawatha webserver. In this new major release, Autoconf has been replaced with CMake. The source tarball has been reorganized, and the CMake build system is much easier for me to maintain.

Another big change is that OpenSSL has been replaced with PolarSSL. Unlike OpenSSL, PolarSSL is well documented and easy to learn. Hiawatha's SSL layer is much cleaner and simpler thanks to PolarSSL: no more dirty callback tricks to make it work. It is now more likely that a future release will have SNI support.

Don't forget to read the ChangeLog before you upgrade to this release and please let me know what you think of it.

Martin Tournoij
27 January 2012, 21:50
Thank you for your hard work Hugo! And congratulations to the little Indian guy for his tenth anniversary!

In an earlier post you mentioned a potential problem with PolarSSL, the SSL handshake option doesn't have a timeout value, allowing a potential denial-of-service problem. I looked at this problem back then, and could easily let a connection "hang".

I took a peek at the source, and concluded it would take more than a few minutes to fix it ... I added it to my long "maybe I should look into that someday" list, but (as usual) I never did. (The code did look pretty clean, by the way!)

Has this problem been resolved? I looked at PolarSSL 1.0 (IIRC); I see the latest version is 1.1.1.

Also, do you have plans to maintain the 7.x branch for security/serious bugfixes? While I hold no love for OpenSSL, it *does* have widespread usage, which means it has *some* degree of stability. PolarSSL is still fairly new, and I'd prefer to wait a bit before upgrading to the new Hiawatha version on my live server...

Thanks!
Martin
Hugo Leisink
27 January 2012, 22:05
The fixes in PolarSSL 1.1.1 are not relevant for Hiawatha, but thanks for letting me know.

PolarSSL-based applications can indeed be DoS-ed if no measures are taken. But with PolarSSL it was much easier to create a workaround for this than with OpenSSL. OpenSSL is suffering from the same issue, btw. With version 8.0, Hiawatha should no longer be vulnerable to a DoS attack via an incomplete SSL handshake. But you are of course welcome to test it yourself.

If a security issue has been found in 7.x, I will only release a fix for it if someone requests one. Otherwise, it will only be fixed in an 8.x release.
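The kind of measure Hugo refers to above, as an added example that is not Hiawatha's or PolarSSL's code: before the accepted socket is handed to the TLS library, wait a bounded time for the client to send anything at all, and put a socket-level deadline on every blocking read and write the library then performs, so that a client which connects and stays silent, or sends a partial ClientHello and then stalls, is dropped instead of pinning a worker. The socketpair scenarios, the 5-byte record-header read standing in for the library's handshake, and all function names are constructed for this demo; a real server would apply the same two steps to an accepted TCP socket right before calling the library's handshake routine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum hs_wait { HS_READY = 0, HS_TIMEOUT = 1, HS_ERROR = 2 };

/* Step 1: before the TLS library sees the socket, wait at most timeout_ms
 * for the client to send anything. A client that connects and stays silent
 * never reaches the handshake code. On EINTR the wait is restarted with the
 * full timeout, so a signal can lengthen it by at most one extra period. */
enum hs_wait wait_for_client_hello(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    for (;;) {
        int r = poll(&pfd, 1, timeout_ms);
        if (r > 0)
            return (pfd.revents & (POLLIN | POLLHUP)) ? HS_READY : HS_ERROR;
        if (r == 0)
            return HS_TIMEOUT;
        if (errno != EINTR)
            return HS_ERROR;
    }
}

/* Step 2: bound every blocking read and write done during the handshake, so
 * a client that sends part of its ClientHello and then stalls cannot hold
 * the worker either. Applies to the library's own reads, not just ours. */
int set_handshake_deadline(int fd, int timeout_ms)
{
    struct timeval tv;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) < 0)
        return -1;
    return 0;
}

/* Stand-in for the library's handshake read: pull exactly `need` bytes (here
 * the 5-byte TLS record header) and map an expired SO_RCVTIMEO to HS_TIMEOUT
 * instead of blocking forever. */
enum hs_wait read_handshake_bytes(int fd, unsigned char *buf, size_t need)
{
    size_t got = 0;
    while (got < need) {
        ssize_t n = recv(fd, buf + got, need - got, 0);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0)
            return HS_ERROR;                 /* peer closed mid-handshake */
        else if (errno == EAGAIN || errno == EWOULDBLOCK)
            return HS_TIMEOUT;               /* socket deadline expired */
        else if (errno != EINTR)
            return HS_ERROR;
    }
    return HS_READY;
}

/* One constructed scenario over a socketpair: sv[1] plays the client, which
 * sends `len` bytes and then goes quiet; sv[0] is the server side. */
static enum hs_wait run_scenario(const unsigned char *client_bytes, size_t len, int timeout_ms)
{
    int sv[2];
    unsigned char hdr[5];
    enum hs_wait r = HS_ERROR;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return HS_ERROR;
    if (len > 0 && write(sv[1], client_bytes, len) != (ssize_t)len)
        goto out;
    if (set_handshake_deadline(sv[0], timeout_ms) < 0)
        goto out;
    r = wait_for_client_hello(sv[0], timeout_ms);
    if (r == HS_READY)
        r = read_handshake_bytes(sv[0], hdr, sizeof hdr);
out:
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Constructed inputs, not captured traffic: a handshake record header for
 * TLS 1.0 announcing 47 bytes of payload, and the first two bytes of one. */
static const unsigned char FULL_HEADER[5]    = { 0x16, 0x03, 0x01, 0x00, 0x2f };
static const unsigned char PARTIAL_HEADER[2] = { 0x16, 0x03 };

enum hs_wait demo_silent_client(int timeout_ms)  { return run_scenario(NULL, 0, timeout_ms); }
enum hs_wait demo_stalled_client(int timeout_ms) { return run_scenario(PARTIAL_HEADER, sizeof PARTIAL_HEADER, timeout_ms); }
enum hs_wait demo_prompt_client(int timeout_ms)  { return run_scenario(FULL_HEADER, sizeof FULL_HEADER, timeout_ms); }

int main(void)
{
    static const char *names[] = { "ready", "timeout", "error" };
    printf("silent client:  %s\n", names[demo_silent_client(200)]);
    printf("stalled client: %s\n", names[demo_stalled_client(200)]);
    printf("prompt client:  %s\n", names[demo_prompt_client(200)]);
    return 0;
}
```

Note the caveat: SO_RCVTIMEO bounds each individual blocking call, not the handshake as a whole, so a client that trickles one byte per period can still stretch the handshake out. A wall-clock deadline checked around the whole handshake (or the server's existing per-connection timeout) is needed to close that gap.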
Chris Wadge
27 January 2012, 22:13
Nice release, PolarSSL is a welcome replacement as far as I'm concerned. The Debian packages have been updated to the latest public release:

http://files.tuxhelp.org/hiawatha/

Note that starting with version 8, these packages are built against Debian "Squeeze", since Lenny is now EOL. They may or may not work on Ubuntu, but that has not been tested by me, so your mileage may vary.

-Chris
Deepthinker
29 January 2012, 17:25
Wow, thanks. Best webserver. Please don't add new features, it is perfect.
Kurt Marasco
5 February 2012, 08:34
Thanks for all of your work Hugo. I just made 8.0 available in the Arch Linux AUR.

I was wondering if there is a way to have Hiawatha use an existing shared PolarSSL library rather than building a new PolarSSL library with Hiawatha.
Hugo Leisink
5 February 2012, 08:55
Thanks Kurt. The reason why I include PolarSSL is because not every distro has PolarSSL, or at least not the latest release. And I also have no idea how to detect if the latest version of PolarSSL is installed. To make it as easy as possible for the user, I included PolarSSL. Maybe in a later release of Hiawatha, but for now I stick with including PolarSSL in Hiawatha.
Kurt Marasco
5 February 2012, 21:45
Thanks, that's probably the best path for now, as PolarSSL is pretty new.

Curiously, how is detecting PolarSSL different from detecting OpenSSL? Is it just a CMake issue that is unfamiliar?

I might like to hack a bit if you can give me a clue.

Hugo Leisink
5 February 2012, 22:08
With CMake, I don't detect PolarSSL, because it is shipped with Hiawatha. However, detecting PolarSSL isn't any different from detecting any other library. Just check for the existence of a function in that library. Take a look at the "Compiler options" section starting at line 52 in CMakeLists.txt.
Kurt Marasco
5 February 2012, 23:48
Will do. Thanks