27 January 2012, 12:06

I'm proud to present version 8.0 of the Hiawatha webserver. In this new major release, Autoconf has been replaced with CMake. The source tarball has been reorganized and the build system with CMake is much easier to maintain for me.

Another big change is that OpenSSL has been replaced with PolarSSL. Unlike OpenSSL, PolarSSL is well documented and easy to learn. Hiawatha's SSL library is much cleaner and simpler due to PolarSSL. No more dirty callback stuff to make it work. It's now more likely that a future release has SNI support.

Don't forget to read the ChangeLog before you upgrade to this release and please let me know what you think of it.

Martin Tournoij
27 January 2012, 21:50
Thank you for your hard work Hugo! And congratulations to the little Indian guy for his tenth anniversary!

In an earlier post you mentioned a potential problem with PolarSSL, the SSL handshake option doesn't have a timeout value, allowing a potential denial-of-service problem. I looked at this problem back then, and could easily let a connection "hang".

I took a peek at the source, and concluded it would take more than a few minutes to fix it ... I added it to my long "maybe I should look into that someday list", but (as usual) I never did (The code did look pretty clean by the way!)

Has this problem been resolved? I looked at PolarSSL 1.0 (IIRC), I see the latest version is 1.1.1

Also, do you have plans to maintain the 7.x branch for security/serious bugfixes? While I hold no love for OpenSSL, it *does* have widespread usage, which means it has *some* degree of stability. PolarSSL is still fairly new, and I'd prefer to wait a bit before upgrading to the new hiawatha version on my live server...

Hugo Leisink
27 January 2012, 22:05
The fixes in PolarSSL 1.1.1 are not relevant for Hiawatha, but thanks for letting me know.

PolarSSL based applications can indeed be DoS-ed if no measures are taken. But with PolarSSL it was much easier to create a workaround for this than with OpenSSL. OpenSSL is suffering from the same issue btw. With version 8.0, Hiawatha should no longer be vulnerable for a DoS attack via an incomplete SSL handshake. But you are of course welcome to test it yourself.

If a security issue has been found in 7.x, I will only release a fix for it if someone requests one. Otherwise, it will only be fixed in a 8.x release.
Chris Wadge
27 January 2012, 22:13
Nice release, PolarSSL is a welcome replacement as far as I'm concerned. The Debian packages have been updated to the latest public release:


Note that starting with version 8, these packages are built against Debian "Squeeze", since Lenny is now EOL. They may or may not work on Ubuntu, but that has not been tested by me, so your mileage may vary.

29 January 2012, 17:25
Wow thanks. Best webserver Pls don't add new features, it is perfect.
Kurt Marasco
5 February 2012, 08:34
Thanks for all of your work Hugo. I just made 8.0 available in the Arch Linux AUR.

I was wondering if there is a way to have Hiawatha use an existing shared Polarssl library rather than building a new Polarssl library with Hiawatha.
Hugo Leisink
5 February 2012, 08:55
Thanks Kurt. The reason why I include PolarSSL is because not every distro does have PolarSSL or at least not the latest release. And I also have no idea how to detect if the latest version of PolarSSL is installed. To make it as easy as possible for the user, I included PolarSSL. Maybe in a later release of Hiawatha, but for now I stick with including PolarSSL in Hiawatha.
Kurt Marasco
5 February 2012, 21:45
Thanks, that's probably the best path for now, as Polar SSL is pretty new.

Curiously, how is detecting Polarssl different from detecting openssl? Is it just a cmake issue that is unfamiliar?

I might like to hack a bit if you can give me a clue.

Hugo Leisink
5 February 2012, 22:08
With CMake, I don't detect PolarSSL, because it is shipped with Hiawatha. However, detecting PolarSSL isn't any different from detecting any other library. Just check for the existence of a function in that library. Take a look at the "Compiler options" section starting at line 52 in CMakeLists.txt.
Kurt Marasco
5 February 2012, 23:48
Will do. Thanks