After every release, I always think: what's next? But somehow, there is always something to improve or fix. This new release of the Hiawatha webserver contains two main changes.
- First, Hiawatha now uses mbed TLS instead of PolarSSL. What, a new SSL library? No, PolarSSL has been acquired by ARM, so PolarSSL has been rebranded as mbed TLS. The effect of this name change is that Hiawatha can no longer support earlier versions of PolarSSL, because several changes has been done to the code. mbed TLS 1.3.10 uses both polarssl and mbedtls in the code (quite confusing), but a/the next release of mbed TLS will contain no reference to the name PolarSSL any more. So, also a/the next release of Hiawatha will no longer support earlier version of mbed TLS.
- The Hiawatha SSL library (not PolarSSL / mbed TLS itself) contained a memory leak, which occured when a client tried to connect with SSL3.0, while support for it was turned off or not included at all. For every 'No cypher overlap during SSL handshake.' in your system.log, there was a small leak. But when someone did a large amount of SSL3.0 connection attempts to your server, you could have problem. I therefor advice everyone to update to v9.12. The leak was, by the way, very easy to find via the XCode tool Instruments, which is an awesome tool!