20 May 2015, 09:16

Several weaknesses have been discovered in how Diffie-Hellman key exchange is being deployed in many servers and clients. Good thing to know is that with the default settings, the Hiawatha webserver is not vulnerable. Make sure you didn't set the DHsize setting to a lower value than its default value of 2048. For future releases, I will make 2048 the minimum value.

You can use this webpage to test whether your server is vulnerable or not.

26 May 2015, 21:44
And Hiawatha was secure like always
Chrisian W
27 May 2015, 15:42
Hallo Hugo,

very good! Short question: Where does Hiawatha takes its DH-parameter? Are they precomputed and hardcoded? Can I generate my own set DH-group and use it with Hiawatha?

Hugo Leisink
27 May 2015, 15:43
Precomputed and hardcoded. You can find them in src/tls.c Yes, you can use your own DH parameters, but that means changing the code and recompilation of Hiawatha.
Christian W
27 May 2015, 16:23
Thanks for the fast reply.
Code change and recompilation is perfectly fine!
3 June 2015, 16:16
Might as well skip 2048 and go to 4096. Just how I use SHA-512 for pretty much everything these days instead of 256. It's gonna happen, it's not that computationally expension, might as well do it now.
19 September 2016, 13:06
Hi @hugo, Please look into how dhparams could be read from a config file instead of being hardcoded. Replacing DH-params should be standard practice these days and thus should be made easy.
Hugo Leisink
19 September 2016, 13:13
There is no real need [security.stackexchange.com] to change them.