Weblog

Hiawatha 9.1 has been released

15 April 2013, 18:28

This release brings two interesting new security features:

  • Ciphersuite selection based on protocol: A while ago, a vulnerability called BEAST was discovered in the CBC ciphersuites of SSL3.0 and TLS1.0. Many experts advised to use RC4 instead. However, a vulnerability was recently also discovered in RC4. The best solution is to switch to TLS1.1 with CBC ciphers, but that will cause problems for many users, because Firefox still doesn't support TLS1.1 and in Opera and Internet Explorer support for TLS1.1 is disabled by default.

    What to do then? Many believe that using RC4 is still the best choice when using TLS1.0. However, using RC4 gives TLS1.1 and TLS1.2 users lower security than CBC ciphers would, while using CBC ciphers leaves TLS1.0 users vulnerable to the BEAST attack. Hiawatha has the best answer, thanks to PolarSSL: it will use RC4 for SSL3.0 and TLS1.0, CBC ciphers for TLS1.1, and GCM or CBC ciphers for TLS1.2. As far as I know, no other SSL library, and therefore no other webserver, can offer this solution.
  • Protection against uploaded malware: Via the new FileHashes option, you can specify a list of files together with the hash of their contents. Before serving a file, Hiawatha compares the hash of that file with the one in the list. If the hash doesn't match, or the file is not listed at all, access is denied. This protects against unauthorized modification of existing files and against serving files that were uploaded without authorization.
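As an added illustration of the kind of check the FileHashes option performs (this is not Hiawatha's code; the manifest format, the function names and the choice of sha256 are assumptions made for the example), here is a hash allow-list in Python: a deploy-time manifest of path to digest, and a serve() that refuses anything unlisted or changed. The file is read once and the bytes that were hashed are the bytes returned, so a rewrite between the check and the read cannot slip through.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: sha256; the release note does not say which digest Hiawatha uses.
HASH_ALGO = "sha256"


def hash_bytes(data: bytes) -> str:
    """Hex digest of a byte string with the configured algorithm."""
    return hashlib.new(HASH_ALGO, data).hexdigest()


def build_manifest(docroot: str) -> dict:
    """Record the digest of every regular file below docroot
    (relative POSIX path -> hex digest). Run this at deploy time on a
    trusted copy of the site; it plays the role of the FileHashes list."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hash_bytes(fh.read())
    return manifest


def serve(docroot: str, rel_path: str, manifest: dict):
    """Return (status, body) for one request.

    403 for an unlisted path or a content mismatch, 404 if a listed file
    is gone, 200 with the bytes otherwise. The file is read exactly once
    and the bytes that were hashed are the bytes served, so there is no
    window for a rewrite between the check and the read (TOCTOU)."""
    expected = manifest.get(rel_path)
    if expected is None:
        return 403, b""  # never in the manifest, e.g. a fresh upload
    try:
        with open(os.path.join(docroot, rel_path), "rb") as fh:
            data = fh.read()
    except OSError:
        return 404, b""
    if not hmac.compare_digest(hash_bytes(data), expected):
        return 403, b""  # listed, but modified on disk: refuse it
    return 200, data


def demo() -> dict:
    """Constructed scenario (sample data, not from a real site): a trusted
    deploy, then a tampered page, an unlisted upload and a deleted file.
    Returns the status observed for each request."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<h1>hello</h1>\n")
        with open(os.path.join(root, "css", "site.css"), "wb") as fh:
            fh.write(b"body { margin: 0 }\n")
        manifest = build_manifest(root)

        results = {"clean": serve(root, "index.html", manifest)[0],
                   "nested": serve(root, "css/site.css", manifest)[0]}

        # A compromised CGI script appends to an existing, listed page.
        with open(os.path.join(root, "index.html"), "ab") as fh:
            fh.write(b"<script src=\"//example.invalid/x.js\"></script>\n")
        results["tampered"] = serve(root, "index.html", manifest)[0]

        # An attacker drops a new file that was never in the manifest.
        with open(os.path.join(root, "upload.php"), "wb") as fh:
            fh.write(b"<?php /* constructed placeholder */ ?>\n")
        results["unlisted"] = serve(root, "upload.php", manifest)[0]

        # A listed file disappears.
        os.remove(os.path.join(root, "css", "site.css"))
        results["deleted"] = serve(root, "css/site.css", manifest)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() exercises all four outcomes. The practical consequence of such a check is that every authorized change to the site (a deploy, an edited page) must be followed by regenerating the list, and anything a legitimate upload directory is supposed to serve has to be left out of the check, otherwise it is denied just like an attacker's upload.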
Tags: release
by Hugo Leisink

Hiawatha 9.0 has been released

28 March 2013, 12:34

I proudly present to you version 9.0 of the Hiawatha webserver. This release handles clients via a thread pool instead of creating a new thread for every connection. The performance increase is between 1% and 10%, depending on whether the client supports keep-alive connections or not.

Also, the URL Toolkit has been improved. It now has a Header option, and in several cases negative pattern matching can be done (perform the action when the pattern does not match). A complete and easy overview of all URL Toolkit commands can be found in the manual page and in the file config/toolkit.conf inside the source package.

Tags: release
by Hugo Leisink

Hiawatha 9.0 beta

18 March 2013, 19:28

The first beta of Hiawatha 9.0 has been released. The biggest change in this release is the use of a thread pool instead of creating a new thread every time a client connects. Please test this new feature for me and let me know what you think of it.

A thing that will be implemented for the next beta is a configurable default thread pool size, which is now hard-coded in src/workers.c.

Hiawatha 9.0-beta can be downloaded via the download page.

Updates:
Beta 2: This one includes a thread pool manager, and the thread pool size can be set via the configuration file.
Beta 3: The Header option has been added to the UrlToolkit. The DenyBot and OldBrowser options have been removed.
Beta 4: Wigwam has improved UrlToolkit testing: the Referer and User-Agent HTTP headers can be supplied via environment variables.

Tags: release
by Hugo Leisink

Bug in Hiawatha

5 March 2013, 15:36

I found a bug in Hiawatha which can lead to a server crash when using Tomahawk. The bug is in hiawatha.c at line 1894: the last "pollfd*" should be just "pollfd". With the asterisk, sizeof() yields the size of a pointer instead of the size of a struct pollfd, so on platforms where a pointer is smaller than a struct pollfd the array allocated for poll() is too small for the entries that are later written into it. The corrected line reads:

if ((poll_data = (struct pollfd*)malloc((number_of_bindings + MAX_ADMIN_CONNECTIONS) * sizeof(struct pollfd))) == NULL) {

This issue has been fixed in version 8.8.1, which has just been released. The Windows and MacOS X packages are coming soon.

Tags: bug
by Hugo Leisink

PolarSSL patch

26 February 2013, 14:37

The current version of PolarSSL has session caching capabilities, but unfortunately the peer SSL certificate (in case of client SSL authentication) is not included in this cache. This causes Hiawatha to lose the information about the peer's SSL certificate when new connections resume an existing SSL session.

I've written a patch for PolarSSL which fixes this issue. With this patch, CGI applications will always have the right information about the client SSL certificate that was used for the SSL authentication process, also on resumed sessions.

This patch has of course also been sent to the PolarSSL developer. He is aware of the issue and has placed it on his todo list.

Write the patch to a file (for example cache_peer_cert.diff), go to the polarssl directory inside the Hiawatha source and apply the patch via: patch -p1 < cache_peer_cert.diff

diff -ru polar/include/polarssl/ssl_cache.h polarssl/include/polarssl/ssl_cache.h
--- polar/include/polarssl/ssl_cache.h  2013-02-02 19:23:57.000000000 +0100
+++ polarssl/include/polarssl/ssl_cache.h       2013-02-24 19:03:51.337337050 +0100
@@ -46,6 +46,7 @@
 {
     time_t timestamp;           /*!< entry timestamp    */
     ssl_session session;        /*!< entry session      */
+    x509_buf peer_cert;         /*!< entry peer_cert    */
     ssl_cache_entry *next;      /*!< chain pointer      */
 };
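Review bot: the new `peer_cert` member holds a heap-allocated copy of the certificate that the cache itself must free, but the comment `/*!< entry peer_cert */` says nothing about that ownership. Suggest stating it, e.g. `/*!< DER copy of the peer certificate, owned and freed by the cache */`, and noting that the `peer_cert` pointer inside `session` is kept NULL for cached entries, so readers of the struct know which of the two fields is authoritative.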

diff -ru polar/library/ssl_cache.c polarssl/library/ssl_cache.c
--- polar/library/ssl_cache.c   2013-02-02 19:23:57.000000000 +0100
+++ polarssl/library/ssl_cache.c        2013-02-24 19:30:04.333337079 +0100
@@ -71,6 +71,27 @@
             continue;

         memcpy( session->master, entry->session.master, 48 );
+
+        /*
+         * Restore peer certificate
+         */
+        if( entry->peer_cert.p != NULL )
+        {
+            session->peer_cert = ( x509_cert* )malloc( sizeof( x509_cert ) );
+            if( session->peer_cert == NULL )
+                return( 1 );
+
+            memset( session->peer_cert, 0, sizeof( x509_cert ) );
+            if( x509parse_crt(session->peer_cert, entry->peer_cert.p, entry->peer_cert.len) != 0 )
+            {
+                free( session->peer_cert );
+                session->peer_cert = NULL;
+                return( 1 );
+            }
+
+            session->peer_cert->next = NULL;
+        }
+
         return( 0 );
     }
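Review bot: both failure paths in the restore block (`malloc` returning NULL and `x509parse_crt` failing) return 1 after `session->master` has already been copied from the entry, so the caller gets an error together with a partially restored session. Either move the certificate restore before `memcpy( session->master, entry->session.master, 48 );` or clear the master secret again before returning, so a failed lookup leaves `session` in the same state as a cache miss. Two smaller points: `session->peer_cert->next = NULL;` is redundant after the `memset`, and if `session->peer_cert` is already non-NULL on entry the old certificate is overwritten without being freed, so either free it first or assert it is NULL at the top of the block.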

@@ -120,6 +140,8 @@
         {
             cur = old;
             memset( &cur->session, 0, sizeof( ssl_session ) );
+            if( cur->peer_cert.p != NULL )
+                free(cur->peer_cert.p);
         }
         else
         {
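Review bot: when the oldest entry is reused, `cur->peer_cert.p` is freed here but left dangling; it only becomes NULL through the assignment further down, after the `else` branch rejoins. That works as long as the later assignment stays, but `cur->peer_cert.p = NULL; cur->peer_cert.len = 0;` directly after the `free()` would keep the entry consistent within this block instead of depending on code some twenty lines away. `free( NULL )` is a no-op, so the NULL check is not needed.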
@@ -135,14 +157,31 @@
                 prv->next = cur;
         }

+        cur->peer_cert.p = NULL;
+        cur->peer_cert.len = 0;
+
         cur->timestamp = t;
     }

     memcpy( &cur->session, session, sizeof( ssl_session ) );
-
-    // Do not include peer_cert in cache entry
-    //
-    cur->session.peer_cert = NULL;
+
+    /*
+     * Store peer certificate
+     */
+    if( session->peer_cert != NULL )
+    {
+        cur->peer_cert.p = ( unsigned char* )malloc( session->peer_cert->raw.len );
+        if( cur->peer_cert.p == NULL )
+            return( 1 );
+
+        memcpy( cur->peer_cert.p, session->peer_cert->raw.p, session->peer_cert->raw.len );
+               cur->peer_cert.len = session->peer_cert->raw.len;
+
+        cur->session.peer_cert = NULL;
+    } else {
+        cur->peer_cert.p = NULL;
+        cur->peer_cert.len = 0;
+    }

     return( 0 );
 }
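Review bot: the store block leaks in one case and leaves a dangling pointer in another. (1) When `cur` was found in the chain (a client reconnecting with a known session id), the entry's existing `cur->peer_cert.p` is neither freed before the new `malloc` nor before the `else` branch sets it to NULL; free it first. (2) If `malloc` fails, the function returns 1 after `memcpy( &cur->session, session, sizeof( ssl_session ) );` has copied the caller's `peer_cert` pointer into the cache entry, while `cur->session.peer_cert = NULL;` only runs on the success path. The entry then points at a certificate owned by the live session, which `ssl_session_free` in `ssl_cache_free` will free a second time. Put `cur->session.peer_cert = NULL;` unconditionally right after the `memcpy`, where the removed lines had it. (3) Style: `cur->peer_cert.len = session->peer_cert->raw.len;` carries a stray tab, and `} else {` breaks the Allman brace style used everywhere else in the file.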
@@ -173,6 +212,10 @@
         cur = cur->next;

         ssl_session_free( &prv->session );
+
+        if( prv->peer_cert.p != NULL)
+            free( prv->peer_cert.p );
+
         free( prv );
     }
 }
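Review bot: correct as far as it goes; the NULL check before `free( prv->peer_cert.p )` is redundant because `free( NULL )` is a no-op, and this is the third place in the patch (after the reuse path and the store path) that frees or resets `peer_cert`. A small static helper, e.g. `ssl_cache_entry_free_cert( ssl_cache_entry *e )`, that frees `p` and zeroes `p` and `len` would keep the three sites consistent and make the missing reset in the reuse path impossible.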
Tags: bug, SSL
by Hugo Leisink