Hiawatha uses PolarSSL as its SSL/TLS implementation (the protocol commonly known as HTTPS). HTTPS is forced here by setting:

`RequireSSL = yes`

inside the VirtualHost section.

I think it activates Strict Transport Security (HSTS) with a max-age of 31536000 as well.

Another really cool feature by Hiawatha is the

`RandomHeader = 1000`

option, which has to be put into the VirtualHost section.

In the above case, it adds between 1 and 1000 bytes to the response headers.

This helps prevent attackers from guessing which file was requested based on the response length.

Hiawatha is the first web server I know of that implements such an ingenious technique.

HTTPS headers with RandomHeader activated (`curl -I https://solsocog.de`):

```
HTTP/1.1 200 OK
Date: Sun, 29 Jun 2014 07:20:11 GMT
Server: Hiawatha v9.6
Connection: keep-alive
X-Random: iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
```

As you can see, it adds an X-Random header, and it is indeed random. Here are some other X-Random headers from further requests:

```
X-Random: 77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777
X-Random: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
X-Random: 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
X-Random: PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
X-Random: 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
X-Random: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
X-Random: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
```

So the size of every HTTPS transfer differs, even if the page is the same. I like it a lot.
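To make the effect of the padding concrete, here is an added Python example (my own re-implementation of the RandomHeader idea, not Hiawatha's code). It generates a header in the same single-repeated-character format seen in the curl output above, and it models what an observer who only sees response sizes can still tell apart: two pages are only hidden from each other when their sizes differ by less than the padding range. The header name follows the output above; the character alphabet, the page names and their sizes are constructed assumptions.

```python
import secrets
import string

# Added example: a re-implementation of the RandomHeader idea in Python,
# not Hiawatha's own code. The header name and the single-repeated-
# character format follow the curl output in the article; the alphabet
# used to pick that character is an assumption.
ALPHABET = string.ascii_letters + string.digits


def random_header(max_bytes=1000):
    """Return an ('X-Random', value) pair whose value is 1..max_bytes copies
    of one randomly chosen character, so the header line length varies
    from response to response (RandomHeader = max_bytes)."""
    if max_bytes < 1:
        raise ValueError("max_bytes must be >= 1")
    length = secrets.randbelow(max_bytes) + 1  # uniform over [1, max_bytes]
    return ("X-Random", secrets.choice(ALPHABET) * length)


def padded_size_range(body_size, max_bytes=1000):
    """Smallest and largest total size an observer can see for one page.
    The constant 'X-Random: ' + CRLF overhead is the same for every page,
    so it is left out; only the variable part matters for the comparison."""
    return (body_size + 1, body_size + max_bytes)


def distinguishable_by_size(page_sizes, max_bytes=1000):
    """Return the pairs of pages an observer can still tell apart from a
    single response size: those whose padded size ranges never overlap.
    Pages whose sizes differ by less than max_bytes are no longer
    separable from one observation, which is the protection the
    RandomHeader option provides."""
    names = sorted(page_sizes, key=page_sizes.get)
    pairs = []
    for i, a in enumerate(names):
        lo_a, hi_a = padded_size_range(page_sizes[a], max_bytes)
        for b in names[i + 1:]:
            lo_b, hi_b = padded_size_range(page_sizes[b], max_bytes)
            if lo_b > hi_a:  # ranges do not overlap: size still identifies the page
                pairs.append((a, b))
    return pairs


# Constructed page sizes in bytes (not measured from any real site).
SAMPLE_PAGES = {"index.html": 4200, "login.html": 4350, "report.pdf": 9800}


if __name__ == "__main__":
    print(random_header())
    print("still distinguishable with RandomHeader = 1000:",
          distinguishable_by_size(SAMPLE_PAGES))
    print("still distinguishable with RandomHeader = 10000:",
          distinguishable_by_size(SAMPLE_PAGES, max_bytes=10000))
```

With `RandomHeader = 1000`, `index.html` and `login.html` (150 bytes apart) become indistinguishable from one response size, while `report.pdf` (more than 1000 bytes larger) does not. The padding is re-drawn for every response, so the protection holds per observation; choose the range relative to how far apart the sizes of the pages you want to hide actually are.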

The web server also uses TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (with forward secrecy, of course) by default!

The default Diffie-Hellman key size is 1024 bits; it can be increased up to 4096 by setting

`DHsize = 4096`

in the server's main configuration.

Let's compare the algorithms supported by PolarSSL with those of the more widely used SSL library, OpenSSL:

OpenSSL 1.0.1h

Ciphers

AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89[7]

Cryptographic hash functions

MD5, MD4, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94[7]

Public-key cryptography

RSA, DSA, Diffie–Hellman key exchange, Elliptic curve, GOST R 34.10-2001[7]

(Perfect forward secrecy is supported using elliptic curve Diffie–Hellman since version 1.0.[8])

PolarSSL 1.3.7

Ciphers

AES, Camellia, DES, RC4, RC5, Triple DES, XTEA, Blowfish

Cryptographic hash functions

MD5, MD2, MD4, SHA-1, SHA-2

Public-key cryptography

RSA, Diffie-Hellman key exchange, Elliptic curve cryptography (ECC), Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve DSA (ECDSA)

PolarSSL is neat because of its smaller footprint, especially in combination with Hiawatha, which adds some security to HTTPS as well.

Set

`MinSSLversion = TLS1.2`

if you want to support only the latest TLS version for maximum security; older clients can't visit your HTTPS page anymore, though.
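The settings discussed in this article (RequireSSL and RandomHeader per VirtualHost, DHsize and MinSSLversion in the main configuration) are easy to get wrong in one place and not another, so here is an added Python example of a small audit script that reads a Hiawatha-style configuration and flags the weaker choices. It is my own code, not part of Hiawatha. It assumes the `Key = value` line syntax and `VirtualHost { ... }` sections; the sample configuration is constructed, and the defaults it assumes when a key is absent (1024-bit DH as the article states, and TLS1.0 as the minimum version) are assumptions.

```python
# Added example: audit a Hiawatha-style configuration for the settings the
# article recommends. Not Hiawatha's code; the "Key = value" line syntax and
# "VirtualHost { ... }" sections are assumed.

# Constructed sample configuration (not a real deployment).
SAMPLE_CONFIG = """\
ServerId = www-data
DHsize = 1024
MinSSLversion = TLS1.0

VirtualHost {
    Hostname = example.invalid
    RequireSSL = yes
    RandomHeader = 1000
}

VirtualHost {
    Hostname = plain.example.invalid
}
"""

# Same sample with every finding below fixed.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("DHsize = 1024", "DHsize = 4096") \
    .replace("MinSSLversion = TLS1.0", "MinSSLversion = TLS1.2") \
    .replace("Hostname = plain.example.invalid",
             "Hostname = plain.example.invalid\n    RequireSSL = yes\n    RandomHeader = 1000")

# Ordering used to compare protocol versions; TLS1.3 is included so a newer
# setting is not mistaken for a weak one.
TLS_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}


def parse_config(text):
    """Return (main_settings, [vhost_settings, ...]) from Key = value lines.
    Lines before/outside any VirtualHost block belong to the main config."""
    main, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("VirtualHost") and line.endswith("{"):
            current = {}
            vhosts.append(current)
            continue
        if line == "}":
            current = None
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (main if current is None else current)[key] = value
    return main, vhosts


def audit(text):
    """Return a list of human-readable findings; empty means nothing to fix."""
    main, vhosts = parse_config(text)
    findings = []

    dh = int(main.get("DHsize", "1024"))  # assumed default: 1024 bits, as the article states
    if dh < 2048:
        findings.append(f"DHsize={dh}: raise to at least 2048 (maximum 4096)")

    min_tls = main.get("MinSSLversion", "TLS1.0")  # assumed default when unset
    if TLS_ORDER.get(min_tls, -1) < TLS_ORDER["TLS1.2"]:
        findings.append(f"MinSSLversion={min_tls}: set TLS1.2")

    for vh in vhosts:
        name = vh.get("Hostname", "<no Hostname>")
        if vh.get("RequireSSL", "no").lower() != "yes":
            findings.append(f"{name}: RequireSSL is not 'yes', plain HTTP is still served")
        if "RandomHeader" not in vh:
            findings.append(f"{name}: RandomHeader not set, response sizes identify pages")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against your own `hiawatha.conf` by passing its contents to `audit()`; an empty list means the four settings match what this article recommends. Section handling is deliberately minimal (no nested blocks), which is enough for the keys checked here.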

From my Hiawatha article series

Just a heads-up, and I know the age of this article makes this necroposting, but it looks like your header.solsocog.de sub has an invalid cert along with HSTS. Thus, it is pretty severely broken. You might consider moving to Let's Encrypt for little stub domains like that. 😉

All the best,

-C

Thank you for noticing me. Actually I forgot to A. renew hiawatha.be (now on sale for 999€) and B. switched to nginx for flawless cloudflare integration. But now that I’ve dropped cf I might reconsider using hiawatha again.