Hiawatha: PolarSSL Advantage

Hiawatha is using PolarSSL for SSL/TLS implemention known commonly as https, which is forced to be used here by setting:
RequireSSL = yes
inside the VirtualHost section.
I think it activates Strict Transport Security (HSTS) with max-age of 31536000 aswell.
Another really cool feature by Hiawatha is the
RandomHeader = 1000
option, which has to be put into the VirtualHost section.
In the above case, it adds between 1 and 1000 Bytes of Header Response.
This helps prevent attackers from guessing what file was requested based on the response length.

Hiawatha is the first webserver I know of, that implements such genious technique.

HTTPS Header when RandomHeader activated:
curl -I https://solsocog.de
HTTP/1.1 200 OK
Date: Sun, 29 Jun 2014 07:20:11 GMT
Server: Hiawatha v9.6
Connection: keep-alive
X-Random: iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked

as you see it adds X-Random, it is indeed random, here are some other X-Random headers
X-Random: 77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777
X-Random: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
X-Random: 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
X-Random: PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
X-Random: 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
X-Random: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
X-Random: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj

So every https transfer size differs, even if the page is the same. I like it a lot.

The webserver also uses TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(with Forward Secrecy of course) by default!
1024Bit is the default Diffie-Hellman Keysize, it can be increased up to 4096 by setting
DHsize = 4096
into the servers main configuration.

Lets compare the ciphers of PolarSSL to the more often used SSL Library,
OpenSSL 1.0.1h

Ciphers
AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89[7]
Cryptographic hash functions
MD5, MD4, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94[7]
Public-key cryptography
RSA, DSA, Diffie–Hellman key exchange, Elliptic curve, GOST R 34.10-2001[7]

(Perfect forward secrecy is supported using elliptic curve Diffie–Hellman since version 1.0.[8])

PolarSSL 1.3.7

Ciphers
AES, Camellia, DES, RC4, RC5, Triple DES, XTEA, Blowfish
Cryptographic hash functions
MD5, MD2, MD4, SHA-1, SHA-2
Public-key cryptography
RSA, Diffie-Hellman key exchange, Elliptic curve cryptography (ECC), Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve DSA (ECDSA)

PolarSSL is neat having a smaller footprint, especially in combination with Hiawatha, which adds some security to https aswell.

Set
MinSSLversion = TLS1.2
if you want to support only the latest TLS version for maxed out security, older computers can’t visit your https page anymore though.




From my Hiawatha article series

Speichere in deinen Favoriten diesen permalink.

2 Antworten zu Hiawatha: PolarSSL Advantage

  1. Chris Wadge sagt:

    Just a head’s up, and I know the age of this article makes this necroposting, but it looks like your header.solsocog.de sub has an invalid cert along with HSTS. Thus, it is pretty severely broken. You might consider moving to Let’s Encrypt for little stub domans like that. 😉

    All the best,
    -C

    • solsocog.de sagt:

      Thank you for noticing me. Actually I forgot to A. renew hiawatha.be (now on sale for 999€) and B. switched to nginx for flawless cloudflare integration. But now that I’ve dropped cf I might reconsider using hiawatha again.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.