Hiawatha: PolarSSL Advantage

Hiawatha uses PolarSSL as its SSL/TLS implementation, i.e. for HTTPS. HTTPS is enforced here by setting
RequireSSL = yes
inside the VirtualHost section, which makes Hiawatha redirect plain HTTP requests for that host to HTTPS.
As the curl output below shows, the server also sends an HTTP Strict Transport Security (HSTS) header with max-age=31536000 (one year), so a browser that has seen it once will use HTTPS only for that host for the next year. Keep in mind what that implies: once the policy is cached, a certificate error on that host is fatal, with no click-through, so an expired or invalid certificate breaks the site completely.
Another really cool feature of Hiawatha is the
RandomHeader = 1000
option, which also goes into the VirtualHost section.
With this setting it adds a header of between 1 and 1000 bytes to each response.
This is meant to stop an attacker who can only see the encrypted traffic from guessing which file was requested based on the response length.

Hiawatha is the first web server I know of that implements such an ingenious technique.

HTTPS response headers with RandomHeader enabled:
curl -I https://solsocog.de
HTTP/1.1 200 OK
Date: Sun, 29 Jun 2014 07:20:11 GMT
Server: Hiawatha v9.6
Connection: keep-alive
X-Random: iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked

As you can see, it adds an X-Random header. The value is a single character repeated; both the character and the length vary from response to response. Here are some other X-Random headers from repeated requests:
X-Random: 77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777
X-Random: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
X-Random: 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
X-Random: PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
X-Random: 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
X-Random: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
X-Random: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj

So the size of every HTTPS response differs even when the page is the same. I like it a lot. One caveat: the body is not padded, only the header block, and the pad is random per response. An attacker who can watch only one response cannot tell which of two similar-sized pages was fetched, but one who can trigger or observe the same request many times can average the padding out, so this raises the cost of length-based fingerprinting rather than eliminating it.
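To make that trade-off concrete, here is an added example in Python (my own code, not part of Hiawatha or PolarSSL). It parses the X-Random value out of a header block constructed in the format of the curl output above, computes how often a single padded response is ambiguous between two pages of assumed sizes, and shows how averaging many responses to the same request strips a uniform 1..1000-byte pad. The page sizes, sample counts and seeds are assumptions, not measurements.

```python
"""Length side channel vs. RandomHeader-style padding.

Added example, not Hiawatha or PolarSSL code. Models what an on-path
observer learns from record sizes when every response header block is
padded with 1..MAX_PAD random bytes, as RandomHeader = 1000 does.
"""
from __future__ import annotations

import random
import re
import statistics

MAX_PAD = 1000  # RandomHeader = 1000: pad of 1..1000 bytes per response

# Constructed sample, same shape as the article's curl -I output
# (assumed pad length of 137 bytes).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 29 Jun 2014 07:20:11 GMT\r\n"
    "Server: Hiawatha v9.6\r\n"
    "Connection: keep-alive\r\n"
    "X-Random: " + "i" * 137 + "\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
)


def x_random_length(raw_headers: str) -> int:
    """Length of the X-Random value in a raw header block, 0 if absent."""
    m = re.search(r"^X-Random:\s*(\S*)\s*$", raw_headers,
                  re.MULTILINE | re.IGNORECASE)
    return len(m.group(1)) if m else 0


def observe(base_len: int, samples: int, seed: int,
            max_pad: int = MAX_PAD) -> list[int]:
    """On-wire lengths of `samples` responses to the same request: the true
    length plus an independent uniform pad of 1..max_pad bytes each time."""
    rng = random.Random(seed)  # seeded so the experiment is reproducible
    return [base_len + rng.randint(1, max_pad) for _ in range(samples)]


def ambiguous_fraction(len_a: int, len_b: int,
                       max_pad: int = MAX_PAD) -> float:
    """Fraction of single observations of page A that could equally well be
    page B. The pad ranges overlap unless the pages differ by >= max_pad."""
    return max(0, max_pad - abs(len_a - len_b)) / max_pad


def estimate_base_length(observations: list[int],
                         max_pad: int = MAX_PAD) -> float:
    """Strip the pad statistically: its mean is (max_pad + 1) / 2, so the
    sample mean minus that converges to the true length as samples grow."""
    return statistics.mean(observations) - (max_pad + 1) / 2


def classify(observations: list[int], candidates: list[int],
             max_pad: int = MAX_PAD) -> int:
    """Guess which candidate page was fetched: closest true length to the
    estimate recovered from the observed, padded lengths."""
    est = estimate_base_length(observations, max_pad)
    return min(candidates, key=lambda c: abs(c - est))


if __name__ == "__main__":
    page_a, page_b = 4200, 4500  # assumed: two pages 300 bytes apart
    print("X-Random pad in sample response:", x_random_length(SAMPLE_RESPONSE))
    print("single response ambiguous between A and B:",
          f"{ambiguous_fraction(page_a, page_b):.0%}")
    one = observe(page_a, 1, seed=2014)
    print("one observation", one, "-> guess", classify(one, [page_a, page_b]))
    many = observe(page_a, 200, seed=2014)
    print("200 observations -> estimate %.0f, guess %d"
          % (estimate_base_length(many), classify(many, [page_a, page_b])))
```

With pages 300 bytes apart and a pad range of 1000 bytes, 70% of single responses of page A fall inside the length range page B can produce, but the standard deviation of the estimate after 200 samples is only about 20 bytes, so the averaged guess is reliable. That is why the padding helps against a passive one-shot observer but not against an adversary who can replay the request.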

The web server also uses TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA by default, an ECDHE suite and therefore one with forward secrecy. (It is a CBC suite with an HMAC-SHA1 MAC; where both sides support TLS 1.2, an AEAD suite such as AES-GCM is the better choice.)
For the finite-field DHE suites, the Diffie-Hellman parameter size defaults to 1024 bits and can be increased up to 4096 bits by setting
DHsize = 4096
in the server's main configuration. 1024-bit DH is considered weak, so use at least 2048. Note that the ECDHE suite above uses an elliptic curve and is not affected by this setting.

Let's compare the algorithms supported by PolarSSL with those of the more widely used TLS library, OpenSSL 1.0.1h:

Ciphers: AES, Blowfish, Camellia, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, Triple DES, GOST 28147-89[7]
Cryptographic hash functions: MD5, MD4, MD2, SHA-1, SHA-2, RIPEMD-160, MDC-2, GOST R 34.11-94[7]
Public-key cryptography: RSA, DSA, Diffie-Hellman key exchange, Elliptic curve, GOST R 34.10-2001[7]

(Perfect forward secrecy is supported using elliptic curve Diffie–Hellman since version 1.0.[8])

PolarSSL 1.3.7

Ciphers: AES, Camellia, DES, RC4, RC5, Triple DES, XTEA, Blowfish
Cryptographic hash functions: MD5, MD2, MD4, SHA-1, SHA-2
Public-key cryptography: RSA, Diffie-Hellman key exchange, Elliptic curve cryptography (ECC), Elliptic curve Diffie-Hellman (ECDH), Elliptic Curve DSA (ECDSA)

PolarSSL is neat because of its smaller footprint, especially in combination with Hiawatha, which adds some security on top of HTTPS as well.

Set
MinSSLversion = TLS1.2
if you want to support only the newest TLS version for maximum security. This rejects SSLv3, TLS 1.0 and TLS 1.1 handshakes, so older browsers and clients without TLS 1.2 support can no longer visit your HTTPS site (and, with RequireSSL set, cannot fall back to HTTP either).




From my Hiawatha article series


2 Responses to Hiawatha: PolarSSL Advantage

  1. Chris Wadge says:

    Just a heads-up, and I know the age of this article makes this necroposting, but it looks like your header.solsocog.de sub has an invalid cert along with HSTS. Thus, it is pretty severely broken. You might consider moving to Let's Encrypt for little stub domains like that. 😉

    All the best,
    -C

    • solsocog.de says:

      Thank you for noticing me. Actually I forgot to A. renew hiawatha.be (now on sale for 999€) and B. switched to nginx for flawless cloudflare integration. But now that I’ve dropped cf I might reconsider using hiawatha again.
