What's new in Hiawatha 11.5
Oct 13, 2023
- Mbed TLS updated to 3.5.0.
New in Hiawatha 11.4 (Apr 6, 2023)
- mbed TLS updated to 3.4.0.
- Bugfix: TunnelSSH issue with latest PuTTY versions.
New in Hiawatha 11.3 (Jan 4, 2023)
- PHP 8 compatibility for Let's Encrypt script.
- Applied some patches from the FreeBSD community.
- mbed TLS updated to 3.3.0.
New in Hiawatha 11.2 (Jul 14, 2022)
- Mbed TLS updated to 3.2.1.
- Small improvements.
New in Hiawatha 11.1 (Dec 23, 2021)
- Mbed TLS updated to 3.1.0.
- Small bugfixes.
New in Hiawatha 11.0 (Jul 23, 2021)
- Mbed TLS updated to 3.0.0.
- Dropped support for TLSv1.0 and TLSv1.1. Configuration option MinTLSversion removed.
- Dropped support for HTTP Public Key Pinning (HPKP). Configuration option PublicKeyPins removed.
New in Hiawatha 10.12 (Mar 26, 2021)
- Mbed TLS updated to 2.26.0.
- New LE_ISSUERS setting for Let's Encrypt script.
- Bugfix: vfprintf issue for syslog in log.c.
New in Hiawatha 10.11 (Jul 8, 2020)
- Default value of MinTLSversion set to 1.2.
- mbed TLS updated to 2.23.0.
- Small bugfixes.
New in Hiawatha 10.10 (Sep 20, 2019)
- Removed several build options. Functionalities are now always enabled.
- mbed TLS updated to 2.16.3.
- Updated Let's Encrypt script due to changes in the API.
- Bugfix: AlterMode not working correctly.
New in Hiawatha 10.9 (Feb 19, 2019)
- Let's Encrypt script installed via CMake.
- mbed TLS updated to 2.16.0.
- Small improvements.
New in Hiawatha 10.8.4 (Feb 13, 2019)
- Bugfix: Directory traversal when AllowDotFiles is enabled.
New in Hiawatha 10.8.3 (Sep 17, 2018)
- Several fixes in build system.
- mbed TLS updated to 2.13.0.
- Added build system for nghttp2.
New in Hiawatha 10.8.2 (Sep 17, 2018)
- mbed TLS updated to 2.12.0.
- New style for directory index.
- uri_depth added to XML for directory index.
New in Hiawatha 10.8.1 (Apr 11, 2018)
- mbed TLS updated to 2.8.0.
- Removed support for secp192r1 and secp192k1 curves, to make it PCI DSS compliant out of the box.
- Small improvements to Let's Encrypt ACMEv2 script.
New in Hiawatha 10.8 (Mar 23, 2018)
- New Let's Encrypt script that supports ACME v2.
- Added Syslog option.
- Added GZipExtensions option.
- AllowDotFiles now used to show hidden files in directory listings.
- mbed TLS updated to 2.7.0.
- Removed support for static RSA ciphers.
- Hiawatha log format changed.
- Small improvements.
- Bugfix: certain characters in filenames disrupted directory index output.
- Bugfix: requesting non-regular files now results in a 403 instead of blocking that thread.
New in Hiawatha 10.7 (Mar 23, 2018)
- Connect to a reverse proxy via a Unix socket.
- Added BlockExtensions setting.
- mbed TLS updated to 2.6.0.
- Small improvements.
- Bugfix: error in handling renewal scripts in Let's Encrypt script.
New in Hiawatha 10.6 (Mar 23, 2018)
- Added PublicKeyPins option.
- Added renewal-scripts to Let's Encrypt script.
- mbed TLS updated to 2.4.2.
- Small changes to CMake build system.
- Small improvements.
- Bugfix: SCSV bug in mbed TLS.
New in Hiawatha 10.5 (Mar 23, 2018)
- mbed TLS updated to 2.4.0, using GPL version.
- Added CustomHeaderBackend option.
- Renamed CustomHeader option to CustomHeaderClient. Old name still works.
- Hiawatha ignores FileHashes and ReverseProxy for Let's Encrypt authentication requests.
- Small bugfixes.
New in Hiawatha 10.4 (Mar 23, 2018)
- mbed TLS updated to 2.3.0.
- SkipCacheCookie option added.
- Added Systemd init script to Debian package.
- Small improvements and bugfixes.
New in Hiawatha 10.3 (Mar 23, 2018)
- PreventCSRF, PreventSQLi and PreventXSS improved.
- Prevention of MySQL data mining via SQL injection. Thanks to Esmaeil Rahimian <[email protected]>.
- Added revoke option to Let's Encrypt script.
- Hiawatha ignores RequireTLS for Let's Encrypt authentication requests.
- Small bugfixes and improvements.
- Bugfix: possible HTTP request pipelining error after CSRF prevented.
New in Hiawatha 10.2 (Mar 23, 2018)
- Added Let's Encrypt script (see extra/letsencrypt).
- Added support for requesting Let's Encrypt certificates (see AccessList and PasswordFile settings in manual page).
- Small improvements.
- Bugfix: HideProxy not working for Forwarded header.
New in Hiawatha 10.1 (Mar 23, 2018)
- Added Extensions setting.
- Added support for X-Sendfile header.
- mbed TLS updated to 2.2.1.
- Improved SQL injection detection.
- Small bugfixes and improvements.
New in Hiawatha 10.0 (Mar 23, 2018)
- Usage of Directory sections changed.
- Added support for RFC 5785.
- Added support for GZip compression. Removed the UseGZfile option.
- Added ECDSA support for TLS 1.0 and TLS 1.1.
- Replaced UrlToolkit Expire option with ExpirePeriod in Directory section.
- Replaced IgnoreDotHiawatha option with UseLocalConfig.
- Removed the VolatileObject option.
- Improved SQL injection detection.
- mbed TLS updated to 2.2.0.
- Small improvements.
New in Hiawatha 9.15 (Mar 23, 2018)
- Support for WebSockets via reverse proxy.
- UNIX socket support for connections to WebSockets.
- Responsive design for directory index and error message.
- mbed TLS updated to 2.1.2.
- Fixed mbed TLS linking in CMake configuration.
- ListenBacklog option added.
- Small bugfixes.
New in Hiawatha 9.14 (Mar 23, 2018)
- mbed TLS updated to 2.0.0.
- Small bugfixes.
- Bugfix: crash when sending very large request to FastCGI server.
New in Hiawatha 9.13 (May 12, 2015)
- Renamed SSLcertFile to TLScertFile.
- Renamed RequireSSL to RequireTLS.
- Renamed SSL_* CGI environment variables to TLS_*.
- Renamed UrlToolkit option UseSSL to UseTLS.
- Replaced MinSSLversion by MinTLSversion.
- LogTimeouts option added.
- Added 'skip directories' parameter to reverse proxy.
- Failed logins sent to Hiawatha Monitor.
- Small bugfix and improvements.
New in Hiawatha 9.12 (Feb 13, 2015)
- PolarSSL 1.3.9 upgraded to mbed TLS 1.3.10.
- MacOS X PreferencePane removed from MacOS X package.
- Bugfix: memory leak in SSL library.
- Small bugfix.
New in Hiawatha 9.11 (Jan 19, 2015)
- ChallengeClient option added.
- UrlToolkit options TotalConnections and OmitRequestLog added.
- Improvements to UrlToolkit and reverse proxy swap.
- UrlToolkit rules are also applied to PUT and DELETE.
- Small improvements.
New in Hiawatha 9.10 (Jan 5, 2015)
- Support for banning bad clients who connect via a proxy
- UrlToolkit option Do added. Changed how Call and Skip should be called
- General UrlToolkit improvements. See config/toolkit.conf for syntax
- Hiawatha now prefers reverse proxies with a scheme matching the one of the client connection. See config/toolkit.conf for syntax
- Hiawatha will now first process UrlToolkit rules before using ReverseProxy
- Small bugfixes and improvements
New in Hiawatha 9.9 (Dec 8, 2014)
- HTTPAuthToCGI option added.
- BanByCGI option added.
- PolarSSL updated to version 1.3.9.
- Improved SSL ciphersuite selections.
- CAcertificates options added.
- Dropped support for SSL3.0.
- Small bugfixes and improvements.
New in Hiawatha 9.8 (Sep 29, 2014)
- Added support for websockets. WebSocket option added.
- Added Red Hat package building script (extra/make_redhat_package).
- SSL key and certificate checks added to wigwam.
- Small bugfixes and improvements.
New in Hiawatha 9.7 (Aug 25, 2014)
- UseToolkit now possible in .hiawatha file at root of website
- Method option added to URL Toolkit
- SetResourceLimit option added
- ThreadKillRate option added
- Improved SQL injection detection
- Default value for DHsize set to 2048
- PolarSSL updated to version 1.3.8
- Memory allocation debugger module added
- Small bugfixes and improvements
- Bugfix: incorrect file hash printing by wigwam with directory as symlink
New in Hiawatha 9.6 (Jun 2, 2014)
- Logfile rotation for access logfiles
- HTTP Strict Transport Security header made optional for RequireSSL
- Support for chunked transfer encoded requests (not for PUT)
- Support for improved server statistics in Hiawatha Monitor
- The Hiawatha Monitor is now supported without the need for XSLT
- PolarSSL updated to version 1.3.7
- A few bugfixes as reported by Coverity
- Bugfix: SQL injection detection was broken since 8.6
- Bugfix: XSS detection didn't work for reverse proxy
- Small bugfixes
New in Hiawatha 9.5 (Apr 24, 2014)
- Added support for CGI statistics in Hiawatha Monitor
- MonitorRequests and MonitorStatsInterval option removed
- Added support for Origin HTTP header to prevent CSRF
- EnforceFirstHostname option added
- ScriptAlias option added
- PolarSSL updated to version 1.3.6
- Dropped support for PolarSSL 1.2
New in Hiawatha 9.4 (Mar 24, 2014)
- Keep-Alive connections for reverse proxy made optional
- ErrorXSLTfile option added
- IgnoreDotHiawatha option added
- RandomHeader option added
- Dropped support for RC4
- PolarSSL updated to version 1.3.4
- Added support for Hyper Text Coffee Pot Control Protocol (RFC2324)
- Added SSL_CIPHER to CGI environment
- Added Public/Private to UrlToolkit expire option
- Small improvements
New in Hiawatha 9.3.1 (Mar 24, 2014)
- Several bugfixes in reverse proxy.
New in Hiawatha 9.3 (Nov 6, 2013)
- PolarSSL updated to version 1.3.2.
- Added support for Elliptic Curve Cryptography.
- TunnelSSH option added.
- AnonymizeIP option added. Thanks to Klemens Scholhorn.
- Keep-alive connections for reverse proxy.
- Small improvements.
New in Hiawatha 9.2 (Jun 24, 2013)
- Added support for compiling Hiawatha against the system's default version (>=1.2.0) of the PolarSSL library
- PolarSSL updated to version 1.2.8
- Small bugfixes (memory leaks in error situations)
- Bugfix: virtual hostname selection for IPv6 with non-standard port
New in Hiawatha 9.1 (Apr 16, 2013)
- FileHashes option added.
- PolarSSL updated to version 1.2.7. Enabled ciphersuite selection based on protocol version.
- Enabled accf_http support for FreeBSD.
- ImageReferer option removed.
- Bugfix: incorrect BanOnFlooding behavior.
- Small improvements.
New in Hiawatha 9.0 (Mar 28, 2013)
- Clients handled via thread pool instead of creating threads on the fly.
- ThreadPoolSize option added.
- Header option added to URL Toolkit.
- Improved client SSL certificate handling. Environment variables renamed.
- PolarSSL updated to version 1.2.6.
- Improved Reverse Proxy caching support for requests with URL parameters.
- CacheMinFilesize option removed.
- DenyBot option removed. Use UrlToolkit's Header option instead.
- OldBrowser option removed from URL Toolkit. Use Header option instead.
- Improved UrlToolkit rule testing in wigwam.
- Small bugfixes and improvements.
New in Hiawatha 8.8.1 (Mar 5, 2013)
- Bugfix: Incorrect size of buffer for poll() can lead to a crash when using Tomahawk.
New in Hiawatha 8.8 (Feb 19, 2013)
- Caching for Reverse Proxy. CacheRProxyExtensions option added.
- Basic HTTP authentication now supports the glibc2 version of crypt().
- Hostname in ImageReferer can now contain a wildcard.
- DenyBody matching is now case insensitive.
- PolarSSL updated to version 1.2.5.
- Small improvements.
New in Hiawatha 8.7 (Jan 10, 2013)
- Support for HTTP Strict Transport Security (RFC 6797). Integrated in RequireSSL option.
- DHsize option added.
- PolarSSL updated to version 1.2.3.
- CloudFlare headers placed in environment variables.
- Removed php-fcgi.
- Small improvements.
- Bugfix: slow page loading via Reverse Proxy.
New in Hiawatha 8.6 (Nov 1, 2012)
- PolarSSL updated to version 1.2. Added support for TLS 1.2 and secure renegotiation.
- Added support for Server Name Indication.
- MinSSLversion option added.
- ServerRoot option removed.
- Improved MacOS X package building script.
- Marked php-fcgi as deprecated. Use php-fpm instead.
- Small bugfixes and improvements.
New in Hiawatha 8.5 (Sep 10, 2012)
- Improved Reverse Proxy.
- Changed error message style.
- Renamed Command Channel to Tomahawk.
- Return 403 instead of 401 upon correct password for HTTP authentication but user not in right group.
- Small improvements.
- Bugfix: replaced select() with poll() to prevent crashes in case of large amount of simultaneous connections.
New in Hiawatha 8.4 (Jul 28, 2012)
- MaxServerLoad option added.
- Bugfix: invalid reverse proxy request when URL parameters are present.
- PolarSSL updated to version 1.1.4.
- Small bugfixes and improvements.
New in Hiawatha 8.3.2 (Jun 5, 2012)
- Bugfix: memory leak in SSL library.
New in Hiawatha 8.3.1 (Jun 5, 2012)
- Improved security for reverse proxy (works with PreventSQLi, etc).
New in Hiawatha 8.3 (Jun 5, 2012)
- ReverseProxy option added.
- PolarSSL updated to version 1.1.3.
New in Hiawatha 8.2 (Jun 5, 2012)
- WebDAVapp option added. Enables support for WebDAV applications like ownCloud (http://owncloud.org/).
- Removed support for the OPTIONS method.
- AllowDotFiles option added.
- Global forks setting in php-fcgi.conf moved to Server setting.
- Small bugfixes and improvements.
New in Hiawatha 8.1 (Mar 7, 2012)
- BanOnInvalidURL option added
- PolarSSL updated to version 1.1.1
- Small improvements in Windows packaging script
- Bugfix: paths missing in default values and examples in manual pages
New in Hiawatha 8.0 (Feb 6, 2012)
- Replaced Autoconf with CMake. Many thanks to Sander Niemeijer.
- Replaced OpenSSL with PolarSSL. Many thanks to Paul Bakker.
- AllowedCiphers and DHparameters options removed.
- Added IE7 to UrlToolkit's OldBrowser list, removed IE5.
- MaxUrlLength option added, can return 414 Request-URI Too Long.
- Changed default value of TriggerOnCGIstatus to 'no'.
- Equalized format of logfiles.
- Extra checks added to php-fcgi.
- Small improvements.
New in Hiawatha 7.7 (Oct 8, 2011)
- First parameter of Alias can now contain subdirectories.
- Improved stability for connections with SSL client authentication.
- Bugfix: BanOnFlooding was broken.