August 21, 2020
Question

Enabling HTTP 2 to secure against request smuggling - IIS 7 and ColdFusion 2016


Guys,

I have a ColdFusion 2016 website running over IIS 7.0. I want to ensure it is not susceptible to HTTP smuggling.

I want to enable HTTP 2 to resolve this issue.

 

Question: in which places do I have to make changes to enable HTTP 2?

1. IIS

2. Is there any setting in the ColdFusion 2016 process as well to enable HTTP 2?

 

Below is some reference material on what HTTP smuggling is:

http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling

https://www.youtube.com/watch?v=PFllH0QccCs 

 

  

Thanks


    1 reply

    BKBK
    Community Expert
    September 6, 2020

    To enable HTTP 2:

    1) Configure your IIS site to use HTTPS;

    2) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with a NIO protocol. Start with something like this:

    <!-- HTTP/2 needs Tomcat 8.5 or later, and this JSSE connector will not start
         without a keystore (keystoreFile / keystorePass). h2 is negotiated via
         ALPN, so the Java runtime (or Tomcat Native/OpenSSL) must support ALPN. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS">
        <!-- This element is what actually enables HTTP/2 on the connector -->
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>

    Or, perhaps the best alternative,

    3) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with an APR protocol:
    <!-- Tomcat Native (APR/OpenSSL) connector. RFC 7540 section 9.2 requires
         TLS 1.2 or later for HTTP/2, so TLSv1 and TLSv1.1 are left out of
         SSLProtocol, and the UpgradeProtocol element is what enables h2. -->
    <Connector
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        SSLCertificateFile="/usr/local/ssl/server.crt"
        SSLCertificateKeyFile="/usr/local/ssl/server.pem"
        SSLVerifyClient="optional" SSLProtocol="TLSv1.2">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>

     

    together with the Tomcat Native Library.

     

    How to find more on this? Google is your friend.

    BKBK
    Community Expert
    September 13, 2020

    You will find, among the comments of https://tracker.adobe.com/#/view/CF-4207070 , a description of how to install the Tomcat Native Library. Combining it with TLS should result in HTTP/2.
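
Editor's note and added example, not part of the original posts and not code from ColdFusion, Tomcat or IIS. HTTP/2 removes the Content-Length versus Transfer-Encoding ambiguity that classic request smuggling relies on, but only on the hop that actually speaks HTTP/2. Two caveats matter for this thread: IIS 7.0 has no HTTP/2 support at all (it arrived in IIS 10), and the ColdFusion web server connector forwards from IIS to Tomcat over AJP, not over the 8443 HTTPS connector configured above, so the hop behind the front end is still HTTP/1-style framed and has to be parsed strictly. Where a front end does translate HTTP/2 to HTTP/1.1 for a back end, the length header it writes into the translated request is what the back end trusts. The Python below (my example; the requests are constructed and the host app.example is hypothetical) is the strict HTTP/1.1 framing check a front end or proxy needs: it accepts one unambiguous framing and rejects the CL.TE, TE.CL, duplicate Content-Length and obfuscated Transfer-Encoding shapes described in the linked material, so the tail of one request can never become a second request on the back-end connection.

```python
"""Strict HTTP/1.1 request framing: the check that stops request smuggling
between two HTTP/1 parsers (RFC 7230 section 3.3.3).

Added example, not code from the original thread or from ColdFusion, Tomcat
or IIS. All requests at the bottom are constructed for the demonstration.
"""
import re

CRLF = b"\r\n"
# Header names must be RFC 7230 tokens; a space before the colon or a control
# character is a classic way to make two parsers see different headers.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class FramingError(ValueError):
    """Ambiguous or malformed body framing; the request must be rejected."""


def parse_head(raw):
    """Split raw bytes into (request line, [(name, value)], rest after head)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep or b"\n" in head.replace(CRLF, b""):
        raise FramingError("head not CRLF CRLF terminated, or contains bare LF")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding: %r" % line)
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            raise FramingError("malformed header field: %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers, rest


def framing_of(headers):
    """Return ('chunked', None), ('content-length', n) or ('none', 0),
    refusing every combination on which two parsers could disagree."""
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te:
        # Fold list values, normalise case, and accept exactly one coding:
        # 'chunked'. 'xchunked', 'chunked, identity' and the like are refused.
        codings = [c.strip(b" \t").lower() for v in te for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("unsupported Transfer-Encoding: %r" % te)
        return ("chunked", None)
    if cl:
        if len(cl) != 1:
            raise FramingError("multiple Content-Length headers: %r" % cl)
        if not re.fullmatch(rb"[0-9]{1,19}", cl[0]):
            raise FramingError("malformed Content-Length: %r" % cl[0])
        return ("content-length", int(cl[0]))
    return ("none", 0)


def read_chunked(data):
    """Strictly decode a chunked body; return (decoded, bytes after it)."""
    out, pos = bytearray(), 0
    while True:
        end = data.find(CRLF, pos)
        size_line = data[pos:end] if end >= 0 else b""
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_line):
            raise FramingError("malformed chunk size: %r" % size_line)
        size, pos = int(size_line, 16), end + 2
        if size == 0:  # last-chunk; a trailer section is not accepted here
            if data[pos:pos + 2] != CRLF:
                raise FramingError("trailer section or missing final CRLF")
            return bytes(out), data[pos + 2:]
        if data[pos + size:pos + size + 2] != CRLF:
            raise FramingError("chunk truncated or not CRLF-terminated")
        out += data[pos:pos + size]
        pos += size + 2


def frame_request(raw):
    """Return (request line, body, leftover). `leftover` is what a pipelining
    parser treats as the NEXT request; two parsers that split differently
    here are exactly what smuggling exploits."""
    request_line, headers, rest = parse_head(raw)
    kind, length = framing_of(headers)
    if kind == "chunked":
        body, leftover = read_chunked(rest)
    else:
        if len(rest) < length:
            raise FramingError("body shorter than Content-Length")
        body, leftover = rest[:length], rest[length:]
    return request_line, body, leftover


def verdict(raw):
    """('accepted', body, leftover) or ('rejected', reason, b'')."""
    try:
        _, body, leftover = frame_request(raw)
        return ("accepted", body, leftover)
    except FramingError as exc:
        return ("rejected", str(exc), b"")


# Constructed requests (hypothetical host app.example). CL_TE and TE_CL are the
# two classic desync shapes: a front end honouring one header and a back end the
# other disagree on where the request ends, so the tail becomes a second request.
SAMPLES = {
    "CLEAN": (b"POST /cfusion/submit.cfm HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 5\r\n\r\nq=123"
              b"GET /next HTTP/1.1\r\nHost: app.example\r\n\r\n"),  # pipelined
    "CHUNKED_OK": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"),
    "CL_TE": (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"),
    "TE_CL": (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n"),
    "DUP_CL": (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
               b"Content-Length: 6\r\n\r\nabcdef"),
    "OBFUSCATED_TE": (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
                      b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, verdict(raw)[:2])
```

Run it directly to see each constructed request's verdict; only CLEAN and CHUNKED_OK are accepted, and CLEAN shows the pipelined second request being returned as leftover rather than silently swallowed. To confirm that a front end really negotiated HTTP/2 after the changes above, `curl -sI --http2 https://host/` prints an `HTTP/2` status line; an `HTTP/1.1` status line means ALPN did not select h2 and the connection is still HTTP/1.1-framed.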