Guys,
I have a ColdFusion 2016 website running on IIS 7.0. I want to ensure it is not susceptible to HTTP smuggling.
I want to enable HTTP/2 to resolve this issue.
Question: in what places do I have to make changes to enable HTTP/2?
1. IIS
2. Is there any setting in the ColdFusion 2016 process as well to enable HTTP/2?
Below is some reference material on what HTTP smuggling is:
http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling
https://www.youtube.com/watch?v=PFllH0QccCs
Thanks
To enable HTTP/2:
1) Configure your IIS site to use HTTPS;
2) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with the NIO protocol. Start with something like this:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS">
    <!-- JSSE needs the server certificate: add keystoreFile="..." and keystorePass="..."
         here, otherwise Tomcat falls back to the default ~/.keystore -->
    <!-- HTTP/2 is negotiated through ALPN on top of this TLS connector -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>
Or, perhaps the best alternative,
3) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with the APR protocol
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
    <!-- without this element the connector stays HTTP/1.1 only; HTTP/2 over TLS
         is only negotiated on TLS 1.2 or newer, so the older protocols listed
         above never carry h2 -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>
together with the Tomcat Native Library.
How to find more on this? Google is your friend.
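Added example (not from the question or the answer above, and not ColdFusion or Tomcat code): a toy HTTP/1.1 request splitter that shows the Content-Length vs Transfer-Encoding ambiguity the linked smuggling material describes, plus an ALPN probe to confirm that an endpoint configured as in steps 1-3 really negotiates HTTP/2. The pipelined byte stream is constructed for the demo; the parser is deliberately minimal and only models the framing decision. Two caveats worth checking before relying on the switch: IIS speaks HTTP/2 only from IIS 10 (Windows Server 2016) onward, and HTTP/2 removes the ambiguity only on hops that actually negotiate it, so a front end that still talks HTTP/1.1 to the back end can still be desynced on that hop.

```python
"""Added example, not from any post in this thread: a toy HTTP/1.1 request
splitter that shows the Content-Length vs Transfer-Encoding ambiguity behind
request smuggling, plus an ALPN probe to confirm a TLS endpoint really does
negotiate HTTP/2.  The sample byte stream below is constructed for the demo."""
import socket
import ssl

# Constructed pipelined stream: an attacker's POST whose body is a complete
# chunked body ("0\r\n\r\n") followed by the start of a second request, then an
# innocent victim request sent on the same connection.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Injected: 1\r\n"
_body = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER = (
    b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: %d\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n" % len(_body)
) + _body
VICTIM = b"GET /victim HTTP/1.1\r\nHost: example\r\n\r\n"
STREAM = ATTACKER + VICTIM


def parse_head(buf):
    """Return (start_line, headers, length_of_head); raise if the head is incomplete."""
    head, sep, _ = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4


def end_of_chunked_body(buf, pos):
    """Consume a chunked body starting at pos; return the offset just past it."""
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size:
            pos += size + 2          # chunk data plus its trailing CRLF
            continue
        while True:                  # last chunk: skip trailers up to the blank line
            line_end = buf.index(b"\r\n", pos)
            if line_end == pos:
                return pos + 2
            pos = line_end + 2


def split_requests(buf, policy):
    """Cut buf into requests the way a server with the given framing policy would.
    'cl' ignores Transfer-Encoding and trusts Content-Length; 'te' honours
    Transfer-Encoding: chunked.  Returns (list of (start_line, headers), leftover).
    Two hops that disagree on the policy see different request boundaries."""
    requests, pos = [], 0
    while pos < len(buf):
        try:
            start_line, headers, head_len = parse_head(buf[pos:])
        except ValueError:
            return requests, buf[pos:]   # a real server would wait for more bytes
        body_start = pos + head_len
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        if policy == "te" and chunked:
            pos = end_of_chunked_body(buf, body_start)
        else:
            pos = body_start + int(headers.get(b"content-length", b"0"))
        requests.append((start_line, headers))
    return requests, b""


def negotiated_alpn(host, port=443, timeout=5.0):
    """Offer h2 then http/1.1 via ALPN; return (selected protocol or None, TLS version).
    Needs network access.  For a lab Tomcat with a self-signed certificate you
    would relax ctx.check_hostname / ctx.verify_mode for this check only."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version()


if __name__ == "__main__":
    import sys
    for policy in ("cl", "te"):
        reqs, rest = split_requests(STREAM, policy)
        print(policy, [line for line, _ in reqs], rest)
    if len(sys.argv) > 1:   # python3 h2check.py host [port]
        print(negotiated_alpn(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

With the "cl" policy the stream splits into the attacker's POST and the victim's GET /victim; with the "te" policy the chunked body ends at the zero chunk and the leftover bytes turn into a GET /admin that swallows the victim's headers, which is the desync the smuggling write-ups describe. Run the script with a hostname and port to see whether the IIS front end, and separately the 8443 connector, answer "h2" in ALPN; an answer of None or "http/1.1" means that hop is still framed by Content-Length and Transfer-Encoding.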
You will find, among the comments of https://tracker.adobe.com/#/view/CF-4207070 , a description of how to install the Tomcat Native Library. Combining it with TLS should result in HTTP/2.