cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
1
Upvote

enabling HTTP 2 to secure against Request smuggling - IIS 7 and cold-fusion 2016

sonu5FBD
New Here ,
Aug 21, 2020 Aug 21, 2020

Copy link to clipboard

Copied

Guys , 

i have a coldfusion 2016 website running over IIS 7.0 . I want to ensure it is not suspitble to HTTP smuglling

i want to enable HTTP 2 to resolve this issue ..

 

Question : what all places i have to make changes to enable HTTP 2 ?

1. IIS

2. is there any setting in coldfusion 2016 process as well to enable HTTP 2?

 

below is some reference material on what HTTP smuggling is :

http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling

https://www.youtube.com/watch?v=PFllH0QccCs 

 

  

Thanks

Views

615

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 2 Replies 2
latest latest Jump to latest reply
BKBK Community Expert
Community Expert ,
Sep 06, 2020 Sep 06, 2020

Copy link to clipboard

Copied

To enable HTTP 2:

1) Configure your IIS site to use HTTPS ;

2) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with a NIO protocol. Start with something like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS">

<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>

</Connector>

Or, perhaps the best alternative,

3)  Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with an APR protocol
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

 

together with the Tomcat Native Library.

 

How to find more on this? Google is your friend.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
BKBK Community Expert
Community Expert ,
Sep 13, 2020 Sep 13, 2020

Copy link to clipboard

Copied

LATEST
In Response To BKBK

You will find, among the comments of https://tracker.adobe.com/#/view/CF-4207070 , a description of how to install the Tomcat Native Library. Combining it with TLS should result in HTTP/2.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices