enabling HTTP 2 to secure against Request smuggling - IIS 7 and cold-fusion 2016

New Here ,
Aug 21, 2020


Guys,

I have a ColdFusion 2016 website running over IIS 7.0. I want to ensure it is not susceptible to HTTP smuggling.

I want to enable HTTP 2 to resolve this issue.

Question: what are all the places where I have to make changes to enable HTTP 2?

1. IIS

2. Is there any setting in the ColdFusion 2016 process as well to enable HTTP 2?

Below is some reference material on what HTTP smuggling is:

http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling

https://www.youtube.com/watch?v=PFllH0QccCs 

 

  

Thanks

In this video, I explain how HTTP Smuggling can happen in version 1.1. Some mitigation is using HTTP/2 which dedicate each request in its own channel. 🏭 Back...

Adobe Community Professional ,
Sep 06, 2020


To enable HTTP 2:

1) Configure your IIS site to use HTTPS;

2) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with a NIO protocol. Start with something like this:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>

Or, perhaps the best alternative,

3) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with an APR protocol

    <Connector
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        SSLCertificateFile="/usr/local/ssl/server.crt"
        SSLCertificateKeyFile="/usr/local/ssl/server.pem"
        SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

together with the Tomcat Native Library.


How to find more on this? Google is your friend.

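As an added example (not part of the original posts, and not Adobe's or Tomcat's code): a small Python check that reads the connectors from a server.xml and reports whether each one is actually set up to serve HTTP/2. It assumes Tomcat 8.5+ behaviour, where HTTP/2 is switched on by a nested UpgradeProtocol element as in the first snippet above; the `<Service>` wrapper, the function name and the issue strings are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

H2_CLASS = "org.apache.coyote.http2.Http2Protocol"
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # HTTP/2 requires TLS 1.2 or later

# The two connectors from the answer above, wrapped in a minimal <Service>
# element (the wrapper is an assumption so the fragment parses on its own).
SAMPLE = """<Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
 port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
 SSLCertificateFile="/usr/local/ssl/server.crt"
 SSLCertificateKeyFile="/usr/local/ssl/server.pem"
 SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
</Service>"""

def audit_connectors(xml_text):
    """Return one finding dict per <Connector> in a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        # Lower-case the attribute names: the snippets on this page spell
        # sslProtocol / SSLProtocol both ways.
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        tls = attrs.get("sslenabled", "false").lower() == "true"
        upgrade = any(u.get("className") == H2_CLASS
                      for u in conn.findall("UpgradeProtocol"))
        legacy = set(attrs.get("sslprotocol", "").split("+")) & LEGACY_TLS
        issues = []
        if not tls:
            issues.append("TLS is off: browsers only use HTTP/2 over TLS")
        if not upgrade:
            issues.append("no Http2Protocol UpgradeProtocol element: HTTP/1.1 only")
        if legacy:
            issues.append("legacy TLS versions enabled: " + ", ".join(sorted(legacy)))
        findings.append({"port": attrs.get("port"),
                         "protocol": attrs.get("protocol", "").rsplit(".", 1)[-1],
                         "http2": tls and upgrade, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE):
        print(f["port"], f["protocol"], "HTTP/2" if f["http2"] else "HTTP/1.1 only")
        for issue in f["issues"]:
            print("   -", issue)
```

To audit a real installation, pass the contents of /cfusion/runtime/conf/server.xml to `audit_connectors` instead of `SAMPLE`.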
BKBK LATEST
Adobe Community Professional ,
Sep 13, 2020


You will find, among the comments of https://tracker.adobe.com/#/view/CF-4207070 , a description of how to install the Tomcat Native Library. Combining it with TLS should result in HTTP/2.
