Enabling HTTP/2 to secure against request smuggling - IIS 7 and ColdFusion 2016

New Here, Aug 21, 2020

Guys,

I have a ColdFusion 2016 website running on IIS 7.0. I want to ensure it is not susceptible to HTTP smuggling.

I want to enable HTTP/2 to resolve this issue.


Question: in which places do I have to make changes to enable HTTP/2?

1. IIS

2. Is there any setting in the ColdFusion 2016 process as well to enable HTTP/2?


Below is some reference material on what HTTP smuggling is:

http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling

https://www.youtube.com/watch?v=PFllH0QccCs 

Thanks

Adobe Community Professional, Sep 06, 2020

To enable HTTP/2:

1) Configure your IIS site to use HTTPS;

2) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with a NIO protocol. Start with something like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS">
  <!-- Nested UpgradeProtocol is what lets Tomcat negotiate h2 via ALPN -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

Or, perhaps the best alternative,

3) Configure the HTTP connector in /cfusion/runtime/conf/server.xml to use TLS with an APR protocol:

<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/usr/local/ssl/server.crt"
    SSLCertificateKeyFile="/usr/local/ssl/server.pem"
    SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
  <!-- TLSv1 and TLSv1.1 are deprecated; keep them only if legacy clients still require them -->
  <!-- Required for HTTP/2: without this nested element the APR connector serves only HTTP/1.1 over TLS -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

together with the Tomcat Native Library.

 

How to find more on this? Google is your friend.
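An added check, not part of either reply: a small Python audit of the Connector elements in a server.xml like the one above. It reports whether each connector has TLS plus the Http2Protocol upgrade that Tomcat needs before it will offer h2, and whether the protocol list still admits TLS 1.0/1.1. The sample server.xml is constructed from the snippets in this thread, with placeholder certificate paths.

```python
# Added example: offline audit of <Connector> elements in a Tomcat/ColdFusion server.xml.
import xml.etree.ElementTree as ET

H2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed from the two connectors posted in this thread; cert paths are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8444" maxThreads="200" scheme="https" secure="true"
               SSLEnabled="true" SSLCertificateFile="/placeholder/server.crt"
               SSLCertificateKeyFile="/placeholder/server.pem"
               SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
  </Service>
</Server>"""


def audit_connector(conn):
    """Return findings for one <Connector> element."""
    a = conn.attrib
    tls_on = a.get("SSLEnabled", "false").lower() == "true"
    # Tomcat only offers h2 via ALPN when this UpgradeProtocol is nested in the connector.
    has_h2 = any(u.get("className") == H2_UPGRADE for u in conn.findall("UpgradeProtocol"))
    # APR lists protocols as "TLSv1+TLSv1.2"; JSSE/NIO uses comma-separated sslEnabledProtocols.
    raw = a.get("SSLProtocol", "") + "," + a.get("sslEnabledProtocols", "")
    protos = {p.strip() for p in raw.replace("+", ",").split(",") if p.strip()}
    return {
        "port": a.get("port"),
        "protocol": a.get("protocol", "").rsplit(".", 1)[-1],
        "http2": tls_on and has_h2,
        "legacy_tls": sorted(protos & LEGACY_TLS),
    }


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document string."""
    return [audit_connector(c) for c in ET.fromstring(xml_text).iter("Connector")]


if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        status = "h2 OK" if f["http2"] else "NO HTTP/2"
        legacy = ", ".join(f["legacy_tls"]) or "none"
        print(f"port {f['port']} {f['protocol']}: {status}; legacy TLS: {legacy}")
```

Point audit_server_xml at the contents of /cfusion/runtime/conf/server.xml before restarting ColdFusion; a connector reported as NO HTTP/2 is missing either SSLEnabled or the nested UpgradeProtocol.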

Adobe Community Professional, Sep 13, 2020

You will find, among the comments of https://tracker.adobe.com/#/view/CF-4207070 , a description of how to install the Tomcat Native Library. Combining it with TLS should result in HTTP/2.
