Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 01/07/2021 22:24, James H. H. Lampert wrote:
> Also, I've got somebody complaining about CVE-2021-25329.
> I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is.

If the person complaining about CVE-2021-25329 can't explain (or demonstrate) why it is an issue for your environment (other than to state you are running version X and this CVE is listed against that version) I'd argue that the credibility of their complaint is significantly reduced.

> And https://nvd.nist.gov/vuln/detail/CVE-2020-9484 doesn't exactly help a whole lot: it talks about "PersistenceManager," and I'm not entirely sure what that even *is.*

Have you tried looking in the Tomcat documentation? You want https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html

It is an alternative session manager that persists session data via a configured Store. There are two Store implementations provided by default - File and DataSource. You would know if you were using it as it requires explicit configuration.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 02/07/2021 01:10, James H. H. Lampert wrote:
> On 7/1/21 4:55 PM, in response to:
>> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.
> Shawn Heisey wrote:
>> In that case, you don't need h2c, and probably don't want it.
>
> O. . . . k. That makes sense, so far, but how is it even enabled? Is there some way I could have h2c enabled, with the situation I described (no HTTP at all, not even as a redirect), and not *know* I have it enabled?

With no HTTP configured, there is no way h2c can be enabled.

You have to explicitly add an appropriate element to an HTTP connector. You then see a log message on Tomcat start along the lines of:

    The ["http-nio-8080"] connector has been configured to support HTTP upgrade to [h2c]

Configuring h2 (the standard encrypted version of HTTP/2) works the same way but you add the same element to a connector configured for HTTPS. In that case the log message on start looks something like:

    The ["https-jsse-nio-8443"] connector has been configured to support negotiation to [h2] via ALPN

Mark
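Both things Mark says you "would know" about, because they need explicit configuration (the HTTP/2 upgrade element on a connector in this message, and the PersistentManager session manager in his earlier reply), can be audited from the XML directly. The following is an added example, not code from the thread or from the Tomcat project: it parses constructed server.xml and context.xml samples and flags an HTTP/2 UpgradeProtocol on a connector without SSLEnabled="true" as h2c; the class names Http2Protocol, PersistentManager and FileStore are the ones documented by Tomcat, and the sample XML is constructed for illustration.

```python
"""Audit a Tomcat configuration for the two explicitly configured items
from this thread: (1) an HTTP/2 UpgradeProtocol on a connector without
TLS, which is h2c, and (2) the PersistentManager session manager.
The XML below is constructed sample input, not a real deployment."""
import xml.etree.ElementTree as ET

H2_CLASS = "org.apache.coyote.http2.Http2Protocol"
PM_CLASS = "org.apache.catalina.session.PersistentManager"

# Constructed server.xml: a cleartext connector with h2c and an HTTPS connector with h2.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

# Constructed context.xml that opts in to the persistent session manager.
CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""


def http2_connectors(server_xml: str) -> list:
    """List each Connector carrying the HTTP/2 UpgradeProtocol, tagged
    'h2c' when the connector has no TLS and 'h2' when SSLEnabled="true"."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not any(u.get("className") == H2_CLASS
                   for u in conn.findall("UpgradeProtocol")):
            continue  # plain HTTP/1.1 connector, no HTTP/2 at all
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        found.append({"port": conn.get("port"), "mode": "h2" if tls else "h2c"})
    return found


def uses_persistent_manager(context_xml: str) -> bool:
    """True only when a <Manager> explicitly names PersistentManager."""
    return any(m.get("className") == PM_CLASS
               for m in ET.fromstring(context_xml).iter("Manager"))
```

Run it against your own conf/server.xml and the context.xml files in use; a connector reported as h2c with no SSLEnabled attribute is exactly the configuration that produces the "HTTP upgrade to [h2c]" start-up message quoted above.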
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 7/1/2021 6:10 PM, James H. H. Lampert wrote:
> On 7/1/21 4:55 PM, Shawn Heisey wrote:
>> In that case, you don't need h2c, and probably don't want it.
>
> O. . . . k. That makes sense, so far, but how is it even enabled? Is there some way I could have h2c enabled, with the situation I described (no HTTP at all, not even as a redirect), and not *know* I have it enabled?

I am a lurker on this list. Although I used Tomcat quite a bit in a past job, it's not something I configure these days. All my past Tomcat experience was before HTTP/2 became widespread, so I have no idea how to configure it.

Google has a number of hits that look useful if you search for "tomcat http/2". I don't imagine it's difficult to do.

I do know that for full http/2 functionality it's best if you have a Java version newer than Java 8. Java 11 is probably a good choice. Note that if you use Oracle Java, they have changed their licensing, and most people actually are required to pay to use it.

Thanks,
Shawn
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 7/1/21 4:55 PM, in response to:
> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.
Shawn Heisey wrote:
> In that case, you don't need h2c, and probably don't want it.

O. . . . k. That makes sense, so far, but how is it even enabled? Is there some way I could have h2c enabled, with the situation I described (no HTTP at all, not even as a redirect), and not *know* I have it enabled?

--
JHHL
Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5
On 7/1/2021 3:24 PM, James H. H. Lampert wrote:
> On 6/21/21 9:42 AM, Christopher Schultz wrote:
>> If you are using h2c, you'll definitely want to upgrade to 8.5.63 or later, as there is a critical fix there.
>
> My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, don't think I fully understand what "h2c" is.

h2c means HTTP/2 cleartext -- that is, without the TLS encryption that HTTPS provides. If Tomcat is reached directly by clients and the traffic doesn't go through a load balancer or proxy, then generally you don't want to enable h2c, you just want to enable h2. Technically h2c isn't in line with the goals of HTTP/2 ... encryption is assumed. But there are situations where it's what you really do want.

With a load balancer or proxy in the mix, things get a little more complicated. I personally would want the backend connection as fast as possible, and all the encryption handled by the front end -- the proxy or load balancer. So my backend connections are h2c, not h2. But I have run into web applications that only work right if the back end connection is encrypted. Up until about a week ago, one such application for me was WordPress. Then I figured out the right config to make WordPress always assume https even if the connections coming into the web server (Apache httpd in this case) were not encrypted ... so I immediately got rid of the double encryption by using h2c on the back end.

A bit of trivia that doesn't affect these answers, but some might want to know: I use haproxy in front of my web services. It's lightning fast, does awesome TLS, and is extremely configurable.

> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

In that case, you don't need h2c, and probably don't want it.

> Also, I've got somebody complaining about CVE-2021-25329.
> I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is.

I can't tell what those vulnerabilities are about, but I don't think they have anything to do with h2c.

Thanks,
Shawn