On 7/1/2021 3:24 PM, James H. H. Lampert wrote:
On 6/21/21 9:42 AM, Christopher Schultz wrote:
If you are using h2c, you'll definitely want to 8.5.63 or later, as there is a critical fix there.

My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, don't think I fully understand what "h2c" is.

h2c means HTTP/2 cleartext -- that is, without the TLS encryption that HTTPS provides. If Tomcat is reached directly by clients and the traffic doesn't go through a load balancer or proxy, then generally you don't want to enable h2c, you just want to enable h2. Technically h2c isn't in line with the goals of HTTP/2 ... encryption is assumed. But there are situations where it's what you really do want.

With a load balancer or proxy in the mix, things get a little more complicated. I personally would want the backend connection as fast as possible, and all the encryption handled by the front end -- the proxy or load balancer. So my backend connections are h2c, not h2.

But I have run into web applications that only work right if the back end connection is encrypted. Up until about a week ago, one such application for me was WordPress. Then I figured out the right config to make WordPress always assume https even if the connections coming into the web server (Apache httpd in this case) were not encrypted ... so I immediately got rid of the double encryption by using h2c on the back end.

A bit of trivia that doesn't affect these answers, but some might want to know: I use haproxy in front of my web services. It's lightning fast, does awesome TLS, and is extremely configurable.

I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

In that case, you don't need h2c, and probably don't want it.

Also, I've got somebody complaining about CVE-2021-25329. I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is.

I can't tell what those vulnerabilities are about, but I don't think they have anything to do with h2c.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to