On 7/1/2021 3:24 PM, James H. H. Lampert wrote:
> On 6/21/21 9:42 AM, Christopher Schultz wrote:
>> If you are using h2c, you'll definitely want to upgrade to 8.5.63 or later, as there is a critical fix there.
>
> My understanding, based on what I looked up a week and a half ago, is that we're not using h2c, but at the same time, I don't think I fully understand what "h2c" is.

h2c means HTTP/2 cleartext -- that is, without the TLS encryption that HTTPS provides. If Tomcat is reached directly by clients and the traffic doesn't go through a load balancer or proxy, then generally you don't want to enable h2c, you just want to enable h2. Technically h2c isn't in line with the goals of HTTP/2 ... encryption is assumed. But there are situations where it's what you really do want.

With a load balancer or proxy in the mix, things get a little more complicated. I personally would want the backend connection as fast as possible, and all the encryption handled by the front end -- the proxy or load balancer. So my backend connections are h2c, not h2.

But I have run into web applications that only work right if the back end connection is encrypted. Up until about a week ago, one such application for me was WordPress. Then I figured out the right config to make WordPress always assume https even if the connections coming into the web server (Apache httpd in this case) were not encrypted ... so I immediately got rid of the double encryption by using h2c on the back end.

A bit of trivia that doesn't affect these answers, but some might want to know: I use haproxy in front of my web services. It's lightning fast, does awesome TLS, and is extremely configurable.

> I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port.

In that case, you don't need h2c, and probably don't want it.

> Also, I've got somebody complaining about CVE-2021-25329. I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is.

I can't tell what those vulnerabilities are about, but I don't think they have anything to do with h2c.

Thanks,
Shawn

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
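An added server.xml example (not from this thread or the Tomcat project) showing what the h2 / h2c distinction discussed above looks like in Tomcat 8.5/9 connector configuration, plus the RemoteIpValve setting that addresses the "application insists on https" problem behind a cleartext backend. Ports, addresses, keystore path and password are assumed placeholders.

```xml
<!-- Added example (not from the thread). Fragments belong inside <Service>
     (connectors) and <Engine> or <Host> (valve). Ports, addresses and the
     keystore are assumed placeholders. -->

<!-- 1. Tomcat reached directly by browsers: an HTTPS-only connector.
        UpgradeProtocol on a TLS connector yields "h2", negotiated via ALPN
        inside the TLS handshake. No cleartext HTTP/2 (h2c) is offered, which
        matches a server that listens only on 443/8443. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

<!-- 2. Tomcat behind a TLS-terminating proxy (haproxy in Shawn's setup):
        the same UpgradeProtocol on a non-TLS connector is what "h2c" means.
        Bind it to a private interface so only the proxy can reach it, and
        keep it on 8.5.63+ per Christopher's note. -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           address="10.0.0.5" maxThreads="150">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

<!-- 3. Why some apps misbehave on a cleartext backend: they see an
        unencrypted request and generate http:// redirects or drop Secure
        cookies. RemoteIpValve makes request.isSecure(), getScheme() and
        getServerPort() reflect what the proxy received, based on
        X-Forwarded-Proto, but only when the header comes from a trusted
        proxy address (assumed 10.0.0.1 here). -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
```

Restricting internalProxies to the proxy's address matters: otherwise any client that can reach the cleartext connector directly could claim a forwarded https scheme or source address.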
