Disable HTTP/2 on TrustBuilder Components

This tutorial was created because of a known vulnerability in HTTP/2.

One of the components shipped as part of the TrustBuilder IDHub package contains HTTP/2 vulnerabilities that allow potential DoS attacks against NGINX.

Details can be found on: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

TrustBuilder Gateway

This needs to be done in EVERY server block configured within the NGINX configuration. HTTP/2 support is enabled on the listen directive, so remove the http2 token from each of these lines.

listen 443 ssl http2 default;

To

listen 443 ssl default;

TrustBuilder Orchestrator & TrustBuilder Admin

HTTP/2 also needs to be disabled on the Tomcat-Core, because the NGINX modules used by TrustBuilder Gateway no longer communicate with HTTP/2-enabled servers.

Edit the file /opt/trustbuilder/tomcat-core/conf/server.xml and delete the UpgradeProtocol tags from within the Connector tags.

<Connector ... >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

To

<Connector ... protocol="HTTP/1.1" />

By default the connector falls back to HTTP/1.1; the protocol can also be set explicitly in the Connector tag.

Source: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#HTTP/2_Support
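The two edits above are easy to miss on a host with many server blocks, so here is an added audit script (written for this page, not part of the TrustBuilder article or the vendor's tooling) that counts the remaining http2 flags on NGINX listen directives and the UpgradeProtocol elements in a Tomcat server.xml, and strips them while keeping a .bak copy. The sample configuration files it writes are constructed for the demo; the file names, the temporary directory and the single-line UpgradeProtocol form are assumptions, and in production you would point the functions at the real NGINX configuration files and at /opt/trustbuilder/tomcat-core/conf/server.xml.

```shell
#!/bin/sh
# Added example, not code from the TrustBuilder article: audit and strip
# HTTP/2 from NGINX server blocks and from a Tomcat server.xml.
# All file contents below are constructed samples for the demonstration.

# Count listen directives that still carry the http2 flag.
# Prints the count; the exit status stays 0 even when the count is zero.
count_nginx_http2() {
  grep -Ec '^[[:space:]]*listen[^;]*[[:space:]]http2([[:space:];]|$)' "$1" || true
}

# Remove the http2 token from every listen directive in a file.
# The original is kept as <file>.bak so the change can be reverted.
disable_nginx_http2() {
  cp "$1" "$1.bak"
  sed -E 's/^([[:space:]]*listen[^;]*)[[:space:]]+http2([[:space:];])/\1\2/' "$1.bak" > "$1"
}

# Count <UpgradeProtocol .../> elements in a Tomcat server.xml.
count_tomcat_http2() {
  grep -c '<UpgradeProtocol' "$1" || true
}

# Delete single-line <UpgradeProtocol .../> elements (the form shown in the
# article; a multi-line element would need an XML-aware tool). Keeps a .bak copy.
disable_tomcat_http2() {
  cp "$1" "$1.bak"
  sed '/<UpgradeProtocol[^>]*\/>/d' "$1.bak" > "$1"
}

# Write constructed sample configs into the given directory (assumed layout).
make_samples() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/gateway.conf" <<'EOF'
server {
    listen 443 ssl http2 default;
    listen [::]:443 ssl http2;
    server_name gateway.example.test;
}
server {
    listen 8443 ssl;
    server_name admin.example.test;
}
EOF
  cat > "$dir/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
EOF
}

# Demo run on the constructed samples in a throwaway directory.
demo_dir=${TMPDIR:-/tmp}/tb-http2-demo.$$
make_samples "$demo_dir"
echo "nginx listen lines with http2 before: $(count_nginx_http2 "$demo_dir/gateway.conf")"
disable_nginx_http2 "$demo_dir/gateway.conf"
echo "nginx listen lines with http2 after:  $(count_nginx_http2 "$demo_dir/gateway.conf")"
echo "tomcat UpgradeProtocol elements before: $(count_tomcat_http2 "$demo_dir/server.xml")"
disable_tomcat_http2 "$demo_dir/server.xml"
echo "tomcat UpgradeProtocol elements after:  $(count_tomcat_http2 "$demo_dir/server.xml")"
rm -rf "$demo_dir"
```

After editing the real files, validate and reload NGINX with `nginx -t` followed by `nginx -s reload`, and restart the Tomcat-Core service; a second run of the count functions against the live configuration should report 0 for both.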
