Information Security News
The Apache Software Foundation released an important update for Apache httpd today to fix a vulnerability that affects servers that have http/2 enabled and use TLS client certificates for authentication.
Apache httpd 2.4.18 through 2.4.20 are vulnerable if both of the following are true:
- TLS client certificates are used to authenticate clients (look for an SSLVerifyClient require directive in your configuration, including any <VirtualHost>, <Location> or <Directory> sections)
- http/2 is enabled (check whether the Protocols line includes h2 and/or h2c; h2 is HTTP/2 over TLS, which is the case where client certificate authentication applies, while h2c is cleartext HTTP/2)

To see whether clients are actually negotiating http/2 with a server, watch the ALPN extension in the TLS handshake. For example, with tshark (the ssl.* field names below were renamed to tls.* in Wireshark 3.0; the filter needs to be quoted so the shell passes it to -Y as one argument):

tshark -Y 'ssl.handshake.extensions_alpn_str == "h2"' -n -i en0 \
    -T fields -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name \
    -e ssl.handshake.extensions_alpn_str

10.5.1.12 220.127.116.11 1 cm.g.doubleclick.net h2,spdy/3.1,http/1.1
18.104.22.168 10.5.1.12 2 h2

In this handshake, the client (handshake type 1, Client Hello) offers http/2, spdy/3.1 as well as http/1.1 to cm.g.doubleclick.net. The server (handshake type 2, Server Hello) then selects http/2 (h2).
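The two configuration checks above, together with the version check, can be scripted. The following is an added example (not code from the original post or from the Apache project) that reads the output of `httpd -v` and an httpd configuration file and reports whether all three conditions hold; the sample configuration and version string embedded at the bottom are constructed for the example and do not come from a real server. It treats only h2 as relevant, since h2c is cleartext and TLS client certificates never apply to it.

```python
import re

# Versions the post names as vulnerable: Apache httpd 2.4.18 through 2.4.20.
VULNERABLE_VERSIONS = {(2, 4, 18), (2, 4, 19), (2, 4, 20)}


def parse_version(httpd_v_output):
    """Pull (major, minor, patch) out of the output of `httpd -v`; None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def active_lines(config_text):
    """Drop blank lines and comment lines (httpd comments start at the beginning of a line)."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def client_cert_required(lines):
    """True if any context (global, <VirtualHost>, <Location>, ...) sets SSLVerifyClient require."""
    return any(re.fullmatch(r"SSLVerifyClient\s+require", l, re.I) for l in lines)


def h2_enabled(lines):
    """True if any Protocols directive lists h2 (HTTP/2 over TLS).

    h2c is cleartext HTTP/2; TLS client certificates never apply there, so it
    does not count towards exposure.
    """
    for l in lines:
        m = re.fullmatch(r"Protocols\s+(.+)", l, re.I)
        if m and "h2" in (tok.lower() for tok in m.group(1).split()):
            return True
    return False


def assess(config_text, httpd_v_output):
    """Run the three checks; 'exposed' is True only when all of them hold."""
    version = parse_version(httpd_v_output)
    lines = active_lines(config_text)
    result = {
        "version": version,
        "vulnerable_version": version in VULNERABLE_VERSIONS,
        "client_cert_required": client_cert_required(lines),
        "h2_enabled": h2_enabled(lines),
    }
    result["exposed"] = all(
        result[k] for k in ("vulnerable_version", "client_cert_required", "h2_enabled")
    )
    return result


# Constructed sample input (not from any real server): an exposed configuration.
SAMPLE_HTTPD_V = "Server version: Apache/2.4.18 (Unix)\nServer built:   Jun  1 2016 00:00:00\n"
SAMPLE_CONFIG = """
# constructed example configuration
Listen 443
Protocols h2 http/1.1
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.pem
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG, SAMPLE_HTTPD_V).items():
        print(f"{key}: {value}")
```

In practice you would feed `assess()` the concatenation of httpd.conf and every file it pulls in through Include directives; the example does not follow includes, so a Protocols or SSLVerifyClient line living in a separate file has to be passed in explicitly.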