tracker issue : CF-4198446

select a category, or use search below
(searches all categories and all time range)
Title:

Reload/Redirect Loop caused by HTTP2, IIS10 and Safari.

| View in Tracker

Status/Resolution/Reason: To Test//Fixed

Reporter/Name(from Bugbase): Daniel Heighton / Daniel Heighton ()

Created: 03/27/2017

Components: Net Protocols, HTTP

Versions: 2016

Failure Type: Non Functioning

Found In Build/Fixed In Build: 301771 /

Priority/Frequency: Normal / Some users will encounter

Locale/System: ALL / Mac 10 All

Vote Count: 26

Problem Description:
While accessing a Coldfusion site on HTTP2 with IIS10/Server 2016 it causes a redirect loop. I found a blog post explaining the issue here:
http://www.giancarlogomez.com/2016/05/coldfusion-iis-10-http2-safari-bug.html

It is limited to issue with Coldfusion sites, on the same server i have a PHP site, and Safari can access it just fine.
Steps to Reproduce:
Set up IIS10 and Coldfusion on a server, and a site using SSL. Try to access it from a computer running Safari.
Actual Result:
The site shows up as a "white", and if you use server logs, you can see the browser is stop in a request loop where it keeps requesting the page.
Expected Result:
The page should show up

Any Workarounds:
Disable HTTP2 on the server entirely.

Attachments:

Comments:

This is also occurring in CF 11. Same exact setup.
Comment by John M.
983 | April 26, 2017 04:57:41 PM GMT
Sounds right. It's mostly likely an issue with Tomcat not having full HTTP2 support until version 8.5 and 9.
Comment by Daniel H.
984 | April 26, 2017 05:48:34 PM GMT
Do we know if the issue still exists in CF 2016? If I can fix the issue by upgrading from CF 11 to CF 2016, I'm willing to do that, but I'd like to be certain it works before making that investment.
Comment by David S.
985 | May 04, 2017 10:20:39 AM GMT
Yes, the issue still exists in CF 2016. That is what I am using on my servers.
Comment by Daniel H.
986 | May 04, 2017 03:03:37 PM GMT
What's going on Adobe Team? Are you guys going to look into this?
Comment by Giancarlo G.
987 | May 04, 2017 03:32:13 PM GMT
Hi all, Adobe says: "We can observe the issue noted in that bug report. Investigation and fix for the bug is targeted for the next update release." Related URL: http://blogs.coldfusion.com/post.cfm/coldfusion-2016-support-for-windows-server-2016#comment-B316BA45-A411-5AB1-A37CF32D39C0E914 Thanks!, -Aaron
Comment by Aaron N.
988 | May 13, 2017 04:03:07 AM GMT
ColdFusion 2016 Update 4 is using Tomcat 8.5.11.0. In the Tomcat docs, it appears that Tomcat 8.5.15 (perhaps earlier versions too?) supports HTTP2 (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#HTTP/2_Support) with some caveats. According to the docs, "Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support." IIS does not implement OpenSSL to my knowledge. I believe it is called SChannel. I am not sure if this is still true but according to this blog, https://blogs.iis.net/davidso/http2, IIS currently only supports HTTP/2 over TLS. JDK 9 implements the ALPN natively over TLS (https://stackoverflow.com/questions/39856972/http-2-java-8-jetty-and-alpn) Can we upgrade our JDK to 9 on CF 2016? JDK 9 will be released on September 21, 2017 according to their site (http://openjdk.java.net/projects/jdk9/). Lastly, it appears as though Tomcat "says" JDK 8+ is supported, http://tomcat.apache.org/whichversion.html. So that's encouraging. Perhaps just a few more months!?
Comment by Michael T.
989 | June 15, 2017 03:06:51 PM GMT
I also noticed on our server that this only happens if the default document of index.cfm exists. I can go to the site fine if I type in any other document (including the index.cfm document) and it will go right there. Causing us havoc using Let's Encrypt on our sites. Nobody in safari can get to the homepages. Other browsers work fine.
Comment by Patrick H.
990 | June 29, 2017 02:37:36 AM GMT
Has one of you tried it with a newer tomcat version? With JDK 9 I guess we need to wait until Adobe releases an updater that makes it compatible. This may take half a year or so... if we compare the upgrade with CF2016 jump from JDK7 to JDK8. Anyone has news from Adobe about this issue? I'm not getting good answers from them.
Comment by Alexander H.
991 | September 18, 2017 08:42:42 AM GMT
I thought about trying to update the version of tomcat, but decided it wasn't worth the effort. Just Disabling HTTP2 in the registry is the quickest/fastest solution. While not having HTTP/2 feels bad, it's not like I didn't have it for years before now. So I figure I can just deal with not having it for another year.
Comment by Daniel H.
992 | September 18, 2017 03:19:05 PM GMT
We *only* upgraded our infrastructure to Windows 2016 to get HTTP2 and now it is not working at all! And why - just because ColdFusion 2016 is not compatible with Windows 2016, but listed as compatible. I feal very angry. We are permanently asked by externals (e.g. Google) why we are not using HTTP2 as it improves client performance and affects search engine ranking. Additionally we want to run on SSL only. If you run on a HTTP2 your page may load in 0.5 seconds compared to 3-4 seconds without and this makes a critical difference. This issue may has not proper priority at Adobe.
Comment by Alexander H.
993 | September 19, 2017 10:35:18 AM GMT
Same problem with CF 2016 / Apache / IIS 10 / Windows server 2016
Vote by Karel V.
1010 | October 03, 2017 07:25:54 AM GMT
This issue just manifested today when clients reported that they couldn't connect to the application. I used BrowserStack to troubleshoot and discovered iOS/Mac Safari are the only browsers that can't connect to the default "index.cfm" document. I'm using CF2016 w/ jdk1.8.0_14 and patch 4 and/or 5 on Windows 2016 and pages won't load for Safari users if SSL is used. This is a major show stopper. When I dump CGI paramters, it indicates that the server_protocol is HTTP/1.1... so I'm not sure if this is entirely an HTTP/2 issue as the same CFML template executes as expected if renamed to something other than the root document ("index.cfm".)
Comment by James M.
994 | October 03, 2017 10:49:59 PM GMT
I found this video that explains it more... it may not be entirely related to ColdFusion. https://www.youtube.com/watch?v=a__h2EkbCb4 "This came to light on a production server where if the end user leaves their browser open can cause 100's of hit's per second recorded in IIS logs that can last for hours.?"
Comment by James M.
995 | October 03, 2017 10:58:44 PM GMT
Here's a work-around that was discovered to Nginx: https://medium.com/@jason.mcclellan/nginx-safari-http2-not-working-607a8333e67a SOLUTION: Set Http2-specific buffer values separately from the ones set for Http1. Is this a potential solution for fixing it on ColdFusion 2016?
Comment by James M.
996 | October 03, 2017 11:00:39 PM GMT
James, That's the youtube video created by the guy who's blog post I referenced in the original ticket. The only solution I've found so far to solve this is to just disable HTTP/2 on Windows Server via the registry https://stackoverflow.com/questions/44660634/how-to-disable-http-2-on-iis-of-windows-server-2016 Doing that immediately fixed all connection issues for me.
Comment by Daniel H.
997 | October 03, 2017 11:02:34 PM GMT
We don't normally use or test with Safari, but unfortunately our paying clients do and they think the platform we use is "broken" as a result. I see "HF6" under version details... is it "fixed" and just not released yet?
Vote by James M.
1011 | October 03, 2017 11:03:21 PM GMT
Last friday I received feedback from Adobe. They told me they opened a ticket with Apple. I pinged back that this is not an Apple bug and they need to fix their software. As the video shows requests to files e.g. /index.cfm work and only „/„ does not work, this points to the IIS connector. Since this is like a DDoS we cannot wait for Apple to change Safari. Something need to be implemented on server side!
Comment by Alexander H.
998 | October 04, 2017 07:47:47 AM GMT
I agree with your assessment. I provided some other links and this could be something that is fixed on the server side especially since it's only an issue with the default/root files. FYI: The video I posted above that was also shared with Adobe was posted on May 9, 2016; 17 months ago; 1 day before Patch 1 was released on 5/10/2016. The bug was reported before Patch 4. Adobe has already had 1-4 patch releases to review and fix this "critical" bug. Perhaps this issue doesn't have the minimum amount of upvotes to warrant their attention or enough Enterprise users haven't complained yet. The status is not "FIXED" yet, so there's no promise that it will even be in an upcoming HP6. (I've seen verified bugs never get fixed & released.) This bug is easy to identify provided that you have CF2016 installed on Windows 2016 server and have a single Safari user attempting to visit the homepage of your website. NOTE: When I was troubleshooting a separate caching issue with the CF Team, they didn't bother to use the sample CFML code that I had provided and insisted that the issue was "fixed". Their sample code updated a value in a query object using "Query.Field" (which only updates the field the first row) instead of testing "Query.Field[Row]". Do they need sample code or access to a server? If Adobe doesn't have the resources to do this, I'll volunteer and provide them full access to a Windows 2016 server so they can review this further. In the meantime, let's solicit other members of the ColdFusion community to come and upvote this this "neglected, 17 month old, show-stopping issue" to give it the attention that rightfully deserves.
Comment by James M.
999 | October 04, 2017 01:41:48 PM GMT
@James: I think the only issue is that nobody pushes them. Do you have a support contract, too? By creating this issue, nothing happens! You need to log the case and than call them / send emails to look into the case. I'm doing this more than once a week since 3 weeks and I'm very angry on them, but then last friday - after 3 weeks of silence - they told me that CF2018 alpha lauch made them busy. Apologies do not help us, but this need to moved to a solution. So I push them again as I have not received an answer to my email on friday. HF6 is just the next one... it does not mean it will be fixed there. What values have been set in https://medium.com/@jason.mcclellan/nginx-safari-http2-not-working-607a8333e67a for the settings? The article is not really helpful about this important detail. Just a note about the params. I'm not sure if IIS has such a setting... @Karel Verbert: Are you running Apache or IIS or both? What versions? @All: Has one tried with newer JDK9 or at least a newer external Tomcat? I never tested it. If we can put a finger on something or at least exclude something more it can only help.
Comment by Alexander H.
1000 | October 04, 2017 02:43:05 PM GMT
Also the issues from HTTP/2 IIS10 CF/Tomcat aren't unique to Safari. In at least version 54 of Mozilla Firefox, Firefox will duplicate every request. I tested and verified this on my staging server when we were checking if this was still in an issue in Update 4. Google Chrome on the same instance did not generate this behavior. It is something Adobe needs to address, but at the very least you can get things working work your clients by disabling HTTP/2
Comment by Daniel H.
1001 | October 04, 2017 02:51:44 PM GMT
This is a major bug and should be addressed immediately.
Vote by Dave Q.
1012 | October 05, 2017 06:01:22 AM GMT
@Daniel: Hopefully this is not firebug that makes the second request while you debug it. Feedback from Adobe: Issue is reproducible at our end and our engineers are debugging it within our code and as well as mod_jk. We found out that the code flow is different in safari vs Chrome. Will get back to you shortly with detailed analysis of the root cause.
Comment by Alexander H.
1002 | October 09, 2017 07:57:06 AM GMT
Same issue Windows 2016 with CF 2016. For some reason occurs on root directories only, while accessing the same directory with index.cfm file works OK. This is a major issue
Vote by Yahya A.
1013 | October 23, 2017 10:40:07 PM GMT
This bug made switching to SSL a nightmare....
Vote by Derek R.
1014 | October 25, 2017 10:09:43 PM GMT
I've encountered both the Safari and Firefox double post issue pertaining to HTTP/2 being enabled. Following the suggested workaround of disabling HTTP/2 solved the issue for Safari and Firefox. It would be great if Adobe would take a look at this important issue.
Comment by Dana B.
1003 | November 13, 2017 03:54:52 PM GMT
Please fix this! Been waiting months for this to be resolved. Seems okay in iOS11 now but still an issue for everything before.
Vote by Dave H.
1015 | November 16, 2017 09:20:33 PM GMT
Hi, We have been working with Microsoft to resolve this bug. This is a complicated issue which has several components involved in it. Following are the points which highlight the current state of the issue. 1. First and foremost, ColdFusion is able to process the request properly, in both the cases (HTTP/1.1 or HTTP/2). But, in the error case, when the connector tries to write the response back to the client browser, it fails (the Microsoft API fails to write it to client), and instead, the TCP connection is reset. 2. Earlier our doubt was that Microsoft IIS is causing the issue by having some problems in processing the HTTP/2 request. 3. But recently, we found out that, IIS does nothing with the encrypted HTTP/2 request, and passes it to a component called HTTP.sys. This is where the request fails and the TCP reset is initiated. We are coordinating with the HTTP.sys team at Microsoft to get this resolved as soon as possible. We will keep upadting this thread as and when we receive more updates on this issue.
Comment by Nikhil S.
1004 | January 17, 2018 02:28:08 PM GMT
Hi, The latest update on this bug is that Microsoft has accepted the bug.   Thanks Nikhil Siddhartha
Comment by Nikhil S.
1005 | January 30, 2018 06:32:35 AM GMT
Now, february 2018 and still only solution is disable http/2.
Vote by Kai K.
1016 | February 09, 2018 03:22:49 PM GMT
There are some good news. I'm not sure why Adobe is not giving status updates here, but they worked together with MS on the issue and MS identified the issue as a bug in their Windows 2016 HTTP.Sys. The bug has already been fixed in a future version of Windows before it was reported by Adobe, but was never ported back to Windows 2016. As MS has agreed on business justification they plan to come up with a fix. No date has been given yet, but things seems moving to a solution.
Comment by e
1006 | February 13, 2018 01:11:32 PM GMT
Update: Microsoft has accepted the business justification for this issue and will provide us with a private package as soon as possible, which should resolve this bug.
Comment by Nikhil S.
1007 | February 20, 2018 06:30:26 AM GMT
As follow up to my last comment on 02/13/2018. Adobe received a private hotfix from MS for testing and it seems working per Adobe. I hope I will get this patch, too. MS has integrated the fix in upcomming Windows-Rollup April 2018. We are therefore very close to a public available solution for all Tomcat servers running behind Microsoft IIS 2016.
Comment by ALEXANDER H.
1008 | March 07, 2018 12:14:27 PM GMT
Update:  Microsoft will provide the fix for this bug as a part of their Windows update being rolled out in April. Unfortunately, they can not provide any separate hotfix for this, due to a change in their internal build technology. Hence, the only way to get this issue fixed is wait for them to release the update which should (ideally) be made public in April, 2018.
Comment by Nikhil S.
1009 | March 09, 2018 07:20:14 AM GMT
Having this issue as well. Sub'd
Vote by Chris D.
27330 | April 09, 2018 05:13:58 PM GMT
Does anyone know exactly when this fix will be released? I installed a cumulative update on Windows 2016 today, and it didn't seem to fix the issue.
Comment by David H.
27552 | April 11, 2018 10:45:30 PM GMT
Update: This issue has been fixed in the Windows update released by Microsoft. The update's key is: KB4093120. It can be found on this link: [https://www.catalog.update.microsoft.com/Search.aspx?q=2018-04|https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.catalog.update.microsoft.com%2FSearch.aspx%3Fq%3D2018-04&data=02%7C01%7Cssengupt%40adobe.com%7C0fa23303783f428f228a08d5a5634374%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636596768149475373&sdata=4xKm44Nv8p0Zq55GGjGIjtUZv1Cc%2BRz2nZM9n%2Fsm53c%3D&reserved=0]   We have verified this fix at our end and everything seems to work fine. Please do let us know in case you find that the issue has not been fixed Microsoft in their update.
Comment by Nikhil S.
27553 | April 22, 2018 09:51:26 PM GMT
I have been having experiencing similar problems and in the process of downloading the patch. I have other issues with IIS 10 on CF Server 2016 showing that our site is only serving http/1 while setup to run http/2. Not found a solution,yet.
Comment by Edward L.
28995 | June 04, 2018 01:44:33 PM GMT
Nikhil and others, I can confirm this is finally fixed. I re-enabled http/2 and all appears resolved. One note, I did have to re-enable some cipher suites that http/2 depends on as part of getting this to work. The initial response after enabling http/2 was might be temporarily down or it may have moved permanently to a new web address. ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY Checking my own cipher suites against the default Windows Server 2016 cipher suites and enabling some that had been disabled, was the fix.
Comment by David S.
29542 | August 18, 2018 11:36:17 AM GMT
I suggest to protect your IIS. Default is not the good, see https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
Comment by ALEXANDER H.
29543 | August 18, 2018 02:04:26 PM GMT