We use Cloudflare Client Certificates to restrict access to some of our internal URLs. The firewall rule is to block with an expression like
(http.host in {"git.mydomain.com" "dev.mydomain.com"} and ssl and not cf.tls_client_auth.cert_verified)
We have three client certificates visible in the web UI and all of them are in revoked status, but actually I can still access git.mydomain.com and dev.mydomain.com with the revoked client certificates.
I see it as a security issue, as I expect the revoked client certificates not to be accepted by the Cloudflare firewall, since there is a cf.tls_client_auth.cert_verified condition.
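An added example (not code from the thread or from Cloudflare) that models the firewall rule quoted above as a Python predicate and runs it over constructed requests. It assumes that cf.tls_client_auth.cert_verified reflects chain validation only, so a revoked-but-otherwise-valid certificate still verifies, and that revocation is exposed as the separate field cf.tls_client_auth.cert_revoked, which the post does not mention; the hardened rule shows the check that closes the gap under those assumptions.

```python
from dataclasses import dataclass

PROTECTED_HOSTS = {"git.mydomain.com", "dev.mydomain.com"}


@dataclass(frozen=True)
class Request:
    """Subset of the request fields the rule expression reads."""
    host: str            # http.host
    ssl: bool            # ssl
    cert_verified: bool  # cf.tls_client_auth.cert_verified (chain validated)
    cert_revoked: bool   # cf.tls_client_auth.cert_revoked (assumed field)


def blocked_by_original_rule(r: Request) -> bool:
    """(http.host in {...} and ssl and not cf.tls_client_auth.cert_verified)"""
    return r.host in PROTECTED_HOSTS and r.ssl and not r.cert_verified


def blocked_by_hardened_rule(r: Request) -> bool:
    """Same rule with an explicit revocation check:
    (... and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked))"""
    return (r.host in PROTECTED_HOSTS and r.ssl
            and (not r.cert_verified or r.cert_revoked))


# Constructed sample traffic, not real requests. The "revoked cert" case models the
# symptom in the post: the cert still passes chain validation, so cert_verified is True.
SAMPLES = {
    "no client cert": Request("git.mydomain.com", True, False, False),
    "valid cert": Request("git.mydomain.com", True, True, False),
    "revoked cert": Request("git.mydomain.com", True, True, True),
    "other host": Request("www.mydomain.com", True, False, False),
}


def audit(rule) -> dict:
    """Map each sample request name to whether the given rule blocks it."""
    return {name: rule(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, rule in (("original", blocked_by_original_rule),
                       ("hardened", blocked_by_hardened_rule)):
        print(name, audit(rule))
```

Running it shows the original rule letting the "revoked cert" request through while the hardened rule blocks it, and both rules leaving the valid certificate and the unprotected host untouched.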
Certificate revocation comes up from time to time. From what I recall, Cloudflare Client Certs only have a “Delete” option, so I’m not sure that means it’s revoked. I could be wrong.
Now there is no Delete option; there is a Revoke button, and a Restore button if the cert is in revoked status. So that's why I expect the certs in revoked status not to be accepted as valid.
I see the certs are revoked. If I try to access the hostnames in question, I get blocked by way of the Firewall rule you have in place. Does this happen if you try to access with a different device?
If I don't have any client cert on a device, then I get blocked. But if I have one of the revoked certs on a device, then the firewall does not block me and I can still access the resources. This way the ex-employees we shared the certs with can still access our internal resources even though the certs were revoked.
@1blas For now we have three client certificates, and all three are revoked. Still, I can access our "client certificate protected" resources with any of the revoked certificates. Is this ok, or am I facing a bug that will be fixed?
This issue seems to be a serious security risk; please let me know if I should expect the revoked certificates to stop working. Otherwise I should stop using client certificates as an access control measure in my project as soon as possible and look for another solution.
@1blas I understand that you personally may not be working nowadays, may have changed jobs or be on vacation; I don't know, it could be anything. But I don't know how to reach the Cloudflare team otherwise.
The statement you made
I see the certs are revoked. If I try to access the hostnames in question, I get blocked by way of Firewall rule you have in place.
makes me think my question was not understood correctly, so I have tried to make it clearer.
My assumption is that you do not have access to the client certificates that I have, so you get blocked. If you do have the certificates, then it is
surprising that you have them, but ok, you are in the Cloudflare team;
surprising because the firewall works as expected for you but not for the five people in my team.
Can anyone please give a clear answer on whether the revoked certificates are expected not to work?