A revoked Client Certificate still passes `cf.tls_client_auth.cert_verified` firewall rule

We use Cloudflare Client Certificates to restrict access to some of our internal URLs. The firewall rule blocks with an expression like

`(http.host in {"git.mydomain.com" "dev.mydomain.com"} and ssl and not cf.tls_client_auth.cert_verified)`

We have three client certificates visible in the web UI and all of them are in revoked status, but I can actually still access git.mydomain.com and dev.mydomain.com with the revoked client certificates.

I see this as a security issue, as I expect the revoked client certificates not to be accepted by the Cloudflare firewall, since there is a `cf.tls_client_auth.cert_verified` condition.
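The following is an added example, not code from the thread or from Cloudflare: a small local model of how the quoted firewall expression is evaluated against a request's client-certificate fields, next to a stricter rule for comparison. The field names mirror the `cf.tls_client_auth.*` fields in Cloudflare's rules-language reference (`cert_verified`, `cert_revoked`, `cert_fingerprint_sha256`); whether `cert_revoked` was available when this thread was written is not stated on the page. The request contexts, the allowlist and the fingerprint strings are constructed placeholders, and `Request`, `rule_from_thread`, `hardened_rule` and `evaluate` are names chosen here, not part of any Cloudflare API.

```python
from dataclasses import dataclass

# Hosts covered by the rule in the post.
PROTECTED_HOSTS = {"git.mydomain.com", "dev.mydomain.com"}

# SHA-256 fingerprints of the certificates currently issued to staff.
# Constructed placeholder values, not real fingerprints. Keeping an explicit
# allowlist in the rule means revocation state is not the only thing that
# stands between an ex-employee's certificate and the protected hosts.
ALLOWED_FINGERPRINTS = {"fp-active-0001"}


@dataclass(frozen=True)
class Request:
    """Subset of a request's cf.tls_client_auth.* fields (constructed model)."""
    host: str
    ssl: bool
    cert_verified: bool        # cert chains to the zone's client CA
    cert_revoked: bool         # cert is marked revoked in the dashboard
    cert_fingerprint_sha256: str


def rule_from_thread(req: Request) -> bool:
    """Model of the rule quoted in the post; True means the request is blocked.

    (http.host in {...} and ssl and not cf.tls_client_auth.cert_verified)
    """
    return req.host in PROTECTED_HOSTS and req.ssl and not req.cert_verified


def hardened_rule(req: Request) -> bool:
    """Block unless the cert is verified, not revoked and still on the allowlist.

    Expression this models:
    (http.host in {...} and ssl and
     (not cf.tls_client_auth.cert_verified
      or cf.tls_client_auth.cert_revoked
      or not cf.tls_client_auth.cert_fingerprint_sha256 in {"<fingerprint>"}))
    """
    if req.host not in PROTECTED_HOSTS or not req.ssl:
        return False
    acceptable = (
        req.cert_verified
        and not req.cert_revoked
        and req.cert_fingerprint_sha256 in ALLOWED_FINGERPRINTS
    )
    return not acceptable


def evaluate(rule, requests: dict) -> dict:
    """Run one rule over named sample requests; True means blocked."""
    return {name: rule(req) for name, req in requests.items()}


# Constructed sample traffic. A revoked certificate still carries a valid
# signature from the client CA, so cert_verified stays true for it; only
# cert_revoked (or an allowlist) tells it apart from an active one.
SAMPLE_REQUESTS = {
    "no_cert": Request("git.mydomain.com", True, False, False, ""),
    "active_cert": Request("dev.mydomain.com", True, True, False, "fp-active-0001"),
    "revoked_cert": Request("git.mydomain.com", True, True, True, "fp-revoked-0002"),
    "public_host": Request("www.mydomain.com", True, False, False, ""),
}

if __name__ == "__main__":
    for name, rule in (("rule_from_thread", rule_from_thread),
                       ("hardened_rule", hardened_rule)):
        print(name, evaluate(rule, SAMPLE_REQUESTS))
```

Running it shows the behaviour the post describes: `rule_from_thread` blocks only the request with no certificate, letting the revoked one through, while `hardened_rule` also blocks the revoked certificate, both because `cert_revoked` is set and because its fingerprint is no longer on the allowlist.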

Certificate revocation comes up from time to time. From what I recall, Cloudflare Client Certs only have a “Delete” option, so I’m not sure that means it’s revoked. I could be wrong.

Now there is no Delete option; there is a Revoke button, and a Restore button if the cert is in revoked status. So that's why I expect the certs in revoked status not to be accepted as valid.

sdayman (MVP '18 - '21) wrote on August 5:

    Certificate revocation comes up from time to time. From what I recall, Cloudflare Client Certs only have a "Delete" option, so I'm not sure that means it's revoked. I could be wrong.


I see the certs are revoked. If I try to access the hostnames in question, I get blocked by way of Firewall rule you have in place. Does this happen if you try to access with a different device?


If I don't have any client cert on a device, then I get blocked. But if I have one of the revoked certs on a device, then the firewall does not block me and I can still access the resources. This way the ex-employees we shared the certs with can still access our internal resources even though the certs were revoked.

blas (Cloudflare Team) wrote on August 5:

    I see the certs are revoked. If I try to access the hostnames in question, I get blocked by way of Firewall rule you have in place. Does this happen if you try to access with a different device?

@1blas Can you please confirm whether I am facing a bug or whether this is expected firewall operation?

Just for reference, I will add a screenshot.

And this is how it looks with an active certificate: there is a Revoke button.

@1blas For now we have three client certificates and all three are revoked. Still, I can access our "client certificate protected" resources with any of the revoked certificates. Is this OK, or am I facing a bug that will be fixed?


This issue seems to be a serious security risk; please let me know if I should expect the revoked certificates to stop working. Otherwise I should stop using client certificates as an access control measure in my project as soon as possible and look for another solution.

@1blas I understand that you personally may not be working these days, may have changed jobs or be on vacation, I don't know, it can be anything. But I don't know how to reach the Cloudflare Team otherwise.

The statement you made

    I see the certs are revoked. If I try to access the hostnames in question, I get blocked by way of Firewall rule you have in place.

makes me think my question was not understood correctly, and I have tried to make it clearer.

My assumption is that you do not have access to the client certificates that I have, so you get blocked. If you have the certificates, then it is

  1. surprising that you have them, but OK, you are in the Cloudflare team;
  2. surprising because the firewall works as expected for you but not for five people in my team.

Can anyone please give a clear answer as to whether the revoked certificates are expected not to work?
