CF Gateway - Certificate Revocation List missing?

Hello,

in my company we are using Cloudflare Gateway with WARP.

If I try to access my websites hosted on Cloudflare via browser or via Invoke-WebRequest, everything is fine.

If I use a tool like curl, instead, it fails with an error on the Certificate revocation:

C:\Users\mam>curl "https://mydomainexample.com" -v

*   Trying abcd:1200::4567:a1b2:443...
* Connected to mydomainexample.com (abcd:1200::4567:a1b2) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 0
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

It looks like the issue is not related to the certificate of the website itself (issued by "Gateway Intermediate ECC Certificate Authority"), but to the fact that this CA doesn't contain a CRL.

In fact, you can see that curl is able to connect to my website (connected), but it’s not able to check the revocation for the certificate. IMO, this happens because the “Gateway Intermediate ECC Certificate Authority” doesn’t define any CRL, which makes curl unable to perform such check.

In order to make it work, I'm forced to use the --ssl-no-revoke option:

C:\Users\mam>curl "https://mydomainexample.com" --ssl-no-revoke -v

*   Trying abcd:1200::4567:a1b2:443...
* Connected to mydomainexample.com (abcd:1200::4567:a1b2) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: mydomainexample.com
> User-Agent: curl/7.79.1
> Accept: */*
>
* schannel: failed to decrypt data, need more data
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 27 Jan 2022 14:36:15 GMT
< Content-Type: text/html; charset=utf-8

This is quite annoying, as some tools we use are failing because of this and it'd be quite impractical to troubleshoot every one of them and find a workaround for that...

Any hints?

Thanks,

Marco

Probably similar to Installing TLS / SSL ROOT Certificates to non-standard environments - Client Connector - Zenith, you'll want to import the cert.

Hello,

thanks for your reply.

As I was mentioning, curl validates the certificates (depending on the environment, one may or may not need to “install” the CA certificates by using the CURL_CA_BUNDLE= environment variable).

The problem is that it’s unable to perform the certificate validation check.
To me it looks like the certificate itself is recognized as valid, but it’s not able to validate that the certificate hasn’t been revoked as there’s no CRL in the CA itself.

If curl was unable to validate the certificate, I would have needed to run it with the --insecure option (super insecure, skips the cert validation altogether), not with the --ssl-no-revoke (which just skips the certificate validation).

Marco
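To confirm Marco's diagnosis from the client side, the following is an added example (not part of the thread, and not Cloudflare's code) for the same Windows machine where curl and Invoke-WebRequest were run: it fetches the chain the server presents, builds it with the Windows chain engine the way schannel does (online revocation check, root excluded), and reports for each certificate whether it carries a CRL Distribution Points or Authority Information Access extension at all. `$HostName` is a placeholder to replace with the site behind Gateway.

```powershell
# Placeholder host name: replace with a site reached through Cloudflare Gateway.
$HostName = 'mydomainexample.com'

# Fetch the leaf certificate exactly as presented to this client.
# The callback returns $true only so the handshake completes; the real
# validation is done below with an explicit X509Chain, not by this callback.
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($HostName)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain with the same policy schannel applies for curl:
# revocation must be checked online for every certificate except the root.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$null = $chain.Build($leaf)   # return value ignored; per-element status is inspected below

# One row per chain element: does the cert declare where its revocation
# data lives (CRL DP = OID 2.5.29.31, AIA/OCSP = OID 1.3.6.1.5.5.7.1.1),
# and what did the chain engine conclude about it?
foreach ($el in $chain.ChainElements) {
    $c   = $el.Certificate
    $crl = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{
        Subject  = $c.Subject
        HasCRLDP = [bool]$crl
        HasAIA   = [bool]$aia
        Status   = if ($status) { $status } else { 'OK' }
    }
}
```

A certificate that shows HasCRLDP and HasAIA both False together with a Status of RevocationStatusUnknown or OfflineRevocation is the one schannel cannot check, which is what curl surfaces as 0x80092012.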