Check Certs Before Changing SSL Mode to Strict

We currently use Full SSL mode checking and are considering changing it to Full (Strict).
Is there a way to tell what origin servers/certificates would not pass strict testing before making this change?

That’s a good thing to do, though you shouldn’t have used Full in the first place.

As for checking, you can pause Cloudflare or connect directly to your IP address. You can also use the hosts file for that. If it loads fine when connecting directly, it will also work fine with Strict. Origin certificates are the exception of course.

I was hoping there was a report that could be pulled from Cloudflare as there are a few hundred servers and they are IP restricted to Cloudflare’s IP addresses.

My concern is that there are outdated origin certs that work fine under Full, but will fail under Strict.

Cloudflare only has the SSL recommender.

Difficult to say how much use that will be for you.

You could probably run some script locally (assuming you accept at least local connections) and check the certificate in that way.
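A sketch of the kind of script suggested above, as an added example that is not part of the original thread: it handshakes with each origin IP while sending the real hostname as SNI and applies the checks an ordinary TLS client performs (trusted chain, validity dates, hostname match). The inventory format, the addresses and the optional `origin_ca_pem` path (a locally saved Cloudflare Origin CA root) are assumptions, and it must run from a host the origins accept connections from.

```python
import socket
import ssl

# Constructed inventory: "hostname,origin-ip" per line (documentation addresses).
SAMPLE_INVENTORY = """\
# hostname,origin_ip
www.example.com,192.0.2.10
api.example.com,192.0.2.11
"""

def parse_inventory(text):
    """Return (hostname, ip) pairs, skipping blank lines and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, ip = (field.strip() for field in line.split(",", 1))
            pairs.append((host, ip))
    return pairs

def build_context(origin_ca_pem=None):
    """Public-CA trust store; optionally also trust an Origin CA root file."""
    ctx = ssl.create_default_context()  # verifies chain, expiry and hostname
    if origin_ca_pem:  # assumed path to a saved Origin CA root, if you use one
        ctx.load_verify_locations(cafile=origin_ca_pem)
    return ctx

def classify(exc):
    """Map a connection exception to a short verdict string."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "FAIL cert: " + getattr(exc, "verify_message", str(exc))
    if isinstance(exc, ssl.SSLError):
        return "FAIL tls: " + str(exc)
    return "UNREACHABLE: " + str(exc)

def check_origin(hostname, ip, ctx, port=443, timeout=5):
    """Handshake with the origin IP while sending `hostname` as SNI."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return "OK expires " + tls.getpeercert()["notAfter"]
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)

if __name__ == "__main__":
    ctx = build_context()  # pass a PEM path to also trust origin certificates
    for host, ip in parse_inventory(SAMPLE_INVENTORY):
        print(host, ip, check_origin(host, ip, ctx), sep="\t")
```

Rows reported as `FAIL cert` are the ones to fix before switching; `UNREACHABLE` rows say nothing about the certificate and need to be re-run from an allowed source.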

Yeah, we have the recommender turned on, which is what recommended we change the setting to Strict. However, it doesn’t tell us what servers, if any, would fail if we change that setting.

We could log into each of the servers and test them manually, but that’s a lot of servers and endpoints to have to log into and test manually - not to mention the likelihood of missing something.

Sounds like it is unavoidable. Cloudflare has a lot of reports for things like the TLS version, but I guess they don’t track things like this.

The recommender is always per domain. So you presumably can switch to Strict on any domain where you got that email.

But I’d really recommend rather going through the setups, as you mentioned, and making sure they are all properly and securely configured. It will take some work, but then you’ll know you have a secure platform.
