Cloudflare breaks Client-Side-Authentication

ssl

#1

Hello,

Recently, I tried to implement client-side authentication on my blog server to protect my management access point.

After I finished all the configuration, the setup worked without Cloudflare. But with Cloudflare enabled, my browser did not prompt me to select my certificate; instead, it showed this message:

When “Authenticated Origin Pulls” enabled:

400 Bad Request:
No required SSL certificate was sent

When “Authenticated Origin Pulls” disabled:

400 Bad Request:
The ssl certificate error

Help is appreciated.

Thanks.


#2

I don’t know for sure whether you can authenticate via a certificate on the client’s side through Cloudflare. Have you looked at JWTs and Cloudflare Access?


#3

Hi,

Thank you for your reply.

I think client-side authentication is a more secure way. It looks like Cloudflare interrupted the TLS handshake between the client and the origin server.

It would be a great feature if Cloudflare supported client-side authentication, since it’s widely used and more secure than other ways.


#4

There is no handshake between these two in the first place.


#5

Cloudflare acts as an SSL termination endpoint to provide DDoS/WAF and CDN services. If we couldn’t see the traffic, it would be difficult for us to do much more than act as a basic dumb firewall.

Mutual TLS is available as an additional option to Enterprise customers today and client based authentication enhancements are being worked on for other plan tiers.
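To make the point in this reply concrete for an nginx origin: the TLS peer of the origin is Cloudflare’s edge, so the only client certificate the origin can ever verify is the one Cloudflare presents under “Authenticated Origin Pulls”. The configuration below is an added illustration, not from the thread or from Cloudflare’s documentation; the hostname, file paths and backend port are placeholders, and the CA file for Authenticated Origin Pulls must be obtained from Cloudflare.

```nginx
# Added example (not from the thread). Placeholders: hostname, paths, backend port.
server {
    listen 443 ssl;
    server_name blog.example.com;                       # placeholder hostname

    ssl_certificate     /etc/nginx/tls/origin.crt;      # placeholder: origin server cert
    ssl_certificate_key /etc/nginx/tls/origin.key;      # placeholder: origin server key

    # Whoever opens the TLS connection to this listener is the peer nginx verifies.
    # Behind Cloudflare's proxy that peer is Cloudflare, not the browser, so a CA that
    # issued certificates to end users can never match here. Pointing
    # ssl_client_certificate at such a CA yields exactly the two 400s from post #1:
    #   - peer sends no certificate        -> "No required SSL certificate was sent"
    #   - peer sends a cert this CA did not issue -> "The SSL certificate error"
    #
    # ssl_client_certificate /etc/nginx/tls/my-users-ca.crt;   # wrong peer for this CA

    # What the origin can verify: Cloudflare's origin-pull CA, so that only Cloudflare's
    # edge (with "Authenticated Origin Pulls" enabled) is accepted on this listener.
    ssl_client_certificate /etc/nginx/tls/cloudflare-origin-pull-ca.pem;   # placeholder path
    ssl_verify_client on;

    location /admin/ {
        # End-user identity has to arrive as something Cloudflare forwards (e.g. a
        # Cloudflare Access token, as later replies suggest); the origin never takes
        # part in the browser's TLS handshake, so a browser certificate cannot be
        # checked here.
        proxy_pass http://127.0.0.1:8080;                # placeholder backend
    }
}
```

The commented-out line is the shape of the misconfiguration, the active `ssl_client_certificate` line the shape of the working one; verifying Cloudflare’s CA at the origin authenticates the proxy, not the person, which is why the thread’s later replies point at Cloudflare Access for the per-user check.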


#6

Well, my mistake. I mean, for client-side authentication to work, there should be a TLS handshake between the client and the origin server, right? While Cloudflare stands in the middle between the origin server and clients, it cannot proxy the handshake, resulting in authentication failure.

I’m not an expert in this area; thanks for helping.


#7

It would be great if Cloudflare implemented this feature. I think client-side authentication is more secure than a password.

Thank you for your great work.


#8

An easy way to protect the Management Access Point would be to use Cloudflare’s Access feature. Single-user is free. Note that your server’s firewall needs to block all access except for Cloudflare’s IP addresses.
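The firewall note in this reply is the part people skip: with Cloudflare Access in front, anyone who finds the origin’s real IP bypasses Access unless the origin only accepts connections from Cloudflare’s published ranges. The script below is an added example, not from the thread; it turns a list of CIDRs into iptables rules for port 443 and prints them rather than applying them. The two ranges embedded for the offline run are constructed documentation addresses, not Cloudflare’s real list, which is published at https://www.cloudflare.com/ips-v4 (and ips-v6 for IPv6, to be fed through the same function with `ip6tables`).

```shell
#!/bin/sh
# Added example (not from the thread): restrict direct HTTPS access to the origin
# so that only the proxy's published ranges can reach it. Assumes an iptables-
# based firewall; nothing is applied here, the rules are only printed for review.

# cf_allow_rules [port] [iptables binary]
# Reads one CIDR per line on stdin (blank lines and '#' comments ignored), prints
# an ACCEPT rule per range for TCP/<port>, then a final DROP for everything else.
cf_allow_rules() {
    port="${1:-443}"
    bin="${2:-iptables}"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        printf '%s -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$bin" "$port" "$cidr"
    done
    printf '%s -A INPUT -p tcp --dport %s -j DROP\n' "$bin" "$port"
}

# Constructed placeholder ranges (RFC 5737 documentation space) so the example runs
# offline. In production replace with: curl -s https://www.cloudflare.com/ips-v4
SAMPLE_RANGES='# placeholder ranges, not the real Cloudflare list
198.51.100.0/24
203.0.113.0/24'

# Usage: sh allowlist.sh --demo          (review), then pipe into sh to apply
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RANGES" | cf_allow_rules 443
fi
```

Run it with `--demo` to see the generated rules; in a real deployment the same function is fed the live list, and the rules for any other listener (SSH, the backend on 8080) are handled separately, since this only covers the HTTPS port that Cloudflare fronts.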


#9

I will give it a shot. Thanks.

