Cloudflare.com. Fully Qualified Domain Names Do Not Work For Cloudflare Customers

I can’t figure out where to report this, but if you connect using the FQDN https://cloudflare.com. you get SSL_ERROR_NO_CYPHER_OVERLAP in Firefox and ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome.

This seems to apply to any site hosted on Cloudflare, e.g. https://sourcegraph.com. and https://doordash.com.

You’re trying to visit https://cloudflare.com./ with a . between .com and the ending / slash.

Trying to request the invalid https://www.cloudflare.com./:

curl -Iv https://www.cloudflare.com./
* About to connect() to www.cloudflare.com. port 443 (#0)
*   Trying 2606:4700::6810:7c60...
* Connected to www.cloudflare.com. (2606:4700::6810:7c60) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=ssl383624.cloudflaressl.com
*       start date: Apr 08 00:00:00 2020 GMT
*       expire date: Oct 15 23:59:59 2020 GMT
*       common name: ssl383624.cloudflaressl.com
*       issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Happens with non-CF domains if you try to use the incorrect . before the ending / slash:

curl -Iv https://www.anandtech.com./
* About to connect() to www.anandtech.com. port 443 (#0)
*   Trying 108.159.227.118...
* Connected to www.anandtech.com. (108.159.227.118) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=*.anandtech.com
*       start date: Oct 23 00:00:00 2021 GMT
*       expire date: Nov 20 23:59:59 2022 GMT
*       common name: *.anandtech.com
*       issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

The request is looking for the SSL certificate’s specified common name for anandtech.com. and not the certificate’s anandtech.com without the ending .

My web browser is able to visit https://www.anandtech.com./ just fine (for reference, they use CloudFront (AWS)), along with being able to visit sites such as https://www.google.com./ and https://www.youtube.com./

anandtech keeps the final . whereas google and youtube like to redirect to a version of the URL without that .

Yeah, that may be because anandtech’s SSL cert for the ./ request isn’t expired while Cloudflare’s universal cert is?

Though on CentOS 7/curl:

curl -Iv https://www.google.com./
* About to connect() to www.google.com. port 443 (#0)
*   Trying 2607:f8b0:4009:80a::2004...
* Connected to www.google.com. (2607:f8b0:4009:80a::2004) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=www.google.com
*       start date: Feb 17 11:32:42 2022 GMT
*       expire date: May 12 11:32:41 2022 GMT
*       common name: www.google.com
*       issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

At least on my machine, curl strips out the final . when setting the Host header, so I can’t use curl to look into it. Maybe I can manually set the Host header?

nc -l localhost 1234 and curl http://localhost.:1234:

GET / HTTP/1.1
Host: localhost:1234
User-Agent: curl/7.81.0
Accept: */*

nc -l localhost 1234 and Firefox:

GET / HTTP/1.1
Host: localhost.:1234
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Edit: Using -H I can manually set the Host header to add the . at the end, but it doesn’t run into a TLS issue like I am seeing in Firefox and Chrome.
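Added example, not code from any post in this thread: a small Python script that separates the three places the root dot shows up in the runs above (the TLS server_name extension, the HTTP Host header, and certificate name matching) so you can see which one a given client gets wrong. The name-matching and Host-header functions run offline on constructed input; the sample certificate is shaped like ssl.getpeercert() output and its SAN list is illustrative (the thread only shows the CN). probe_tls() repeats the experiment against a live host, lets you choose what goes in the SNI, and needs network access; it only runs when a host is passed on the command line.

```python
"""Trailing-dot hostnames ("www.cloudflare.com.") in TLS and HTTP.

Added example, not from the thread. Three behaviours are modelled:
  * SNI: RFC 6066 says server_name is sent without a trailing dot;
  * Host header: a browser keeps the dot (Firefox capture above);
  * cert matching: label-exact comparison of "www.google.com." against
    CN=www.google.com fails, which is the SSL_ERROR_BAD_CERT_DOMAIN the
    CentOS 7 curl/NSS runs above report.
"""
import socket
import ssl
import sys
from typing import Optional


def strip_root_dot(name: str) -> str:
    """Remove one trailing '.' (the DNS root label); other names are unchanged."""
    return name[:-1] if name.endswith(".") else name


def sni_name(host: str) -> str:
    """Value for the TLS server_name extension (RFC 6066: no trailing dot)."""
    return strip_root_dot(host).lower()


def host_header(host: str, port: int, scheme: str = "https") -> str:
    """Host header as a browser sends it: dot kept, default port omitted."""
    default_port = 443 if scheme == "https" else 80
    return host if port == default_port else f"{host}:{port}"


def name_matches(pattern: str, host: str, strip_trailing_dot: bool = True) -> bool:
    """RFC 6125-style match of one certificate DNS name against the requested host.

    A wildcard counts only as the whole left-most label and only when at
    least two labels follow it: "*.anandtech.com" covers www.anandtech.com
    but not anandtech.com, a.b.anandtech.com, and "*.com" covers nothing.
    With strip_trailing_dot=False the comparison is label-exact, so
    "www.google.com." (four labels, last one empty) does not match
    "www.google.com" (three labels), as in the old curl/NSS build above.
    """
    if strip_trailing_dot:
        host = strip_root_dot(host)
    p = pattern.lower().split(".")
    h = host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3 or not h[0]:
            return False
        return p[1:] == h[1:]
    return p == h


def cert_dns_names(cert: dict) -> list:
    """DNS names a getpeercert() dict covers: dNSName SANs first, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def verify_hostname(cert: dict, host: str, strip_trailing_dot: bool = True) -> bool:
    """True if any DNS name in the certificate covers the requested host."""
    return any(name_matches(n, host, strip_trailing_dot) for n in cert_dns_names(cert))


# Constructed certificate in getpeercert() shape. The CN is the one the
# anandtech curl output shows; the SAN entries are illustrative (assumption).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.anandtech.com"),),),
    "subjectAltName": (("DNS", "*.anandtech.com"), ("DNS", "anandtech.com")),
}


def probe_tls(host: str, port: int = 443, sni: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Handshake with host:port, sending `sni` (default: RFC 6066 form of host).

    OpenSSL verifies the chain (an expired certificate shows up as an error,
    like the first curl run), but hostname matching is done here in both
    modes, so the result separates "the edge would not finish a handshake
    for this server_name" from "the certificate does not cover this name".
    Network access required.
    """
    sni = sni_name(host) if sni is None else sni
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # names are matched below instead
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain is still verified
    result = {"host": host, "sni": sni, "handshake": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                result.update(
                    handshake=True,
                    version=tls.version(),
                    cipher=tls.cipher()[0],
                    cert_names=cert_dns_names(cert),
                    match_exact=verify_hostname(cert, host, strip_trailing_dot=False),
                    match_normalized=verify_hostname(cert, host),
                )
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for h in sys.argv[1:]:              # e.g. www.cloudflare.com.
            print(probe_tls(h))             # dot stripped from the SNI
            print(probe_tls(h, sni=h))      # dot left in the SNI
    else:
        print("Host header:", host_header("localhost.", 1234, "http"))
        print("exact match:", verify_hostname(SAMPLE_CERT, "www.anandtech.com.", False))
        print("normalized :", verify_hostname(SAMPLE_CERT, "www.anandtech.com."))
```

Running it with a trailing-dot host twice, once with the dot stripped from the SNI and once with it left in, shows whether a handshake failure comes from the server_name the edge sees or from the name comparison on the client side; curl -H only changes the Host header, which is sent after the handshake and cannot produce the errors seen in the browsers.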
