Cloudflare connecting to our servers using TLS 1.1?

What is the name of the domain?

asite.io

What is the error number?

525

What is the error message?

SSL handshake failed

What is the issue you’re encountering?

Intermittent errors with resources failing to load

What steps have you taken to resolve the issue?

Our firewall is configured to only accept connections using TLS 1.2 and above; however, this is the problem, as Cloudflare appears to be trying to connect using TLS 1.1. Our firewall vendor captured the TLS negotiations and was able to confirm this.

For our host asite.io, we’re seeing 525 SSL handshake failed errors (visible in the Cloudflare portal). Our firewall shows failed connections for the following range of IP addresses:
172.68.22.247
172.68.210.75
172.68.228.155
172.69.0.160
172.69.0.176
172.69.0.179
172.71.88.139

What is the current SSL/TLS setting?

Min TLS 1.2 (both on our firewall and in the Cloudflare portal).

Can you share those captures?

Screenshot as follows:

I was more hoping for an actual capture of the packets in question, rather than a screenshot.


Couldn’t find a way to PM you or upload, so here’s a link to the capture:

I can’t download that file.

Error
Private crypto key is missing in url.

Sorry about this and appreciate your patience. I didn’t want to use the business OneDrive as the link includes my email address so here’s another OneDrive link:
14922955_wan1_root.pcap


There’s nothing in the capture to suggest this.

Both the blocked and the successful handshakes offered TLS 1.0 through 1.3 in the ClientHello packets.

See this screen. I’ve put a blocked connection on the left and a successful connection on the right:

They seem to be identical in the relevant fields.


Thanks for looking into this, but why attempt a connection with TLS 1.0 or 1.1 in the first place?

On the left, showing the blocked example, 172.68.22.247 appears to be trying TLS 1.0, but I would expect Cloudflare to try connections from TLS 1.3 down to 1.0. Other Cloudflare IPs connect with no issue (e.g., 172.69.0.169), trying TLS 1.3. This results in the intermittent issue (depending on the Cloudflare IP trying to connect to our servers).

In your opinion is this valid and why would a bunch of Cloudflare IPs be failing the handshake while others have no issue? I’m still trying to dig into other possibilities from this end.

Look at the part I highlighted in the bottom left corner. Cloudflare offers all 4 TLS versions in the Client Hello, same as in the successful connection.

The TLS version in the Info column at the top is just a “guess” by Wireshark. In this case, it says TLSv1 because it was blocked, not the other way around.

Can the firewall vendor provide the actual reason the request was blocked?
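Added example (not from the thread, and not Cloudflare or Wireshark code) to show in bytes why the Info column can say "TLSv1" for a hello that offers TLS 1.3. A TLS 1.3 client writes three versions into its ClientHello: the record-layer version, which RFC 8446 allows to be 0x0301 (TLS 1.0) on the first ClientHello for middlebox compatibility; the handshake legacy_version, fixed at 0x0303 (TLS 1.2); and the real offer, the supported_versions extension. Anything that reads only the record header, whether a capture tool guessing before it sees a ServerHello or a device applying a minimum-version rule, will label such a hello TLS 1.0. The script builds two constructed ClientHellos (the client random and cipher suite list are placeholders, not captured data), one from a TLS 1.3 client and one from a client with no supported_versions extension, parses each, and reports whether a server with a TLS 1.2 minimum could complete the handshake.

```python
import struct

# Two-byte TLS version codes as they appear on the wire.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446


def build_client_hello(offered_versions, record_version=0x0301, legacy_version=0x0303):
    """Constructed ClientHello for the demo (not a captured packet).

    offered_versions: list of version codes for a supported_versions extension,
    or None to emulate a pre-TLS-1.3 client that sends no such extension.
    """
    client_random = bytes(range(32))             # placeholder, not random
    session_id = b""
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"  # placeholder suite list
    compression = b"\x00"                        # null compression only

    body = struct.pack("!H", legacy_version) + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += bytes([len(compression)]) + compression

    if offered_versions is not None:
        versions = b"".join(struct.pack("!H", v) for v in offered_versions)
        ext_data = bytes([len(versions)]) + versions
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the three places a version can be read from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                            # skip client_random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods

    offered = None
    if pos + 2 <= len(body):                                # extensions are optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                offered = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]

    if offered is None:
        # No supported_versions: legacy_version is the highest version the client
        # supports, and nothing in the hello signals a lower bound.
        offered = [v for v in sorted(TLS_VERSIONS) if v <= legacy_version]

    return {"record_version": record_version, "legacy_version": legacy_version, "offered": offered}


def can_negotiate(parsed, min_version=0x0303):
    """True if a server enforcing min_version could complete this handshake."""
    return max(parsed["offered"]) >= min_version


def summarize(parsed):
    def name(v):
        return TLS_VERSIONS.get(v, hex(v))
    return (f"record layer {name(parsed['record_version'])}, "
            f"legacy_version {name(parsed['legacy_version'])}, "
            f"offered {', '.join(name(v) for v in parsed['offered'])}")


if __name__ == "__main__":
    modern = build_client_hello([0x0304, 0x0303, 0x0302, 0x0301])
    legacy = build_client_hello(None, legacy_version=0x0302)
    for label, hello in (("TLS 1.3 client", modern), ("TLS 1.1 client", legacy)):
        p = parse_client_hello(hello)
        print(f"{label}: {summarize(p)}; min TLS 1.2 OK: {can_negotiate(p)}")
```

The first hello parses as record layer TLS 1.0, legacy_version TLS 1.2, offered TLS 1.3 down to 1.0, and a TLS 1.2 minimum is satisfiable; the second has no extension and tops out at TLS 1.1, so the same minimum correctly rejects it. To check the posted capture the same way rather than by screenshot, a recent tshark can list these fields per ClientHello: tshark -r 14922955_wan1_root.pcap -Y "tls.handshake.type == 1" -T fields -e ip.src -e tls.record.version -e tls.handshake.version -e tls.handshake.extensions.supported_version. If supported_version lists 0x0304 for the blocked source addresses, the firewall's block reason is something other than the offered TLS version.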