Cloudflare Full SSL certificates and Symantec SSL at origin?

ssl

#1

Symantec SSL certs' total disavowal will happen with Chrome 70 in a few days (https://www.theregister.co.uk/2018/10/09/chrome_70_symantec_cert_disavowal/), so that has me curious about Cloudflare Full SSL: if an origin server had Symantec SSL certs after October 16, 2018, could Cloudflare Full SSL continue to work, or is Cloudflare rejecting Symantec SSL certs on origin servers too?

I don’t have any Symantec SSL but was curious what happens in this case :slight_smile:

@cloonan @cscharff


#2

My assumption is that as long as you have set it to ‘Full SSL’, it will not have any effect. Full SSL also works with self-signed certificates.

Full SSL (Strict) will likely be affected as the issuing CA needs to be valid. I am also curious to know when that will happen.

On a side note, Mozilla just decided to delay distrust till later this year:
https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/


#3

Yeah, Full SSL Strict will probably be affected.

Yeah, so some sites will get some extra time.


#4

AFAIK the certs themselves haven’t been revoked so it should still work.


#5

I would agree with you, Google is removing their CA from the embedded trust, but it isn’t actually (can’t physically) revoking them anywhere. It’s also confirmed by the fact that not all browser vendors are doing that…


#6

Main concern is if it’s removed from the ca-certificates package in each Linux distro. I imagine CF just pulls from that list of CAs + the origin CA.
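
Posts #4 to #6 turn on the difference between revoking certificates and removing a root from a trust bundle. As an added example (not part of the original thread, and not Cloudflare's code), this script builds a throwaway CA and origin certificate with `openssl` and verifies the same unrevoked certificate against a bundle with and without its issuing root; every name in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: both roots and the origin certificate are generated locally.
# Names (demo_trust_check, "Demo Distrusted Root", origin.example.test) are assumptions.

# Prints "trusted" or "untrusted" for leaf $1 checked against CA bundle $2.
verify_against() {
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Builds two roots and one leaf, then verifies the leaf against two bundles.
# Prints "<result with issuing root> <result without issuing root>".
demo_trust_check() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Root that issues the origin certificate (stands in for a distrusted CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Distrusted Root" -keyout old.key -out old.pem 2>/dev/null
    # Unrelated root that stays in the bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Other Root" -keyout other.key -out other.pem 2>/dev/null
    # Origin leaf signed by the first root; it is never revoked.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA old.pem -CAkey old.key \
        -CAcreateserial -days 30 -out leaf.pem 2>/dev/null

    cat old.pem other.pem > bundle_before.pem   # issuing root present
    cat other.pem > bundle_after.pem            # issuing root removed

    echo "$(verify_against leaf.pem bundle_before.pem) $(verify_against leaf.pem bundle_after.pem)"
)

demo_trust_check
```

A validating client (the Full SSL (Strict) case discussed above) behaves like the second check once the root leaves its bundle, while a client that skips chain validation never runs either check.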


#7

Yeah that was my thinking too

