Does Cloudflare support SSL offloading?


#1

I’m having to fill out a security questionnaire and it asks if Cloudflare uses SSL offloading. Does anyone know the answer, as a search brings back nothing?

Andrew


#2

Cloudflare’s Keyless SSL is the closest thing I could find to SSL Offloading (Enterprise Plan only):

Otherwise, all SSL connections will be decrypted at Cloudflare’s PoP and re-encrypted with the site’s SSL key (if the site owner so wishes) before they are delivered to the origin server.


#3

Thanks Tanto.

I ended up going for a bit of vague techno babble hopefully that will suffice.

‘Cloudflare does not support SSL offloading as their infrastructure already guarantees maximum SSL throughput.’


#4

So… technically Cloudflare is an SSL endpoint when we’re proxying. So we’re (a) requiring the connecting client to complete a TCP handshake before we’ll even think about making a connection to your origin server, and (b) initiating an SSL handshake with the client so that we can inspect the request (for layer 7 DDoS, WAF, rules processing, etc.).

So in that sense, yes, we’ve offloaded the SSL. From there we make a connection to your origin server. You could theoretically make the connection between Cloudflare and your origin plain HTTP (we call that Flexible SSL), but you probably don’t want that, because the connection between our PoP and your origin is still over the public internet.

So instead we’re going to make a connection to your origin from our PoP with a new SSL connection for any requests which need to go to your origin. We do a number of things to optimize this connection (SSL session reuse, 0-RTT, ECC certificates).

SSL offloading is a reasonable checkbox for an on-prem solution, but for any cloud-based solution (not just Cloudflare) I would argue that the architecture alone doesn’t make that desirable. And as you pointed out in your follow-up, internal to Cloudflare we have no need to do that, and we believe the internal architecture of Cloudflare’s tech stack doesn’t require it to effectively process inbound requests.

I think your vague technobabble is on point. Well done. :wink:
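The two-hop model described in the reply above (client handshakes with the edge, the edge inspects the cleartext request, then a separate connection is made to the origin, either TLS or plain HTTP) can be reproduced in miniature with Go's standard library. The program below is an added example written for this thread; it is not Cloudflare's code and does not model their stack. The `layer7Rule` check, the `Origin`/`newEdge` helpers and the substrings it blocks are all assumptions chosen for illustration, and `httptest` stands in for real certificates and listeners so the whole thing runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Origin is a stand-in for the customer's server (an assumption for this
// example). It records whether each request reached it over TLS so the two
// edge-to-origin modes can be compared.
type Origin struct {
	Server *httptest.Server
	SawTLS []bool
}

// newOrigin starts an origin that speaks TLS (the "Full" case) or plain HTTP
// (the "Flexible" case, where the second hop crosses the network in cleartext).
func newOrigin(useTLS bool) *Origin {
	o := &Origin{}
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o.SawTLS = append(o.SawTLS, r.TLS != nil)
		fmt.Fprintf(w, "origin got %s tls=%v", r.URL.Path, r.TLS != nil)
	})
	if useTLS {
		o.Server = httptest.NewTLSServer(h)
	} else {
		o.Server = httptest.NewServer(h)
	}
	return o
}

// layer7Rule is a hypothetical WAF-style check. It can only run because the
// edge has already completed the TLS handshake with the client and therefore
// holds the request in cleartext; the blocked substrings are illustrative.
func layer7Rule(r *http.Request) bool {
	fields := []string{strings.ToLower(r.URL.Path)}
	for _, vals := range r.URL.Query() {
		for _, v := range vals {
			fields = append(fields, strings.ToLower(v))
		}
	}
	for _, f := range fields {
		for _, bad := range []string{"../", "union select", "<script"} {
			if strings.Contains(f, bad) {
				return false
			}
		}
	}
	return true
}

// newEdge starts the TLS-terminating proxy. Clients handshake against the
// edge's own certificate; requests that pass the rule are re-sent to the
// origin over a separate connection whose scheme (https or http) is whatever
// the origin offers. Reusing the origin's test client transport means the edge
// trusts the origin's CA, the equivalent of strict certificate validation.
func newEdge(origin *Origin) *httptest.Server {
	target, err := url.Parse(origin.Server.URL)
	if err != nil {
		panic(err)
	}
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = origin.Server.Client().Transport
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The client's TLS session ends here; r is already decrypted.
		if !layer7Rule(r) {
			http.Error(w, "blocked at edge", http.StatusForbidden)
			return
		}
		rp.ServeHTTP(w, r) // second hop: new connection from edge to origin
	}))
}

// Fetch sends one request through the edge and returns the status and body.
func Fetch(edge *httptest.Server, path string) (int, string) {
	resp, err := edge.Client().Get(edge.URL + path)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body)
}

func main() {
	for _, useTLS := range []bool{true, false} {
		origin := newOrigin(useTLS)
		edge := newEdge(origin)
		code, body := Fetch(edge, "/index.html")
		fmt.Printf("origin tls=%v: GET /index.html -> %d %q\n", useTLS, code, body)
		code, body = Fetch(edge, "/search?q=1+union+select+1")
		fmt.Printf("origin tls=%v: injection attempt -> %d %q\n", useTLS, code, strings.TrimSpace(body))
		edge.Close()
		origin.Server.Close()
	}
}
```

The point to take from running it: the blocked request never reaches the origin at all, which is only possible because the edge holds the session keys for the client-facing connection, and with a plain-HTTP origin the second hop reports `tls=false`, which is exactly the exposure the reply warns about for Flexible SSL.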


#5

Thanks csharff.

I get a few of these requests for ‘security information’, mainly from people who have done a course and learned a few buzzwords but seldom understand what they are actually talking about. GDPR seems to have sparked a wave of these.

#6

:rofl: