Edge Certificate Settings Not Taking Effect

What is the name of the domain?

What is the issue you’re encountering

My edge certificate ssl settings aren’t taking effect

What steps have you taken to resolve the issue?

I enabled settings like HSTS and minimum SSL version 1.3, but look in SSL Labs and my site still advertises no HSTS, etc.: SSL Server Test: kerrnel.com (Powered by Qualys SSL Labs)

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

See SSL Server Test: kerrnel.com (Powered by Qualys SSL Labs)

How so? :thinking:
Your website loads fine over HTTPS using Cloudflare as far as I can see and tested a few moments ago:

:+1:

I don’t see the HSTS header (Strict-Transport-Security) being present anymore in the response:

$ curl -I https://kerrnel.com/
HTTP/2 200
date: Sun, 10 Nov 2024 19:25:56 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
cache-control: public, max-age=0, must-revalidate
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
vary: Accept-Encoding
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 8e086e6bfacdc228-VIE


1 Like

I want the HSTS headers to go through like they did when I ran my own apache2 server. I worked in web browser security for years (not anymore), so it’s just sort of near and dear to my heart and, frankly, it should be reliable for Cloudflare users to get best practices like HSTS headers.

Checking the headers confirms there’s no HSTS headers being sent.

These are my settings, so it should be working.

May I ask if you’ve enabled HSTS at Cloudflare under the SSL/TLS tab → Edge Certificates, or via the following link: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates/ ? :thinking:

Helpful article:

1 Like

I see the problem - it was an issue with how the UX got rendered in firefox. For some reason it auto scrolled down so I never saw the HSTS button at the top, and I thought the other buttons enabled it. Wow, easy miss! Thank you

1 Like

Out of pure curiosity, do you know why it isn’t forcing TLS 1.3? This isn’t really important but it’s interesting to me as a cyber security person.

Now I confirm I do see HSTS headers being present:

$ curl -I https://kerrnel.com/
HTTP/2 200
date: Sun, 10 Nov 2024 19:33:01 GMT
...
x-content-type-options: nosniff
cf-cache-status: DYNAMIC
strict-transport-security: max-age=15552000; includeSubDomains; preload
server: cloudflare
...
1 Like
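The two curl -I checks above boil down to "is the header there, and does its value actually do what the dashboard toggle promises". The following is an added example (not code from the thread or from Cloudflare) that parses a raw curl -I dump, extracts the HSTS directives, and flags the values a practitioner would question; the preload-list thresholds (one-year max-age, includeSubDomains) are the published hstspreload.org requirements, and the sample response is constructed from the headers quoted above.

```python
import re
from typing import Dict, List, Optional

# hstspreload.org requires max-age of at least one year plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample: the response headers shown in the thread after HSTS was switched on.
SAMPLE_RESPONSE = """HTTP/2 200
date: Sun, 10 Nov 2024 19:33:01 GMT
x-content-type-options: nosniff
cf-cache-status: DYNAMIC
strict-transport-security: max-age=15552000; includeSubDomains; preload
server: cloudflare
"""

def get_header(raw: str, name: str) -> Optional[str]:
    """Return the value of the first header `name` (case-insensitive) in a raw curl -I dump."""
    for line in raw.splitlines()[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS value into its directives (RFC 6797: max-age is mandatory, rest optional)."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())   # value may be quoted
            if m:
                parsed["max_age"] = int(m.group(1))
        elif key == "includesubdomains":
            parsed["include_subdomains"] = True
        elif key == "preload":
            parsed["preload"] = True
    return parsed

def hsts_findings(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy looks sound."""
    value = get_header(raw, "strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: HSTS is not in effect"]
    p = parse_hsts(value)
    findings: List[str] = []
    if p["max_age"] is None:
        findings.append("max-age missing: browsers ignore an HSTS header without it")
    elif p["max_age"] == 0:
        findings.append("max-age=0: this clears a stored HSTS policy instead of enabling one")
    if p["preload"]:
        if isinstance(p["max_age"], int) and p["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"preload set but max-age={p['max_age']} is below the {PRELOAD_MIN_MAX_AGE} the preload list requires")
        if not p["include_subdomains"]:
            findings.append("preload set without includeSubDomains, which the preload list requires")
    return findings
```

Run against the thread's own header, the only finding is that max-age=15552000 (180 days) is too short for the preload directive to be honoured by the preload list, even though the header itself is valid and enforces HSTS for that period.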

I believe TLSv1.2 is still being advertised per the output of

curl https://kerrnel.com -svo /dev/null --tls-max 1.2
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=kerrnel.com
*  start date: Nov 10 16:55:25 2024 GMT
*  expire date: Feb  8 17:55:20 2025 GMT
*  subjectAltName: host "kerrnel.com" matched cert's "kerrnel.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://kerrnel.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: kerrnel.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: kerrnel.com
> User-Agent: curl/8.7.1
> Accept: */*

You mean, why doesn’t the HSTS option force TLS v1.3 by default? :thinking:

I am not aware whether that’s interconnected within Cloudflare’s code; however, we could possibly expect this in the near future.

Nevertheless, the Minimum TLS Version option is there separately, I believe, because quite a lot of requests from today’s web browsers still go over TLS 1.2 despite TLS v1.3 being supported; however, we can expect 1.3 to become the “normal” in the coming years, my best guess.

Using TLS v1.3 only would block some portion of users trying to access your website.

It’s good to keep it at Minimum TLS v1.2 for now.

1 Like

No, I have it enabled in the UX to be TLS v1.3 only.

TLSv1.3 gets rid of a lot of weak cipher suites. Now does it matter for a personal static website that there are some theoretically weak cipher suites being used? No, but it’s weird the option doesn’t do anything, right? A bug?

FWIW someone explains this issue here and the reason is totally rational: "Minimum TLS Version" = 1.3 doesn't work when the origin is a Cloudflare Pages site

Thanks for solving my HSTS issue! :smiley: We can close this

1 Like

I agree, yes.

Qualys SSL Labs would report them, yes.
It could be done via an API to modify ciphers settings (allowlist):

Helpful article for cipher suites:

However, I am afraid this would require you to have an Advanced Certificate Manager subscription purchased for $5/month for your zone (which would also allow you to have e.g. sub.sub.domain.com as a deep-level sub-domain covered with Cloudflare’s Universal SSL):

1 Like
