Since the Full SSL mode (non-strict mode) doesn’t check if an SSL certificate is valid, would it be possible to implement an option to whitelist an SSL certificate on the origin server and block connections when any other SSL certificate is presented?
If you’re going to have an invalid SSL certificate on your server, why not use a Cloudflare Origin Certificate? That will let you use SSL in Full (Strict) mode.
I’m working on creating a WordPress multisite network where users will be able to add a custom domain to their website. Currently, the only way for this to work is to enable Full SSL mode in their CloudFlare account. My server that is hosting the multisite network has a valid SSL certificate, but the domains that are being mapped to the network don’t.
I’m not clear on how your server could end up using an improper certificate for a given domain that would require Cloudflare to check for that.
Have you been having a problem with users messing up your system?
I guess what the OP is after is a sort of certificate pinning. He wants an invalid certificate (because of the domain mismatch) to be accepted, but only that invalid certificate and no other. Unfortunately an origin certificate wouldn’t help here either.
@marcwoodyard, I don’t think Cloudflare would implement this straight away, but I can reckon it as a legitimate request and would suggest you change the category of this posting to “Product Request” so people can vote for it.
This seems problematic to me, because if you control the host enough to know when certificates will change, you control it enough to install a certificate. If not, pinning will likely fail when the host changes certificates or configuration (and they have no particular need to tell clients about such in advance).
My assumption would be the OP does not want to configure individual certificates (or SANs) for each domain added.
Okay, but typically you pin certificates with a fingerprint, so when that certificate changes every single site is going to break until you update Cloudflare.
You could do it by making a connection and expecting to get a certificate from a different hostname, but again, unless you run the server yourself this is going to be fragile at best.
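The fingerprint pinning being discussed in the replies above, as an added example that is not code from any of the posters or from Cloudflare: it assumes only the `openssl` command-line tool, generates a self-signed certificate with a constructed hostname (`origin.example.invalid`) to stand in for the origin server's certificate, stores its SHA-256 fingerprint as the pin, and refuses any other certificate. The `demo` function rotates to a second certificate to show the pin going stale, which is the breakage the previous post warns about.

```shell
#!/bin/sh
# Added example: fingerprint pinning of an origin certificate, the mechanism
# this thread discusses. Not Cloudflare's code; hostnames and paths are
# constructed for the example.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Generate a self-signed certificate standing in for the origin server's
# certificate. The CN is a hypothetical hostname; a mismatch with the mapped
# domain is exactly what non-strict Full mode tolerates.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=origin.example.invalid" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate's DER encoding, lowercase hex without
# colons: the value you would store as the pin.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Accept the presented certificate only if its fingerprint appears in the
# space-separated allowlist; any other certificate is refused (exit status 1).
check_pin() {
  presented=$(fingerprint "$1")
  for pinned in $2; do
    if [ "$presented" = "$pinned" ]; then
      return 0
    fi
  done
  return 1
}

# Walk-through: pin certificate "a", then rotate to certificate "b" and watch
# the stale pin reject it.
demo() {
  gen_cert a
  gen_cert b
  pin=$(fingerprint "$WORK/a.pem")
  check_pin "$WORK/a.pem" "$pin" && echo "a: accepted (pinned)"
  check_pin "$WORK/b.pem" "$pin" || echo "b: refused (rotated certificate, pin is stale)"
}

demo
```

Because `check_pin` takes a space-separated list, the usual way to survive a rotation is to add the new fingerprint to the allowlist before the origin switches certificates and drop the old one afterwards; without that coordination every mapped site fails at the moment of rotation, as the replies point out.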
My money says this feature would have a high support cost because it’s complex to grasp and would only really be useful to administrators who are unable to script a better solution (pulling an origin certificate from Cloudflare and installing it automatically, Let’s Encrypt, etc.).
Of course, but I believe that was the point of it.
Just don’t make it too easy to enable.
Flexible has a high support cost and yet it is there, though I don’t want to drag this thread into my crusade for SSL.