Full SSL - when does it activate and how?

I have read the suggested associated articles but they do not seem to answer my problem. I am new to Cloudflare and have just set up my site basically using all the Cloudflare default settings.

I can't access my site at all with any https prefix, yet in my control panel under SSL/TLS my site is shown as

Your SSL/TLS encryption mode is Full and the Full option (recommended by Cloudflare) is selected. (not Full Strict)

I can change to flexible and immediately use my site via https (I know this is not full ssl).

My question is: can I use Full, do I have to wait for something to be configured, do I have to install something on my server? Do I use Full or not, if so how?


You should only use Full strict.

Then my question would expand to why is Full an option, why is it the default and why do Cloudflare state it as the recommended option.

If I choose Full strict, what happens then? Do I get a certificate to install on my server, is there a charge?

Put simply and bluntly, because Cloudflare believes it is better to leave the impression of security than to properly secure connections.

You need Full strict, with a valid certificate on your server. That’s it.

Generate an origin certificate from Cloudflare dashboard - no need to pay in order to use this.

OK, I understand, I am disappointed but think I understand, except I would wonder how it gives an impression of security when it does not work at all.

Can I explore the ‘impression of security’ further? Is there anything else I need to do to actually have just Full active and working, even if it is not truly full security?

I mean I accept this is not the best solution, but is there any way to get it actually working so I can at least experiment with it?

… and that would be used with Full strict, but not just Full ?

You should not have Full in the first place, so there’s no question to begin with. Install a certificate on your server and use Full strict. What’s unclear?

Hi, let me clarify the SSL levels for you.

So there is the Flexible level, which definitely falls into the “impression of security” category. It shows an HTTPS connection to the visitors, but Cloudflare will connect via plain HTTP to the origin.

Then there is the Full option (non-strict). Lots of users have expired or self-signed certificates on their origin and don’t want their sites to be down if they forget to update their certificate regularly. These certificates can still be used to encrypt data however. This means the data is fully encrypted, but any certificate would work and therefore certain attacks would still be possible.

The Full (Strict) option is the most secure, but requires you to keep your origin’s certificate valid and up to date at all times. You can use paid certificate authorities, but also free ones like LetsEncrypt or Cloudflare Origin CA. If the SSL certificate ever expires on your origin and if you don’t renew it in time, then your site might be down.

Hope that helps
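The three levels described in the reply above, written as a check you can run against your own origin (an added example, not part of the original thread and not Cloudflare's code). The name `origin_tls_level`, its parameters and its return labels are made up for this example, and the system trust store is assumed to stand in for what Full (Strict) accepts; a certificate from a private origin CA only passes if that CA's root is supplied via `cafile`.

```python
import socket
import ssl
import sys


def origin_tls_level(hostname, address=None, port=443, cafile=None, timeout=5.0):
    """Return the strictest mode the origin supports: 'full-strict', 'full' or 'no-tls'.

    hostname is the site name the certificate must match; address is where the
    origin actually listens (its own IP, not the proxied name). All names here
    are hypothetical and chosen for this example.
    """
    # Strict-like context: chain, expiry and hostname are all verified.
    strict = ssl.create_default_context()
    if cafile:
        strict.load_verify_locations(cafile)  # e.g. the root of an origin CA
    # Full-like context: still encrypts, but accepts any certificate.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE

    def handshake(ctx):
        with socket.create_connection((address or hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                pass

    try:
        handshake(strict)
        return "full-strict"
    except ssl.SSLCertVerificationError:
        pass  # TLS answered, but the certificate is expired, self-signed or mismatched
    except OSError:
        return "no-tls"  # nothing speaking TLS on this port: only Flexible could work
    try:
        handshake(lax)
        return "full"
    except OSError:
        return "no-tls"


if __name__ == "__main__":
    # Usage: python check_origin.py <hostname> [origin-address]
    print(origin_tls_level(sys.argv[1], *sys.argv[2:3]))
```

Pass the origin server's own address as the second argument; connecting to the proxied hostname would test Cloudflare's edge certificate instead of the origin's.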


True, but because there is no certificate validation any middleman can hijack that connection.

This is what he already mentioned.

And that’s where that option becomes pointless as well.

@speak-easy, it’s really not difficult. You just make sure you have a proper SSL setup on your machine, just like you would have it in any other case and you’ll be good to go.

Well basically I like to understand all options. I would like to at least know why, as an option it does not work at all and how it is meant to be installed. I fully appreciate that Full strict is best in your opinion. There is a question to begin with which is how are you meant to configure the Cloudflare Full (recommended) option - secure or not.

I completely accept that in your opinion ‘You should not have Full in the first place’ but that is not my question. My question is ‘How do I configure Full to work as intended within Cloudflare with the limitations it has.’

Why would you even ask about an option you shouldn’t use in the first place?

Where’s the difficulty with a server certificate?

I ask about things because I want to know, I was taught to not follow the advice - don’t ask. I am trying to understand the workings of this option, not whether it is recommended. There are many facilities I do not use on many systems, not because I was told ‘don’t ask’ but because I asked and investigated.

I am still unclear how to implement Full - IF I wanted to.

You have two reasonable options on Cloudflare. Strict and Off.

The other two simply open up your site and your visitors to active attacks or even passive ones, where anyone on the line can get hold of your data.

There’s nothing to implement when it comes to Full. You seem to misunderstand its implications. I’d suggest you check out support.cloudflare.com, in particular if you don’t want to follow advice.

Full is simply a broken implementation of Full Strict and that’s pretty much everything about it.

OK so I understand Flexible. Are you saying Full only works if I have a certificate installed and it is a way of using basically insecure / expired certificates? In that case that answers my question - To use Full I must already have a certificate of some kind - but it is not really secure. So the reason it is not working is that I have no existing certificate at all - does that sound correct?

I fully accept Full strict is best - but I want to understand Full

