I use CF tunnels to publicly expose sites that I run at home. I had “HTTP/3 (with QUIC)” enabled, and I also have a WAF rule to require a Cloudflare-generated client certificate. On my home network, no client certificate is required because my internal DNS directs my sites to my server’s internal IP address.
A few weeks ago, an update to Chrome (noticed it in Brave as well) resulted in the lack of the typical client cert prompt when accessing my sites via CF after I had accessed them at home. That is, if I accessed my site without a client certificate, I’d no longer be prompted for one when it was required. I found this to be the case for both Linux and Android versions of Chrome.
After turning off “HTTP/3 (with QUIC)”, the issue went away. I suspect this is a Chrome issue rather than a CF issue, but I figured I’d share my findings if anyone else experiences the same problem.
- Connect to the site outside of CF (in my case, I connected via my home network; connecting via CF pre-client cert enablement may work as well)
- Set up client certs for the site under “SSL/TLS - Client Certificates”
- Add a WAF rule to require client certs (Block with rule: (not cf.tls_client_auth.cert_verified) or cf.tls_client_auth.cert_revoked)
- Ensure “HTTP/3 (with QUIC)” is enabled under “Network”
- Attempting to connect to the site will now fail with “Access Denied”; no client cert prompt appears.
- Disable “HTTP/3 (with QUIC)”
- Reload site. Cert prompt will appear, and site can be connected to as usual.
Tested with Brave for Linux 1.44.112 (Chromium 106.0.5249.119) and Chrome for Android 106.0.5249.118.
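A command-line way to check whether the client-cert rule is actually enforced over HTTP/2 and HTTP/3, with and without presenting a certificate (added example, not part of the original post). It assumes a curl build with HTTP/3 support (curl 7.88 or later for --http3-only), the placeholder SITE and CLIENT_CERT values, and that a Cloudflare WAF block returns HTTP 403.

```shell
#!/bin/sh
# Added example. Probes a Cloudflare-fronted site over HTTP/2 and HTTP/3,
# with and without a client certificate, and reports status + negotiated
# HTTP version so a per-protocol enforcement gap (as described in the
# post) shows up directly instead of via a browser prompt.
SITE="${SITE:-https://example.invalid/}"      # placeholder: your site URL
CLIENT_CERT="${CLIENT_CERT:-client.pem}"      # placeholder: PEM with cert+key

# probe <http2|http3> [client_cert_pem]  -> prints "<http_code> <http_version>"
probe() {
  ver="$1"; cert="${2:-}"
  case "$ver" in
    http2) set -- --http2 ;;
    http3) set -- --http3-only ;;   # assumed: curl >= 7.88 built with HTTP/3
    *) echo "unknown version: $ver" >&2; return 2 ;;
  esac
  if [ -n "$cert" ]; then set -- "$@" --cert "$cert"; fi
  curl -sS -o /dev/null -w '%{http_code} %{http_version}\n' "$@" "$SITE"
}

# verdict <http_code> <no_cert|with_cert>  -> one-word interpretation
# Assumes a WAF Block action answers with 403 (not shown on the page).
verdict() {
  code="$1"; mode="$2"
  case "$mode:$code" in
    no_cert:403)   echo "enforced" ;;       # rule blocks anonymous clients
    no_cert:2??)   echo "not-enforced" ;;   # anonymous request got through
    with_cert:2??) echo "ok" ;;             # cert accepted
    with_cert:403) echo "rejected" ;;       # cert presented but still blocked
    *)             echo "unexpected" ;;
  esac
}

# Runs the four probes and prints a table. Only invoked when PROBE_RUN=1
# so the script can be sourced without touching the network.
main() {
  for ver in http2 http3; do
    r=$(probe "$ver") || r="000 $ver"
    printf '%s no_cert   %s -> %s\n' "$ver" "$r" "$(verdict "${r%% *}" no_cert)"
    r=$(probe "$ver" "$CLIENT_CERT") || r="000 $ver"
    printf '%s with_cert %s -> %s\n' "$ver" "$r" "$(verdict "${r%% *}" with_cert)"
  done
}
if [ "${PROBE_RUN:-0}" = 1 ]; then main; fi
```

Run it as `PROBE_RUN=1 SITE=https://your.site/ CLIENT_CERT=/path/client.pem sh probe.sh`; a "not-enforced" or "rejected" line for one protocol but not the other points at the protocol-specific behaviour rather than at the rule itself.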