Hi there
I am trying to enforce TLS 1.2 on our website.
I reviewed this help and set the Minimum TLS property to TLS 1.2.
https://support.cloudflare.com/hc/en-us/articles/360003205452-Using-Minimum-TLS-Version-in-Cloudflare-SSL-TLS
But when I try with curl to do requests with TLS 1.1 or 1.0, it accepts them. Could you let me know why that is and how to enforce TLS 1.2?
For example… if I run the example command here…
curl https://reachinschools.org -svo /dev/null --tls-max 1.1
there is no error preventing this…
* Trying 66.235.200.145...
* TCP_NODELAY set
* Connected to reachinschools.org (66.235.200.145) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
} [154 bytes data]
* TLSv1.1 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.1 (IN), TLS handshake, Certificate (11):
{ [2776 bytes data]
* TLSv1.1 (IN), TLS handshake, Server key exchange (12):
{ [298 bytes data]
* TLSv1.1 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.1 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.1 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.1 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.1 / ECDHE-RSA-AES128-SHA
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=reachinschools.org
*  start date: Jul 7 00:00:00 2020 GMT
*  expire date: Jul 7 12:00:00 2021 GMT
*  subjectAltName: host "reachinschools.org" matched cert's "reachinschools.org"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc RSA CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7febc6808200)
> GET / HTTP/2
> Host: reachinschools.org
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 301
< date: Sat, 25 Jul 2020 14:24:52 GMT
< content-type: text/html; charset=UTF-8
< set-cookie: __cfduid=dd21bb2a68deedc1335761665803173851595687088; expires=Mon, 24-Aug-20 14:24:48 GMT; path=/; domain=.reachinschools.org; HttpOnly; SameSite=Lax
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< x-redirect-by: WordPress
< set-cookie: PHPSESSID=8185d762cfd957dc0d51fca97740c490; path=/
< vary: Accept-Encoding
< location: https://www.reachinschools.org/
< host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
< cf-cache-status: MISS
< cf-request-id: 0427f5c9a6000016a950a96200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5b868bef7ea516a9-SYD
<
{ [0 bytes data]
* Connection #0 to host reachinschools.org left intact
* Closing connection 0
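To verify a Minimum TLS setting across every protocol version rather than one at a time, the following script repeats the post's `curl --tls-max` check for TLS 1.0 through 1.3 and flags any version below the intended minimum that still completes a handshake. This is an added example, not code from the original post or from Cloudflare; the function names and the HOST and MINIMUM arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example: probe which TLS versions a host still negotiates and report
# every version below the intended minimum that was accepted.

# Extract the negotiated protocol from curl's verbose (-v) handshake trace.
# Prints e.g. "TLSv1.1", or nothing if no TLS session was established.
negotiated_tls_version() {
    # curl prints "* SSL connection using TLSv1.1 / ECDHE-RSA-AES128-SHA"
    sed -n 's/^\* SSL connection using \(TLSv1\.[0-3]\).*/\1/p' | head -n 1
}

# Succeed (exit 0) if version $1 is lower than minimum $2, both written as "1.x".
below_minimum() {
    [ "${1#1.}" -lt "${2#1.}" ]
}

# Cap the client at each protocol version with --tls-max (curl 7.54 or newer)
# and record whether the server completed the handshake.
# Usage: probe_min_tls HOST MINIMUM   e.g. probe_min_tls example.com 1.2
# Exit status is the number of versions accepted below MINIMUM (0 = enforced).
probe_min_tls() {
    host=$1
    minimum=$2
    findings=0
    for ver in 1.0 1.1 1.2 1.3; do
        # -v writes the handshake trace to stderr; merge it so we can parse it.
        got=$(curl -sv -o /dev/null --tls-max "$ver" "https://$host/" 2>&1 \
              | negotiated_tls_version)
        if [ -n "$got" ]; then
            status="accepted ($got)"
            if below_minimum "$ver" "$minimum"; then
                status="$status  <-- below minimum TLS $minimum"
                findings=$((findings + 1))
            fi
        else
            status="rejected"
        fi
        printf '%-8s %s\n' "TLS $ver" "$status"
    done
    return "$findings"
}
```

Run it as `probe_min_tls reachinschools.org 1.2`; a correctly enforced minimum shows TLS 1.0 and 1.1 as rejected and exits 0.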