I set Minimum TLS version to 1.2 but it accepts down to TLS 1.0

Hi there

I am trying to enforce TLS 1.2 on our website.

I reviewed this help and set the Minimum TLS property to TLS 1.2.
https://support.cloudflare.com/hc/en-us/articles/360003205452-Using-Minimum-TLS-Version-in-Cloudflare-SSL-TLS

But when I try with curl to do requests with TLS 1.1 or 1.0, it accepts them. Could you let me know why that is and how to enforce TLS 1.2?

For example… if I run the example command here…
curl https://reachinschools.org -svo /dev/null --tls-max 1.1
there is no error preventing this…

    *   Trying 66.235.200.145...
    * TCP_NODELAY set
    * Connected to reachinschools.org (66.235.200.145) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.1 (OUT), TLS handshake, Client hello (1):
    } [154 bytes data]
    * TLSv1.1 (IN), TLS handshake, Server hello (2):
    { [100 bytes data]
    * TLSv1.1 (IN), TLS handshake, Certificate (11):
    { [2776 bytes data]
    * TLSv1.1 (IN), TLS handshake, Server key exchange (12):
    { [298 bytes data]
    * TLSv1.1 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
    } [37 bytes data]
    * TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.1 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.1 (IN), TLS change cipher, Change cipher spec (1):
    { [1 bytes data]
    * TLSv1.1 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.1 / ECDHE-RSA-AES128-SHA
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=reachinschools.org
    *  start date: Jul 7 00:00:00 2020 GMT
    *  expire date: Jul 7 12:00:00 2021 GMT
    *  subjectAltName: host "reachinschools.org" matched cert's "reachinschools.org"
    *  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc RSA CA-2
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7febc6808200)
    > GET / HTTP/2
    > Host: reachinschools.org
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
    < HTTP/2 301
    < date: Sat, 25 Jul 2020 14:24:52 GMT
    < content-type: text/html; charset=UTF-8
    < set-cookie: __cfduid=dd21bb2a68deedc1335761665803173851595687088; expires=Mon, 24-Aug-20 14:24:48 GMT; path=/; domain=.reachinschools.org; HttpOnly; SameSite=Lax
    < expires: Thu, 19 Nov 1981 08:52:00 GMT
    < cache-control: no-store, no-cache, must-revalidate
    < pragma: no-cache
    < x-redirect-by: WordPress
    < set-cookie: PHPSESSID=8185d762cfd957dc0d51fca97740c490; path=/
    < vary: Accept-Encoding
    < location: https://www.reachinschools.org/
    < host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
    < cf-cache-status: MISS
    < cf-request-id: 0427f5c9a6000016a950a96200000001
    < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < server: cloudflare
    < cf-ray: 5b868bef7ea516a9-SYD
    <
    { [0 bytes data]
    * Connection #0 to host reachinschools.org left intact
    * Closing connection 0

edit: Looks like you haven’t enabled the Cloudflare proxy. The proxy (orange cloud :orange: on your DNS records) determines whether or not you’re proxying traffic through CF and is required to do stuff like setting a minimum TLS version.

dig www.reachinschools.org

;; ANSWER SECTION:
www.reachinschools.org. 0       IN      CNAME   reachinschools.org.
reachinschools.org.     0       IN      A       66.235.200.145
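An added example (not from either poster, and not Cloudflare's tooling): a small Python probe that does what the `curl --tls-max` test above does for every protocol version at once, then reports which versions below the configured minimum the server still completes a handshake for. It only shows whether a version is accepted, not why; the hostname is a command-line argument and `example.com` is just a placeholder default.

```python
import socket
import ssl

# Versions to probe, oldest first. TLS 1.0 and 1.1 are the ones the question
# showed being accepted even though Minimum TLS had been set to 1.2.
PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

def handshake_with(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`
    (the equivalent of curl's --tls-max with a matching --tlsv1.x floor)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False  # local OpenSSL cannot even offer this version
    # We are testing protocol acceptance, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; relax it
    # so the client side is never the reason an old version "fails".
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def probe(host):
    return {name: handshake_with(host, v) for name, v in PROBE_VERSIONS}

def policy_violations(results, minimum="TLSv1.2"):
    """Versions below `minimum` that were accepted; an empty list means the
    minimum is actually enforced on the wire."""
    order = [name for name, _ in PROBE_VERSIONS]
    return [v for v in order[: order.index(minimum)] if results.get(v)]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    results = probe(host)
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    bad = policy_violations(results)
    print("minimum TLS 1.2 enforced" if not bad else "still accepts: " + ", ".join(bad))
```

Run it before and after turning the proxy on for the record; until the DNS record is proxied, TLS 1.0 and 1.1 will keep showing up as accepted because the handshake is terminated by the origin, not by Cloudflare.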

Thanks for explaining. Sorry for a simple question. How can I enable the proxy?

You can enable the proxy by going to your DNS tab, clicking edit on DNS records, and clicking on the grey cloud :grey: to turn it orange :orange:. You should only do this for your website (e.g. www and example.com), and not anything like mail since Cloudflare is not compatible with other ports.

