Minimum TLS Settings not working

I have a CNAME entry for www.XYZ.com, pointing to our company’s HubSpot URL. When I run a TLS checker on www.XYZ.com, I see that TLS versions lower than 1.2 are not allowed. Great, this is what I want.

I have another CNAME entry for XYZ.com, pointing to www.XYZ.com. When I run a TLS checker on this, it shows that lower versions of TLS are enabled. Why would this be?

I have no page rules, and the edge certificate settings are as follows:
Always Use HTTPS - True
Minimum TLS Version - TLS 1.2
Opportunistic Encryption - True
TLS 1.3 - Enabled
Automatic HTTPS Rewrites - True

What is the domain?

physnet.com redirects to www.physnet.com on Cloudflare, so I assume the redirect is processed before your TLS preferences. Due to that, no one can reach your site with TLSv1.1 or lower anyway.

I understand, however, there’s an issue with a third-party scanning my domain. It’s affecting my security rating unfairly because they’re penalizing me for allowing TLS1.1 without considering the actual context.

Remove the Cloudflare redirect and do the redirect on your origin so the request for physnet.com passes through the Cloudflare TLS settings.

[add] Just checked my redirects and they are only working at the configured TLS setting so my assumption about the pipeline process is likely wrong. I’ll dig deeper…

Try removing the CNAME for physnet.com and use a proxied dummy value of A 192.0.2.1 or AAAA 100:: instead. Shouldn’t make any difference but worth checking.

That’s weird. My 100:: DNS record I use for a redirect shows as TLS 1.2 and above only:

https://www.ssllabs.com/ssltest/analyze.html?d=www.b8a.me&latest

My wild guess is that this is all going on in Hubspot’s Cloudflare account and that you might not have much (or any) control over its behavior.

As another test, I’ve removed the CNAME entry for the root physnet.com and utilized the Cloudflare page rule functionality to redirect to www.physnet.com. Again, the entry with www scans properly and the root domain does not. Very odd.

If you set your page rule to redirect to someplace completely different, does it do it?

Very odd. I updated the redirect to https://www.google.com, and the TLS scanner still showed the older versions enabled. I am using ssllabs.com for scanning.

Ok, but does the redirect actually take you to Google?

Yes, it did take me to Google.


I have resolved this. In HubSpot there is a domain security setting to restrict TLS versions on the domain. Even though the main site (www.physnet.com) had the TLS version restricted, I also needed to restrict it on the redirect definition (physnet.com).

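The lesson of the thread is that the apex and the www host can be terminated by different configurations even when one only redirects to the other, so both need to be scanned. Below is an added example (not code from this thread, Cloudflare or HubSpot) that pins a TLS client to one protocol version at a time and reports which versions each host will negotiate, which is the same information SSL Labs shows under "Protocols". The host names physnet.com and www.physnet.com are taken from the thread only as sample arguments; the functions `probe_version`, `scan_host`, `minimum_accepted` and `meets_minimum` are this example's own names.

```python
"""Probe which TLS protocol versions a host will negotiate.

Added example for this thread, not code from the original posts,
Cloudflare or HubSpot. Run it against the apex and the www host to
confirm both refuse anything below TLS 1.2.
"""
import socket
import ssl
import sys
from typing import Dict, Optional

# Oldest to newest; minimum_accepted() and meets_minimum() rely on this order.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host: str, version: ssl.TLSVersion, port: int = 443,
                  timeout: float = 5.0) -> Optional[bool]:
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the local OpenSSL cannot even offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only version negotiation is under test, so the certificate is not
    # validated here. Never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 builds refuse to offer TLS 1.0/1.1 at the default
        # security level; level 0 is needed just to send the ClientHello.
        if version < ssl.TLSVersion.TLSv1_2:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None  # this client cannot speak that version at all
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Unreachable host is a scan error, not a "version refused" result.
        raise RuntimeError(f"cannot reach {host}:{port}: {exc}") from exc
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True  # min == max, so the negotiated version is `version`
        except OSError:
            # protocol_version alert, handshake failure, reset or EOF all mean
            # the server would not negotiate this version.
            return False


def scan_host(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every version in VERSIONS against one host."""
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS}


def minimum_accepted(results: Dict[str, Optional[bool]]) -> Optional[str]:
    """Oldest version the server accepted, or None if no handshake succeeded."""
    for name, _ in VERSIONS:
        if results.get(name):
            return name
    return None


def meets_minimum(results: Dict[str, Optional[bool]],
                  required: str = "TLSv1.2") -> bool:
    """True only when every version older than `required` was actively
    refused. A version the local stack could not test (None) is treated as
    unconfirmed, so the check fails rather than silently passing."""
    names = [n for n, _ in VERSIONS]
    for name in names[: names.index(required)]:
        if results.get(name) is not False:
            return False
    return True


if __name__ == "__main__":
    # Sample hosts from the thread; pass your own on the command line.
    for host in sys.argv[1:] or ["physnet.com", "www.physnet.com"]:
        results = scan_host(host)
        shown = {k: ("yes" if v else "untestable" if v is None else "no")
                 for k, v in results.items()}
        print(f"{host}: {shown}  oldest accepted={minimum_accepted(results)}"
              f"  min TLS 1.2 enforced={meets_minimum(results)}")
```

A host that passes shows `no` for TLSv1.0 and TLSv1.1 and `yes` for TLSv1.2; if the apex reports `yes` for an old version while the www host does not, the redirect endpoint is being served from a different TLS configuration, exactly the situation resolved in the thread.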
