"Minimum TLS Version" = 1.3 doesn't work when the origin is a Cloudflare Pages site

I’m testing the viability of TLS1.3-only sites, I know the Cloudflare documentation still says “not recommended” but times are changing and I’m doing it anyway.

It works fine when the origin is something other than Cloudflare Pages, but when the origin is Cloudflare Pages, it seems to still allow TLS 1.2 for some reason

I’ve set up the following subdomains for testing:

https://test1.skyqueen.cc/ – this is hosted on Github Pages and proxied through Cloudflare
https://test2.skyqueen.cc/ – this is hosted on Cloudflare Pages (and obviously proxied through Cloudflare)

“Minimum TLS Version” for the domain is set to 1.3

Testing reveals that the “test1” subdomain (Github Pages + Cloudflare proxy) works as expected (TLS 1.2 requests are refused)

However the “test2” subdomain (Cloudflare Pages) still allows TLS 1.2 connections

This can be verified using curl:

$ curl -Ik --tls-max 1.2 https://test1.skyqueen.cc/
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
$ curl -Ik --tls-max 1.2 https://test2.skyqueen.cc/
HTTP/2 200

This can also be verified using the SSL Labs tester:

test1: SSL Server Test: test1.skyqueen.cc (Powered by Qualys SSL Labs)

test2: SSL Server Test: test2.skyqueen.cc (Powered by Qualys SSL Labs)

So in the latter case, which are TLS 1.2 connections still being accepted?

Cloudflare Pages uses SSL for SaaS under the hood (so you can use Pages custom domains without having your DNS on Cloudflare) which most likely overrules your own TLS settings in favour of it’s own.

1 Like

Does it matter if it’s orange-clouded or not? I would expect a grey-clouded Cloudflare Pages site to behave differently, but when orange-clouded I expected it to do the normal edge certificate thing such that the origin’s SSL configuration wouldn’t really be relevant to what I see from the edge side.

I don’t see how it would - orange cloud will take into consideration some of your zone settings (mostly speed related stuff like Polish and whatnot) but not everything.

That’s the thing with SSL for SaaS - the settings are dictated by the provider (in this case, Cloudflare Pages) rather than your Cloudflare account.

All of the cipher suites, TLS versions, which CA is used, etc - is determined on the custom hostname level of SSL for SaaS. Ref: Cloudflare API v4 Documentation

I don’t think you have access to change any of that yourself at the moment though.