Minimum TLS Version and Solarwinds Pingdom

I noticed that when switching the Minimum TLS Version to 1.3, sites like Solarwinds’ Pingdom (tools section to test performance) will not be able to connect to your site. It also happens on a few other testing websites, for example for SEO checks.

Google Pagespeed and GTMetrix have no issue. When I check the Pingdom website they say they can handle TLS 1.3. When I turn it off in the CF dashboard for a site, it works…

I wonder: if this happens at a well-known analytics site such as Pingdom, won’t it also happen to many visitors and customers trying to visit websites? On the other hand, if I have it turned off I lose my 100% score at internet.nl (a Dutch government-backed security check for websites).

So, is this an error in the CF setup somehow or Solarwinds Pingdom? Any ideas or suggestions?

You should set the minimum TLS version to v1.2. You will cut off a substantial number of users if you set the minimum to TLS v1.3.

The issue is the default cipher set that I deployed at Cloudflare’s Edge. You can still get 100% on internet.nl by subscribing to Cloudflare Advanced Certificate Manager, and setting a custom set of cipher suites.

Yeah, if I switch to 1.2 it says:

Verdict:

Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.

Technical details:

| Web server IP address | Affected ciphers | Status |
|---|---|---|
| 2a06:98c1:3120:: | ECDHE-ECDSA-CHACHA20-POLY1305-OLD | phase out |
| 188.114.97.0 | ECDHE-ECDSA-CHACHA20-POLY1305-OLD | phase out |

So if you use a default cipher set that is marked as having a “phase out” status, why not update it? This way many website owners have an issue without knowing.

What issue? At the moment they are still deemed to be secure. The internet.nl test is based on the Dutch IT Security Guidelines for TLS, which state the following for Phase Out status items:

compatibility requirements for some applications may require their support until client support improves

Android 5 and 6 support those pre-RFC versions of ChaCha20-Poly1305, but not the RFC version. So removing them would have a significant performance impact on those devices as they do not have good hardware support for other ciphers. So you cannot really remove them until client support improves, and they do not currently represent a real risk (just a potential risk). Once they represent a real risk they will be moved to the Insufficient list, and likely removed from the default Cloudflare configuration.

1 Like

Android 5 was EOL in Nov 2014; Android 6 has been EOL since Oct 2015.
Should one really want to be compatible with stuff that outdated?

Anyway – internet.nl’s test punishes websites with < 100% score using CF. And as I’ve said, “many website owners have an issue without knowing” because most of them hardly ever test their websites on systems like Pingdom (I did because I made some major changes to one of my sites).

So yeah, that’s my issue at the moment… and probably an issue many others might have, not knowing they do.

Personally, I don’t. But it depends on your audience. Currently my primary account sees about 17% TLS v1.2, so that is too high to turn off. But you can use ACM to remove any ciphers that you no longer need.

I have plenty of CF zones that score 100% on internet.nl, and still have some phase out ciphers enabled.

1 Like
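Added example, not part of the thread: one way to measure, before raising the minimum TLS version or removing phase-out ciphers, what share of TLS requests would be affected. The log records are constructed, and the field names `ClientSSLProtocol` and `ClientSSLCipher` are assumptions about what your edge log export contains.

```python
import json
from collections import Counter

# Cipher that internet.nl flagged as "phase out" in the thread above.
PHASE_OUT = {"ECDHE-ECDSA-CHACHA20-POLY1305-OLD"}
VERSION_RANK = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# Constructed sample records (one JSON object per line), not real traffic.
SAMPLE_LOG = """\
{"ClientSSLProtocol": "TLSv1.3", "ClientSSLCipher": "AEAD-AES128-GCM-SHA256"}
{"ClientSSLProtocol": "TLSv1.3", "ClientSSLCipher": "AEAD-AES256-GCM-SHA384"}
{"ClientSSLProtocol": "TLSv1.3", "ClientSSLCipher": "AEAD-CHACHA20-POLY1305-SHA256"}
{"ClientSSLProtocol": "TLSv1.2", "ClientSSLCipher": "ECDHE-ECDSA-AES128-GCM-SHA256"}
{"ClientSSLProtocol": "TLSv1.2", "ClientSSLCipher": "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"}
{"ClientSSLProtocol": "none", "ClientSSLCipher": "NONE"}
not-json
"""

def tls_impact(lines, min_version="TLSv1.3", drop_ciphers=PHASE_OUT):
    """Share of TLS requests below min_version and share using drop_ciphers."""
    versions, ciphers, skipped = Counter(), Counter(), 0
    for line in lines:
        try:
            rec = json.loads(line)
            proto, cipher = rec["ClientSSLProtocol"], rec["ClientSSLCipher"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or incomplete record
            continue
        if proto not in VERSION_RANK:
            skipped += 1  # plain HTTP or unknown protocol label
            continue
        versions[proto] += 1
        ciphers[cipher] += 1
    total = sum(versions.values())
    if total == 0:  # nothing usable: avoid dividing by zero
        return {"tls_requests": 0, "skipped": skipped,
                "below_min_pct": 0.0, "drop_cipher_pct": 0.0}
    floor = VERSION_RANK[min_version]
    below = sum(n for v, n in versions.items() if VERSION_RANK[v] < floor)
    dropped = sum(n for c, n in ciphers.items() if c in drop_ciphers)
    return {
        "tls_requests": total,
        "skipped": skipped,
        "below_min_pct": round(100 * below / total, 1),
        "drop_cipher_pct": round(100 * dropped / total, 1),
    }

if __name__ == "__main__":
    print(tls_impact(SAMPLE_LOG.splitlines()))
```
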
