I tried to set a global minimum TLS version to 1.2 (under SSL/TLS → Edge Certificates). Unfortunately, this had no effect. I tested it according to Cloudflare docs. What am I doing wrong?
(my clouds at DNS-Records are orange)
How are you testing? What is your domain?
I am testing with curls as described in the docs:
curl "domain" -svo /dev/null --tls-max 1.0
Domain is:
galvita. + com
(can’t post urls here)
Seems to work just fine:
curl https://galvita.com --tls-max 1.0
curl: (35) error:0A0000BF:SSL routines::no protocols available
curl https://galvita.com --tls-max 1.1
curl: (35) error:0A0000BF:SSL routines::no protocols available
curl https://galvita.com --tls-max 1.2
<!DOCTYPE html>
Wow… yes, now it works for me too.
Thanks!
No… sorry still not working!
Try with "/" at the end of the URL and TLS 1.1.
I get still the whole html
curl https://galvita.com/ --tls-max 1.0
curl: (35) error:0A0000BF:SSL routines::no protocols available
curl https://galvita.com/ --tls-max 1.1
curl: (35) error:0A0000BF:SSL routines::no protocols available
curl https://galvita.com/ --tls-max 1.2
<!DOCTYPE html>
Exactly the same. Did you maybe forget to put https:// at the front?
No… I get this:
curl https://galvita.com/ --tls-max 1.1
<!DOCTYPE html>
Can you show the output of dig +short galvita.com ?
dig +short galvita.com
188.114.96.12
188.114.97.12
It does look like a Cloudflare issue, I am getting a variety of results from different devices I try on. By querying the trace you can see that sometimes CF is accepting TLSv1.1 and other times not. Seems consistent on each machine I try, but changes between machines…
curl -vv https://galvita.com/cdn-cgi/trace --tls-max 1.1
* Trying 104.21.69.141:443...
* Connected to galvita.com (104.21.69.141) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.1 (IN), TLS handshake, Certificate (11):
* TLSv1.1 (IN), TLS handshake, Server key exchange (12):
* TLSv1.1 (IN), TLS handshake, Server finished (14):
* TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.1 (OUT), TLS handshake, Finished (20):
* TLSv1.1 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.1 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.1 / ECDHE-RSA-AES128-SHA
* ALPN: server accepted h2
* Server certificate:
* subject: CN=galvita.com
* start date: Oct 21 16:28:11 2023 GMT
* expire date: Jan 19 16:28:10 2024 GMT
* subjectAltName: host "galvita.com" matched cert's "galvita.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
* SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: galvita.com]
* h2 [:path: /cdn-cgi/trace]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7fd5c600fc00)
> GET /cdn-cgi/trace HTTP/2
> Host: galvita.com
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 200
< date: Sun, 05 Nov 2023 18:22:55 GMT
< content-type: text/plain
< access-control-allow-origin: *
< server: cloudflare
< cf-ray: 82171ffc7ed05328-LHR
< x-frame-options: DENY
< x-content-type-options: nosniff
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< cache-control: no-cache
<
fl=21f943
h=galvita.com
ip=[redacted]
ts=1699208575.433
visit_scheme=https
uag=curl/8.1.2
colo=LHR
sliver=none
http=http/2
loc=GB
tls=TLSv1.1
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519
* Connection #0 to host galvita.com left intact
curl -4 -vv https://galvita.com/cdn-cgi/trace --tls-max 1.1
* Trying 104.21.69.141:443...
* Connected to galvita.com (104.21.69.141) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* OpenSSL/3.0.9: error:0A0000BF:SSL routines::no protocols available
* Closing connection 0
curl: (35) OpenSSL/3.0.9: error:0A0000BF:SSL routines::no protocols available
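An added check, not part of the thread, that turns the two observations above into something scriptable: it parses the tls= field of a /cdn-cgi/trace body and curl's "SSL connection using" line and flags any negotiated version below the configured minimum (1.2 here). The sample trace and curl lines are constructed from the outputs quoted in the thread.

```python
import re

# Rank used to compare negotiated protocol versions (older < newer).
TLS_RANK = {"TLSv1": 0, "TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# Constructed samples: a trace body and curl -v line from an edge that accepted
# TLSv1.1, and the refusal message from an edge enforcing the minimum correctly.
TRACE_ACCEPTED = "h=galvita.com\ncolo=LHR\nhttp=http/2\ntls=TLSv1.1\nkex=X25519\n"
CURL_ACCEPTED = "* SSL connection using TLSv1.1 / ECDHE-RSA-AES128-SHA\n< HTTP/2 200\n"
CURL_REFUSED = "curl: (35) error:0A0000BF:SSL routines::no protocols available\n"


def parse_trace(body):
    """Parse the key=value lines of a /cdn-cgi/trace response into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def negotiated_version(curl_verbose):
    """Return the TLS version from curl's 'SSL connection using' line, or None
    when no handshake completed (e.g. the 'no protocols available' error)."""
    m = re.search(r"SSL connection using (TLSv1(?:\.\d)?)\b", curl_verbose)
    return m.group(1) if m else None


def below_minimum(version, minimum="TLSv1.2"):
    """True when a negotiated version is older than the configured minimum."""
    return TLS_RANK[version] < TLS_RANK[minimum]


def audit(trace_body, curl_verbose, minimum="TLSv1.2"):
    """Report the version each source shows and whether the edge accepted a
    protocol below the minimum. A None version means the handshake was refused,
    which is the expected (compliant) outcome for --tls-max 1.1."""
    trace_tls = parse_trace(trace_body).get("tls")
    curl_tls = negotiated_version(curl_verbose)
    accepted = [v for v in (trace_tls, curl_tls) if v is not None]
    return {
        "trace": trace_tls,
        "curl": curl_tls,
        "violation": any(below_minimum(v, minimum) for v in accepted),
    }


if __name__ == "__main__":
    print(audit(TRACE_ACCEPTED, CURL_ACCEPTED))  # violation: True
    print(audit("", CURL_REFUSED))               # violation: False
```

Feeding it real output means saving `curl -sv https://<your-domain>/cdn-cgi/trace --tls-max 1.1` (stderr and body separately) from each machine you test on, which makes node-to-node differences like the ones above easy to tabulate.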
Thank you for your testing sjr,
What can I do now?
What’s the best way to report this error?
Clearly a lot of odd behaviour since the outage, almost as if settings haven’t or aren’t syncing to all nodes.
Have you tried changing the TLS setting up and down to see if that makes everything sync up?
Yes, I tried that already.
I’m not able to see the same behavior. Testing from 9 servers I have, and all report
curl: (35) error:0A0000BF:SSL routines::no protocols available
I am still experiencing the same issue… very strange.
curl https://galvita.com/ --tls-max 1.1
<!DOCTYPE html>
Weird. I’ve raised it to the team so they can take a look
What version of curl are you using?
curl --version
I too had wondered if the curl version was an issue, but ruled it out as testing against some of my Cloudflare domains didn’t show this behaviour (that is, TLSv1.1 was always refused).
Just gone through a few versions on the same machine…
v8.0.1 - correct behaviour (as in refuses the TLSv1.1 connection)
v8.1.2 - says a TLSv1.1 connection has been allowed
v8.4.0 - correct behaviour (connection refused)
I’m seeing odd behaviour across domains in another Cloudflare account, but need to confirm the settings on those first.
I use curl 8.1.2