mTLS client certificate revoked

This question is similar to others however they are closed and none were answered.

I am testing the implementation of mTLS using Cloudflare.

  1. I created a client certificate
  2. Enabled mTLS on api.XXXXXX
  3. Did a rule on WAF as per documentation, which states: (http.host in {"api.XXXXXXX"}) and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked) Block
  4. Did a test as follows:

i) Called the API without a client certificate - As expected, Cloudflare blocked it
ii) Called the API with the client certificate created in 1 - As expected, Cloudflare allowed the API
iii) Revoked the certificate created in 1 - Cloudflare allowed the API even though the certificate is revoked. This is strange because the rule is exactly as listed in the documentation.

Can anyone shed some light?


Did anyone manage to deploy a successful rule to block revoked certificates?

