mTLS rule does not validate revoked or certs issued for other domains

I’m trying to implement mTLS and so far it’s been a total disaster… I’m not sure if I’m doing something wrong or what.

The issue I’m having is that I can basically use a revoked certificate or even use a certificate that was issued for another domain!

The issue is similar to this one, “A revoked Client Certificate still passes `cf.tls_client_auth.cert_verified` firewall rule”, which didn’t get any answer on how to solve it.

More details:
I have 2 domains set up in my Cloudflare account. I created an mTLS certificate in one domain, created the firewall rule to validate it and it does validate and blocks the access if I do not PROVIDE the certificate.

If I provide the certificate, then it works as it should. However, if I revoke the certificate, it remains working!

Even worse, I set up mTLS in my second domain and it behaves the same, but this time, if I use a REVOKED certificate issued for my first domain, it also works!

I’m afraid that it may work even if I issue a certificate from a totally different account…

Just for context, I created the certificates using the dashboard: SSL/TLS > Client Certificates > Create Certificate
then I selected: Generate private key and CSR with Cloudflare and RSA (2048), validity of 15 years.

I also tried it using “Use my private key and CSR” and then I provided my own CSR, but there’s no difference… It behaves the same.
It seems like it just checks whether a certificate was provided and that’s it, it doesn’t seem to care if the certificate is genuine…

I’m testing it with Postman (adding the certificate and key using the Settings menu).

Has anyone managed to get this to work properly?
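
For reference, an added example that is not part of the original post: Cloudflare's rules language has a separate `cf.tls_client_auth.cert_revoked` field, and a Block rule that tests only `cf.tls_client_auth.cert_verified` never consults it. The exact rule used in the post is not shown, so the first expression is an assumed reconstruction, and `api.example.com` is a placeholder hostname.

```text
Assumed rule of the kind described in the post (action: Block).
Only the verified flag is tested, so revocation is never checked:

  (http.host eq "api.example.com" and not cf.tls_client_auth.cert_verified)

Rule that also blocks revoked client certificates (action: Block).
Entered through the expression editor:

  (http.host eq "api.example.com" and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked))
```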
