My site shows as accepting TLS 1.0

#1

This is a new phenomenon, as recently checked by Qualys. My site, since joining Cloudflare on the Free Plan - now on Pro Plan - has only ever accepted 1.2 & 1.3. 1.1 is not accepted either, still, yet 1.0 is. Why? / Need help resolving this as it depreciates certain security compliance / rating requirements. Thank-you,

#2

Have you tested with your browser or using online test tools to validate cypher?

curl --tlsv1.0 --tls-max 1.0 -I --url https://domain.com/
curl --tlsv1.1 --tls-max 1.1 -I --url https://domain.com/
curl --tlsv1.2 --tls-max 1.2 -I --url https://domain.com/
2 Likes
#3

I bet you’ve already checked your Crypto settings to make sure the Minimum TLS version is 1.2…but give it a look just to be sure. You can also try setting it to 1.0 for ten minutes, then set it back to 1.2.

I just checked one of my free plans and Qualys still shows 1.2 and 1.3 only.

1 Like
#4

Also remember, can’t search for the discussion now, that for a while it had a bug where it showed TLS 1.0 while actually not available.

1 Like
#5

Hello,

I just did but using --get due to needing to let --head commands from my IP. tlsv1.0 & 1.1 threw errors. tlsv1.2 returned my html. tlsv1.3 claimed to be unsupported via curl yet it’s specifically listed as a supported protocol within curl itself. Once I wake up further, I’ll be on the forum. Thank-you all for your suggestions. curl was the simplest for me to do at the moment. Peace.

2 Likes
#6

Yes, from reading through past discussions, I had come across this issue. And I’d easily let it go at that but Cloudflare itself has incoming requests via TLSv1.0 logged.

#8

I finally did as you suggest. I’m going to have a look at the Cloudflare logs again tomorrow to see the TLSv.(n)'s being accepted as requests. I’ll report back with my findings. Thank-you to all for the help!

2 Likes
#9

Well, the connections to my site via TLSv1.0 have increased. See attached screenshot. Now, a semi-separate topic: regarding SSL certs, I’ve noticed that the sslxx… prefixed cert from Cloudflare has been active on my domain as of late. It’s a new phenomenon that I recall reading about soon after I began using Cloudflare. I was unaffected by it since I joined after the period when they were issued. And I never saw one throughout my Free Plan and throughout most of my Pro Plan. So, any ideas how / why I’d have this appearing as in use for my domain? Also, I’ve just upgraded my regular Dedicated SSL to the wildcard Dedicated SSL as I’m planning on implementing some subs sometime in the future and want to be prepared when I do. Is removing the Universal SSL feasible at this point and would you think doing so may help mitigate my TLSv1.0 problem? Thanks for your time, again!

  • intr0
#10

  • Okay. So far so good, and now I can comfortably say Qualys has an issue. Mozilla, cert.sh, Htbridge, & Hardenize all agree. So unless Qualys knows something they do not, all’s quiet on the SSL cert front.

  • I’m going to leave this as “unsolved” for now, though I’ll close it as solved in another 24-48 hours if my Cloudflare logs continue to not show any TLSv1.0 requests and Qualys continues to be outvoted by other good sources. However, I do believe the issue has been quashed. :slightly_smiling_face:

2 Likes
#11

Well, in the past 24 hours, my logs show one connection via TLSv1.0. Why this is, at this point, I’ve no idea, though perhaps I should contact support so they may dig into my set-up more deeply. I’m happy to listen to any advice not yet given as well, too. I’d love to support only TLSv1.3 even for a day or two and observe what happens, though (quite unfortunately) said protocol isn’t supported as widely as it, in my opinion, should be since it’s currently the only protocol that has no known security flaws.
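
The posts above rely on Cloudflare logs to see whether TLS 1.0 connections still arrive. As an added example (not part of the thread and not Cloudflare's code), this tallies negotiated protocol versions from a newline-delimited JSON export and lists the deprecated-protocol hits per host. The Logpush-style field names and the sample records are assumptions constructed for illustration, since the thread does not say which log view was used.

```python
import json
from collections import Counter, defaultdict

# Protocols below a TLS 1.2 minimum. "TLSv1.0" is folded into "TLSv1".
DEPRECATED = {"TLSv1", "TLSv1.1"}

# Constructed sample records (not real traffic), one JSON object per line.
# Field names follow Logpush-style naming and are an assumption.
SAMPLE_LOG = """\
{"EdgeStartTimestamp":"2000-01-01T10:00:01Z","ClientRequestHost":"example.com","ClientSSLProtocol":"TLSv1.3","ClientRequestUserAgent":"constructed-browser"}
{"EdgeStartTimestamp":"2000-01-01T10:00:05Z","ClientRequestHost":"example.com","ClientSSLProtocol":"TLSv1.2","ClientRequestUserAgent":"constructed-browser"}
{"EdgeStartTimestamp":"2000-01-01T10:01:12Z","ClientRequestHost":"example.com","ClientSSLProtocol":"TLSv1","ClientRequestUserAgent":"constructed-scanner"}
{"EdgeStartTimestamp":"2000-01-01T10:02:30Z","ClientRequestHost":"www.example.com","ClientSSLProtocol":"TLSv1.0","ClientRequestUserAgent":"constructed-legacy-client"}
{"EdgeStartTimestamp":"2000-01-01T10:03:00Z","ClientRequestHost":"example.com","ClientRequestUserAgent":"constructed-plain-http"}
{"EdgeStartTimestamp":"2000-01-01T10:04:00Z","ClientReq
{"EdgeStartTimestamp":"2000-01-01T10:05:44Z","ClientRequestHost":"example.com","ClientSSLProtocol":"TLSv1.3","ClientRequestUserAgent":"constructed-browser"}
"""

def normalize(proto):
    """Map a missing protocol to "none" and unify TLS 1.0 spellings."""
    proto = (proto or "none").strip()
    return "TLSv1" if proto == "TLSv1.0" else proto

def tally_tls_versions(ndjson_text):
    """Return (count per protocol, deprecated hits per host, skipped lines)."""
    counts, hits, skipped = Counter(), defaultdict(list), 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            proto = normalize(rec.get("ClientSSLProtocol"))
        except (json.JSONDecodeError, AttributeError):
            skipped += 1  # truncated or non-object line: count it, do not guess
            continue
        counts[proto] += 1
        if proto in DEPRECATED:
            hits[rec.get("ClientRequestHost", "unknown")].append(
                (rec.get("EdgeStartTimestamp"), rec.get("ClientRequestUserAgent")))
    return counts, dict(hits), skipped

if __name__ == "__main__":
    counts, hits, skipped = tally_tls_versions(SAMPLE_LOG)
    print(dict(counts), "skipped:", skipped)
    for host, events in hits.items():
        for ts, ua in events:
            print(f"deprecated TLS to {host} at {ts} from UA {ua!r}")
```

Grouping by host shows whether the deprecated-protocol hits land on one hostname only, and the user agent and timestamp help separate a scanner's probe from a real legacy client.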

#12

I’ve disabled the Universal SSL cert. It worked, I can now mark this as solved. Thank-you to everyone’s help! :v:t3: Fantastic community!

1 Like
closed #13

This topic was automatically closed after 30 days. New replies are no longer allowed.