Specific Site for TLS 1.2

We have an issue with a specific site in our domain. We need this site to only allow TLS 1.2 and the cipher suites. We have minimum version set to TLS 1.2 and we allow TLS 1.3 as that is better for security and other areas. However we have one site that does not allow TLS 1.3 and we get issues with things hitting that site as they don’t have a supported RSA cipher suite. Have looked into a worker to do this, but if 1.3 is tried we get failure. Any suggestions?

```javascript
async function handleRequest(request) {
  try {
    // request.cf is populated by the Cloudflare edge in production only
    const tlsVersion = request.cf.tlsVersion
    // Allow only TLS 1.2; anything else (including TLS 1.3) is rejected
    if (tlsVersion !== "TLSv1.2") {
      return new Response("Please use TLS version 1.2.", {
        status: 403,
      })
    }
    return fetch(request)
  } catch (err) {
    console.error(
      "request.cf does not exist in the previewer, only in production",
    )
    return new Response("Error in workers script: " + err.message, {
      status: 500,
    })
  }
}
addEventListener("fetch", event => {
  event.respondWith(handleRequest(event.request))
})
```
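
As an added example (not the original poster's code and not Cloudflare's), here is the same idea extended to gate one hostname on both the negotiated TLS version and a cipher allowlist, and to fail closed when `request.cf` is missing in the previewer. The hostname and cipher names are placeholders, and `request.cf.tlsCipher` is assumed to carry the negotiated suite; note that a Worker runs after the edge has already completed the handshake, so it can only reject a TLS 1.3 client, not make the edge renegotiate 1.2.

```javascript
// Added example: gate one hostname on the TLS version and cipher suite the edge negotiated.
// Assumptions: request.cf.tlsVersion / request.cf.tlsCipher exist in production;
// the hostname and cipher allowlist below are placeholders, not values from this thread.

const RESTRICTED_HOST = "legacy.example.com"; // placeholder hostname
const ALLOWED_VERSIONS = new Set(["TLSv1.2"]);
// Constructed allowlist; replace with the RSA suites the origin actually supports.
const ALLOWED_CIPHERS = new Set([
  "ECDHE-RSA-AES128-GCM-SHA256",
  "ECDHE-RSA-AES256-GCM-SHA384",
]);

// Pure decision function so the policy can be unit-tested without a Workers runtime.
// Returns { allow: boolean, reason: string }.
function evaluateTls(hostname, cf) {
  if (hostname !== RESTRICTED_HOST) {
    return { allow: true, reason: "host not restricted" };
  }
  if (!cf || typeof cf.tlsVersion !== "string") {
    // request.cf is absent in the local previewer; fail closed on the restricted host.
    return { allow: false, reason: "no TLS metadata" };
  }
  if (!ALLOWED_VERSIONS.has(cf.tlsVersion)) {
    return { allow: false, reason: `TLS version ${cf.tlsVersion} not allowed` };
  }
  if (!ALLOWED_CIPHERS.has(cf.tlsCipher)) {
    return { allow: false, reason: `cipher ${cf.tlsCipher} not allowed` };
  }
  return { allow: true, reason: "ok" };
}

async function handleRequest(request) {
  const hostname = new URL(request.url).hostname;
  const decision = evaluateTls(hostname, request.cf);
  if (!decision.allow) {
    // The handshake is already done at the edge; the Worker can only reject,
    // so a TLS 1.3 client sees this 403 rather than a downgrade to 1.2.
    return new Response(`Forbidden: ${decision.reason}`, { status: 403 });
  }
  return fetch(request);
}

// Guarded so the file also loads outside the Workers runtime (e.g. in a unit test).
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```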

Cloudflare’s connection to the origin will be at whatever max level the origin server advertises, so if a connection to the Cloudflare edge is made with TLS 1.3 but the origin only supports TLS 1.2, the request to the origin would be at 1.2.

If there’s some custom application making the connection that can’t support TLS 1.3, the options would be to either reduce the TLS level to 1.2 for the zone or, if you are an ENT customer, the subdomain can be set up as its own zone with the TLS 1.2 level.


That is what we ended up doing. Just reducing the zone to TLS 1.2. This will work for now. Wish that you didn’t have to lower it for the entire zone.

