SSL cipher error when turning on Proxy mode?

What is the name of the domain?

companyA [dot] com

What is the error number?

525

What is the error message?

unsupported protocol, SSL version or cipher mismatch

What is the issue you’re encountering

Hi, we are trying to resolve an SSL issue (cipher related) when we put a host into Proxy mode (everything works in DNS-only mode). All certificates used in this scenario are valid and externally signed by a trusted CA.

The host (endpoint [dot] companyA [dot] com) we are trying to turn on Proxy mode for in CF is a CNAME record to another external domain (not controlled by us and hosted in Route53): xyz [dot] companyB [dot] com. So the flow is xyz [dot] companyB [dot] com >> endpoint [dot] companyA [dot] com, which then points to >> Azure Traffic Manager >> load balanced across 2 IIS servers. The IIS servers host the actual xyz [dot] companyB [dot] com website. We have our certificate *.companyA [dot] com in CF and also the same wildcard cert + the certificate for xyz [dot] companyB [dot] com on the 2 IIS servers.

When we turn on Proxy mode, we get the SSL cipher mismatch error. We tried a few things, like adding a routing rule in CF to relax the SSL configuration to Flexible; that didn’t work, so we are following a few leads. One of these is to put the certificate for xyz [dot] companyB [dot] com in CF, but do we need to bind it to the specific DNS entry (i.e. bind it to endpoint [dot] companyA [dot] com; is that even possible)? Another possible solution we are thinking about is to put an origin server certificate on the 2 IIS servers and create a routing rule in CF for endpoint [dot] companyA [dot] com that’ll change the SSL mode from the current Full mode to Full (Strict) mode. Not sure if either solution will work, or am I thinking about this all wrong?

What steps have you taken to resolve the issue?

Applied a routing rule for the DNS endpoint to downgrade SSL to Flexible mode and to none. Did not work.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Turn on proxy mode, browse to the url and error occurs.
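An added diagnostic, not part of the original post and not Cloudflare's own tooling: in Full mode the proxy opens its own TLS connection to whatever address the record resolves to, sends the proxied hostname as SNI, and reports a 525 when that handshake itself fails (no common protocol or cipher); a certificate that completes the handshake but would not validate against a public CA and the hostname is accepted in Full and rejected with a 526 only in Full (strict). The script below repeats that handshake with openssl s_client and classifies the transcript the same way. The ORIGIN and SNI_HOST arguments are placeholders for the Traffic Manager or IIS endpoint and the proxied hostname; the sample transcripts in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or Cloudflare): repeat the origin-side
# handshake that Cloudflare performs in Full mode and map the result to the 5xx the
# proxy would return. ORIGIN and SNI_HOST are placeholders, not real infrastructure.

# Handshake with the origin the way the proxy does: connect to the origin address,
# send the proxied hostname as SNI, verify the certificate against that hostname.
# Prints the openssl s_client transcript (stdout and stderr) for classification.
# Extra arguments are passed to openssl, e.g. -tls1_2 or -cipher 'ECDHE+AESGCM'.
probe_origin() {
  origin="$1"; sni="$2"; shift 2
  printf '' | openssl s_client -connect "${origin}:443" -servername "$sni" \
      -verify_hostname "$sni" "$@" 2>&1
}

# Read an s_client transcript on stdin and print the Cloudflare error it maps to.
classify_handshake() {
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -qiE \
      'handshake failure|no ciphers? available|unsupported protocol|wrong version number|no peer certificate'; then
    # Nothing was negotiated: this is what the proxy reports as 525.
    echo "525: TLS handshake failed (protocol or cipher mismatch)"
  elif printf '%s\n' "$transcript" | grep -qE 'Verify return code: [1-9][0-9]* '; then
    # Handshake completed but chain or hostname did not validate:
    # accepted in Full, rejected with 526 in Full (strict).
    echo "526: handshake ok, certificate would fail Full (strict) validation"
  elif printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
    echo "ok: handshake and certificate validation succeeded"
  else
    echo "unknown: inspect transcript"
  fi
}

# Usage: sh probe.sh <origin-host-or-ip> <sni-hostname> [openssl options]
# Example: sh probe.sh traffic-manager.example.net endpoint.companyA.com -tls1_2
if [ "$#" -ge 2 ]; then
  probe_origin "$@" | classify_handshake
fi
```

Run it once with the proxied hostname as SNI and once with the hostname the IIS site is actually bound to; if the two return different certificates or one of them fails the handshake, the IIS bindings (one SNI-enabled binding per hostname when several certificates share an address) are the place to look before changing the Cloudflare SSL mode.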

Hi,

Thank you for reaching out to us. I’m sorry that you’re experiencing issues. Can you provide us with the domain you’re having issues with? Also, you may check some troubleshooting steps you can follow here: Troubleshooting Cloudflare 5XX errors · Cloudflare Support docs

Kindly,

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.