SSL handshake failed for "flexible" tunnel

I get an SSL handshake error for some connections to an nginx webserver behind a Cloudflare Tunnel. The connection type is “flexible”, i.e. traffic between the tunnel and nginx is not encrypted. Am I correct that in this case nginx (and its configuration) is not causing the error and it therefore has to occur between the browser and the tunnel connector?

Some connections do work, others fail:

  • Chrome & curl to … work fine
  • Apache web bench (ab -n 1 -v 3 ...) reports
Benchmarking ... (be patient)...INFO: GET header == 
---
GET / HTTP/1.0
Host: ...
User-Agent: ApacheBench/2.3
Accept: */*


---
SSL/TLS Handshake [Start] before connect initialization
SSL handshake failed (1).
7987469376:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/4e1473ee-9f66-11ee-8daf-cedaeb4cabe2/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:129:SSL alert number 70
..done
  • on some systems python/requests.get does work, on others it does not. Could it be due to a lack of ciphers? How would I diagnose this, and what ciphers are required and where?
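The ab output above already carries the answer to "where": the LibreSSL error line ends in "SSL alert number 70", which is the TLS protocol_version alert, sent by the peer that refused the offered protocol version. The added script below (example code for this thread, not from the poster or from Cloudflare) decodes that alert both from a raw TLS record and from the error string, and then probes a host with one handshake per TLS version using the standard-library ssl module, which is the same stack python/requests uses. The host name defaults to the one discussed in the thread; the alert record bytes and the copied error line are constructed samples for the offline part.

```python
"""Decode TLS alerts and probe which TLS versions a server will negotiate.

Added example for this thread (not code from the original posts).
SAMPLE_* values below are constructed; the default host is an assumption."""
import re
import socket
import ssl
import struct

# TLS AlertDescription values (RFC 5246 s.7.2, RFC 8446 s.6); a useful subset.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 109: "missing_extension",
    112: "unrecognized_name", 120: "no_application_protocol",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Constructed sample: one TLS record (content type 21 = alert, record version
# 0x0303, length 2) carrying a fatal (2) protocol_version (70 = 0x46) alert.
SAMPLE_PROTOCOL_VERSION_ALERT = bytes.fromhex("15 0303 0002 02 46")

# Constructed sample: the shape of the LibreSSL error line quoted in the thread.
SAMPLE_AB_ERROR = ("7987469376:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert "
                   "protocol version:...tls13_lib.c:129:SSL alert number 70")


def parse_tls_record(data: bytes) -> dict:
    """Classify the first TLS record in `data`: an alert (level, number, name)
    or a handshake record (ServerHello is handshake type 2)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record body")
    if content_type == 21:  # alert
        if len(body) != 2:
            raise ValueError("malformed alert body")
        level, number = body
        return {"type": "alert", "level": ALERT_LEVELS.get(level, str(level)),
                "number": number,
                "description": ALERT_DESCRIPTIONS.get(number, f"unknown({number})")}
    if content_type == 22:  # handshake
        return {"type": "handshake", "record_version": f"0x{record_version:04x}",
                "handshake_type": body[0] if body else None}
    return {"type": f"content_type_{content_type}", "length": length}


_ALERT_RE = re.compile(r"SSL alert number (\d+)")


def explain_error_line(line: str):
    """Map the 'SSL alert number N' tail of an OpenSSL/LibreSSL error to its name."""
    match = _ALERT_RE.search(line)
    if not match:
        return None
    number = int(match.group(1))
    return number, ALERT_DESCRIPTIONS.get(number, f"unknown({number})")


VERSIONS = [("TLS 1.0", ssl.TLSVersion.TLSv1), ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
            ("TLS 1.2", ssl.TLSVersion.TLSv1_2), ("TLS 1.3", ssl.TLSVersion.TLSv1_3)]


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One handshake per TLS version, pinned to exactly that version, with SNI.
    Returns {label: outcome}; a 'refused' entry names the alert the peer sent."""
    results = {}
    for label, version in VERSIONS:
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
            ctx.maximum_version = version
            ctx.minimum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # Legacy versions need legacy suites; lower the security level for
                # this probe only (OpenSSL cipher-string syntax).
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    name, _proto, bits = tls.cipher()
                    results[label] = f"ok ({tls.version()}, {name}, {bits} bits)"
        except ssl.SSLError as exc:          # handshake-level refusal
            results[label] = f"refused ({exc.reason})"
        except (ValueError, OSError) as exc:  # unsupported version locally, or network
            results[label] = f"error ({exc})"
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "web.leaf49.org"  # assumed host
    print(parse_tls_record(SAMPLE_PROTOCOL_VERSION_ALERT))
    print(explain_error_line(SAMPLE_AB_ERROR))
    for label, outcome in probe_versions(host).items():
        print(f"{label}: {outcome}")
```

Run it once from a system where requests works and once from one where it fails; if the same versions succeed from both, the difference is in the client stack used by the failing tool (ab linked against LibreSSL, MbedTLS on the microcontroller) rather than at the edge, and the "refused" entries tell you which version the peer would not accept.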

You should have it on Full (strict). Cloudflare will handle the connection to the tunnel as part of it. You can configure HTTP in the tunnel with Full (strict) mode.

Can you share your domain and the full commands you are running?


Domain is https://web.leaf49.org.

The full command I am using is

ab -n 1 -v 3 https://web.leaf49.org/

Output:

This is ApacheBench, Version 2.3 <$Revision: 1903618 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking web.leaf49.org (be patient)...INFO: GET header == 
---
GET / HTTP/1.0
Host: web.leaf49.org
User-Agent: ApacheBench/2.3
Accept: */*


---
SSL/TLS Handshake [Start] before connect initialization
SSL handshake failed (1).
7987469376:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/4e1473ee-9f66-11ee-8daf-cedaeb4cabe2/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:129:SSL alert number 70
..done


Server Software:        
Server Hostname:        web.leaf49.org
Server Port:            443
TLS Server Name:        web.leaf49.org

Document Path:          /
Document Length:        0 bytes

Concurrency Level:      1
Time taken for tests:   0.050 seconds
Complete requests:      1
Failed requests:        0
Total transferred:      0 bytes
HTML transferred:       0 bytes
Requests per second:    20.08 [#/sec] (mean)
Time per request:       49.803 [ms] (mean)
Time per request:       49.803 [ms] (mean, across all concurrent requests)
Transfer rate:          0.00 [Kbytes/sec] received

I did change to “full strict”. Tunnel still working (without installing certificates on my end), but I also still get the same error.

The documentation for Full (strict) confused me:

Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server

I assumed I needed to install certificates for nginx (or whatever is running on the server). Apparently with a tunnel the tunnel connector uses the certificate and installation is transparent.

Anyway, my problem is that while GET requests are successful from Python running on the host (macos), they fail on a microcontroller using the MBED TLS stack (error MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE).

Apache bench is just used to diagnose (?) the issue.