SSL/TLS configuration

Is it a good idea to leave my site like this with this configuration or do I have to enable strict?

Full (Strict) is more secure since it requires that a trusted (or Cloudflare Origin CA) certificate is present on the origin as opposed to trusting any self-signed certificate.

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/#use-when-3

If you’re going to switch, make sure your origin has a trusted certificate - or, alternatively, generate & use a Cloudflare Origin CA certificate. https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

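Added example, not part of the original thread and not Cloudflare's own tooling: a Python check that connects directly to the origin and validates its certificate the way a strict client would, approximating what Full (Strict) requires (trusted issuer, unexpired, matching hostname). The function names, the sample IP `203.0.113.10` and `example.com` are assumptions; pass the Cloudflare Origin CA root PEM as `ca_file` when the origin uses an Origin CA certificate.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes that matter for a strict origin check.
REASONS = {
    10: "certificate has expired",
    18: "self-signed certificate (fails strict validation)",
    19: "self-signed certificate in chain",
    20: "issuer not trusted by the selected CA store",
    62: "hostname mismatch",
}


def explain(exc):
    """Map a certificate verification failure to a readable reason."""
    code = getattr(exc, "verify_code", None)
    return REASONS.get(code, getattr(exc, "verify_message", None) or str(exc))


def check_origin(origin_ip, hostname, ca_file=None, port=443, timeout=5):
    """Connect straight to the origin (bypassing the proxy), send `hostname`
    as SNI and validate the certificate strictly.

    ca_file=None uses the system trust store (publicly trusted CAs).
    ca_file=<path> trusts only that PEM, e.g. the Origin CA root (assumption:
    you have downloaded it from the Cloudflare docs linked in the thread).
    Returns (ok, detail).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return True, "valid until " + cert["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc)
    except OSError as exc:  # refused, timed out, or non-certificate TLS error
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # Constructed sample values: replace with your origin IP and hostname.
    print(check_origin("203.0.113.10", "example.com"))
```

A `False` result with a self-signed or untrusted-issuer reason means the certificate needs replacing before switching the SSL mode.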

Thank you 🙂

Then is it necessary to disable Cloudflare’s Universal SSL certificate?

No - and if you do, you’ll likely break your site.

The SSL modes you’re looking at relate to how Cloudflare talks to your origin whereas the Universal SSL is the edge certificate which relates to how users talk to Cloudflare.

User <- Universal SSL Edge Certificate -> Cloudflare <- Full (Strict) Trusted Certificate -> Origin

When we already have our own certificate installed on our server, it is necessary to have this option “Authenticated extractions of origin” enabled.

That’s a method where you can verify that Cloudflare is the one fetching your origin - it verifies the certificate presented by Cloudflare matches the one that you (during Authenticated Origin Pull setup) downloaded onto your server.

It is separate to the Edge Certificate & Origin Certificates we’ve spoken about - but rather refers to verifying the certificate presented by Cloudflare. https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/

Could you provide us with a guide to correctly check our SSL configuration on our websites? Thank you.
