TLS 1.2 vs TLS 1.3

user3011 · May 15, 2019, 10:47am

Hi,

We get almost 99% of our user above TLS 1.2. But when user reach via TLS 1.3 page view ratio is 40-50% more than when user reaches via TLS 1.2.

TLS 1.2 is not that slow to have such a drastic effect on pageview ratio. Is there any known issue in Cloudflare. Can you please check your own stats and see if chrome above 70 version and less than 70 version has different page view ratio in Google Analytics Stats?

Judge · May 16, 2019, 1:06am

This may be a form of “selection bias”, I would bet most crawlers don’t use TLS 1.3 yet, but Chrome updates are fast-tracked so more real users will visit with the newer protocol.

user3011 · May 16, 2019, 1:23am

Thats ok to use TLS 1.2 but do not understand the difference in page view ratio.

eva2000 · May 16, 2019, 1:27am

Have you checked the break down stats for browser user agent vs ssl protocol (TLS 1.2 vs TLS 1.3) as Chrome isn’t the only web browser that now supports TLS 1.2/TLS 1.3 also check breakdown stats for device connection i.e. desktop vs mobile/tablet and your page speed metrics like domcontent loaded and dom interactive and average page load times. You may find that the more pageviews per user ratio are over higher speed connections where page load speed metrics are faster too.

But TLS 1.3 does save 1-RTT round trip time so is faster so faster page views lead to probably more user activity. Also if your origin web server supports TLS 1.3, that’s another 1-RTT saved for CF to origin connections as CF now supports connecting to your origin over TLS 1.3 too if your origin supports TLS 1.3.

user3011 · August 27, 2019, 5:13pm

Hi,

Last I checked Cloudflare does not support TLS 1.3 from Cloudflare to Origin. They are stuck at TLS 1.2.

Enabling TLS 1.3 via Cloudflare does not require your origin web server to support TLS 1.3. Furthermore, Cloudflare does not currently support TLS 1.3 from our edge to origins.

Source - https://support.Cloudflare.com/hc/en-us/articles/227172348-Understanding-TLS-1-3

Cloudflare doesn’t even support HTTP 2 from edge to origin yet.

eva2000 · August 27, 2019, 5:13pm

that article needs updating - paging @cloonan as CF does now speak TLS 1.3 with origins if origin server supports TLS 1.3 final RFC revision https://community.centminmod.com/threads/16795/

from my Nginx logged ssl protocol/cipher stats filtered to exclude known bots I can see all my CF to origin Nginx connections communicating over TLS 1.3

pzcat -f /home/nginx/domains/$domain/log/sslstats-agent-nobots.log* | awk '$6 == '200' {print $5, $1, $2, $7, $8, $9, $10, $17, $18, $19}' | sort | uniq -c | sort -rn | grep -v 'Mozilla\/4.0' | head -n20
    770 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 10.0; Chrome/74.0.3729.131 Safari/537.36 
    369 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 10.0;   
    224 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Macintosh; Intel Mac Gecko) Chrome/74.0.3729.131 Safari/537.36
    204 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (X11; Linux x86_64)   
    175 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 10.0; Chrome/73.0.3683.103 Safari/537.36 
    171 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (compatible; Cloudflare-AlwaysOnline/1.0; +http://www.Cloudflare.com/always-online)   
    150 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 6.1;   
    109 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (X11; Linux x86_64;   
    107 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (X11; Ubuntu; Linux   
     98 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Macintosh; Intel Mac Gecko) Version/12.1 Safari/605.1.15
     91 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 6.1; Chrome/74.0.3729.131 Safari/537.36 
     86 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (iPhone; CPU iPhone AppleWebKit/605.1.15 (KHTML, like
     81 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Macintosh; Intel Mac Gecko) Chrome/73.0.3683.103 Safari/537.36
     72 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Macintosh; Intel Mac   
     71 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 10.0; Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.70
     62 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 6.1)   
     56 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Windows NT 6.3; Chrome/74.0.3729.131 Safari/537.36 
     50 HTTP/1.1 - - Mozilla/5.0 (compatible; Cloudflare-AlwaysOnline/1.0; +http://www.Cloudflare.com/always-online)   
     37 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (X11; Fedora; Linux   
     30 HTTP/1.1 TLSv1.3 TLS_AES_256_GCM_SHA384 Mozilla/5.0 (Linux; Android 9; Mobile Safari/537.36

user3011 · August 27, 2019, 5:13pm

eva2000,

I just ask this from Cloudflare support about 7 days back. They told me that they do not support TLS 1.3 yet from edge to origin.

eva2000 · May 16, 2019, 1:49am

Definitely wrong there as from above post stats you can clearly see when my Nginx server supports TLS 1.3 - which it does https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/, then CF edge speaks to my origin via TLS 1.3

user3011 · May 16, 2019, 1:50am

Does this support HTTP 2 from edge to origin as well?

eva2000 · May 16, 2019, 1:52am

I you can see from my above logged stats no, CF edge to origin is over HTTP/1.1 but supports TLS 1.3 if your origin server supports TLS 1.3 final RFC revision and not the older TLS 1.3 drafts.

system · June 14, 2019, 10:47am

This topic was automatically closed after 30 days. New replies are no longer allowed.