TLS 1.3 from browser to edge

I think I know the answer to this, but I thought I would check in case there is some way to do what I want…

I have a particular origin that only supports TLS 1.2.

Ideally, I want to have the browser-to-edge connection enforce TLS 1.3.
I would then want to have the edge-to-origin connection established with the best provided by the origin, in this case TLS 1.2.

Are there any solutions to this?

IIRC you don’t control the SSL connections between Cloudflare and your origin.

You would be able to set the minimum TLS version to TLS 1.3 and that would require all visitors use it.

Hm, doesn’t Cloudflare send a cipher list to the origin? And if they match your origin’s ones, for example if you allow only “medium” ones for TLS 1.2 (not lower than that, but also higher, up to TLS 1.3) or only “higher” TLS 1.3, I think it uses and respects that kind of TLS version connection?

Tricky one to set and restrict your visitors only to TLS v1.3, but if really needed, okay.

Therefore, in Cloudflare there is an option to support TLS v1.3 (if, for example, the minimum is set to TLS v1.2) for the end visitors, if their Web browser supports it.

Else you would get some error about cipher not supported / not matching, if I remember.

Could be I am wrong about it.

Either way, about TLS v1.3, I believe it is applicable for TLS v1.2 too:

Similar to or exactly your case here, where the origin is at TLS v1.2 while the Edge is at TLS v1.3:

Since my origin only supports TLS 1.2, setting the minimum TLS version to TLS 1.3 results in the browser failing to establish a connection.

May I ask which Web browser you are using, and which version? Also, does it support TLS v1.3?

It is not recommended to set the minimum TLS to 1.3, unless there is a specific use case, as this will likely cause issues with search engine crawlers and certain browsers.

Exactly as:

See the link below for more information:

@fritex, you have confirmed most of the things I was able to research on my own.

I didn’t know about the ability to restrict cipher suites. Unfortunately, I only have a Pro subscription so that feature is not available to me.

I have been testing with versions of Chrome and Safari browsers that are all TLS 1.3 capable.

Anyway, I think my suspicions have been confirmed… the TLS version must be supported end-to-end, from the client all the way to the origin.

This is not true.

There are two separate connections involved here, and each is negotiated separately. In a standard proxy configuration, the two connections can be totally different.

In my case, I have TLSv1.3 enabled and the minimum version set to v1.2. My origin only supports TLS 1.2.

The majority of my traffic is TLS 1.3, and my origin doesn’t even know or care.

You are aware that this will cut off a large number of standard users, and at present there is no known security issue with TLS 1.2.

Not sure this needs a solution. Configure your Origin with whatever TLS settings you like, provided they are compatible with Cloudflare. Then configure the Cloudflare edge to set the minimum TLS to whatever you need.

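An added example, not code from any of the posters above, that shows the point made in the reply about the two legs being negotiated independently. It starts two local stand-in servers, one that speaks only TLS 1.2 (the origin) and one that speaks only TLS 1.3 (the edge), and probes each with a client pinned to a single protocol version. The same probe() function works unchanged against real hosts: the names origin.example.com and the idea of probing an origin IP with an explicit server_hostname are assumptions for illustration, and the script assumes the openssl command-line tool is on PATH to mint a throwaway self-signed certificate.

```python
"""Probe which TLS versions a TLS endpoint accepts, one version at a time.

Added example (not from the thread). Stands up a fake origin (TLS 1.2 only)
and a fake edge (TLS 1.3 only) on 127.0.0.1 and probes each separately.
Assumes the `openssl` CLI is on PATH for the throwaway self-signed cert.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Maps the string SSLSocket.version() reports to the TLSVersion enum.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, server_hostname=None, timeout=5.0):
    """Return {version name: handshake succeeded} for each version in VERSIONS.

    Each attempt pins the client to exactly one protocol version, so the
    handshake succeeds only if the server is willing to speak that version.
    """
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # probing support, not validating the chain
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


def start_tls_server(certfile, keyfile, min_version, max_version):
    """Start a throwaway TLS server on 127.0.0.1 that only speaks [min, max]."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    listener = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:              # listener closed by the caller
                return
            try:
                # wrap_socket() runs the handshake; a client pinned to a version
                # outside [min, max] fails right here with a protocol alert.
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)          # block until the client closes
            except (ssl.SSLError, OSError):
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener


def make_self_signed_cert(directory):
    """Mint a throwaway RSA cert for CN=localhost via the openssl CLI (assumed on PATH)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def run_demo():
    """Stand-in origin (TLS 1.2 only) and edge (TLS 1.3 only), probed separately."""
    workdir = tempfile.mkdtemp()
    try:
        cert, key = make_self_signed_cert(workdir)
        origin = start_tls_server(cert, key, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
        edge = start_tls_server(cert, key, ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3)
        try:
            return {
                "origin": probe("127.0.0.1", origin.getsockname()[1], server_hostname="localhost"),
                "edge": probe("127.0.0.1", edge.getsockname()[1], server_hostname="localhost"),
            }
        finally:
            origin.close()
            edge.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for leg, result in run_demo().items():
        print(leg, result)
```

Against a live setup the two legs are checked the same way: probe("www.example.com", 443) resolves to the edge and should report only the versions the edge's minimum allows, while probe("203.0.113.10", 443, server_hostname="origin.example.com") (placeholder IP and name) goes straight to the origin and should report TLSv1.2 only. Seeing TLSv1.3 on the first and not the second is exactly the client-to-edge 1.3 / edge-to-origin 1.2 split the thread ends up with; if the direct origin probe succeeds without the proxy in front of it, that is also a reminder to restrict origin access to the edge's IP ranges or use an origin certificate scheme.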

@michael, you are right!

After reading your post I re-examined my configuration and found an issue around my naming of the DNS entry for the origin that meant I was not getting the benefit of Universal SSL (my subdomain had too many levels).

Once I made the DNS name a single level subdomain, the TLS 1.3 connections to my origin worked as I wanted.

I now successfully get client-to-edge TLS 1.3 and edge-to-origin TLS 1.2.

Thanks so much.

