I have a monitoring job designed to inform me if Cloudflare changes its TLS protocols and ciphers.
I use the following command ‘nmap --script ssl-enum-ciphers -p 443 site.domain.com’
The results of this command have historically returned TLS1.3 ciphers. But beginning Monday morning, the command frequently does not include any TLS1.3 ciphers.
Might there be some Cloudflare resources that are not serving TLS1.3 and my script is finding those resources periodically?
I’m not sure if this will tell us anything interesting, but do you get the same results if you use an online tool like ssllabs.com?
I have run SSL labs a few times, and it does indicate that TLS1.3 ciphers are being offered. Just like most of my nmap commands do. The ‘issue’ is sporatic and does not always come back without any TLS1.3 responses.
I’m not able to reproduce it here… But given that it is intermittent we can probably rule out configuration on your site specifically, and it is entirely possible I haven’t checked enough or haven’t otherwise triggered the right conditions.
It does cross my mind that since this is not disruptive to most users, I wonder if Cloudflare is testing something and have intentionally configured some subset of servers (or some percentage of connections) to respond differently?
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.