Trouble with mTLS client certificate in Windows

What is the name of the domain?

dbarn.io

What is the error message?

Sorry, you have been blocked

What is the issue you’re encountering?

Cannot pass mTLS rule from Windows or Android

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

  1. CF dashboard > SSL/TLS > Client Certificates > Hosts > enable for mTLS for my domain, then click Create Certificate
  2. Download PEM copy of certificate and private key
  3. CF dashboard > Security > WAF > Custom rules > Create rule >
    (not cf.tls_client_auth.cert_verified and http.request.full_uri wildcard r"https://dbarn.io/protected/*")
  4. In Chrome, go to that protected URL and confirm that I am now blocked, as expected.
  5. Convert PEM copy of certificate and private key to a pkcs12 using openssl:
    openssl pkcs12 -export -out cloudflare-mtls-client-cert.p12 -inkey cloudflare-mtls-client-key.pem -in cloudflare-mtls-client-cert.pem
    Enter password for .p12 file when prompted
  6. On Windows 10 machine, double-click the .p12 file > Certificate Import Wizard
    • Store Location: Current User
    • Enter password to import
    • Import options: Include all extended properties
    • Place all certificates in the following store: Personal
  7. Open Google Chrome. Go to the protected URL
  8. Continue to receive “Sorry, you have been blocked” from Cloudflare, even after Shift+F5 refresh.
  9. Confirm that Chrome can see and has imported the certificate:
    chrome://certificate-manager/clientcerts > View imported certificates from Windows > “Cloudflare” is the only one listed
  10. Now confused what to try next, install the Cloudflare root certificate into trusted authorities:
    • CF dashboard > Zero Trust > Settings > Resources > Cloudflare certificates > Manage > there are 2 listed, select the one marked as “AVAILABLE” and “IN USE” > Download .crt
    • Double-click Cloudflare_CA.crt > Install certificate… > Store Location: Current User > Place all certificates in the following store: Trusted Root Certificate Authorities
  11. Back in Chrome, try again
  12. Same error: “Sorry, you have been blocked”

I am able to successfully access my URL using curl on Windows, and supplying the client certificate on the command line:

curl -v --cert CurrentUser\MY\<thumbprint> https://dbarn.io/protected/

This returns the expected response. So the problem seems to be Chrome and Edge web browsers, which are both still getting blocked by Cloudflare.

You should not do this. This is unsafe.

I don’t get an mTLS prompt when I try to open your site. Can you confirm that your domain is actually on the lists of mTLS hosts?

Ok, I’ve removed this.

Are you saying that even accessing my root domain https://dbarn.io/ should prompt for a certificate, even if I don’t have a WAF rule set up to require one at that path? Have you tried accessing https://dbarn.io/protected/ ? That is the path with the mTLS rule.

This is what it shows in the Client Certificate section of my dashboard. Is there anything more I need to do?

The mTLS prompt should be for the entire hostname. Not selecting one would only block you from the specific page for which you created a rule, though.

Do you see a prompt on test.laudian.de?

No, I don’t get a prompt when I load that website. I tried in both Chrome and Edge.

Do you get a prompt? For either test.laudian.de or dbarn.io/protected?

You only get this prompt if you have a Client Certificate in your truststore. You can also see the page without one, except for test.laudian.de/mtls, for which I have created a block rule.

For dbarn.io/protected, I neither get a prompt nor am I blocked from entering the site.


Sorry, my WAF rule is dumb and actually matches against /protected/ so make sure you have the trailing slash when you try it.

Oh… ok. In that case, I’m not sure what can be learned by us testing against one another’s sites; if we don’t have Client Certificates for each other’s domains then we’re never going to see a prompt, right? Or does this somehow help diagnose whether mTLS has been configured properly?

I thought I’d see the prompt anyway, but apparently I was wrong and the server actually gives a list of accepted certificate authorities, so I wouldn’t see the prompt for your site.

I can actually see that your page requests an mTLS cert via curl:

curl -svo /dev/null https://dbarn.io

...

* TLSv1.3 (IN), TLS handshake, Request CERT (13):
{ [382 bytes data]

...

Are you maybe using a local firewall or something like that that might intercept the TLS handshake? What certificate do you see for your site in your browser?
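A scripted version of the check above, added here as an example and not taken from the thread: it reads an openssl s_client handshake transcript, pulls out the CA names the edge sends in its CertificateRequest (the "list of accepted certificate authorities" mentioned earlier), and compares them with the issuer of the PEM client certificate from step 2. It assumes OpenSSL 1.1.1 or later (whose s_client prints the "Acceptable client certificate CA names" section) and uses only the hostname and file names already in the thread.

```shell
# Added diagnostic, not from the thread: does the edge send a CertificateRequest,
# and is our client certificate's issuer among the CA names it advertises?
# Assumes OpenSSL 1.1.1 or later; run both openssl commands with the same build
# so the distinguished names are printed in the same one-line format.

# Read an `openssl s_client` transcript on stdin and print the advertised
# client-CA distinguished names, one per line (prints nothing if none were sent).
ca_names_from_s_client() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        /^(Client Certificate Types|Requested Signature Algorithms|No client certificate CA names|---)/ { grab = 0 }
        grab && NF { print }
    '
}

# Exit 0 if the issuer DN in $1 (as printed by `openssl x509 -noout -issuer`,
# with or without the "issuer=" prefix) exactly matches one advertised CA name.
issuer_accepted() {
    want="${1#issuer=}"
    ca_names_from_s_client | grep -Fxq -- "$want"
}

# Live check against a hostname and the PEM client certificate you imported.
# Usage: check_host dbarn.io cloudflare-mtls-client-cert.pem
check_host() {
    host="$1"; cert="$2"
    transcript="$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null)"
    issuer="$(openssl x509 -in "$cert" -noout -issuer)"
    if ! printf '%s\n' "$transcript" | grep -q '^Acceptable client certificate CA names'; then
        echo "no CA names in the handshake: either no CertificateRequest (mTLS not enabled for $host) or an empty CA list"
        return 1
    fi
    if printf '%s\n' "$transcript" | issuer_accepted "$issuer"; then
        echo "OK: $issuer is accepted by $host"
    else
        echo "MISMATCH: $issuer is not in the CA list sent by $host:"
        printf '%s\n' "$transcript" | ca_names_from_s_client
        return 2
    fi
}
```

If the issuer is missing from the list, the browser has no certificate it is allowed to offer and never shows the picker, which is consistent with the silent block seen in steps 8 and 12.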
