Turn off SNI?

@cloonan The ticket number is 1717603. Thanks in advance!

Perfect, thank you. I see the ticket and will add myself to it.

Edit - I see the certificate on the origin and don’t see an issue that would cause it to lower priority.

Their Dedicated certificate is gone now. All that’s left is Universal. And it’s still forcing SNI. On a Pro Plan…right? According to an earlier post…

I think I know the solution!

Some time ago Cloudflare started enabling free certificates with only the actual domain name of the user; he is using that certificate pipeline and it doesn’t issue for, or at least doesn’t publicly support, non-SNI browsers. My website on the Pro plan on that pipeline suffers the same.

My business domain, on the same pipeline (or the same concept due to the next part of this paragraph) has an ssl*.Cloudflaressl.com Common Name on the cert as opposed to sni.Cloudflaressl.com. That supports SNI on the Universal cert.

@cloonan you know my domains and have access to my account, can you check internally?

Support answer:
… you will need to upgrade to a Business plan and upload your own certificate to support non-SNI client …

But that is not correct. I have a Business website, agreed, but the Universal one works fine without SNI.

It sounds like the No-SNI party is over for Paid Plans that get new certificates.

Yeah, they should update the pricing page…

Although support is at >99%…

https://caniuse.com/#feat=sni

@cloonan I’m kinda upset, because I’ve just upgraded to a Pro plan (which we planned to do anyway, but…) which states support for “All browsers” in the features list, and we still get bug reports from customers with Chrome on Windows XP.
Do I understand correctly from the discussion that this system+browser combo is not supported anymore by Universal certificates and also not even by Dedicated certificates? The only way is to upload a Custom certificate (which is not auto-renewed by Cloudflare)?

The “no SNI” compatibility is tied to having a dedicated IP that specifically serves your certificate.

Windows XP had its EOL - end of life - in 2014. It’s a little silly to still worry about support for it when Microsoft themselves don’t push out updates anymore for it. If your customers are still on XP, it’s probably safe to say their machines are already infected with just how insecure it is. Not supporting XP may be saving you from having to deal with compromised accounts or sensitive account information being sent off to malicious actors.


@Judge: It’s safe to say that members/developers on this Cloudflare forum are aware of the state of Windows XP. Unfortunately, however, we have clients that use Windows XP, and we are losing money because of this issue. So we need to support it.

Our website is facing the same issue: we signed up 2 weeks ago to Cloudflare (with a Pro plan) and straight away Windows XP / Chrome users are complaining that they can’t get through to our site.

Can anyone confirm if switching to the business plan will fix this issue?

I just checked with Support, no way to enable it anymore unless you update to Business and upload a custom certificate that supports it and renew it manually. The new SSL pipeline for newly on-boarded and renewed domains doesn’t support it anymore.

I don’t know if maybe dedicated certificates (maybe only on business plans) do support it, don’t have any to test on unfortunately, but I doubt that.

Thanks for the reply @matteo. I submitted a support ticket a couple of minutes ago asking the same.

Pretty annoying that their website clearly states Pro plans support all browsers:

Yeah, this was a really recent change and for not all websites yet. Maybe @cloonan can get that fixed… Also SNI support is >99.95% for JS enabled browsers.

Also Chrome on XP supports it, Firefox too, Opera as well. It’s just IE that doesn’t.


Interesting response from Cloudflare support. They replied that we need to disable IPv6, and then Windows XP should start working. I’ll be able to test on the Windows XP virtual machine that we have in a few hours.

Here’s the response they gave, in case someone can test it before me:

Windows XP does not have IPv6 compatibility, which is likely why you are seeing these issues. The majority of the errors that we are seeing reported in our 1% log sample of errors are from IPv6 addresses. You can disable this through our Cloudflare API documented in our support KB here: https://support.cloudflare.com/hc/en-us/articles/200168746-How-do-I-turn-the-Cloudflare-IPv6-gateway-on-or-off-

Well, that is a different issue that only they can see… it could be, but also why would there be a problem with IPv6 if it doesn’t support it? It shouldn’t really connect at all and not even get an IP. Maybe just try it, it won’t be too hard to try.

Well, the IPv6 issue didn’t fix anything. After a bit of back and forth, support has just confirmed that they no longer support WinXP IE8 & Chrome browsers, due to the cipher issue we are having, which is different to the issue in this thread:

And in turn they also confirmed they will not be fixing the SNI issue either.

So their advertising of ‘All browsers supported’ for security on pro plans is complete bullsh*t.

:frowning:

I’d understand if other sites didn’t support these browsers, but unfortunately 99% of websites work on WinXP / Chrome. Google, Microsoft, Facebook, Shopify, Amazon, eBay, Cloudflare’s homepage, etc… all work. Really annoying considering the amount of development time we spent writing Cloudflare Workers to get this integration working, and now we have to look at other options.

Final edit: Support’s reply on fixing this is as follows:

Uploading your own certificate still supports non SNI requests at this time and this feature is available for Business plan domains.

As I expected above. The issue isn’t IPv6, in this specific case. There may be an issue there for IPv6 as well, but not for XP.

I can understand the frustration, but again, Chrome on Windows XP supports SNI. The only browsers that don’t are Safari (all versions that run on XP) and, of course, Internet Explorer (6, 7 and 8). Chrome on XP supports even HTTP/2 according to SSLLabs.

Also I know that my Business website works without SNI, even on the new pipeline. The Free and Pro plans don’t. I have other issues connecting because I force TLS 1.2 or above, but that is another thing.

Same reply I got. I may believe after the additional tests I just did that maybe the custom upload isn’t needed.
