Using TLS 1.3 between Cloudflare and the origin server

tls

#1

Hello everyone,

A friend of mine has a server that supports the final version of TLS 1.3. The problem is that Cloudflare doesn’t support it yet, so we’d like to know if that’s going to change soon?

This question is specifically to do with Cloudflare communicating with origin servers and not the options found in Cloudflare’s dashboard.

Thanks.


#2

I doubt it will change anytime soon, since TLS 1.3 just got ratified a month ago. Considering Cloudflare doesn’t even use HTTP/2 to the origin, I bet it’ll be a while.

I suspect Cloudflare goes with the latest fully-adopted protocol(s) when connecting to the origin. Otherwise, they’ll have to tailor each connection per domain, with strong potential for things to break because many customers won’t know which protocol(s) their origin server supports.


#3

Cloudflare’s making some changes in June but there’s no mention of TLS 1.3 being upgraded.

There’s a reason they don’t use HTTP/2, but TLS 1.3 makes sense. BoringSSL and OpenSSL both support the final version and Cloudflare’s normally quick to adopt things like this.

When Cloudflare added support for TLS 1.3 you needed to use Firefox Nightly. If you do that now then you’ll be reverted to TLS 1.2 because Firefox Nightly and the developer builds already support the final version of TLS 1.3.


#4

This is only related to their Dashboard TLS version support. There are no changes to users’ domains in any way.


#5

I know, but it’s a significant change and browsers are already starting to support the final version of TLS 1.3.

You said that there’s a potential for things to break, but that isn’t true. You can’t break something by adding “TLSv1.3” to a single line of a config. For example, with Nginx you’d use “ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;”.
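As an added example (not part of this thread): a small Python lint for the Nginx `ssl_protocols` directive quoted above. It reports, per directive, whether TLSv1.3 is enabled and which legacy versions (TLSv1/TLSv1.1) are still on, since appending a token enables 1.3 without switching anything else off. The config text and server names are constructed for the example.

```python
import re

# Matches each active "ssl_protocols ...;" directive (http or server scope).
DIRECTIVE_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # versions with known weaknesses


def strip_comments(config_text: str) -> str:
    """Remove '#' comments so a commented-out directive is not counted."""
    return re.sub(r"#[^\n]*", "", config_text)


def parse_ssl_protocols(config_text: str) -> list[list[str]]:
    """Return the protocol tokens of every active ssl_protocols directive, in file order."""
    return [body.split() for body in DIRECTIVE_RE.findall(strip_comments(config_text))]


def assess(protocols: list[str]) -> dict:
    """Classify one directive: is TLS 1.3 on, and which legacy versions remain enabled?"""
    return {
        "tls13": "TLSv1.3" in protocols,
        "legacy": [p for p in LEGACY if p in protocols],
    }


def lint(config_text: str) -> list[str]:
    """One finding line per directive found in the config text."""
    findings = []
    for n, protos in enumerate(parse_ssl_protocols(config_text), start=1):
        a = assess(protos)
        msg = f"directive {n}: {' '.join(protos)} -> TLS 1.3 {'enabled' if a['tls13'] else 'missing'}"
        if a["legacy"]:
            msg += f"; legacy versions still enabled: {', '.join(a['legacy'])}"
        findings.append(msg)
    return findings


# Constructed sample: the line from the post above in one server block, a hardened one beside it.
SAMPLE_CONFIG = """
http {
    ssl_protocols TLSv1.2;            # http-level default (constructed)
    server {
        server_name legacy.example;   # hypothetical name
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    }
    server {
        server_name hardened.example; # hypothetical name
        # ssl_protocols TLSv1 TLSv1.1;  commented out, must be ignored
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
"""

if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print(line)
```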


#6

That was @sdayman, but it could still be true, because those are backend connections: they can highly optimize one single type of connection. Plus, TLSv1.2 is the standard now; there is no service/server that supports TLSv1.3 but doesn’t support TLSv1.2.


#7

Oops! My bad.

I don’t know how the Cloudflare backend works, but I know that TLS 1.3 is faster than TLS 1.2 even with various optimizations applied. It’s obviously not a standard yet, but that didn’t stop Cloudflare from supporting the early TLS 1.3 drafts.


#8

No worries!

I believe the user-facing support is to speed up adoption and allow testing things out while improving connection speed for users; on the backend it’s a different story. In addition, TLSv1.3 is supported only on HTTP/2, which is not supported on that side.


#9

Yeah, that was me, and not the best thought out response. HTTP 1.1 and TLS 1.2 simplify the connection issues they may face.

That being said, I do wish they’d use HTTP/2 and TLS 1.3 to my origin. It should make connections quicker and more robust.


#10

If they even just switched on HTTP/2 they could request all resources in parallel, in which case the TLS would be done just once.


#11

That’s exactly why we’re asking about it. When it’s supported it’s going to make secure websites even faster.

I know that Cloudflare uses BoringSSL in their backend and that BoringSSL already supports the final version of TLS 1.3 and an older draft. I guess it’s not as simple as editing their config files though :)


#12

Yeah, they would have to test and deploy it, while porting all of the features to it…


#13

Cloudflare works with TLS 1.3 in experimental mode, but most browsers do not use TLS 1.3 by default. In my tests only Chrome for Android does this by default; however, it is possible to enable TLS 1.3 in the browser with the guide at that link.


#14

You are talking about user <-> Cloudflare, we were talking about Cloudflare <-> Origin…


#15

This topic was automatically closed after 14 days. New replies are no longer allowed.