WebSockets proxy not working for 4th level domains

Hi all,

I’m experiencing a weird SSL/TLS handshake failure issue when using CloudFlare as a reverse proxy for my WebSockets server.

I’ve got websocat/laravel-websockets services running on AWS EC2 behind AWS Elastic Load Balancing, which helps handle SSL/TLS. After adding the ELB to CloudFlare with reverse proxy turned on, the entire traffic flow looks like:

client -(WebSockets)-> CloudFlare -(WebSockets)-> AWS ELB -(WebSocket)-> EC2
               project.example.com:8443  project.elb.amazonaws.com:8443  X.X.X.X

Everything worked smoothly until I I tried to change project.example.com to ws.project.example.com and it started throwing SSL handshake failures.

$ websocat wss://ws.project.example.com
websocat: WebSocketError: TLS failure
websocat: error running

$ curl -lk https://project.example.com:8443
Only WebSocket connections are welcome here

$ curl -lkv https://ws.project.example.com:8443
* Rebuilt URL to: https://ws.project.example.com:8443/
*   Trying 104.27.X.X...
* Connected to ws.project.example.com (104.27.X.X) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

I’m using ‘Full’ SSL setting in CloudFlare so the certificate in ELB shouldn’t be a problem (it’s issued to project.example.com FYI) and actually I can have whatever.example.com pointed to project.elb.amazonaws.com in CloudFlare to make WebSockets work without any hiccups. However, whenever I switch to a 4th level domain, i.e. foo.project.example.com, it starts to give me handshake failures.

To make things even weirder, I can actually tweak WebSocket proxy to work by adding a page rule:

ws.project.example.com:8080/*    SSL: Off

and forward project.elb.amazonaws.com:8080 to my EC2 as well.

I wonder whether there’s some sort of limitation in CloudFlare which restricts WebSockets proxy to 3rd (and 2nd?) level domains?

Please help. Thanks.

It is not websocket related. Cloudflare’s certificates do not support anything more than one level down the actual domain. If you want to cover such hostnames you will need to purchase a $10/month dedicated certificate from Cloudflare, where you can define such hostnames.

1 Like

Ah, thanks, didn’t know about that.

And for googlers who’ve got here: it’s documented in section ‘Hostname coverage’ of https://support.cloudflare.com/hc/en-us/articles/204151138#h_408802647171549663799400

1 Like