I’m experiencing a weird SSL/TLS handshake failure issue when using CloudFlare as a reverse proxy for my WebSockets server.
I’ve got websocat/laravel-websockets services running on AWS EC2 behind AWS Elastic Load Balancing, which helps handle SSL/TLS. After adding the ELB to CloudFlare with reverse proxy turned on, the entire traffic flow looks like:
client -(WebSockets)-> CloudFlare -(WebSockets)-> AWS ELB -(WebSocket)-> EC2 project.example.com:8443 project.elb.amazonaws.com:8443 X.X.X.X
Everything worked smoothly until I I tried to change
ws.project.example.com and it started throwing SSL handshake failures.
$ websocat wss://ws.project.example.com websocat: WebSocketError: TLS failure websocat: error running $ curl -lk https://project.example.com:8443 Only WebSocket connections are welcome here $ curl -lkv https://ws.project.example.com:8443 * Rebuilt URL to: https://ws.project.example.com:8443/ * Trying 104.27.X.X... * TCP_NODELAY set * Connected to ws.project.example.com (104.27.X.X) port 8443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS alert, Server hello (2): * error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure * stopped the pause stream! * Closing connection 0 curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
I’m using ‘Full’ SSL setting in CloudFlare so the certificate in ELB shouldn’t be a problem (it’s issued to
project.example.com FYI) and actually I can have
whatever.example.com pointed to
project.elb.amazonaws.com in CloudFlare to make WebSockets work without any hiccups. However, whenever I switch to a 4th level domain, i.e.
foo.project.example.com, it starts to give me handshake failures.
To make things even weirder, I can actually tweak WebSocket proxy to work by adding a page rule:
ws.project.example.com:8080/* SSL: Off
project.elb.amazonaws.com:8080 to my EC2 as well.
I wonder whether there’s some sort of limitation in CloudFlare which restricts WebSockets proxy to 3rd (and 2nd?) level domains?
Please help. Thanks.