[SSL] [Cloudflare] Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 6, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    53,209
    12,113
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,649
    Local Time:
    8:20 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication



    Cloudflare just announced they have officially enabled HTTPS TLS v1.3 backend origin communication with origin web servers which have HTTP/2 HTTPS TLS 1.3 enabled, i.e. Cloudflare Strict SSL mode. Prior to this announcement, Cloudflare edge servers would communicate with your site's origin web server (Centmin Mod Nginx) using TLS 1.2 even if your origin web server supported TLS 1.3. Now with this change, you can speed up your page load speeds slightly, as TLS 1.3 saves one round trip time (RTT) on the connection :)


    Centmin Mod 123.09beta01 and newer Nginx builds support HTTP/2 HTTPS TLS 1.3 out of the box now via either OpenSSL 1.1.1 branch (default) or optionally via BoringSSL. Details at Centmin Mod Nginx HTTP/2 HTTPS TLS 1.3 Support. So when you create a new Nginx HTTP/2 HTTPS site with Centmin Mod Nginx, it automatically now has TLS 1.3 enabled :)

    I can verify that Cloudflare is communicating with my Centmin Mod Nginx origin servers over the TLS 1.3 protocol now, using the custom Cloudflare nginx logging I set up on my servers behind Cloudflare.

    For my cfssl-access.log log I can see TLS v1.3 being used for the connection now, with the TLS_AES_256_GCM_SHA384 SSL cipher.
    Code (Text):
    tail -1 cfssl-access.log
    
    54.36.148.175 - - [05/Mar/2019:21:32:04 +0000] GET /threads/gcc-7-3-1-update.14858/ HTTP/1.1 "200" 97042 "-" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" "54.36.148.175" "-" "421824" "1" "0.400" 4b2f334b8bfb9cb3-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
    


    Looking through my cfssl-access rotated logs, the earliest sighting for TLSv1.3 communication between Cloudflare and my origin was on February 26th, 2019
    Code (Text):
    pzcat -f cfssl-access.log-* | grep 'TLSv1.3' | head -n1
    52.53.xxx.xxx - - [26/Feb/2019:06:12:33 +0000] GET / HTTP/1.1 "200" 114552 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-" "-" "1080738" "1" "0.100" - TLSv1.3 TLS_AES_256_GCM_SHA384
    

    The server runs in the UTC timezone - my mytimes output:
    Code (Text):
    mytimes
    Thu Mar  7 12:22:07 UTC 2019    [UTC]
    Thu Mar  7 22:22:07 AEST 2019   [Australia/Brisbane]
    Thu Mar  7 04:22:07 PST 2019    [America/Los_Angeles]
    Thu Mar  7 06:22:07 CST 2019    [America/Chicago]
    Thu Mar  7 07:22:07 EST 2019    [America/New_York]
    Thu Mar  7 12:22:07 GMT 2019    [Europe/London]
    

    TLS protocol and cipher stats - TLSv1.3 is starting to show up using ssl cipher, TLS_AES_256_GCM_SHA384 :D
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    299930  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    191033  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    173484  TLSv1.3  TLS_AES_256_GCM_SHA384
    43      -        -
    35      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    

    Been waiting for ages for TLS 1.3 support on origin connections with Cloudflare, so glad to finally see it happen. Though, TLS 1.3 0-RTT early data will not be supported.
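    As an added example (my own code, not from this thread or from Centmin Mod), here are POSIX shell helpers that generalise the pzcat/awk pipeline above. They assume the custom cfssl-access.log format quoted in this post (cf-ray id, $ssl_protocol and $ssl_cipher as the last three whitespace-separated fields, standard access-log timestamp in field 4), read plain or gzip-compressed rotated logs, sort by the parsed timestamp so the "earliest sighting" does not depend on the shell's glob order of rotated files, and list any connections that negotiated TLS 1.0 or 1.1 (the stray TLSv1/TLSv1.1 lines that show up in the later stats in this thread). The sample log lines are constructed, with documentation-range IPs and placeholder ray ids.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod: helpers for a
# cfssl-access.log whose last three fields are cf-ray, $ssl_protocol and
# $ssl_cipher, as in the lines quoted above.
# Assumptions: rotated logs are plain or gzip-compressed (*.gz), and field 4 is
# the usual "[dd/Mon/yyyy:HH:MM:SS" access-log timestamp.

# Concatenate plain and gzipped logs in the order given (like pzcat -f).
read_logs() {
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done
}

# Count connections per (protocol, cipher) pair, busiest first.
tls_summary() {
  read_logs "$@" | awk '{ print $(NF-1), $NF }' | sort | uniq -c | sort -rn
}

# Earliest timestamp (yyyy-mm-ddTHH:MM:SS) at which PROTO appears. Unlike
# "grep | head -n1", this sorts by time, so the order of rotated files is irrelevant.
tls_first_seen() {
  proto=$1; shift
  read_logs "$@" | awk -v p="$proto" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i) }
    $(NF-1) == p {
      split(substr($4, 2), t, "[/:]")   # drop "[" then split dd/Mon/yyyy:HH:MM:SS
      printf "%s-%s-%sT%s:%s:%s\n", t[3], mon[t[2]], t[1], t[4], t[5], t[6]
    }' | sort | head -n 1
}

# Connections that negotiated TLS 1.0 or 1.1:
# client IP, timestamp, cf-ray, protocol, cipher.
tls_legacy() {
  read_logs "$@" | awk '$(NF-1) ~ /^TLSv1(\.1)?$/ {
    print $1, $4, $5, $(NF-2), $(NF-1), $NF }'
}

# Constructed sample log (not real traffic), deliberately out of chronological order.
SAMPLE_LOG=${TMPDIR:-/tmp}/cfssl-access.sample.$$.log
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [05/Mar/2019:21:32:04 +0000] GET / HTTP/1.1 "200" 97042 "-" "Mozilla/5.0 (constructed)" "192.0.2.10" "-" "421824" "1" "0.400" 0000000000000001-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
192.0.2.11 - - [26/Feb/2019:06:12:33 +0000] GET / HTTP/1.1 "200" 114552 "-" "Mozilla/5.0 (constructed)" "-" "-" "1080738" "1" "0.100" - TLSv1.3 TLS_AES_256_GCM_SHA384
192.0.2.12 - - [01/Mar/2019:10:00:00 +0000] GET /a HTTP/1.1 "200" 512 "-" "Mozilla/5.0 (constructed)" "-" "-" "1" "1" "0.010" 0000000000000002-SIN TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
192.0.2.13 - - [02/Mar/2019:11:00:00 +0000] GET /b HTTP/1.1 "200" 512 "-" "Mozilla/5.0 (constructed)" "-" "-" "1" "1" "0.010" 0000000000000003-LAX TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
192.0.2.14 - - [03/Mar/2019:12:00:00 +0000] GET /c HTTP/1.1 "200" 512 "-" "Mozilla/5.0 (constructed)" "-" "-" "1" "1" "0.010" 0000000000000004-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
198.51.100.7 - - [04/Mar/2019:13:00:00 +0000] GET /d HTTP/1.1 "200" 512 "-" "Mozilla/5.0 (constructed)" "-" "-" "1" "1" "0.010" - TLSv1.1 ECDHE-ECDSA-AES128-SHA
198.51.100.8 - - [04/Mar/2019:13:05:00 +0000] GET /e HTTP/1.1 "200" 512 "-" "Mozilla/5.0 (constructed)" "-" "-" "1" "1" "0.010" - - -
EOF

echo "== protocol / cipher summary ==";   tls_summary "$SAMPLE_LOG"
echo "== first TLSv1.3 sighting ==";      tls_first_seen TLSv1.3 "$SAMPLE_LOG"
echo "== pre-TLS-1.2 connections ==";     tls_legacy "$SAMPLE_LOG"
```

    Against real logs, call e.g. `tls_summary cfssl-access.log cfssl-access.log-*`; the thread's `grep -v 'SERVER_IP'` filter can be put in front of the awk in `tls_summary` if you need it. Anything `tls_legacy` reports is worth checking against the origin's `ssl_protocols` directive and against whether the client IP is actually a Cloudflare edge address, since a line that did not come through Cloudflare means something reached the origin directly.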
     
  2. eva2000

    eva2000 Administrator Staff Member

  3. negative

    negative Active Member

  4. eva2000

    eva2000 Administrator Staff Member

    That issue was with your visitors' anti-virus software at the time not supporting the final TLS 1.3 RFC version and only supporting older TLS 1.3 drafts. Those anti-virus companies should have updated their software to support the final TLS 1.3 RFC version by now. But if they haven't updated, then your visitors will still have issues. But if your Centmin Mod Nginx origin has HTTP/2 HTTPS TLS 1.3, then Cloudflare can talk to your Centmin Mod via TLS 1.3 while visitors talk to Cloudflare with TLS 1.2 (if CF TLS 1.3 is disabled on the frontend).
     
  5. negative

    negative Active Member

    Yes, my configuration supports TLS 1.3
    Code (Text):
    [12:00][root@server log]# nginx -V
    nginx version: nginx/1.15.8 (291218-011710)
    built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
    built with OpenSSL 1.1.1a  20 Nov 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=291218-011710 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1a --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'


    However, I think it was not related to the antivirus software @eva2000, because I've tried disabling the antivirus software completely, also Windows Firewall etc., but the issue was still the same. I could only fix the problem by disabling TLS 1.3 support in the Cloudflare panel.
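    An added check (example code of mine, not negative's or Centmin Mod's) for the question this post answers from `nginx -V` output: it parses the nginx and OpenSSL versions out of text like the one quoted above and requires nginx 1.13.0 or later (where `ssl_protocols` gained the TLSv1.3 parameter) built with OpenSSL 1.1.1 or later, and separately checks that a vhost's `ssl_protocols` directive actually lists TLSv1.3, since a capable build alone does not mean the site negotiates it. The "old" build text and the config fragments are constructed; a build against BoringSSL (the other option mentioned in this thread) prints a different line and is not handled.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod.
# Assumptions: OpenSSL builds only (BoringSSL prints a different "built with" line);
# minimums are nginx 1.13.0 and OpenSSL 1.1.1.

# ver_ge A B: succeed if dotted version A >= B (missing components count as 0).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = x[i] + 0; bi = y[i] + 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0 }'
}

# nginx_tls13_capable "$(nginx -V 2>&1)": succeed if the build can serve TLS 1.3.
# Returns 2 if either version line is missing from the text.
nginx_tls13_capable() {
  ngx=$(printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p' | head -n 1)
  ssl=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$ngx" ] && [ -n "$ssl" ] || return 2
  ver_ge "$ngx" 1.13.0 && ver_ge "$ssl" 1.1.1
}

# conf_enables_tls13 "$(cat vhost.conf)": succeed if an uncommented
# ssl_protocols directive lists TLSv1.3.
conf_enables_tls13() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl_protocols[^;#]*TLSv1\.3'
}

# Sample inputs. The first is the build quoted in this thread; the rest are constructed.
NGINX_V_OK='nginx version: nginx/1.15.8 (291218-011710)
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
built with OpenSSL 1.1.1a  20 Nov 2018
TLS SNI support enabled'
NGINX_V_OLD='nginx version: nginx/1.10.3
built with OpenSSL 1.0.2k  26 Jan 2017
TLS SNI support enabled'
CONF_OK='    ssl_protocols TLSv1.2 TLSv1.3;'
CONF_OLD='    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols TLSv1.2 TLSv1.3;'

for v in "$NGINX_V_OK" "$NGINX_V_OLD"; do
  if nginx_tls13_capable "$v"; then echo "build OK for TLS 1.3"; else echo "build cannot do TLS 1.3"; fi
done
for c in "$CONF_OK" "$CONF_OLD"; do
  if conf_enables_tls13 "$c"; then echo "vhost enables TLSv1.3"; else echo "vhost does not list TLSv1.3"; fi
done
```

    On a live box, run `nginx_tls13_capable "$(nginx -V 2>&1)"` and `conf_enables_tls13 "$(cat /usr/local/nginx/conf/conf.d/yourdomain.ssl.conf)"` (path is an assumption) to get both answers with exit codes you can script on.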
     
  6. eva2000

    eva2000 Administrator Staff Member

    But do you have problems on this forum? As I have Cloudflare with TLS 1.3 here too :)
     
  7. negative

    negative Active Member

    Didn't try.

    Actually, I have never seen any problem on any website on my Mac (Chrome, Safari, Firefox etc.)
    But my friend's computer was Windows 7 and I tried both Chrome and Explorer before, so it was a problem when TLS 1.3 was enabled on Cloudflare.

    I've enabled TLS 1.3 now and will try as soon as possible.

    Thanks
     
  8. eva2000

    eva2000 Administrator Staff Member

  9. Matt

    Matt Well-Known Member

    Not working with Railgun yet. I've tested by disabling it and get TLS 1.3 from Cloudflare, but enabling Railgun only presents TLS 1.2.
     
  10. eva2000

    eva2000 Administrator Staff Member

    Interesting, might explain why my nginx origin logs show mix of TLSv1.3 and TLSv1.2 connections from Cloudflare as I also have Cloudflare Railgun enabled :) Railgun only applies to uncacheable requests.
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    250241  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    246797  TLSv1.3  TLS_AES_256_GCM_SHA384
    185128  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    45      -        -
    37      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    1       TLSv1    ECDHE-ECDSA-AES128-SHA
    1       TLSv1.1  ECDHE-ECDSA-AES128-SHA
    
     
  11. eva2000

    eva2000 Administrator Staff Member

    Latest stats show TLS v1.3 communication has increased to the largest share of TLS protocols for Cloudflare to origin Nginx connections :cool:
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    263331  TLSv1.3  TLS_AES_256_GCM_SHA384
    169944  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    159605  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    359     -        -
    66      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    3       TLSv1    ECDHE-ECDSA-AES128-SHA
    3       TLSv1.1  ECDHE-ECDSA-AES128-SHA
    
     
  12. jeparamedia

    jeparamedia Member

    I don't have this log:
    command: tail -1 cfssl-access.log

    result:
    tail: cannot open ‘cfssl-access.log’ for reading: No such file or directory

    ==========================

    I used the latest CMM with the Let's Encrypt install and it's working.
    Now I have added my site jeparamedia.com in CF with SSL Full.

    Btw, I have some websites all in CF with SSL Flexible
    (server: on my EasyEngine server, default site HTTP WordPress)

    What is the best way to install WP in the 22 menu with Let's Encrypt?
    1. My site is already put in CF with Flexible SSL, then I install WP?
    or
    2. My site is in dns.he.net, then I install with the 22 menu + Let's Encrypt, and after that is done I add it to CF with Full SSL?

    Thank you
     
  13. eva2000

    eva2000 Administrator Staff Member

    You need to configure that extra logging via https://community.centminmod.com/threads/cloudflare-custom-nginx-logging.14790/
    For that, start a new thread in the forum at https://community.centminmod.com/forums/domains-dns-email-ssl-certificates.44/
     
  14. jeparamedia

    jeparamedia Member

  15. Alex Morco

    Alex Morco New Member

    Configuring HTTPS with TLS 1.3 is not giving me an issue on the Cloudways platform; I am using a WordPress SSL certificate and made it HTTPS secured.
     
  16. eva2000

    eva2000 Administrator Staff Member

    Latest logged output shows TLS 1.3 as the top TLS protocol served now :)
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    383306  TLSv1.3  TLS_AES_256_GCM_SHA384
    265773  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    167832  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    72      -        -
    53      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    2       TLSv1    ECDHE-ECDSA-AES128-SHA