
[SSL] [Cloudflare] Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Mar 6, 2019.

  1. eva2000 (Administrator, Staff Member)

    Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication



    Cloudflare just announced they have officially enabled HTTPS TLS v1.3 backend origin communication with origin web servers which have HTTP/2 HTTPS TLS 1.3 enabled, i.e. Cloudflare Strict SSL mode. Prior to this announcement, Cloudflare edge servers would communicate with your site's origin web server (Centmin Mod Nginx) using TLS 1.2 even if your origin web server supported TLS 1.3. Now with this change, you can speed up your page loads slightly, as TLS 1.3 saves one round trip time (RTT) on the connection :)

    Centmin Mod 123.09beta01 and newer Nginx builds support HTTP/2 HTTPS TLS 1.3 out of the box now, via either the OpenSSL 1.1.1 branch (default) or optionally via BoringSSL. Details at Centmin Mod Nginx HTTP/2 HTTPS TLS 1.3 Support. So when you create a new Nginx HTTP/2 HTTPS site with Centmin Mod Nginx, it automatically has TLS 1.3 enabled now :)

    I can verify that Cloudflare is communicating with my Centmin Mod Nginx origin servers over the TLS 1.3 protocol now, using the custom Cloudflare Nginx logging I set up on my servers behind Cloudflare.

    For my cfssl-access.log I can see TLSv1.3 being used for the connection now, with the TLS_AES_256_GCM_SHA384 SSL cipher.
    Code (Text):
    tail -1 cfssl-access.log

    54.36.148.175 - - [05/Mar/2019:21:32:04 +0000] GET /threads/gcc-7-3-1-update.14858/ HTTP/1.1 "200" 97042 "-" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" "54.36.148.175" "-" "421824" "1" "0.400" 4b2f334b8bfb9cb3-AMS TLSv1.3 TLS_AES_256_GCM_SHA384


    Looking through my rotated cfssl-access logs, the earliest sighting of TLSv1.3 communication between Cloudflare and my origin was on February 26th, 2019.
    Code (Text):
    pzcat -f cfssl-access.log-* | grep 'TLSv1.3' | head -n1
    52.53.xxx.xxx - - [26/Feb/2019:06:12:33 +0000] GET / HTTP/1.1 "200" 114552 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-" "-" "1080738" "1" "0.100" - TLSv1.3 TLS_AES_256_GCM_SHA384

    The server runs in the UTC timezone; my mytimes output:
    Code (Text):
    mytimes
    Thu Mar  7 12:22:07 UTC 2019    [UTC]
    Thu Mar  7 22:22:07 AEST 2019   [Australia/Brisbane]
    Thu Mar  7 04:22:07 PST 2019    [America/Los_Angeles]
    Thu Mar  7 06:22:07 CST 2019    [America/Chicago]
    Thu Mar  7 07:22:07 EST 2019    [America/New_York]
    Thu Mar  7 12:22:07 GMT 2019    [Europe/London]

    TLS protocol and cipher stats: TLSv1.3 is starting to show up, using the SSL cipher TLS_AES_256_GCM_SHA384 :D
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    299930  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    191033  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    173484  TLSv1.3  TLS_AES_256_GCM_SHA384
    43      -        -
    35      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256

    I've been waiting for ages for TLS 1.3 support on origin connections with Cloudflare, so I'm glad to finally see it happen. Though TLS 1.3 0-RTT early data will not be supported.
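As an added example (not code from eva2000's post, from the linked custom-logging thread, or from Centmin Mod), the following Python script does what the awk | sort | uniq -c pipeline above does, and additionally flags the rows a practitioner would want to look at: plain-HTTP hits (the "-  -" rows in the tallies), legacy TLS 1.0/1.1 negotiations (which appear in the counts later in this thread), and rows with no CF-Ray, which can mean a request reached the origin without passing through Cloudflare's proxy. It assumes only that the custom log format ends with the CF-Ray ID, $ssl_protocol and $ssl_cipher in that order, as the lines quoted above do; the sample log lines are constructed with documentation IPs and made-up ray IDs.

```python
"""Tally TLS protocol/cipher pairs in a Cloudflare-fronted nginx access log.

Added example, not code from the thread or from Centmin Mod. Assumption:
each line ends with three whitespace-separated fields, in this order:
CF-Ray ID (or "-"), $ssl_protocol, $ssl_cipher, which is the shape of the
cfssl-access.log lines quoted in the thread.
"""
import re
import sys
from collections import Counter

# Tail of a line: CF-Ray, protocol, cipher. Plain-HTTP hits log "-" for the
# two TLS fields, which is where the "-  -" rows in the thread's tallies come from.
TAIL_RE = re.compile(r"\s(?P<cfray>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)$")
ADDR_RE = re.compile(r"^(?P<addr>\S+)\s")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample lines (documentation IPs, made-up CF-Ray IDs) laid out
# like the thread's cfssl-access.log excerpts.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2019:21:32:04 +0000] GET /threads/x.1/ HTTP/1.1 "200" 97042 "-" "Mozilla/5.0 (bot)" "192.0.2.10" "-" "421824" "1" "0.400" 4b2f334b8bfb9cb3-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
192.0.2.11 - - [05/Mar/2019:21:33:10 +0000] GET / HTTP/1.1 "200" 114552 "-" "Mozilla/5.0" "192.0.2.11" "-" "1080738" "1" "0.100" 4b2f35a1c0d9e1f2-SIN TLSv1.3 TLS_AES_256_GCM_SHA384
192.0.2.12 - - [05/Mar/2019:21:34:01 +0000] GET /a HTTP/1.1 "200" 5120 "-" "Mozilla/5.0" "192.0.2.12" "-" "12" "0" "0.020" 4b2f36b2d1e0f203-LAX TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
192.0.2.13 - - [05/Mar/2019:21:35:45 +0000] POST /b HTTP/1.1 "302" 0 "-" "Mozilla/5.0" "192.0.2.13" "-" "8" "0" "0.050" 4b2f37c3e2f10314-DFW TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
198.51.100.7 - - [05/Mar/2019:21:36:00 +0000] GET /c HTTP/1.1 "200" 2048 "-" "Mozilla/5.0" "-" "-" "3" "0" "0.010" - TLSv1.1 ECDHE-ECDSA-AES128-SHA
198.51.100.8 - - [05/Mar/2019:21:36:30 +0000] GET /d HTTP/1.1 "301" 0 "-" "curl/7.64.0" "-" "-" "1" "0" "0.000" - - -
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Return {'addr', 'cfray', 'proto', 'cipher'} for one log line, or None."""
    line = line.rstrip()
    head, tail = ADDR_RE.match(line), TAIL_RE.search(line)
    if not head or not tail:
        return None
    rec = tail.groupdict()
    rec["addr"] = head.group("addr")
    return rec


def tally(lines):
    """Count (protocol, cipher) pairs: the awk | sort | uniq -c step."""
    return Counter((r["proto"], r["cipher"]) for r in map(parse_line, lines) if r)


def tls13_share(counts):
    """Fraction of TLS connections (plain HTTP excluded) that negotiated TLS 1.3."""
    tls = {k: v for k, v in counts.items() if k[0] != "-"}
    total = sum(tls.values())
    if total == 0:
        return 0.0
    return sum(v for (proto, _), v in tls.items() if proto == "TLSv1.3") / total


def findings(lines):
    """Rows worth a look: plaintext hits, legacy TLS, and requests with no CF-Ray.

    A missing CF-Ray means the request did not carry Cloudflare's proxy header;
    on an origin that should only be reachable through Cloudflare that is a
    prompt to check the firewall allow-list, not proof of a bypass.
    """
    out = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "-":
            out.append(("plaintext", rec["addr"]))
        elif rec["proto"] in LEGACY_PROTOCOLS:
            out.append(("legacy-tls", rec["addr"], rec["proto"], rec["cipher"]))
        if rec["cfray"] == "-":
            out.append(("no-cf-ray", rec["addr"]))
    return out


def format_table(counts):
    """Render like `sort -rn | column -t`: count, protocol, cipher per row."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n:<7} {proto:<8} {cipher}" for (proto, cipher), n in rows]


if __name__ == "__main__":
    # Usage:  pzcat -f cfssl-access.log{,-*} | python3 tls_tally.py
    # With no piped input the constructed sample lines are used instead.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    lines = list(src)
    counts = tally(lines)
    print("\n".join(format_table(counts)))
    print(f"TLS 1.3 share: {tls13_share(counts):.1%}")
    for item in findings(lines):
        print("FINDING:", *item)
```

Note that the thread's own 26 Feb line logs "-" for the CF-Ray while still negotiating TLS 1.3, so a missing ray in your own logs is a reason to confirm that the origin only accepts port 443 from Cloudflare's published IP ranges, not evidence by itself that someone reached it directly.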
  2. eva2000 (Administrator, Staff Member)
  3. negative (Active Member)
  4. eva2000 (Administrator, Staff Member)
    That issue was with your visitor's anti-virus software at the time not supporting the final TLS 1.3 RFC version and only supporting older TLS 1.3 drafts. Those anti-virus companies should have updated their software to support the final TLS 1.3 RFC version by now. But if they haven't updated, then your visitors will still have issues. But if your Centmin Mod Nginx origin has HTTP/2 HTTPS TLS 1.3, then Cloudflare can talk to your Centmin Mod origin via TLS 1.3 while visitors talk to Cloudflare with TLS 1.2 (if CF TLS 1.3 is disabled on the frontend).
  5. negative (Active Member)
    Yes, my configuration supports TLS 1.3
    Code (Text):
    nginx -V
    nginx version: nginx/1.15.8 (291218-011710)
    built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)
    built with OpenSSL 1.1.1a  20 Nov 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=291218-011710 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1a --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'


    However, I think it was not related to the antivirus software, @eva2000, because I've tried completely disabling the antivirus software and also the Windows firewall etc., but the issue was still the same. I fixed the problem only by disabling TLS 1.3 support in the Cloudflare panel.
  6. eva2000 (Administrator, Staff Member)
    But do you have problems on this forum? As I have Cloudflare with TLS 1.3 here too :)
  7. negative (Active Member)
    Didn't try.

    Actually, I have never seen any problem on any website on my Mac (Chrome, Safari, Firefox etc.).
    But my friend's computer was Windows 7 and I tried both Chrome and Explorer before, so it was a problem when TLS 1.3 was enabled on Cloudflare.

    I've enabled TLS 1.3 now and will try it as soon as possible.

    Thanks
  8. eva2000 (Administrator, Staff Member)
  9. Matt (Moderator, Staff Member)
    Not working with Railgun yet. I've tested by disabling it and get TLS 1.3 from Cloudflare, but enabling Railgun only presents TLS 1.2.
  10. eva2000 (Administrator, Staff Member)
    Interesting, that might explain why my Nginx origin logs show a mix of TLSv1.3 and TLSv1.2 connections from Cloudflare, as I also have Cloudflare Railgun enabled :) Railgun only applies to uncacheable requests.
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    250241  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    246797  TLSv1.3  TLS_AES_256_GCM_SHA384
    185128  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    45      -        -
    37      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    1       TLSv1    ECDHE-ECDSA-AES128-SHA
    1       TLSv1.1  ECDHE-ECDSA-AES128-SHA
  11. eva2000 (Administrator, Staff Member)
    Latest stats show TLS v1.3 communication has increased to the largest share of TLS protocols for Cloudflare to origin Nginx connections :cool:
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    263331  TLSv1.3  TLS_AES_256_GCM_SHA384
    169944  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    159605  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    359     -        -
    66      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    3       TLSv1    ECDHE-ECDSA-AES128-SHA
    3       TLSv1.1  ECDHE-ECDSA-AES128-SHA
  12. jeparamedia (New Member)
    I don't have this log:
    Code (Text):
    tail -1 cfssl-access.log
    tail: cannot open ‘cfssl-access.log’ for reading: No such file or directory

    I used the latest CMM with the Let's Encrypt install and it's working.
    Now I have added my site jeparamedia.com to CF with SSL Full.

    BTW, I have some websites all in CF with SSL Flexible
    (server: my EasyEngine server, default HTTP WordPress site).

    What is the best way to install WP from the 22 menu with Let's Encrypt?
    1. My site is already put in CF with Flexible SSL, then I install WP?
    or
    2. My site is in dns.he.net, then I install with the 22 menu + Let's Encrypt, and after it's done I add it to CF with Full SSL?

    Thank you
  13. eva2000 (Administrator, Staff Member)
    You need to configure that extra logging via https://community.centminmod.com/threads/cloudflare-custom-nginx-logging.14790/
    For that, start a new thread in the forum at https://community.centminmod.com/forums/domains-dns-email-ssl-certificates.44/
  14. jeparamedia (New Member)
  15. Alex Morco (New Member)
    Configuring HTTPS with TLS 1.3 is not giving me an issue on the Cloudways platform; I am using a WordPress SSL certificate and made it HTTPS secured.
  16. eva2000 (Administrator, Staff Member)
    The latest logged output shows TLS 1.3 is the top TLS protocol served now :)
    Code (Text):
    pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    383306  TLSv1.3  TLS_AES_256_GCM_SHA384
    265773  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    167832  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    72      -        -
    53      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    2       TLSv1    ECDHE-ECDSA-AES128-SHA