CloudFlare's "Universal SSL" Initiative

Chris.M

Member
(Not sure if this is more "The Lounge" worthy.)

CloudFlare today announced that customers using their free offering will now have the ability to encrypt their connection by default (functionality that was initially only available on higher-tier plans). They're referring to this upgrade as "Universal SSL" and are rolling it out to all users throughout the day. A much more detailed explanation of what they're doing can be found here, on their blog.

I'm an advocate of using encryption whenever and wherever possible, and as such I think this is a huge step in the right direction. This being said, I'm confused as to what's being offered here. Are they encrypting by way of auto-provisioning SSL certificates for every customer's connection? Or are they simply enabling any given customer to purchase an SSL certificate and use it with their CloudFlare-protected websites? I have not used CloudFlare in a while and their service has evolved pretty quickly. From the blog entry linked above, they make it sound as if they're automatically securing their customers' connections with some sort of certificate that has been developed for "mass use." Bottom line: my understanding of how they're doing this is incredibly limited.

Thoughts? I'm genuinely interested in seeing how this pans out for them.
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
Hey Chris,

Thanks for the share.

Quoting that blog post:
How does it work?
For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc.).

For a site that did not have SSL before, we will default to our Flexible SSL mode, which means traffic from browsers to CloudFlare will be encrypted, but traffic from CloudFlare to a site's origin server will not. We strongly recommend site owners install a certificate on their web servers so we can encrypt traffic to the origin. Later today we'll be publishing a blog with instructions on how to do that at no cost. Once you've installed a certificate on your web server, you can enable the Full or Strict SSL modes which encrypt origin traffic and provide a higher level of security.
To me (I may be misinterpreting), this means that sites need to have their own SSL certificate already installed. This allows for non-"mixed" insecure content between your server and CloudFlare's cached content that is actually served to the customer.

Also to keep in mind, their statement here:
These challenges required that, for free customers, we limit Universal SSL support to modern browsers.
However, that's not really limiting anyone out =P
 

Chris.M

Member
To me (I may be misinterpreting), this means that sites need to have their own SSL certificate already installed. This allows for non-"mixed" insecure content between your server and CloudFlare's cached content that is actually served to the customer.
That's exactly how I interpreted it, and I'm assuming it's the most likely. I couldn't imagine them issuing a literal certificate for each customer, regardless of whether or not the customer has one already. I'm viewing it as a step that will make encryption more enticing to both their existing customer base and definitely potential new customers. No extra charge, happy people.

Some customers, at least from comments, seem to think that their connections will magically become encrypted with a free SSL certificate provided by CloudFlare. Maybe this is the case. Maybe they're also planning to offer free ponies, too. We'll have to see. :p
 

KH-Jared

Sysadmin
Staff member
I'm very interested in this but I actually haven't used CloudFlare personally before. So to test this, I've already created a new CloudFlare account. I won't be able to report anything until tomorrow, unfortunately.
If you're a new customer, note that it will take up to 24 hours from when you sign up to provision SSL for our free service (and, again, if you're in a hurry, it's still instant for all paid plans).
But it looks interesting already. I'm not sure what's going to be different on their backend between now and tomorrow, but right now, I can't pick between the three SSL options, which are Flexible, Full, and Full (strict). It tells me those are premium options only. We'll see if this changes in 24 hours.

My test domain does seem to use their certificate already.
{Domain} uses an invalid security certificate. The certificate is only valid for the following names: ssl2000.cloudflare.com, cloudflare.com, *.cloudflare.com
It looks to already be using either Full or Strict because it is giving defaultwebpage.cgi, which it would do if I tried to connect to any of my other domains using https right now.
 

Chris.M

Member
@KH-Jared I'm really looking forward to hearing your thoughts on this. I don't think they're being very clear in terms of wording. The general consensus seems to be that the connection is indeed encrypted, by way of a certificate on their end, automatically - without an existing certificate on the user's end. If this is the case, man oh man. They must be doing something crafty (not saying this negatively) in order to pull this off for such a sizable user population.

Edit: It took me all of a minute to realize what they're doing: encrypted connection from browser to CloudFlare by default, but an encrypted connection from CloudFlare to a user's server would require a certificate installed on the user's server. Thank you, Dave, for providing the above quote... which I apparently disregarded earlier. Oy.

I still think this is going to confuse more than a few people.
 

KH-Jared

Sysadmin
Staff member
@Chris.M There is definitely plenty to be confused about. What has got me the most confused is this bit which certainly makes it sound like 'Free SSL certificate on our servers.'
Free plan SSL service will utilize Elliptic Curve Digital Signature Algorithm (ECDSA) certificates from Comodo or GlobalSign. These certificates will cover both your root domain and first-level subdomains through the use of a wildcard.
Right now I'm able to pick between Flexible, Full, and Full (strict). I've gone with Flexible just to test for the time being and it loads my site but with the same warning as before. They have not hidden the fact that for free accounts they are taking their time, so I'll check back again this evening and in the morning to see if they get a certificate that legitimately covers my domain, as the above seems to imply, or if they are trying to say that their certificate covers your domain and gets it a secured connection.

If it is the latter, then it's not wrong, but it's just as secure as a self-signed certificate. It'll give you a secured connection but browsers won't trust it. It'll also be much less useful than it sounds, especially since they restrict custom SSL certificates to the paid plans.
 

Chris.M

Member
Jared, apologies for the delayed response on my part!

Thanks for testing this out and getting back to me with the results. They're clearly inundated with new signups and getting this rolled out for existing folks... so who knows if things are working correctly. Honestly, I'd like to see them rephrase their entire explanation of what they're hoping to achieve with this. It's great in theory, but whether or not it ends up working out is another story altogether. They do recommend that users have a valid certificate installed on their end to ensure a fully encrypted connection, but it's mentioned almost as if it's an afterthought.

Keep me posted if anything changes. If I were to use CloudFlare again, I'd likely opt for their Pro plan from the get-go... but I'm curious to see how this ends up rolling out.
 

KH-Jared

Sysadmin
Staff member
Absolutely no problem. Currently, it's still showing their certificate. I still cannot supply my own certificate. I'm thinking of trying the full option but I'm going to hold off until tomorrow just to make sure I provide them enough time. If it's secured just with their certificate and there's no way to provide your own, then it's not really that much of a help, since anyone who is going to want an SSL certificate will not want their users' browsers giving them a warning every time they visit.
 

Chris.M

Member
@KH-DavidL Yep, it does. At this point, I'm more interested in the implementation and seeing how it's actually working (versus how they envisioned it to). Seems like a big undertaking.
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
Well, like @KH-Jared, I've decided to take on some testing of my own. I've got a brand new domain, with a valid SSL certificate set up on CloudFlare, and all the DNS is swapped over. I'm experiencing the same as previously mentioned. Visiting the domain provides the certificate for "ssl2000.cloudflare.com" rather than the actual domain. I'll be curious to see if anything changes after the 24 hour period that the disclaimer references.
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
Quick update on this and my progress with CloudFlare.

Thus far, I've continued experiencing the same issues previously described. So, I went ahead and switched over my SSL settings to use the Full Strict option. The admin panel suggests that it should take no longer than 5 minutes to process and be set in place. After waiting around 30 minutes and continuing to experience the same configuration and issues, I opened a ticket! :eek:

My Ticket to CloudFlare:
Good Evening Team,

I imagine you are quite inundated at the moment, so I sincerely appreciate you taking the time to review this ticket and get back with me! I've configured my account under 'Settings > SSL' to use the 'Full SSL Strict' option. However, after changing to this setting, I have not noticed any difference (even after the specified 5+ minutes). When visiting the domain via SSL ( https://[removed].org ) the SSL certificate for ssl2000.cloudflare.com is presented, rather than the SSL certificate for [removed].org that is installed on the server ( 204.[removed] ). Output provided here should be of benefit: http://paste.servergur.us/neyesuvaca.xml

Sincerely,
David L.
After ~25 minutes (not bad, but certainly not KnownHost timing), I received an update to my inquiry. While not unique to my specific ticket, nor detailing my exact information/request(s), I was provided with some informative documentation.

My Reply from CloudFlare:
Certificate issuance for free domains is taking longer than expected, at first.

We expect to be caught up by Thursday 2 October 0700 UTC but read the details about how to check your domains here: https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/

So, if you're seeing an SSL error for your free domain this will clear in time.


In advance of SSL going live for your website, some recommended reading:
https://blog.cloudflare.com/introducing-universal-ssl/

As default your domain will be enabled with the "Flexible SSL" setting - this is the most compatible option, but for increased security you might want to consider Full or Full Strict. To learn more about these options, take a look at a recent blog post from our Security Engineer Nick Sullivan:

https://blog.cloudflare.com/origin-server-connection-security-with-universal-ssl/

More information about those choices here:
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-mean-

Your plan level (Enterprise, Business, Pro, or Free) doesn't affect your SSL choice of Flexible, Full, or Full Strict.

To have your site display correctly when using SSL, you want to ensure links to assets like images, CSS & Javascript in your code are correct to avoid "mixed content" issues as these will display a warning in most browsers:

https://support.cloudflare.com/hc/en-us/articles/200170476-How-do-I-fix-the-SSL-Mixed-Content-Error-Message-

Finally, some other articles about SSL issues that might be useful:

https://support.cloudflare.com/hc/en-us/articles/200170566-My-SSL-isn-t-working-Why-not-
https://support.cloudflare.com/hc/en-us/articles/200170616-Why-am-I-getting-a-SSL-mismatch-error-

[removed] | Support Engineer | CloudFlare
Already passing the 0700 UTC mark, I'm not noticing any differences yet!
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
Additional Note:

Just logged into my CloudFlare admin panel to see if any changes or updates were made there. Check this out:
[screenshot of the CloudFlare admin panel, 2014-10-02]

An SSL issuance status has been added. Mine is still stating that it's currently in the process of being issued. However, another interesting observation is that my selected option from the drop-down box is no longer "Full SSL Strict", as I originally chose. It now shows "Full SSL" as my selected option. Hm..

Will continue the updates.
 

Chris.M

Member
David, your updates are both riveting and informative as usual. :D

Seems like the response you received from them is canned, and more or less saying, "Hey! Here's some reading material for you as we continue to fix our issues." I think they were being a tad too optimistic by saying the new system would hopefully be rolled out to all customers by the end of business on the first day (... I think they said this, could be wrong). "Hopefully" being the key word here.

Again, this must be a massive undertaking. Massive. I'm sure they'll work out the kinks, but I imagine it'll take them a hell of a lot longer than a few days to smooth everything out.
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
David, your updates are both riveting and informative as usual. :D
Aww, *blushing*. Thanks!

Seems like the response you received from them is canned, and more or less saying, "Hey! Here's some reading material for you as we continue to fix our issues." I think they were being a tad too optimistic by saying the new system would hopefully be rolled out to all customers by the end of business on the first day (... I think they said this, could be wrong). "Hopefully" being the key word here.
Pretty much what I expected, just like I stated in the ticket opener, "I imagine you are quite inundated at the moment, so I sincerely appreciate you taking the time to review this ticket and get back with me!" That being said, even just a "Hey David, check out these links: [...] Let me know if you have any more questions! Thanks" would have been nice, instead of mass-canned. I can certainly imagine the load they're receiving right now though.

Again, this must be a massive undertaking. Massive. I'm sure they'll work out the kinks, but I imagine it'll take them a hell of a lot longer than a few days to smooth everything out.
Agreed, however in my eyes (disclaimer: 2c here) owning up to 'mistakes' or 'misleading' information solidifies a company's reputation. Everyone makes mistakes, just be honest about it.
 

Chris.M

Member
I agree with you entirely. Something still tells me that this offering will be difficult to sustain, at least for the free-tier percentage of folks. We'll see! I hope (and like) to be surprised. Let's see how this works for both yourself and @KH-Jared.

In the meantime, I'll wait for KnownHostFlare.
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
Well,

That was quick.
Code:
$ dig NS [removed].org +short
jeff.ns.cloudflare.com.
dorthy.ns.cloudflare.com.
Code:
$ openssl s_client -showcerts -connect [removed].org:443 |grep Domain
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=[removed].org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=[removed].org
[screenshot of the browser's certificate view, 2014-10-02]

It's working with no issues for me at this point. However, the CloudFlare admin panel still shows "Issuing".
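The two outcomes in this thread (Jared's "certificate is only valid for ssl2000.cloudflare.com, cloudflare.com, *.cloudflare.com" warning, and David's openssl output showing a PositiveSSL certificate for his own domain) both come down to one check: do the DNS names in the presented certificate cover the hostname the visitor typed? The script below is an added example, not CloudFlare's or KnownHost's code. It implements that name-matching rule (a wildcard covers exactly one leftmost label, so `*.example.org` covers `www.example.org` but not `example.org` itself, which is why the blog post says the issued certificates carry both a root entry and a wildcard), and a `fetch_cert` helper that connects with SNI to either the edge or, by passing the origin's IP as `address`, directly to the origin server, so the two presented certificates can be compared the way the ticket in this thread does. The certificate dictionaries, `example.org` and the `203.0.113.10` address are constructed placeholders.

```python
"""Check which certificate a TLS endpoint presents for a hostname, and whether
that certificate's DNS names actually cover the hostname.

Added example, not CloudFlare's or KnownHost's code.  The hostnames, IP
addresses and certificate contents below are constructed for illustration.
"""
import socket
import ssl


def san_dns_names(cert):
    """Return the DNS names a certificate is valid for.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): a dict with
    'subject' and 'subjectAltName' entries.  Browsers consult the SAN list;
    the subject CN is used here only when no SAN list is present.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style match: '*' stands for exactly one leftmost label.

    '*.example.org' covers 'www.example.org' but neither 'example.org' nor
    'a.b.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.org"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(cert, hostname):
    """True if any DNS name in the certificate matches `hostname`."""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


def fetch_cert(hostname, address=None, port=443, timeout=5.0):
    """Connect to `address` (default: `hostname`) sending `hostname` as SNI and
    return the presented certificate as a dict, even when its names mismatch.

    Chain validation stays on (CERT_REQUIRED) so getpeercert() returns the
    parsed certificate; only the hostname check is disabled so a mismatch can
    be reported instead of raised.  Passing the origin server's IP as
    `address` shows what the origin presents; omitting it shows what the edge
    (e.g. CloudFlare) presents.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((address or hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(cert, hostname):
    """Human-readable verdict for a (certificate, hostname) pair."""
    names = ", ".join(san_dns_names(cert))
    if cert_covers(cert, hostname):
        return f"OK: certificate covers {hostname} (names: {names})"
    return f"MISMATCH: certificate is only valid for {names}; not {hostname}"


# Constructed certificates mirroring the two outcomes described in the thread:
# the shared edge certificate seen before issuance completed, and a
# domain-validated certificate naming the customer's domain.
EDGE_SHARED_CERT = {
    "subject": ((("commonName", "ssl2000.cloudflare.com"),),),
    "subjectAltName": (
        ("DNS", "ssl2000.cloudflare.com"),
        ("DNS", "cloudflare.com"),
        ("DNS", "*.cloudflare.com"),
    ),
}

CUSTOMER_CERT = {
    "subject": (
        (("organizationalUnitName", "Domain Control Validated"),),
        (("organizationalUnitName", "PositiveSSL"),),
        (("commonName", "example.org"),),
    ),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}


if __name__ == "__main__":
    for cert in (EDGE_SHARED_CERT, CUSTOMER_CERT):
        print(report(cert, "example.org"))
    # Live use (network required), e.g.:
    #   report(fetch_cert("example.org"), "example.org")                          # edge
    #   report(fetch_cert("example.org", address="203.0.113.10"), "example.org")  # origin
```

Running the offline part prints a MISMATCH for the shared edge certificate and an OK for the customer certificate. For a live check, comparing `fetch_cert(host)` with `fetch_cert(host, address=ORIGIN_IP)` tells you whether the edge has been issued a certificate for your name and, separately, whether the origin presents one that Full (strict) mode could validate.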
 

KH-Jared

Sysadmin
Staff member
@KH-DavidL Obviously they like you more than me :oops:
Mine is still showing their certificate, and SSL issuing, so I suppose it's still in progress. I'm curious if this is due to Flexible vs Full or just a traffic difference since they've even said they're doing highest traffic first. I know they said 0700 UTC this morning but I'll give it more time before I open another ticket.
 

KH-DavidL

Abuse & Documentation Specialist
Staff member
@KH-DavidL Obviously they like you more than me :oops:
[...] but I'll give it more time before I open another ticket.
I believe I was wrong here. Looks like CF is having some issues right now. The domain was constantly flipping between my primary IP address and theirs, even while using their correct name servers. Apparently, even pro accounts are experiencing issues right now. Heh.
 

KH-Jonathan

Director of Managed Services
Staff member
Our (KH's) account is a pro and our stuff that runs through them was most definitely affected...at least for about 5 mins before I re-routed our traffic around them :D
 