Inquiry about using LE with CloudFlare and Windows XP


#1

Dear community,

I have been using LE for my sites for months now, hosted DigitalOcean. I recently started using CloudFlare for DNS and I have set the SSL settings to “Full”, now when I visit my site, it serves on SSL (very well), but when I inspect the SSL issuer I see CloudFlare.

The question is, I have known CloudFlare’s free SSL will break the site on outdated OS e.g Windows XP, so when I try my site on XP now will it be secured with LE certificate instead of CF’s?

Thank you very much,
Samuel


#2

Hi Samuel,

In most CloudFlare configurations you only have the option to use their certificate, not a certificate that you’ve provisioned yourself for your site. I believe only some of their paid products will let you choose what certificate is used. So, I believe that Windows XP users will also see the CloudFlare-issued certificate instead of the Let’s Encrypt one.

Feel free to ask CloudFlare support if this interpretation is correct.


#3

TYVM Seth!
I will test out very soon on XP to find out.

Have a good day!
Samuel


#4

the problem is less CF’s certs rather than the fact that IE on XP cant do SNI meaning if you run multiple certs on one IP the server wont know which one to throw,´, forcing the server to throw the default, giving you a cert error unless you try to use one of the domains on the default cert.

the problem can be solved with using a better browser (for example firefox, which also has up to date TLS stuff, meaning you can use EC certs and AES and all the good stuff)


#5

hi my1

run your site throgh ssllabs.com

The compatibilty issues with XP and older browsers can arise from several issues

A) TLS cipher selection
B) Protocol versions
C) Advanced features such as SNI

You can configure your servers to support older OS and Browsers however this increases your security holes

Mozilla has a list of configurations you can refer to here:

https://wiki.mozilla.org/Security/Server_Side_TLS


#6

this question is specifically about cloudflare’s free SSL and just saying that with cloudflare that SNI is probably the highest problem.

I dont run my sites directly through cloufdlare I just use it as a nice DNS Provider which also does DNSSec, so in my case SNI wouldnt even be a problem for most cases.

well that wou can punch hooles in your TLS (security, performance or otherwise) to support XP and older is something I know and where I am happy that I dont have to deal with that.

but as soon as you happen to have a host that runs multiple domains where at least some of them are outside of your control, you are pretty much bound to run into SNI issues.

and I know SSL Labs for a long time (although I prefer the comodo checker, it doesnt care about ports or iirc even IPs and it’s way quicker showing me the results I care for.


#7

hi my1

once again you need to look at cloudflare much like a server

i believe you are able to turn of for example SNI or you can get cloudflare to pass the traffic through (no interference) and let your own servers configurations take over


#8

well when you let your traffic go through cloudflare’s servers (cloud icon in DNS manager is orange) and if you are a free user it wont work because SNI they literally tell you that on their support page:

BUT: when you let the traffic go around cloudflare (cloud icon grey) it just acts as DNS and the traffic wont even be seen by cloudflare because they tell the client (by DNS) “go there” and obviously if your own server doesnt need SNI then it will work with XP.

but if you want the DDoS protection or whatever of cloudflare you will have to go paid to use non-SNI Clients.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.