Cloudflare recently introduced new Automatic SSL/TLS settings to simplify the provider's encryption modes for communication with origin servers. This feature offers automatic configuration, ensuring security without risking site downtime.
Automatic SSL/TLS strengthens the encryption modes between Cloudflare and origin servers by utilizing the Cloudflare SSL/TLS Recommender. This recommender automatically performs a series of requests from Cloudflare to the customer’s origin(s) with different SSL/TLS settings to determine if the backend communication can be upgraded beyond the current configuration. Alex Krivit, product manager at Cloudflare, Suleman Ahmad, software research engineer at Cloudflare, J Evans, software engineer at Cloudflare, and Yawar Jamal, system engineer at Cloudflare, explain why this feature is important:
Ensuring certificates are configured appropriately on origin servers and informing Cloudflare about how we should communicate with origins can be anxiety-inducing because misconfiguration can lead to downtime if something isn’t deployed or configured correctly.
While Cloudflare already offers various technologies—such as Authenticated Origin Pulls, Cloudflare Tunnels, and a certificate authority—to help customers configure communication with origin servers, these options still require manual configuration changes both on the origin server and within Cloudflare settings.
Source: Cloudflare Blog
Cloudflare provides five options for SSL/TLS connections with origin servers: Off, Flexible, Full, Full (Strict), and Strict. In the Strict mode, all traffic from the browser to Cloudflare, whether HTTP or HTTPS, will always be connected to the origin over HTTPS, with the origin server’s certificate being validated.
Cloudflare introduced Universal SSL a decade ago and, in 2022, pledged to provide customers with "the most secure connection from Cloudflare to their origin servers automatically," while explaining the challenges of configuring origin SSL at scale. The provider now acknowledges that rolling out this feature took longer than anticipated. Krivit, Ahmad, Evans, and Jamal add:
Taking this additional time allowed us to balance enhanced security with seamless site functionality, especially since origin server security configuration and capabilities are beyond Cloudflare's direct control.
Because Cloudflare acts as an intermediary between the client and the customer’s origin server, two separate TLS connections are established: one between the user’s browser and the Cloudflare network, and another between the Cloudflare network and the origin server. Unlike securing connections between clients and Cloudflare, managing the security capabilities of origin servers is more challenging. In a popular Hacker News thread, user amluto comments:
Cloudflare is talking about the security benefits of Cloudflare Tunnels. They may well be fairly secure, but I would love to see Cloudflare clean up their configuration system so that the configuration actually matches the behavior. Setting up a mapping from DNS name to route should not be called DNS and should absolutely not pretend to be a CNAME.
Other users discuss the usability of the Zero Trust portal and express concerns about the growing number of available options. User LinuxBender adds:
Since this takes human operations out of the loop on the origin for certs I could see an opportunity to add one more privacy step until Encrypted Client Hello (ECH) is universally supported on all the things.
The cloud provider has already begun rolling out the feature to customers with SSL/TLS Recommender enabled. Remaining Free and Pro customers are expected to be enrolled starting September 16th, with Business and Enterprise customers to follow.