
Cloudflare enables TLS 1.3 communication with origin back ends

 5 years ago
source link: https://www.tuicool.com/articles/hit/7veURrr

Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication

Cloudflare just announced that it has officially enabled HTTPS TLS 1.3 backend origin communication with origin web servers that have HTTP/2 HTTPS TLS 1.3 enabled, i.e. Cloudflare Strict SSL mode. Prior to this announcement, Cloudflare edge servers would communicate with your site's origin web server (Centmin Mod Nginx) using TLS 1.2 even if your origin web server supported TLS 1.3. With this change you can speed up your page load times slightly, as TLS 1.3 saves one round trip time (RTT) on the connection. Centmin Mod 123.09beta01 and newer Nginx builds support HTTP/2 HTTPS TLS 1.3 out of the box via either the OpenSSL 1.1.1 branch (default) or optionally via BoringSSL. Details at Centmin Mod Nginx HTTP/2 HTTPS TLS 1.3 Support. So when you create a new Nginx HTTP/2 HTTPS site with Centmin Mod Nginx, it now automatically has TLS 1.3 enabled.

I can verify that Cloudflare is communicating with my Centmin Mod Nginx origin servers over the TLS 1.3 protocol now, using custom Cloudflare nginx logging I set up on my servers behind Cloudflare.

In my cfssl-access.log I can see TLSv1.3 being used for the connection now, with the TLS_AES_256_GCM_SHA384 SSL cipher.

Code (Text):

tail -1 cfssl-access.log

54.36.148.175 - - [05/Mar/2019:21:32:04 +0000] GET /threads/gcc-7-3-1-update.14858/ HTTP/1.1 "200" 97042 "-" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)" "54.36.148.175" "-" "421824" "1" "0.400" 4b2f334b8bfb9cb3-AMS TLSv1.3 TLS_AES_256_GCM_SHA384

TLS protocol and cipher stats: TLSv1.3 is starting to show up, using the SSL cipher TLS_AES_256_GCM_SHA384.

Code (Text):

pzcat -f cfssl-access.log{,-*} | grep -v 'SERVER_IP' | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
299930  TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
191033  TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
173484  TLSv1.3  TLS_AES_256_GCM_SHA384
43      -        -
35      TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
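As an added example (not code from the original post, Cloudflare or Centmin Mod), the following Python script does the same tally as the pzcat/awk pipeline above and adds two checks worth running on an origin behind Cloudflare: the share of TLS requests that actually negotiated TLSv1.3, and any handshakes older than TLS 1.2 that an origin limited to TLS 1.2/1.3 should never log. It assumes the same custom nginx log format as cfssl-access.log, with $ssl_protocol and $ssl_cipher as the last two whitespace-separated fields and "-" marking a non-TLS request; the `exclude_ip` parameter mirrors the `grep -v 'SERVER_IP'` step. The log lines, IP addresses and cf-ray ids in SAMPLE_LOG are constructed for the example.

```python
"""Tally TLS protocol versions and ciphers from nginx access-log lines.

Added example, not part of the original post. Assumes the custom log format
shown on the page: the last two whitespace-separated fields are $ssl_protocol
and $ssl_cipher, and "-" marks a request that did not use TLS.
"""
from collections import Counter

# Constructed sample lines shaped like the page's cfssl-access.log entries.
# IPs are from the documentation range; cf-ray ids are made-up placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2019:21:32:04 +0000] GET /threads/example.1/ HTTP/1.1 "200" 97042 "-" "Mozilla/5.0" "203.0.113.10" "-" "1" "1" "0.400" 0000000000000001-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.11 - - [05/Mar/2019:21:32:05 +0000] GET /threads/example.2/ HTTP/1.1 "200" 1024 "-" "Mozilla/5.0" "203.0.113.11" "-" "1" "1" "0.010" 0000000000000002-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.12 - - [05/Mar/2019:21:32:06 +0000] GET /threads/example.3/ HTTP/1.1 "200" 2048 "-" "Mozilla/5.0" "203.0.113.12" "-" "1" "1" "0.020" 0000000000000003-AMS TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.13 - - [05/Mar/2019:21:32:07 +0000] GET /threads/example.4/ HTTP/1.1 "200" 4096 "-" "Mozilla/5.0" "203.0.113.13" "-" "1" "1" "0.030" 0000000000000004-AMS TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
203.0.113.14 - - [05/Mar/2019:21:32:08 +0000] GET /threads/example.5/ HTTP/1.1 "200" 8192 "-" "Mozilla/5.0" "203.0.113.14" "-" "1" "1" "0.040" 0000000000000005-AMS TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
203.0.113.15 - - [05/Mar/2019:21:32:09 +0000] GET /threads/example.6/ HTTP/1.1 "200" 512 "-" "Mozilla/5.0" "203.0.113.15" "-" "1" "1" "0.050" 0000000000000006-AMS TLSv1 ECDHE-ECDSA-AES128-SHA
203.0.113.16 - - [05/Mar/2019:21:32:10 +0000] GET /health HTTP/1.1 "200" 2 "-" "curl/7.64.0" "-" "-" "1" "1" "0.001" - - -
"""

# nginx reports TLS 1.0 as "TLSv1"; anything in this set is below TLS 1.2.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_tls_fields(line):
    """Return (protocol, cipher) for one log line, i.e. awk's $(NF-1) and $NF.

    Returns None for lines with fewer than three fields (blank or truncated).
    """
    parts = line.rsplit(None, 2)
    if len(parts) < 3:
        return None
    return parts[1], parts[2]


def tls_stats(log_text, exclude_ip=None):
    """Count (protocol, cipher) pairs across the log.

    exclude_ip drops lines mentioning that address, like the page's
    grep -v 'SERVER_IP' which removes the server's own requests.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if exclude_ip and exclude_ip in line:
            continue
        fields = parse_tls_fields(line)
        if fields:
            counts[fields] += 1
    return counts


def tls13_share(counts):
    """Fraction of TLS requests (protocol != '-') that negotiated TLSv1.3."""
    tls_total = sum(n for (proto, _), n in counts.items() if proto != "-")
    if tls_total == 0:
        return 0.0
    tls13 = sum(n for (proto, _), n in counts.items() if proto == "TLSv1.3")
    return tls13 / tls_total


def legacy_handshakes(counts):
    """Return the (protocol, cipher) entries older than TLS 1.2.

    An origin configured for TLS 1.2/1.3 only should never log these, so any
    hit points at a misconfigured vhost or a client bypassing Cloudflare.
    """
    return {k: n for k, n in counts.items() if k[0] in LEGACY_PROTOCOLS}


def report(log_text, exclude_ip=None):
    """Print a table in the same shape as the page's awk/sort/uniq output."""
    counts = tls_stats(log_text, exclude_ip)
    for (proto, cipher), n in counts.most_common():
        print(f"{n:>8}  {proto:<8} {cipher}")
    print(f"TLSv1.3 share of TLS requests: {tls13_share(counts):.1%}")
    legacy = legacy_handshakes(counts)
    if legacy:
        print("legacy protocol handshakes seen:", legacy)
    return counts


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

To run this against a real log, read the rotated files the same way the page's pipeline does and pass the joined text to `report()`; only the last two fields are inspected, so the rest of the custom format can differ as long as $ssl_protocol and $ssl_cipher stay at the end.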

Been waiting for ages for TLS 1.3 support on origin connections with Cloudflare, so glad to finally see it happen. Though, TLS 1.3 0-RTT early data will not be supported.
