Third Party SSL is only available to Business or Enterprise Plan Customers

For starters, unless a customer is on Cloudflare’s Business Plan (starting at $200.00 USD/month), they CANNOT use any third-party SSL certificate on the Cloudflare servers.

However, you can ALWAYS use your own SSL certificate on your Origin Server, no matter what plan you are on.[2] We will dive into this below, along with other reasons why a customer would still want an SSL certificate from one of our world-renowned brands.

Cloudflare’s Universal SSL Has Limitations

If you are unfamiliar with Cloudflare’s Universal SSL, please take a quick look at the figure below, which shows the three “modes” in which SSL can operate with Cloudflare:

In all of the above “modes”, the connection between the Visitor and Cloudflare is protected by a free trusted SSL certificate provided as part of Cloudflare’s Universal SSL.[4] All Cloudflare users qualify for Universal SSL.

Cloudflare is a CDN (Content Delivery Network); it is NOT a web host. This means that Cloudflare users still maintain their own web servers, referred to as “Origin Servers” in the above figure, and Cloudflare’s network and servers cache or mirror the Origin Server. Currently, Universal SSL ONLY covers the connection between the Cloudflare servers and the user with a free, trusted, CA-issued SSL certificate.

Cloudflare recently announced plans to expand the capabilities of their Universal SSL service by starting an Internal CA that will issue free certificates.[5] These certificates would be issued by Cloudflare to your server, for use on the connection between the Origin Server and Cloudflare. This feature is not yet available.

While this announcement makes Universal SSL more complete, it also increases reliance on Cloudflare and can result in a bad experience for end users. If, for some reason, Cloudflare needed to be turned off or wasn’t working, everyone visiting your site would be presented with an untrusted Cloudflare-issued certificate, and their browser would show a full-page click-through warning. Users on the Cloudflare Free Plan have their pages cached much less frequently, which may create situations where you need to turn off Cloudflare to get proper performance. (If you are planning on using HSTS, this becomes a dire problem; please see the section Cloudflare’s Internal CA is Incompatible with HSTS below.)

Remember that if there is no SSL on the Origin Server, you are leaving a security hole that can expose your users’ information, and you risk incurring legal consequences. Anything less than “Strict” mode is not fully secured.

We recommend at least a DV certificate, such as RapidSSL or GeoTrust QuickSSL Premium, for the Origin Server in order to provide complete end-to-end SSL encryption.

Cloudflare Is Only For Web Traffic

Cloudflare is only intended for web traffic (HTTP/HTTPS), but many websites, especially corporate and ecommerce sites, handle more types of traffic than that. If your client uses mail (SMTP/IMAP), FTP, or SSH, they should not route that traffic through Cloudflare.

However, it’s still critical to make sure access to these protocols is secure. For SSL, the most relevant of these will be any mail traffic handled by the server. These users will want to continue using SSL certificates from trusted CAs such as Symantec and Comodo. This applies especially to users with a Windows Server (Exchange/IIS), because they often have special requirements (such as a wildcard or multi-domain certificate).

Cloudflare’s Universal SSL is not True SSL

In its default “Flexible” mode, the SSL connection is only established between the Visitor and Cloudflare. The user is presented with the green padlock, but the connection between Cloudflare and the Origin Server is not actually encrypted. As stated above, this exposes user information and can put website owners at legal risk.

Cloudflare decrypts your SSL connection

This is simply the nature of all CDNs. They cannot cache or optimize your content if they cannot see it, and they cannot see it if the content is encrypted with SSL. This means that Cloudflare must have a copy of the private key for your certificates.[8] However, there is also nothing to indicate that Cloudflare is untrustworthy. We have a very high opinion of Cloudflare and their services. Again, this is simply the nature of all CDNs, and something we felt we should mention so the end user is completely clear on how their SSL works through Cloudflare.

Cloudflare’s SSL is only for First-Level Subdomains

Cloudflare does not issue SSL certificates for wildcards beyond the first level. So example.example.domain.com WOULDN’T be covered by them, and you would need to get an SSL certificate from another provider. However, you would need to be on the Business/Enterprise plan in order to use any third-party SSL certificate.
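To make the first-level limitation concrete, here is an added example (not code from the original article or from Cloudflare) that applies the standard single-label wildcard rule from RFC 6125 section 6.4.3: a `*` matches exactly one DNS label, so `*.domain.com` covers `www.domain.com` but not `example.example.domain.com`. The `covered_by_cloudflare` helper is a hypothetical model of the article’s claim (zone apex plus first-level subdomains) and not a Cloudflare API.

```python
# Added example (not from the original article): decide whether a hostname is
# covered by a certificate name, using the single-label wildcard rule from
# RFC 6125 section 6.4.3 (a '*' matches exactly one DNS label, never a dot).


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by `cert_name`.

    `cert_name` is either a literal name ("www.domain.com") or a wildcard in
    the left-most label only ("*.domain.com"). Comparison is case-insensitive
    and a trailing dot is ignored.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in cert_name:
        return cert_labels == host_labels

    # The wildcard is only honoured as the whole left-most label, with at
    # least two labels after it, so "*.com" and "w*.domain.com" are rejected.
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False

    # The '*' stands for exactly one label, so label counts must be equal and
    # everything after the first label must match exactly.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_by_cloudflare(hostname: str, zone: str) -> bool:
    """Hypothetical model of the article's claim: Universal SSL covers the zone
    apex and first-level subdomains, i.e. the names `zone` and `*.zone`."""
    return hostname_matches(zone, hostname) or hostname_matches("*." + zone, hostname)


if __name__ == "__main__":
    for name in ("domain.com", "www.domain.com", "example.example.domain.com"):
        print(f"{name:30} covered: {covered_by_cloudflare(name, 'domain.com')}")
```

The second-level name fails because the wildcard would have to span two labels, which no standards-conforming browser accepts; that is the case where a separately issued certificate (wildcard at the right level, or a multi-domain certificate) is needed.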

Cloudflare’s Internal CA is Incompatible with HSTS

HSTS (HTTP Strict Transport Security) is a great new feature that makes SSL even more secure. However, it does have potential downsides. Essentially, it is an indicator served in a website’s HTTP response header that tells a browser, “Hi, I ONLY want to use the HTTPS protocol for this connection AND future connections, and I want you to remember that.”

This effectively means that when someone visits an HSTS-enabled site, the browser will ONLY allow future connections to that site to be made with HTTPS, until the “max-age” specified in the HSTS header expires. This behavior helps prevent various “downgrade” and MITM attacks that rely on circumventing the HTTPS protocol entirely.

Currently, a max-age of 6 months is viewed as the standard. This means that the browser will only allow you to connect to the site via HTTPS for the next 6 months. If the website has a serious SSL configuration error during that time, it will be impossible to connect to it.

Cloudflare has recently given customers the option to turn on HSTS (and set their desired max-age). This is where the potential downsides emerge.

If they enable HSTS and need to disable Cloudflare within the max-age period, visitors will be presented with the Origin Server certificate. If that certificate is from Cloudflare’s Internal CA, the browser WILL NOT connect, because it is not a trusted certificate (this is true for all self-signed or untrusted certificates). In this situation, the administrator would need to scramble to get a trusted SSL certificate installed on the site, which could keep an ecommerce site offline during important business hours.

This means that HSTS cannot safely be used with Full (Strict) mode, the only totally secure mode, when Cloudflare’s Universal SSL is combined with their Internal CA for the Origin Server.

So, just to be clear: You HAVE to have a trusted SSL certificate (from a company such as Symantec or Comodo) to use HSTS. You CANNOT use Cloudflare’s Internal CA.
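As an added example (not code from the original article or from Cloudflare), the following parses a `Strict-Transport-Security` header the way a browser does (RFC 6797 section 6.1) and reports the lock-out the section describes: once a browser has cached the policy, an untrusted Origin Server certificate is a hard failure until `max-age` expires. The 180-day reading of “6 months”, the sample headers and the `origin_cert_publicly_trusted` flag (which the operator supplies from their own certificate inventory) are assumptions made for the example.

```python
# Added example (not from the original article): parse an HSTS header and flag
# the lock-out risk of switching the CDN off while the policy is still cached
# in visitors' browsers. The 180-day threshold is an assumed reading of the
# article's "6 months"; the sample headers below are constructed.

from dataclasses import dataclass
from typing import List

SIX_MONTHS_SECONDS = 180 * 24 * 3600  # assumption: "6 months" read as 180 days


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directives of a Strict-Transport-Security header value.

    Directive names are case-insensitive, max-age is mandatory, and unknown
    directives are ignored, which is how RFC 6797 tells browsers to behave.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def lockout_risk(header_value: str, origin_cert_publicly_trusted: bool) -> List[str]:
    """Return the problems visitors would hit if the CDN were switched off while
    this policy is still cached. An empty list means no lock-out risk."""
    policy = parse_hsts(header_value)
    findings: List[str] = []
    if policy.max_age == 0:
        # max-age=0 tells the browser to forget the host's HSTS state.
        findings.append("max-age=0 clears the policy; HSTS is effectively disabled")
        return findings
    if not origin_cert_publicly_trusted:
        days = policy.max_age // 86400
        findings.append(
            "origin certificate is not publicly trusted: browsers that cached "
            f"this policy will refuse the site for up to {days} days"
        )
        if policy.include_subdomains:
            findings.append(
                "includeSubDomains extends the lock-out to every subdomain, "
                "including non-web hosts such as mail"
            )
    if policy.max_age < SIX_MONTHS_SECONDS:
        findings.append("max-age is shorter than the six-month figure commonly used")
    return findings


if __name__ == "__main__":
    # Constructed sample: a six-month policy on a site whose origin still uses
    # an untrusted (internal-CA or self-signed) certificate.
    for finding in lockout_risk("max-age=15768000; includeSubDomains", False):
        print("-", finding)
```

The useful check before enabling HSTS behind a CDN is therefore two-sided: the header itself must parse, and the certificate that visitors would see with the CDN out of the path must chain to a public root; the second condition is what an Internal CA certificate fails.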

Cloudflare’s Universal SSL Requires SNI Support

Due to the way Cloudflare implements Universal SSL, the client’s browser must support SNI (Server Name Indication). SNI lets a browser send the hostname it wants during the TLS handshake, so that a server hosting many sites on one IP address can present the matching certificate. Because this feature is relatively new, a browser that is not “modern” will not have it and will encounter a certificate name mismatch error.

Most users are on modern browsers that support SNI. The most popular browsers still in use that lack SNI support are all versions of Internet Explorer on Windows XP.[11] You will want to discuss with your customer(s) whether they believe a large portion of their customer base will be affected. Data suggests that Windows XP remains very prevalent in Asia.
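To show what SNI actually is on the wire, here is an added example (not code from the original article or from Cloudflare) that encodes and decodes the TLS `server_name` extension from RFC 6066 section 3, then models a shared-IP edge choosing a certificate from it. The `select_certificate` function and its certificate table are hypothetical; they stand in for whatever a real edge does, and reproduce the failure the article describes: with no SNI the server can only return its default certificate, which is the name mismatch an old client sees.

```python
# Added example (not from the original article): build and parse the TLS
# server_name (SNI) extension from RFC 6066 section 3, and model how a server
# hosting many names on one IP address uses it to pick a certificate. The
# certificate table and select_certificate() are constructed for illustration.

import struct
from typing import Dict, Optional

SNI_EXTENSION_TYPE = 0x0000  # ExtensionType server_name
NAME_TYPE_HOST_NAME = 0      # NameType host_name


def build_sni_extension(hostname: str) -> bytes:
    """Encode hostname as a complete extension: type, length, then the body."""
    name = hostname.encode("ascii")  # internationalised names must be A-labels first
    if not name or len(name) > 0xFFFF:
        raise ValueError("invalid hostname length")
    # ServerName: name_type (1 byte) + host_name length (2) + host_name
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    # ServerNameList: 2-byte length prefix + the entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_sni_extension(data: bytes) -> Optional[str]:
    """Return the host_name carried by a server_name extension.

    Returns None when the extension is of another type or has no host_name
    entry; raises ValueError on truncated input rather than guessing.
    """
    if len(data) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SNI_EXTENSION_TYPE:
        return None
    body = data[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("truncated extension body")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:2 + list_len]
    if len(entries) != list_len:
        raise ValueError("truncated server_name_list")
    pos = 0
    while pos + 3 <= len(entries):
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        name = entries[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            return name.decode("ascii")
    return None


def select_certificate(extension: Optional[bytes], certs: Dict[str, str], default: str) -> str:
    """Hypothetical shared-IP edge: pick the certificate for the SNI hostname.
    Without SNI (extension is None) the server can only return the default,
    which is the name-mismatch error non-SNI clients run into."""
    hostname = parse_sni_extension(extension) if extension is not None else None
    if hostname is None:
        return default
    return certs.get(hostname.lower(), default)


if __name__ == "__main__":
    # Constructed certificate table for two tenants behind one IP address.
    table = {"www.example.com": "cert-example", "shop.other.net": "cert-other"}
    ext = build_sni_extension("www.example.com")
    print("SNI bytes:", ext.hex())
    print("with SNI   ->", select_certificate(ext, table, "cert-default"))
    print("without SNI->", select_certificate(None, table, "cert-default"))
```

In Python’s own `ssl` module the same extension is sent by passing `server_hostname=` to `SSLContext.wrap_socket`; a client that leaves it out behaves like the pre-SNI browsers the article refers to.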

Resources:

1. https://www.cloudflare.com/plans
2. https://support.cloudflare.com/hc/en-us/articles/203055294-Can-I-use-FULL-or-FULL-STRICT-SSL-options-with-free-Universal-SSL-
3. Cloudflare announced their Universal SSL plan last year and brought some improvements to it this year during their “SSL Week” campaign.
4. Cloudflare’s Universal SSL certificates are provided via a partnership with Comodo and GlobalSign.
5. https://blog.cloudflare.com/universal-ssl-encryption-all-the-way-to-the-origin-for-free/
6. They will also be DV authenticated certificates (done automatically by Cloudflare because it controls your DNS), allowing the use of Strict SSL.
7. “You should not enable CloudFlare for subdomains that handle non-web traffic, such as mail, ftp, and ssh.” https://support.cloudflare.com/hc/en-us/articles/200168476-Hosting-Partner-Frequently-Asked-Questions
8. https://support.cloudflare.com/hc/en-us/articles/203242490-Who-cares-about-retaining-control-of-SSL-keys-
9. https://support.cloudflare.com/hc/en-us/articles/200170566-My-SSL-isn-t-working-Why-not-
10. https://support.cloudflare.com/hc/en-us/articles/203386804-Why-do-some-browsers-show-SSL-warnings-with-the-free-Universal-SSL-option-
11. https://support.cloudflare.com/hc/en-us/articles/203041594-What-browsers-work-with-Universal-SSL-
12. http://www.kaspersky.com/about/news/virus/2014/16-37-per-cent-Users-Still-Run-Windows-XP-Kaspersky-Lab-Statistics-Say, http://english.cntv.cn/2014/04/10/VIDE1397077802149966.shtml