disable weak CBC cipher at origin server
I have disabled the weak cipher at the origin server.
When I test internally using the command below (resolving to the internal IP address):
openssl s_client -cipher 'AES256-SHA' -connect xxx.xxx.xxx:443 -tls1_2
It showed a failure to connect.
However, when I test externally, it still connects successfully, and it also showed the connection is using the certificate of the origin server.
May I know if this is because the SSL handshake follows Cloudflare's cipher suites instead, even though the certificate in use is the origin server's? Thanks
We are using Cloudflare and the website is proxied.
3 Replies
Yes. The cipher suites that users see are from their connection to Cloudflare. If you need to customize cipher suites, then you need to purchase Advanced Certificate Manager.
Cloudflare Docs
Customize cipher suites · Cloudflare SSL/TLS docs
With Advanced Certificate Manager or within Cloudflare for SaaS, you can restrict connections between Cloudflare and clients - such as your visitor’s …
Thanks for your information! 😊
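The comparison discussed in this thread, as an added example that is not part of the original posts: it runs the same `openssl s_client` probe against the proxied hostname and against the origin address, then reports which side accepted the cipher and which certificate each side presented. The function names, the verdict labels and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare one cipher on the proxied path and on the origin path.

# Print the cipher negotiated in `openssl s_client` output read from stdin,
# or NONE when the handshake did not complete.
negotiated_cipher() {
    awk '/Cipher is / { sub(/.*Cipher is /, ""); c = $0 }
         END { if (c == "" || c == "(NONE)") c = "NONE"; print c }'
}

# Print the subject/issuer lines of the certificate the server presented.
leaf_cert() { sed -n '/^subject=/p; /^issuer=/p'; }

# probe <host:port to connect to> <SNI name> <cipher>: one TLS 1.2 attempt.
probe() {
    openssl s_client -cipher "$3" -tls1_2 -connect "$1" -servername "$2" \
        </dev/null 2>&1 || true
}

# verdict <cipher seen via proxy> <cipher seen at origin> (labels are hypothetical)
verdict() {
    if [ "$2" != "NONE" ]; then echo "origin-accepts"
    elif [ "$1" != "NONE" ]; then echo "proxy-edge-only"
    else echo "refused-everywhere"; fi
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_ACCEPTED='subject=CN = www.example.test
issuer=CN = Example Test CA
New, TLSv1.2, Cipher is AES256-SHA'
SAMPLE_REFUSED='no peer certificate available
New, (NONE), Cipher is (NONE)'

# Usage: script <public hostname> <origin IP> <cipher>
if [ "$#" -eq 3 ]; then
    via_proxy=$(probe "$1:443" "$1" "$3")
    at_origin=$(probe "$2:443" "$1" "$3")
    p=$(printf '%s\n' "$via_proxy" | negotiated_cipher)
    o=$(printf '%s\n' "$at_origin" | negotiated_cipher)
    echo "via proxy: $p"; printf '%s\n' "$via_proxy" | leaf_cert
    echo "at origin: $o"; printf '%s\n' "$at_origin" | leaf_cert
    echo "result: $(verdict "$p" "$o")"
fi
```

A result of `proxy-edge-only` means the origin change took effect and the cipher is still being offered by the proxy in front of it.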