XF 1.5 TLS1.2 + CloudFlare = fail?

Discussion in 'XenForo Questions and Support' started by CrispinP, Apr 17, 2016.

  1. CrispinP

    CrispinP Well-Known Member


    So in setting up my new forum using XF I noticed the your-server's-not-worthy banner in User Upgrades page.
    After reading Mike's two threads and some others around I decided I might as well tick it off now and be done with it.

    I've disabled TLS1.0, 1.1 on my server.

    However, it seems that me using CloudFlare in the mix is a show-stopper (for their continued use).
    My domain, https://www.landcruiserclub.net/community points to CF who then point on to me. Everything is encrypted from me to them (waste of money - I could have used an unsigned cert :( ) and from CF on to me is encrypted with their cert.

    The problem is that CF is still allowing 1.0+ as confirmed by online ssl tester. If you want to use TLS1.2 only then you need to be on their business plan which is USD200 a month. Gulp.

    I still see the banner in User Upgrades - I assume this is because it's querying the FQDN which is then going via CF.

    Is my understanding of all this correct?

  2. Chris D

    Chris D XenForo Developer Staff Member

    You don't need to disable TLS1.0 or 1.1.

    The message you're seeing on the User Upgrades page is about outgoing connections from your server to PayPal.

    If you're not using User Upgrades, you do not need to take any action.

    If you are, you just need to ensure that your server is capable of making outgoing connections using TLS 1.2. The fixes for this could be upgrading/configuring PHP, OpenSSL or cURL on the server.
  3. Jeremy P

    Jeremy P Well-Known Member

    I don't believe so. Paypal will require TLS 1.2, but as long as your server supports outgoing TLS 1.2 connections then it shouldn't be a problem (even if your server also supports earlier versions of TLS). I believe it has to do with software on your server (your SSL libraries and cURL) not supporting TLS 1.2.

    PS - https://letsencrypt.org will give you free signed certificates. I know it doesn't matter all that much when used in combination with CloudFlare, but it at least verifies that the server CF forwards to is valid.
  4. CrispinP

    CrispinP Well-Known Member

    Ah, I see. It's not the inbound connections. Thanks for that!

    Everything is always up to date on my server so will check to see what I need to do. I've been looking in the wrong place.

  5. CrispinP

    CrispinP Well-Known Member

    Yup, I tried using them and it failed. Some pip compatibility I did not understand. After faffing around for an hour I figured the USD40 was better value for money. :) Then I realised CF can handle self-signed :(

    Live and learn :D
  6. CrispinP

    CrispinP Well-Known Member

  7. Mike

    Mike XenForo Developer Staff Member

    Can you send me a link to a PHP info file on your server?
  8. CrispinP

    CrispinP Well-Known Member

    It's literally just the example code from the SO example:

    <?php
    // Outgoing TLS test against PayPal's public test host, forcing TLS 1.2
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'https://tlstest.paypal.com');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FAILONERROR, true);
    curl_setopt($ch, CURLOPT_SSLVERSION, 6); // CURL_SSLVERSION_TLSv1_2
    $result = curl_exec($ch);
    echo 'result = ' . $result . '<br>';
    echo 'errno = ' . curl_errno($ch) . '<br>';
    echo 'error = ' . curl_error($ch) . '<br>';
    curl_close($ch);
    Called here: http://www.landcruiserclub.net/pptest.php
    I can't get to the file from work - can send it tonight though.

  9. Brogan

    Brogan XenForo Moderator Staff Member

    Mike means something like phpinfo.php - what you see at /admin.php?tools/phpinfo
  10. CrispinP

    CrispinP Well-Known Member

    Sorry, really not reading well this morning (need sleep). Will PM you the link to the file.
  11. CrispinP

    CrispinP Well-Known Member

    Coffee still waiting to kick in. I re-read it and realised :sleep:
  12. Brogan

    Brogan XenForo Moderator Staff Member

    The file you have provided is no good.

    Create a file with the following contents:


    Name it <something random>.php and upload it the domain root.

    Then PM the URL to Mike.
  13. CrispinP

    CrispinP Well-Known Member

    You referring to the file I just sent Mike? It's a file-save of the phpinfo in VB. I can't jump on the server from work to move it to a public place, and it's behind the admincp in VB.

    Have our messages crossed?

    If you still need a real version of it on the server and not what I PM'd Mike then let me know.

  14. Mike

    Mike XenForo Developer Staff Member

    For reference, I didn't get a PM, though Brogan has sent me the PHP info output.

    Can you confirm whether the PHP examples here work? https://github.com/paypal/TLS-update

    According to your version of cURL, CURLOPT_SSLVERSION = 6 doesn't exist internally (it doesn't exist until 7.34.0), so it shouldn't do anything. I don't see why this connection shouldn't be working though.
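The check Mike describes, written out as an added example (not code from the thread or from XenForo): it reports the server's cURL and SSL library versions, only pins TLS 1.2 when libcurl is new enough to understand the option, and keeps certificate verification on so the result reflects the connection XenForo itself will make. It assumes the curl extension is loaded and uses PayPal's public test host named above.

```php
<?php
// Added example: report whether this server can make the outgoing TLS 1.2
// connection that the User Upgrades banner (and PayPal) require.

function tls12_report($url = 'https://tlstest.paypal.com')
{
    $v = curl_version();
    $report = array(
        'curl_version'  => $v['version'],
        'ssl_library'   => $v['ssl_version'],
        // CURLOPT_SSLVERSION = 6 (TLS 1.2) is only understood by libcurl >= 7.34.0;
        // older builds silently ignore it, so the test would not prove anything.
        'can_pin_tls12' => version_compare($v['version'], '7.34.0', '>='),
    );

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FAILONERROR, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    // Keep peer/host verification on: a test with verification disabled says
    // nothing about the connection the forum software will actually make.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if ($report['can_pin_tls12']) {
        // Force TLS 1.2 so an SSL library that only negotiates older versions
        // fails here rather than later against PayPal's live API.
        curl_setopt($ch, CURLOPT_SSLVERSION, 6); // CURL_SSLVERSION_TLSv1_2
    }

    $body = curl_exec($ch);
    $report['http_code'] = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $report['errno']     = curl_errno($ch);
    $report['error']     = curl_error($ch);
    $report['ok']        = ($body !== false && $report['errno'] === 0);
    $report['body']      = ($body === false) ? '' : trim($body);
    curl_close($ch);
    return $report;
}

// Run from the command line (php tls12check.php) rather than from a public URL.
foreach (tls12_report() as $key => $value) {
    echo str_pad($key, 14), ': ', var_export($value, true), PHP_EOL;
}
```

If `can_pin_tls12` is false but the unpinned request succeeds, the success proves nothing about TLS 1.2; the cURL/OpenSSL build itself needs updating before the banner can be trusted to clear.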
  15. CrispinP

    CrispinP Well-Known Member


    I've done it from my phone (SSH into server)

    I get a failure and with the var_dump I get bool(false)
    resource(4) of type (curl)

    If I change it to include the version then I get a success back.

    I've created a phpinfo file for you too if that is handy. will PM the details.
  16. CrispinP

    CrispinP Well-Known Member

    Hi Mike,

    Any info on this banner?

    Did you get the PM?

  17. Mike

    Mike XenForo Developer Staff Member

    Your library versions are similar to what we run here without the issue you're having, though we do have a newer version of PHP. I don't know why setting that CURLOPT_SSLVERSION value works, since as far as I understand, cURL doesn't actually know how to interpret it in the version in use on your server.

    Would it be possible to get FTP access to attempt some debugging?
  18. Gene Steinberg

    Gene Steinberg Well-Known Member

    I'm running into a rather different issue with CloudFlare, which is that I cannot use my own SSLs with the free package offered by a hosting provider. I get reverse proxy errors from CloudFlare.

    In my case, the certificate supposedly issued with the server is expired, even though I've only had the server four months. I cannot change it unless or until I go for a paid plan with CloudFlare starting at $20 per month for the first domain, $5 for each additional domain. In other words, it's bait and switch.

    Just FYI.
  19. Jeremy P

    Jeremy P Well-Known Member

    Not really related to the issue at hand, but it's almost certainly not CloudFlare doing a bait and switch. The public-facing free certificates are offered indefinitely (forever). You may have the SSL settings on "Strict" though, which enforces valid certificates on the connection between CloudFlare and your server... and your server certificates might be invalid for any number of reasons. Upgrading to a paid plan on CloudFlare wouldn't fix this problem.

    Either set the SSL settings on CloudFlare to "Full" or even "Flexible," or get a valid certificate for your server itself (which you would get through a domain registrar or others, and not CloudFlare).
  20. Gene Steinberg

    Gene Steinberg Well-Known Member

    There is no way to control the SSL setting with the configuration they saddled me with. So what I did was remove it from that account, establish a different account, and add the domain there as a free domain. No more SSL glitch.