XF 1.5 TLS1.2 + CloudFlare = fail?

CrispinP

Well-known member
Folks,

So in setting up my new forum using XF I noticed the your-server's-not-worthy banner in User Upgrades page.
After reading Mike's two threads and some others around I decided I might as well tick it off now and be done with it.

I've disabled TLS1.0, 1.1 on my server.

However, it seems that me using CloudFlare in the mix is a show-stopper (for their continued use)
My domain, https://www.landcruiserclub.net/community points to CF who then point on to me. Everything is encrypted from me to them (waste of money - I could have used an unsigned cert :( ) and from CF on to me is encrypted with their cert.

The problem is that CF is still allowing 1.0+ as confirmed by online ssl tester. If you want to use TLS1.2 only then you need to be on their business plan which is USD200 a month. Gulp.

I still see the banner in User Upgrades - I assume this is because it's querying the FQDN which is then going via CF.

Is my understanding of all this correct?

Thanks
Crispin
 
You don't need to disable TLS1.0 or 1.1.

The message you're seeing on the User Upgrades page is about outgoing connections from your server to PayPal.

If you're not using User Upgrades, you do not need to take any action.

If you are, you just need to ensure that your server is capable of making outgoing connections using TLS 1.2. The fixes for this could be upgrading/configuring PHP, OpenSSL or cURL on the server.
 
I don't believe so. Paypal will require TLS 1.2, but as long as your server supports outgoing TLS 1.2 connections then it shouldn't be a problem (even if your server also supports earlier versions of TLS). I believe it has to do with software on your server (your SSL libraries and cURL) not supporting TLS 1.2.

Everything is encrypted from me to them (waste of money - I could have used an unsigned cert :( )
PS - https://letsencrypt.org will give you free signed certificates. I know it doesn't matter all that much when used in combination with CloudFlare, but it at least verifies that the server CF forwards to is valid.
 
ah, I see. It's not the inbound connections. Thanks for that!

Everything is always up to date on my server so will check to see what I need to do. I've been looking in the wrong place.

Thanks
Crispin
 
I don't believe so. Paypal will require TLS 1.2, but as long as your server supports TLS 1.2 connections then it shouldn't be a problem (even if your server also supports earlier versions of TLS). I believe it has to do with software on your server (your SSL libraries and cURL) not supporting TLS 1.2.


PS - https://letsencrypt.org will give you free signed certificates. I know it doesn't matter all that much when used in combination with CloudFlare, but it at least verifies that the server CF forwards to is valid.

Yup, I tried using them and it failed. Some pip compatibility I did not understand. After faffing around for an hour I figured the USD40 was better value for money. :) Then I realised CF can handle self-signed :(

Live and learn :D
 
It's literally just the example code from the SO example:

<?php
// Probe PayPal's TLS test endpoint over an outbound cURL connection
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,'https://tlstest.paypal.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); // return the body instead of echoing it
curl_setopt($ch, CURLOPT_FAILONERROR,true);    // treat HTTP status >= 400 as a cURL error
curl_setopt($ch, CURLOPT_SSLVERSION,6);// CURL_SSLVERSION_TLSv1_2 (value 6; needs libcurl >= 7.34.0)
$result = curl_exec($ch);                      // false on failure, response body on success
echo 'result = '.$result.'<br>';
echo 'errno = '.curl_errno($ch).'<br>';
echo 'error = '.curl_error($ch).'<br>';
curl_close($ch);
?>
Called here: http://www.landcruiserclub.net/pptest.php
I can't get to the file from work - can send it tonight though.


C
 
The file you have provided is no good.

Create a file with the following contents:
PHP:
<?php

phpinfo();

?>

Name it <something random>.php and upload it the domain root.

Then PM the URL to Mike.
 
You referring to the file I just sent Mike? It's a file-save of the phpinfo in VB. I can't jump on the server from work to move it to a public place and it's behind the admincp in VB.

Have our messages crossed?

If you still need a real version of it on the server and not what I PM'd Mike then let me know.

C
 
For reference, I didn't get a PM, though Brogan has sent me the PHP info output.

Can you confirm whether the PHP examples here work? https://github.com/paypal/TLS-update

According to your version of cURL, CURLOPT_SSLVERSION = 6 doesn't exist internally (it doesn't exist until 7.34.0), so it shouldn't do anything. I don't see why this connection shouldn't be working though.
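The two points above (the banner is about outbound TLS 1.2 from the server, and CURLOPT_SSLVERSION = 6 means nothing to libcurl older than 7.34.0) can be checked in one go. The following is an added diagnostic script, not code from XenForo, PayPal or anyone in this thread; it assumes PHP with the curl extension and uses https://tlstest.paypal.com, the endpoint already used in the thread, as the target. Run it from the command line rather than leaving it in the web root.

```php
<?php
// Added example (not XenForo's, PayPal's or the poster's code): diagnose whether this
// server can make the outbound TLS 1.2 connection the User Upgrades warning is about.
// Assumptions: PHP with the curl extension; tlstest.paypal.com is PayPal's public
// TLS 1.2 test endpoint (the URL used earlier in this thread).

$cv = curl_version();
printf("PHP %s, libcurl %s, SSL backend %s\n", PHP_VERSION, $cv['version'], $cv['ssl_version']);

// CURLOPT_SSLVERSION = 6 means "TLS 1.2 only" and is understood by libcurl >= 7.34.0;
// the PHP constant CURL_SSLVERSION_TLSv1_2 arrived later still, so fall back to the raw value.
$libcurlKnowsTls12 = version_compare($cv['version'], '7.34.0', '>=');
$tls12Only = defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6;

// One probe; returns the outcome as an array instead of printing it so it can be reused.
function probeTls($url, $sslVersion = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,   // hand the body back instead of echoing it
        CURLOPT_FAILONERROR    => true,   // HTTP >= 400 counts as a failure
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate validation on, as a real client would
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
    ));
    if ($sslVersion !== null) {
        curl_setopt($ch, CURLOPT_SSLVERSION, $sslVersion);
    }
    $body = curl_exec($ch);
    $out = array(
        'ok'    => $body !== false,
        'errno' => curl_errno($ch),
        'error' => curl_error($ch),
        'body'  => is_string($body) ? trim($body) : '',
    );
    curl_close($ch);
    return $out;
}

$url = 'https://tlstest.paypal.com';

// 1. What a normal outbound request does: let libcurl negotiate the best version it has.
$negotiated = probeTls($url);
// 2. Force TLS 1.2 explicitly, as in the snippet posted earlier in the thread.
$forced = probeTls($url, $tls12Only);

foreach (array('negotiated' => $negotiated, 'forced TLS 1.2' => $forced) as $label => $r) {
    printf("%-15s %s  errno=%d %s  body=%s\n",
        $label, $r['ok'] ? 'OK  ' : 'FAIL', $r['errno'], $r['error'], $r['body']);
}

// Interpretation. PayPal's TLS-update examples treat a response body of
// "PayPal_Connection_OK" as success.
if (!$libcurlKnowsTls12) {
    echo "libcurl {$cv['version']} predates 7.34.0, so the forced probe is not a reliable signal; "
       . "upgrade cURL together with the OpenSSL it links against.\n";
} elseif (!$negotiated['ok'] && $forced['ok']) {
    echo "Default negotiation fails but forcing TLS 1.2 works: compare the two error strings, "
       . "the problem is in the defaults of the library stack rather than TLS 1.2 support itself.\n";
} elseif (!$forced['ok']) {
    echo "TLS 1.2 cannot be negotiated at all: upgrade OpenSSL, cURL and/or PHP on this server.\n";
}
```

The probe deliberately leaves peer verification on; a script that passes only because CURLOPT_SSL_VERIFYPEER is off would hide a broken CA bundle, which produces the same kind of outbound failure as a missing TLS 1.2 implementation.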
 
Mike,

I've done it from my phone (SSH into server)

I get a failure and with the var_dump I get bool(false)
resource(4) of type (curl)

If I change it to include the version then I get a success back.

I've created a phpinfo file for you too if that is handy. will PM the details.
 
Your library versions are similar to what we run here without the issue you're having, though we do have a newer version of PHP. I don't know why setting that CURLOPT_SSLVERSION value works, since as far as I understand, cURL doesn't actually know how to interpret it in the version in use on your server.

Would it be possible to get FTP access to attempt some debugging?
 
I'm running into a rather different issue with CloudFlare, which is that I cannot use my own SSLs with the free package offered by a hosting provider. I get reverse proxy errors from CloudFlare.

In my case, the certificate supposedly issued with the server is expired, even though I've only had the server four months. I cannot change it unless or until I go for a paid plan with CloudFlare starting at $20 per month for the first domain, $5 for each additional domain. In other words, it's bait and switch.

Just FYI.
 
Not really related to the issue at hand, but it's almost certainly not CloudFlare doing a bait and switch. The public-facing free certificates are offered indefinitely (forever). You may have the SSL settings on "Strict" though, which enforces valid certificates on the connection between CloudFlare and your server... and your server certificates might be invalid for any number of reasons. Upgrading to a paid plan on CloudFlare wouldn't fix this problem.

Either set the SSL settings on CloudFlare to "Full" or even "Flexible," or get a valid certificate for your server itself (which you would get through a domain registrar or others, and not CloudFlare).
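To see for yourself what "Strict" is rejecting before changing the Cloudflare setting, the origin can be contacted directly with the same checks Cloudflare applies. The script below is an added example, not Cloudflare's or XenForo's code; the origin IP (from the documentation range) and the hostname are hypothetical values to replace, and it assumes PHP 5.6 or later, which is where the peer_name and verify_peer_name stream options and the default CA bundle appeared.

```php
<?php
// Added example (not Cloudflare's or XenForo's code): reproduce the origin certificate
// check that Cloudflare's "Strict" SSL mode performs, so an expired or self-signed
// certificate shows up here instead of as an opaque proxy error.
// Assumptions: PHP >= 5.6 with the openssl extension; the two values below are placeholders.
$originIp = '203.0.113.10';    // assumption: your server's real IP, bypassing Cloudflare
$hostname = 'www.example.com'; // assumption: the site name Cloudflare forwards (sent as SNI)

// Strict mode: verify chain, expiry and hostname.
// Full mode:   encrypt to the origin but accept any certificate, self-signed or expired.
function probeOrigin($originIp, $hostname, $strict)
{
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'       => $strict,
        'verify_peer_name'  => $strict,
        'allow_self_signed' => !$strict,
        'peer_name'         => $hostname,  // SNI, and the name checked when strict
        'capture_peer_cert' => true,       // so the dates can be read in either mode
    )));
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("tls://{$originIp}:443", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        $last = error_get_last();   // PHP reports the OpenSSL verify failure here
        return array('ok' => false, 'error' => $last ? $last['message'] : $errstr);
    }
    $params = stream_context_get_params($fp);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);
    return array(
        'ok'          => true,
        'subject'     => isset($cert['subject']['CN']) ? $cert['subject']['CN'] : '?',
        'issuer'      => isset($cert['issuer']['CN'])  ? $cert['issuer']['CN']  : '?',
        'valid_to'    => gmdate('Y-m-d', $cert['validTo_time_t']),
        'expired'     => $cert['validTo_time_t'] < time(),
        'self_signed' => $cert['subject'] == $cert['issuer'],
    );
}

foreach (array('Full' => false, 'Strict' => true) as $mode => $strict) {
    $r = probeOrigin($originIp, $hostname, $strict);
    if (!$r['ok']) {
        printf("%-6s FAIL  %s\n", $mode, $r['error']);
        continue;
    }
    printf("%-6s OK    CN=%s issuer=%s validTo=%s expired=%s self-signed=%s\n",
        $mode, $r['subject'], $r['issuer'], $r['valid_to'],
        $r['expired'] ? 'yes' : 'no', $r['self_signed'] ? 'yes' : 'no');
}
```

If the "Full" line succeeds and reports expired=yes or self-signed=yes while the "Strict" line fails, the fix is either a valid certificate on the origin (Let's Encrypt will do) or dropping the Cloudflare setting to "Full", which keeps the hop encrypted but no longer authenticates the origin.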
 
There is no way to control the SSL setting with the configuration they saddled me with. So what I did was remove it from that account, establish a different account, and add the domain there as a free domain. No more SSL glitch.
 