2

I'm setting up a free Cloudflare account and I'm unsure what this means (for Full SSL):

"You will need to have an SSL certificate on your server. However, CloudFlare will not attempt to validate the certificate (certificates may be self-signed). [The difference between Full and Full (Strict) is that Full (Strict) checks for a valid certificate on your origin server, whereas Full checks for any certificate.]"

I don't know exactly what they mean by "You will need to have an SSL certificate on your server." I'm on a shared hosting plan, not in control of the server. Will Cloudflare look for a (any) cert that the host has on the server, and will that suffice? A little unsure what to look for or ask.

wazz
  • I love the downvoting on these sites. Really helpful. – wazz Sep 01 '16 at 07:08
  • You don't need to use SSL between CloudFlare and your server, just use "flexible" or "off". Full is if you want end-to-end SSL, which is great if it's financial or personal data, but may not be necessary for all information. – Tim Sep 01 '16 at 07:24

2 Answers

4

Full

Any certificate will work. This means a self-signed certificate can be used. If you're running a Certificate Authority, a certificate from there would work as well. This approach will encrypt all traffic between Cloudflare and your server; however, there will be no validation, meaning there will be no checks to ensure it is communicating directly with your server, nor will Revocation Lists be checked. This will leave the connection vulnerable to MitM.

Full (Strict)

The certificate on your server will need to be from a trusted Certificate Authority. This is because Cloudflare will validate the certificate to ensure it is communicating with your server directly and that the certificate is still valid.

Cloudflare Blog

The following entry does a great job explaining this in detail.

Introducing Strict SSL: Protecting Against a Man-in-the-Middle Attack on Origin Traffic

user2320464
2

I haven't used Cloudflare so I couldn't be 100% sure, but on other shared hosting platforms I've used you are able to upload the required cert files to the root directory of the site.

What it is saying is that you either must use the "Full" mode with any certificate (e.g. self-signed), or you must get a certificate from a proper certificate authority like StartSSL or something along those lines to use the "Full (Strict)" mode.

If you made a self-signed certificate, uploaded it and then tried to use "Full (Strict)", it would fail as your PC isn't a legitimate certificate authority.

Dan
  • I found a place on the CF site where I can "Generate a free TLS certificate signed by CloudFlare to install on your origin server." I guess this would do it. (? I wish they would say "This is what you need for Full SSL!") But looking at their instructions on how to put it on the server, I have to first "Copy the key and cert pair to the desktop of your origin server." I can't do that, can I? (IIS7.) I've used IIS7 Manager but it sounds like I need real access to the server. – wazz Sep 01 '16 at 06:39
  • You'd be better off using a free Let's Encrypt certificate on the server. You're right that you should use "full" rather than "full strict" if you're using a self signed certificate. SSL needs to be configured correctly on the server. – Tim Sep 01 '16 at 07:23
  • Could you provide a link to the instructions you are following? Are you hosting the website on your own server or using Cloudflare? – Dan Sep 01 '16 at 07:33