• Lee@retrolemmy.com
    17 hours ago

    Please actually compare the certificate when connecting to your server directly (bypassing Cloudflare) and connecting via Cloudflare. An easy way to do this is with openssl CLI:

    openssl s_client -servername your-domain-here.org -connect your-ip-here:443 < /dev/null 2>/dev/null | openssl x509 -text -noout
    

    Replace your-domain-here.org with your domain and your-ip-here with your actual server IP, but also do it with the Cloudflare IP.

    The section about the “Full (strict)” / “Full” is referring to how Cloudflare verifies the certificate (or not in the case of Flexible and off) between your origin server and Cloudflare – this is not with respect to the client and Cloudflare. The Custom origin certificates are also with respect to Cloudflare and your server (has no impact on certificate used between the client and Cloudflare). Cloudflare still uses a separate certificate that they have issued to themselves and hold the private key to use for the client.

    If you pay extra for their “Advanced Certificate Manager”, this allows you to upload a custom certificate to be used between the client and Cloudflare, but you have to provide the private key to Cloudflare because they still terminate SSL/TLS at their servers. Even their “Total TLS” service (part of ACM, and the word “Total” could be mistaken for “total” as in from the client all the way to your origin server) does not provide E2EE.

    I may be unaware of a newer service offering, but the only way that I’m aware of to get true E2EE is on their Enterprise plan (Keyless TLS). I have a lot of experience with Cloudflare on both personal and Enterprise plans (I was the technical person in charge of the account and configuring it and such). Granted, I’ve not been dealing with CF Enterprise for a few years now and they may have a new service offering outside of Enterprise that I’m not familiar with, but my quick look around still looks like everything aside from Keyless TLS requires either giving them the key (in the case of ACM custom certificates) or they use their own certificate for client <-> Cloudflare. When I did manage the Enterprise plan, we actually didn’t use Keyless TLS because we used features that required them to terminate TLS anyway, so I can’t speak to the specifics of it.

    I hope I’m wrong though. I’d love to have true E2EE while still getting the DDoS protection on my personal stuff.
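    Added example (not code from the post above, and not a Cloudflare tool): a small POSIX shell script that wraps the openssl check described in that comment so the leaf certificate fetched from the origin IP and the one fetched from the Cloudflare IP can be compared field by field instead of by eye. It assumes `openssl` is on the PATH; the domain and the two IPs in the usage line are placeholders, and `fetch_leaf` is the only part that touches the network.

```shell
#!/bin/sh
# Added example, not from the original comment. Compares the certificate a
# client sees when connecting straight to the origin with the one it sees
# when connecting through the CDN edge, using only the openssl CLI.
set -eu

# fetch_leaf DOMAIN IP FILE: connect to IP:443 with SNI=DOMAIN and write the
# leaf certificate the server presents to FILE as PEM (first cert in chain).
fetch_leaf() {
  openssl s_client -servername "$1" -connect "$2:443" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# fingerprint_of FILE: SHA-256 fingerprint of the certificate in FILE.
fingerprint_of() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# issuer_of FILE: issuer DN, i.e. who signed the certificate. A CDN-issued
# leaf will name the CDN's CA rather than the CA you enrolled with.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= */issuer=/'
}

# sans_of FILE: DNS names in subjectAltName, one per line (empty if none).
# A shared edge certificate often lists names you do not own.
sans_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# same_leaf FILE1 FILE2: succeed only if both files hold the same certificate.
same_leaf() {
  [ "$(fingerprint_of "$1")" = "$(fingerprint_of "$2")" ]
}

# describe LABEL FILE: print the fields worth comparing for one path.
describe() {
  echo "== $1"
  echo "fingerprint=$(fingerprint_of "$2")"
  issuer_of "$2"
  sans_of "$2" | sed 's/^/san=/'
}

# compare_paths DOMAIN ORIGIN_IP EDGE_IP: fetch both leafs and report whether
# the edge is presenting its own certificate (i.e. terminating TLS itself).
compare_paths() {
  tmp=$(mktemp -d)
  fetch_leaf "$1" "$2" "$tmp/origin.pem"
  fetch_leaf "$1" "$3" "$tmp/edge.pem"
  describe "direct to origin $2" "$tmp/origin.pem"
  describe "via edge $3" "$tmp/edge.pem"
  if same_leaf "$tmp/origin.pem" "$tmp/edge.pem"; then
    echo "RESULT: same leaf certificate on both paths"
  else
    echo "RESULT: different leaf certificates; the edge terminates TLS with its own key"
  fi
  rm -rf "$tmp"
}

# Usage with placeholder values (replace with your domain, origin IP, edge IP):
#   compare_paths your-domain-here.org 203.0.113.10 104.16.0.1
```

    The verdict line is the point of the exercise: if the fingerprints differ, the edge is presenting a certificate whose private key it holds, so it can read the traffic regardless of which origin-side mode (“Full”, “Full (strict)”, custom origin certificate) is configured.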

    • chicken@lemmy.dbzer0.com
      8 hours ago

      Yeah, I did ultimately realize this, maybe I should have written a bit more in my edit earlier but it’s a bit embarrassing tbh, I had come to some wrong conclusions. I think what I’m going to do is simply stop using Cloudflare for anything that does not have an extra layer of encryption on top of https, or that isn’t just a static, public webpage with no interactivity.