cloudflare + apigee = mutual tls issue

Anyone out there use Cloudflare? We are running into an issue whereby Cloudflare is rejecting our mutual-TLS connection. Unfortunately, this is owned by a third party, which we do have purview over. We have configured the keystore & target server (clientauth = true) and always get a 401 response. We've integrated numerous vendors with mTLS.

Scenario: client -> Apigee (mTLS, latest 4.50 OPDK) -> Cloudflare (bad / 401 response) -> client (not reachable)

Fails in OPDK 4.50 (fresh provision) and Apigee SaaS (apigee.com).

Strange:

curl (with mTLS options) -> Cloudflare = works

Postman (with mTLS options + p12 + password) -> Cloudflare = works

Options:

- enable debug in the MP and record the SSL handshake; compare with the curl/Postman SSL context

- contact the vendor to review the Cloudflare logs

 


3 REPLIES

Show your SSLInfo element, please?

If I were debugging this I would:

Verify that the SSLInfo is correct and complete.

Verify that the KeyStore contains the expected key (and show that if you can).

Verify that the TrustStore contains the cert to verify the Cloudflare endpoint.

Have you successfully configured 2-way TLS between Apigee and peers other than Cloudflare? (I mean: is it an issue with Apigee + Cloudflare? Or is it an issue of Apigee mTLS to anything?)

 

If curl works, I would check whether all the certificates used in curl (including the chain) are also used in the Apigee call. Without seeing the SSL configuration block, as Dino asked, we cannot guess.

The most common error here is that an invalid or irrelevant TLS reference is used in the SSL block.
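For the checks the two replies above describe (Dino's KeyStore/TrustStore list and comparing the certificates curl uses against what Apigee sends), here is an added shell walkthrough. It is not from this thread and not Apigee's own tooling: it builds a throwaway CA and client certificate with openssl so the checks run offline, then shows (a) whether the private key in your keystore really belongs to the certificate under that alias, (b) whether the trust anchor in your truststore verifies the peer certificate, and (c) how the key + chain are packaged as a single-alias PKCS12 for upload. The alias `apigee-client`, the `changeit` password, the file paths and the `probe_target` host are assumptions; `probe_target` needs network access and is the one step you would point at the real endpoint to compare the handshake with curl's.

```shell
#!/bin/sh
# Added example (not from the thread). All names/paths are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Constructed key material: a demo CA and a client cert it signs, plus an
#    unrelated key to show what a KeyStore/KeyAlias mismatch looks like.
gen_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=apigee-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" >/dev/null 2>&1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# 2. KeyStore check: the key under KeyAlias must be the one the cert was issued
#    for. Comparing public keys (not RSA moduli) also works for EC keys.
key_matches_cert() {   # $1 = cert PEM, $2 = key PEM; returns 0 on match
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# 3. TrustStore check: verify the peer's leaf against ONLY the anchors you
#    intend to upload, ignoring the system store so a stray default cannot
#    mask a missing entry.
chain_verifies() {     # $1 = CA bundle PEM, $2 = leaf PEM; returns 0 if OK
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# 4. Package key + leaf + issuing CA under one alias (what the keystore
#    upload expects); prints the path.
make_p12() {           # $1 = alias
  openssl pkcs12 -export -name "$1" -inkey "$WORK/client.key" \
    -in "$WORK/client.pem" -certfile "$WORK/ca.pem" \
    -passout pass:changeit -out "$WORK/$1.p12" >/dev/null 2>&1
  echo "$WORK/$1.p12"
}

p12_readable() {       # $1 = p12 path; returns 0 if it parses with the password
  openssl pkcs12 -in "$1" -passin pass:changeit -noout >/dev/null 2>&1
}

# 5. Live handshake probe (needs network; not run here). Shows the cert chain
#    the server sends and whether it asked for a client cert, which is what you
#    compare against the curl/Postman run that works.
probe_target() {       # $1 = host:port (assumed placeholder)
  openssl s_client -connect "$1" -cert "$WORK/client.pem" -key "$WORK/client.key" \
    -CAfile "$WORK/ca.pem" -showcerts </dev/null
}

gen_material
key_matches_cert "$WORK/client.pem" "$WORK/client.key" \
  && echo "keystore: key matches cert (alias OK)"
key_matches_cert "$WORK/client.pem" "$WORK/other.key" \
  || echo "keystore: other.key does NOT match cert (wrong alias)"
chain_verifies "$WORK/ca.pem" "$WORK/client.pem" \
  && echo "truststore: demo-ca verifies the leaf"
chain_verifies "$WORK/client.pem" "$WORK/ca.pem" \
  || echo "truststore: leaf alone cannot verify (missing anchor)"
echo "p12 written: $(make_p12 apigee-client)"
```

Run it as-is to see the four outcomes on the constructed material, then substitute your own client cert/key and the Cloudflare-side CA bundle: a failing `key_matches_cert` points at the KeyStore/KeyAlias reference, a failing `chain_verifies` at the TrustStore, and `probe_target` against the real host shows whether the server is even requesting a client certificate.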

Closing the loop -- the 3rd-party vendor misconfigured the Cloudflare endpoint: they didn't add the cert.