From 28f08fafb7447ed8bd658de85c8382c8b6989407 Mon Sep 17 00:00:00 2001 From: Michiel Appelman Date: Wed, 12 Feb 2025 14:15:12 +0100 Subject: [PATCH 1/2] [Gateway] TLS decryption does not happen with DNI Issue #13929 mentioned that TLS decryption still happens with DNI enabled, which led to #17266 to reflect that. This is incorrect: Do Not Inspect (DNI) will not cause TLS decryption, otherwise we wouldn't be able to support Certificate Pinning applications. --- .../policies/gateway/http-policies/tls-decryption.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index af6cb0f7528bb7c..9f74482100df79e 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -17,7 +17,7 @@ import { Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) in order to inspect HTTPS traffic for malware and other security risks. -When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/). Gateway will decrypt and re-encrypt traffic regardless of HTTP policy action, including [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect). +When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/). Cloudflare prevents interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/). From db44704aa1404096717ca00c99f53357d64f1368 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 12 Feb 2025 12:21:27 -0500 Subject: [PATCH 2/2] Update src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx --- .../policies/gateway/http-policies/tls-decryption.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 9f74482100df79e..1633b33ea1f45f2 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx @@ -17,7 +17,7 @@ import { Cloudflare Gateway can perform [SSL/TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) in order to inspect HTTPS traffic for malware and other security risks. -When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/). +When you turn on TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/). Cloudflare prevents interference by decrypting, inspecting, and re-encrypting HTTPS requests in its data centers in memory only. Gateway only stores eligible cache content at rest. All cache disks are encrypted at rest. You can configure where TLS decryption takes place with [Regional Services](/data-localization/regional-services/) in the [Cloudflare Data Localization Suite (DLS)](/data-localization/).