cloudflare + apigee = mutual tls issue

Anyone out there use cloudflare ? We running into issue whereby cloudflare is rejecting our mutual-tls connection. Unfortunately, this is owned by a third-party, which we do have purview. We have configured the keystore & target server (clientauth = true), always get a 401 response. We’ve integrated numerous vendors with mtls.

Scenario: client → apigee (mtls latest 4.50 opdk) → cloudflare (bad / 401 response) → Client (not reachable)

Fails with in opdk 4.50 (fresh provision) and apigee-saas (apigee.com)

Strange:

curl (with mtls options) → cloudflare = works

postman (with mtls options + p12 + password) → cloudflare = works

Options:

• enable debug in MP and record the SSL handshake. compare with curl/postman SSL context

• contact vendor to review cloudflare logs

Show your SSLInfo element, please?

If I were debugging this I would:

verify that the SSLInfo is correct and complete.

Verify that the KeyStore contains the expected key. (and show that if you can)

Verify that the Truststore contains the cert to verify the cloudflare endpoint.

Have you successfully configured 2-way TLS between Apigee and peers other than Cloudflare? (I mean: is it an issue with the Apigee+Cloudflare? Or is it an issue of Apigee mTLS to anything?)

if the curl works, I should check if all the certificates used in curl (including chain check), used in the Apigee call. Without seeing SSL conf. block like Dino asked, we cannot guess.

Most common error here that invalid or not relevant TLS reference used in SSL block.

Closing the loop – The 3rd party vendor misconfigured the cloudflare endpoint - didn’t add cert.