
šŸ›Unicode Domain tunnel doesn't work the same as a non-unicode domain tunnel.

Open robotarmy opened this issue 6 months ago • 0 comments

Describe the bug

I have a unicode domain and a set of non-unicode domains.

The unicode domain has a punycode form. The punycode domain is set in the host header of the public hostname for the tunnels; additionally, TLS verify is turned off.

The punycode domain does not function.

The host configuration inside the cloudflared logs makes reference to the punycode with a different format, "test.E5889DE<...>.net" instead of xn--<...>.net.

For my non-unicode domains I have TLS verify turned off (this must be off, or the service may be down or it may not be responding to traffic from cloudflared: "tls: failed to verify certificate: x509: cannot validate certificate for 172.17.0.200 because it doesn't contain any IP SANs"). I'm not sure why the IP SANs information isn't getting propagated.

172.17.0.200 is an HAProxy with separate front-ends and backends for 443 and 80 respectively.

Note the error appears to be the same as when I set up a CNAME "test" and point it at the root domain (which has a tunnel) and expect to process the "test" CNAME on the HAProxy side. I don't know why, but it looks like the same issue, which makes me think that this hostname should actually be a punycode hostname in the config and not the weird hexadecimal(?) looking string.

To Reproduce

Steps to reproduce the behavior:

  1. Configure cloudflared on host
  2. Access (Zero Trust access portal)
  3. set up tunnel
  4. add public hostname for a unicode domain.
  5. forward https
  6. get SSL Error (* LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure)

Expected behavior

Should work same as other standard hosts that are not unicode.

Environment and versions

  • OS: Docker/ RouterOS ARM64
  • Architecture: [e.g., ARM]
  • Version: Version 2025.4.2 (Checksum b1ac33cda3705e8bac2c627dfd95070cb6811024e7263d4a554060d3d8561b33)

Logs and errors

  • ALPN: curl offers h2,http/1.1
  • (304) (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/ssl/cert.pem
  • CApath: none
  • LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
  • Closing connection curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure

C09EE3EF01000000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:908:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 258 bytes

Verification: OK

New, (NONE), Cipher is (NONE)

Protocol: TLSv1.3

This TLS version forbids renegotiation.

robotarmy avatar May 15 '25 03:05 robotarmy
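The two hostname renderings the report contrasts, as an added example (not cloudflared's or Cloudflare's code). It assumes the "hexadecimal looking" string is the uppercase hex of the label's UTF-8 bytes and uses a constructed domain, `test.bücher.example`, in place of the reporter's; `host_header_matches` is the check an operator could run against a configured host header before blaming the origin's TLS setup.

```python
# Added example (not cloudflared code): compare the IDNA A-label form of a
# Unicode hostname (what an origin such as HAProxy expects in Host/SNI)
# with a hex rendering of the raw UTF-8 label, assumed here to be the
# "test.E5889DE<...>.net" shape seen in the cloudflared logs.

def a_label(hostname: str) -> str:
    """Return the IDNA A-label form of a hostname, e.g. 'xn--bcher-kva'.
    Python's built-in 'idna' codec applies nameprep and punycode per label."""
    return hostname.encode("idna").decode("ascii")


def utf8_hex_form(hostname: str) -> str:
    """Render every non-ASCII label as uppercase hex of its UTF-8 bytes.
    This is an assumed reconstruction of the log format, not an IDNA form."""
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append(label.encode("utf-8").hex().upper())
    return ".".join(labels)


def host_header_matches(intended_unicode_host: str, configured_header: str) -> bool:
    """True only if the configured host header is exactly the A-label form
    of the intended Unicode hostname (case-insensitive). A raw Unicode or
    hex-rendered value fails, which is the misconfiguration to look for."""
    if not configured_header.isascii():
        return False
    return a_label(intended_unicode_host).lower() == configured_header.lower()


if __name__ == "__main__":
    # Constructed sample hostname standing in for the reporter's domain.
    host = "test.bücher.example"
    print("A-label  :", a_label(host))        # test.xn--bcher-kva.example
    print("hex form :", utf8_hex_form(host))  # test.62C3BC63686572.example
    print("hex form accepted as host header?",
          host_header_matches(host, utf8_hex_form(host)))  # False
```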