The main problem with whitelisting Tor is that you open the door to abuse.
Cloudflare is working on a new solution to this problem that allows us to differentiate between abusive visitors and legitimate users without de-anonymizing them.
If you’re a Cloudflare user and want to sign up for this feature, email onion-beta@cloudflare.com for details.
This is something more people should pay attention to when implementing forward secrecy. Session resumption counteracts forward secrecy when done incorrectly.
The key server only accepts mutually authenticated TLS 1.2 connections with a strong cipher suite. We also require both certificates to be signed by CloudFlare's internal Certificate Authority.
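The policy in the paragraph above, sketched as Go `crypto/tls` configuration. This is an added example, not Cloudflare's key server code; the cipher suite allowlist and the helper names `mutualConfig` and `checkPolicy` are assumptions, since the page names no specific suite.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// strongSuites is an assumed allowlist: the page says only "a strong cipher suite".
var strongSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// checkPolicy runs as VerifyConnection on every handshake, resumed sessions included.
func checkPolicy(cs tls.ConnectionState) error {
	if cs.Version != tls.VersionTLS12 {
		return fmt.Errorf("negotiated protocol 0x%04x, want TLS 1.2 (0x0303)", cs.Version)
	}
	strong := false
	for _, id := range strongSuites {
		strong = strong || id == cs.CipherSuite
	}
	if !strong {
		return fmt.Errorf("cipher suite %s is not allowed", tls.CipherSuiteName(cs.CipherSuite))
	}
	if len(cs.VerifiedChains) == 0 {
		return errors.New("peer certificate was not verified against the internal CA")
	}
	return nil
}

// mutualConfig (hypothetical helper) serves both roles and trusts only the internal CA, never system roots.
func mutualConfig(own tls.Certificate, internalCA *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{own},
		ClientAuth:       tls.RequireAndVerifyClientCert, // server role: no client cert, no connection
		ClientCAs:        internalCA,                     // server role: who may sign client certs
		RootCAs:          internalCA,                     // client role: who may sign the key server
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		CipherSuites:     strongSuites,
		VerifyConnection: checkPolicy,
	}
}

func main() { fmt.Println(checkPolicy(tls.ConnectionState{Version: tls.VersionTLS13})) } // constructed state
```

Leaving `RootCAs` unset on the client side would fall back to the system trust store, so any publicly trusted CA could vouch for the key server; pinning both pools to the internal CA is what makes the authentication mutual in the sense described.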