Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.
How it works
Custom cipher suites is a hostname-level setting, which implies that:
When you customize cipher suites for a zone, this will affect all hostnames within that zone.
The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of certificate type (universal, advanced, or custom).
If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.
Scope
Currently, you can only customize cipher suites when using the API:
Zone (using ciphers as the setting name in the URI path)
ECDSA cipher suites are prioritized over RSA, and Cloudflare preserves the specified cipher suites in the order they are set. This means that, if both ECDSA and RSA are used, Cloudflare presents the ECDSA ciphers first - in the order they were set - and then the RSA ciphers, also in the order they were set.
Set up
Before you begin
Note that:
Cipher suites are used in combination with other SSL/TLS settings.
You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites.
Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in SSL/TLS > Edge Certificates ↗.
It is not possible to configure minimum TLS version nor cipher suites for Cloudflare Pages hostnames.
Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).
Below you will find samples covering the recommended ciphers by security level and compliance standards, but you can also refer to the full list of supported ciphers and customize your choice.
Get the Zone ID from the Overview page ↗ of the domain you want to specify cipher suites for.
Make an API call to either the Edit zone setting endpoint or the Edit TLS setting for hostname endpoint, specifying ciphers in the URL. List your array of chosen cipher suites in the value field.
modern
compatible
pci dss
fips-140-2
Make the following API call with the appropriate {zone_id}, <EMAIL>, and <API_KEY>.
If you choose to use a token, you will not need an email nor an API key. You will instead replace the X-Auth-Email and X-Auth-Key headers by --header "Authorization: Bearer <API_TOKEN>" \.
# To configure cipher suites per hostname, replace the first two lines by the following
To reset to the default cipher suites at zone level, use the Edit zone setting endpoint, specifying ciphers as the setting name in the URL, and send an empty array in the value field.
Go to Local Computer Policy > Computer Configuration > Administrative Template > Network > SSL Configuration Settings > SSL Cipher Suite Order. Set option Enabled. Edit SSL Cipher Suites in the line. Press OK to apply changes.
Select the Windows Start button. Enter netsh in Search, and select Enter. Replace the certhash value with the certificate thumbprint value without the spaces. Modify the ipport value if you want to use a port other than the default port (443).
In cryptography, a cipher is an algorithm that lays out the general principles of securing a network through TLS (the security protocol used by modern SSL certificates). A cipher suite comprises several ciphers working together, each having a different cryptographic function, such as key generation and authentication.
Do the following to specify the allowed cipher suites: Open regedit.exe and go to:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002. Edit the Functions key, and set its value to the list of Cipher Suites that you want to allow.
It's recommended to support AES-CBC and GCM cipher suites, and both 128 and 256 key variants. The order you prefer depends. It is common to set a preference in this order: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256.
Transport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities. TLS authenticates more efficiently and continues to support encrypted communication channels.
SSL/TLS stands for secure sockets layer and transport layer security. It is a protocol or communication rule that allows computer systems to talk to each other on the internet safely. SSL/TLS certificates allow web browsers to identify and establish encrypted network connections to web sites using the SSL/TLS protocol.
The cipher you're using is probably the fastest you're going to get on a modern machine using the common ciphers in TLS. There are cipher suites using a variety of symmetric cipher options: AES-GCM is the fastest on machines that support AES and carryless multiplication acceleration, like modern Intel chips.
From the Secure+ Admin Tool Main Screen, type U next to the node to update.On the Create/Update Panel, select the Cipher Suites field and press Enter to display the Update Cipher Suites panel. The list on the left side contains all available cipher suites.
Examples of PFS cipher suites include those using ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) and DHE (Diffie-Hellman Ephemeral) key exchange. Here are cipher suites examples: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Backup your ssl.conf. Connect to your server and make a copy of your ssl.conf incase you need to revert it: cp /etc/nginx/common/ssl.conf /etc/nginx/common/ssl.conf.backup.
Introduction: My name is Francesca Jacobs Ret, I am a innocent, super, beautiful, charming, lucky, gentle, clever person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
