TLS decryption
Cloudflare Gateway can perform SSL/TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a user-side certificate.
Enable TLS decryption
- In Zero Trust, go to Settings > Network.
- Turn on TLS decryption.
Limitations
Gateway does not support TLS decryption for applications which use:
- Embedded certificates
- Self-signed certificates
- Mutual TLS (mTLS) authentication
- ESNI and ECH handshake encryption
- Automatic HTTPS upgrades
Incompatible certificates
Applications that use embedded certificates and mTLS authentication do not trust the Cloudflare certificate. For example, the vast majority of mobile applications use embedded certificates. Conversely, Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA.
If you try to perform TLS decryption, these applications may not load or may return an error. You can resolve the issue by adding the Cloudflare certificate to the application (if supported by the application) or by exempting the application from TLS decryption.
To allow HTTP filtering while accessing a site with an insecure certificate, set your Untrusted certificate action to Pass through.
To bypass TLS decryption, add a Do Not Inspect HTTP policy for the application or domain. The HTTP policy builder provides a list of trusted applications that are known to use embedded certificates. When accessing a Do Not Inspect site in the browser, you will see a Your connection is not private warning, which you can proceed through to connect.
HTTPS traffic from Do Not Inspect applications will not be intercepted by Gateway or subject to your HTTP policies. You can, however, still apply network policies to these applications.
Google Chrome automatic HTTPS upgrades
Google Chrome can automatically upgrade HTTP requests to HTTPS requests, even when you select a link that explicitly declares http://. When you use Gateway to proxy and filter your traffic, this upgrade can interrupt the connection between your Zero Trust users and Gateway.
To disable automatic HTTPS upgrades in Chrome, go to Chrome flags and turn HTTPS Upgrades off. Chrome Enterprise users can turn off automatic HTTPS upgrades with a management policy.
ESNI and ECH
Websites that adhere to ESNI or ECH standards encrypt the Server Name Indicator (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection. This is because Gateway relies on the SNI to match an HTTP request to a policy.
You can still apply all network policy filters except for SNI and SNI Domain. To restrict ESNI and ECH traffic, an option is to filter out all port 80 and 443 traffic that does not include an SNI header.
FIPS compliance
By default, TLS decryption can use both TLS version 1.2 and 1.3. However, some environments such as FedRAMP may require cipher suites and TLS versions compliant with FIPS 140-2. FIPS compliance currently requires TLS version 1.2.
Enable FIPS compliance
- In Zero Trust, go to Settings > Network.
- Turn on TLS decryption.
Limitations
When FIPS compliance is enabled, Gateway will only choose FIPS-compliant cipher suites when connecting to the origin. If the origin does not support FIPS-compliant ciphers, the request will fail.
FIPS-compliant traffic defaults to HTTP/3. Gateway does not inspect HTTP/3 traffic from most browsers, including Chrome, Firefox, and Safari. To enforce your HTTP policies for this HTTP/3 traffic, you must disable QUIC in your users’ browsers.
Cipher suites
A cipher suite is a set of encryption algorithms for establishing a secure communications connection. There are several cipher suites in wide use, and a client and server agree on the cipher suite to use when establishing the TLS connection. Support of multiple cipher suites allows compatibility across various clients.
The following table lists the default cipher suites Gateway uses for TLS decryption.
| Name (OpenSSL) | Name (IANA) | FIPS-compliant |
|---|---|---|
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ✅ |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ✅ |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ✅ |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ✅ |
| ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ❌ |
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ✅ |
| AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | ✅ |
| AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 | ✅ |
| AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA | ❌ |
| AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA | ❌ |
For more information on cipher suites, refer to Cipher suites.