Cloudflare Gateway can perform TLS decryption in order to inspect HTTPS traffic for malware and other security risks. When you enable TLS decryption, Gateway decrypts all traffic sent over HTTPS, applies your HTTP policies, and then re-encrypts the request with the Cloudflare certificate.
Enable TLS decryption
Gateway does not support TLS decryption for applications which use embedded certificates, mTLS authentication, or self-signed certificates.
Applications that use embedded certificates and mTLS authentication do not trust the Cloudflare certificate. For example, the vast majority of mobile applications use embedded certificates. Conversely, Cloudflare does not trust applications that use self-signed certificates instead of certificates signed by a public CA.
If you try to perform TLS decryption, these applications may not load or may return an error. You can resolve the issue by configuring the application to trust the Cloudflare certificate (if the application supports this) or by exempting the application from TLS decryption.
To bypass TLS decryption, add a Do Not Inspect HTTP policy for the application or domain. The HTTP policy builder provides a list of applications that are known to use embedded certificates. When you access a Do Not Inspect site in the browser, you will see a "Your connection is not private" warning, which you can proceed through to connect.
ESNI and ECH
Websites that adhere to ESNI or ECH encrypt the Server Name Indication (SNI) during the TLS handshake and are therefore incompatible with HTTP inspection, because Gateway relies on the SNI to match an HTTP request to a policy.
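To make the SNI dependency concrete, here is an added example (not Cloudflare code) that builds minimal ClientHello records, extracts the SNI the way an inspecting proxy must, and shows what an ECH- or ESNI-bearing hello leaves visible. The `DO_NOT_INSPECT` set, the placeholder cipher suite and extension bodies, and the host names are constructed test data; the extension codepoints 0xfe0d (ECH draft) and 0xffce (ESNI draft) are the values used by those drafts. For an ECH hello only the outer "public name" is readable, so an SNI-based policy would be matched against the wrong name, which is why the classifier flags it instead of treating it as a normal match.

```python
import struct

# TLS extension type numbers: server_name is IANA-assigned; the other two are
# the draft codepoints used by ECH (0xfe0d) and the earlier ESNI design (0xffce).
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE
ENCRYPTED_NAME_EXTENSIONS = {EXT_ENCRYPTED_CLIENT_HELLO, EXT_ENCRYPTED_SERVER_NAME}

# Constructed stand-in for a Do Not Inspect list (hypothetical host name).
DO_NOT_INSPECT = {"pinned.example"}


def _extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, extra_extensions=()):
    """Build a minimal ClientHello record (constructed test input).

    Only the fields the parser reads are meaningful; the random value, the
    single cipher suite and any extra extension bodies are placeholders."""
    name = sni.encode("ascii")
    # ServerNameList: list length, name_type host_name (0), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = _extension(EXT_SERVER_NAME, sni_body)
    for ext_type, body in extra_extensions:
        extensions += _extension(ext_type, body)
    body = (
        b"\x03\x03"                              # client_version
        + b"\x00" * 32                           # random (placeholder)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (placeholder)
        + b"\x01\x00"                            # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str or None, 'extensions': [type, ...]} for a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    result = {"sni": None, "extensions": []}
    if pos == len(body):                           # no extensions block at all
        return result
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if len(data) != length or pos > end:
            raise ValueError("malformed extension")
        result["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME and length >= 5:
            _, name_type, name_len = struct.unpack("!HBH", data[:5])
            if name_type == 0:                     # host_name
                result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
    return result


def classify(record):
    """Decide how an SNI-based inspection policy can treat this ClientHello."""
    info = parse_client_hello(record)
    if ENCRYPTED_NAME_EXTENSIONS & set(info["extensions"]):
        # Real server name is encrypted; the visible SNI is only the outer public name.
        return "ech-or-esni", info["sni"]
    if info["sni"] is None:
        return "no-sni", None
    if info["sni"] in DO_NOT_INSPECT:
        return "do-not-inspect", info["sni"]
    return "inspect", info["sni"]


if __name__ == "__main__":
    for hello in (build_client_hello("www.example.com"),
                  build_client_hello("pinned.example"),
                  build_client_hello("public.example",
                                     [(EXT_ENCRYPTED_CLIENT_HELLO, b"\x00" * 8)])):
        print(classify(hello))
```

The "ech-or-esni" outcome is the case the paragraph describes: the proxy can still see a name, but it is the cover name from the DNS-published ECH configuration, not the site the user is connecting to, so policy matching on it is unreliable.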
By default, TLS decryption can use both TLS versions 1.2 and 1.3. However, some environments such as FedRAMP may require cipher suites and TLS versions compliant with FIPS 140-2. FIPS compliance currently requires TLS version 1.2.
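As an added example of what "restricted to TLS 1.2 with FIPS-compatible suites" means on the client side (this is not Cloudflare code and the suite list is not the table from this page), the block below contrasts Python's default `ssl` context, which permits TLS 1.3 and a broad cipher list, with a context pinned to TLS 1.2 and a small set of ECDHE AES-GCM suites. The `FIPS_TLS12_CIPHERS` string is an assumed, illustrative selection of suites built only from FIPS 140-2 approved primitives (AES-GCM, SHA-2, ECDHE), and `check_fips_profile` is a hypothetical audit helper.

```python
import ssl

# Assumption: an illustrative set of TLS 1.2 suites built from FIPS 140-2 approved
# primitives, written as OpenSSL cipher names. Not the cipher-suite table from
# the Cloudflare documentation; substitute the suites your environment mandates.
FIPS_TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256"
)


def default_context():
    """The library default: TLS 1.3 allowed, broad cipher list (not FIPS-restricted)."""
    return ssl.create_default_context()


def fips_context():
    """Context pinned to TLS 1.2 and the illustrative AES-GCM suite list."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FIPS_TLS12_CIPHERS)
    return ctx


def tls12_cipher_names(ctx):
    """Sorted names of the TLS 1.2 suites the context will offer."""
    return sorted({c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"})


def check_fips_profile(ctx):
    """Return (ok, problems) for a context against the TLS 1.2 + ECDHE AES-GCM profile.

    Hypothetical audit helper: flags a version range that is not pinned to 1.2
    and any enabled TLS 1.2 suite outside the ECDHE AES-GCM family."""
    problems = []
    if (ctx.minimum_version != ssl.TLSVersion.TLSv1_2
            or ctx.maximum_version != ssl.TLSVersion.TLSv1_2):
        problems.append("TLS version range is not pinned to 1.2")
    for name in tls12_cipher_names(ctx):
        if not name.startswith("ECDHE-") or "GCM" not in name:
            problems.append(f"non-profile cipher suite enabled: {name}")
    return (not problems, problems)


if __name__ == "__main__":
    for label, ctx in (("default", default_context()), ("fips", fips_context())):
        ok, problems = check_fips_profile(ctx)
        print(label, "ok" if ok else problems)
```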
FIPS-compliant traffic defaults to HTTP/3. Gateway does not inspect HTTP/3 traffic from most browsers, including Chrome, Firefox, and Safari. To enforce your HTTP policies for this HTTP/3 traffic, you must disable HTTP/3 (QUIC) in your users' browsers.
The following table lists the cipher suites Gateway uses for TLS decryption.