Cipher suites

Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake (and therefore separate from the SSL/TLS protocol).


This section covers cipher suites used in connections between clients -- such as your visitor's browser -- and the Cloudflare network. For information about cipher suites used between Cloudflare and your origin server, refer to Origin server > Cipher suites.

Cipher suites and edge certificates

While the cipher suites used by default for all Cloudflare domains/zones are meant to balance security and compatibility, some of them might be considered weak by third-party testing tools, such as the Qualys SSL Labs test.

If the default option (Legacy) does not meet your business requirements, you can purchase the Advanced Certificate Manager add-on to specify more secure cipher suites.

Custom cipher suites is a hostname-level setting. Once specified, the configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of certificate type (universal, advanced, or custom).

Although configured independently, cipher suites interact with other SSL/TLS settings.

Minimum TLS Version

You can specify a minimum TLS version that is required for a client to connect to your website or application.

For example, if TLS 1.1 is selected as the minimum, visitors attempting to connect using TLS 1.0 will be rejected while visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed.

Each cipher suite relates to a specific minimum protocol that it supports. This means that if you use a higher security level for your cipher suites and stop supporting TLS 1.0, you should also adjust your minimum TLS version accordingly.

Compliance standards can also require you to raise the minimum TLS version accepted in connections to your website or application.

TLS 1.3

You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites. In combination with this, you can still disable weak cipher suites for TLS 1.0-1.2.

Cloudflare may return the following names for TLS 1.3 cipher suites. This is how they map to RFC 8446 names:

| Cloudflare | RFC 8446 |
| --- | --- |
| AEAD-AES128-GCM-SHA256 | TLS_AES_128_GCM_SHA256 |
| AEAD-AES256-GCM-SHA384 | TLS_AES_256_GCM_SHA384 |
| AEAD-CHACHA20-POLY1305-SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
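The following is an added example, not Cloudflare code: it normalizes the TLS 1.3 names above to their RFC 8446 form and reports which observed connections a given Minimum TLS Version would reject, which is a useful check before raising the minimum. The record layout, the `protocol` and `cipher` field names, and the protocol strings are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Cloudflare name -> RFC 8446 name, taken from the mapping table on this page.
CF_TO_RFC8446 = {
    "AEAD-AES128-GCM-SHA256": "TLS_AES_128_GCM_SHA256",
    "AEAD-AES256-GCM-SHA384": "TLS_AES_256_GCM_SHA384",
    "AEAD-CHACHA20-POLY1305-SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}

# Protocol strings are an assumed format; the rank gives the ordering.
TLS_RANK = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# Constructed sample records (hypothetical field names, not real log data).
SAMPLE = [
    {"protocol": "TLSv1.3", "cipher": "AEAD-AES128-GCM-SHA256"},
    {"protocol": "TLSv1.3", "cipher": "AEAD-CHACHA20-POLY1305-SHA256"},
    {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"protocol": "TLSv1.1", "cipher": "ECDHE-RSA-AES128-SHA"},
    {"protocol": "TLSv1", "cipher": "ECDHE-RSA-AES128-SHA"},
]


def normalize_cipher(protocol, cipher):
    """Map TLS 1.3 names to RFC 8446; leave TLS 1.0-1.2 names unchanged."""
    if protocol == "TLSv1.3":
        # Unknown names pass through so that nothing is silently dropped.
        return CF_TO_RFC8446.get(cipher, cipher)
    return cipher


def impact_of_minimum(records, minimum):
    """Split observed (protocol, cipher) pairs into allowed and rejected
    counts for a proposed minimum TLS version."""
    floor = TLS_RANK[minimum]
    allowed, rejected = Counter(), Counter()
    for rec in records:
        proto = rec["protocol"]
        if proto not in TLS_RANK:
            raise ValueError(f"unrecognized protocol string: {proto!r}")
        key = (proto, normalize_cipher(proto, rec["cipher"]))
        bucket = allowed if TLS_RANK[proto] >= floor else rejected
        bucket[key] += 1
    return allowed, rejected


if __name__ == "__main__":
    for minimum in ("TLSv1.1", "TLSv1.2"):
        ok, bad = impact_of_minimum(SAMPLE, minimum)
        print(minimum, "allowed:", sum(ok.values()), "rejected:", dict(bad))
```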

Limitations

It is not possible to configure cipher suites for Cloudflare Pages hostnames.