Cloudflare Docs

Customize cipher suites

With an Advanced Certificate Manager subscription, you can restrict connections between Cloudflare and clients — such as your visitor's browser — to specific cipher suites.

You may want to do this to follow specific recommendations, to disable weak cipher suites, or to comply with industry standards.

Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.

How it works

Custom cipher suite configuration is a hostname-level setting, which implies that:

  • When you customize cipher suites for a zone, this will affect all hostnames within that zone. If you are not familiar with what a Cloudflare zone is, refer to Fundamentals.
  • The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of the certificate type (universal, advanced, or custom).
  • If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.

Scope

Currently, you have the following options:

Cloudflare for SaaS

If you are a SaaS provider looking to restrict cipher suites for connections to your custom hostnames, refer to TLS settings - Cloudflare for SaaS.

To restrict cipher suites for connections to your own zone, continue with this guide. In this case, you must also have purchased Advanced Certificate Manager.

Settings priority and ciphers order

Cloudflare uses the hostname priority logic to determine which setting to apply.

ECDSA cipher suites are prioritized over RSA, and Cloudflare preserves the specified cipher suites in the order they are set. This means that, if both ECDSA and RSA suites are configured, Cloudflare presents the ECDSA ciphers first, in the order they were set, and then the RSA ciphers, also in the order they were set.
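The following is an added example, not Cloudflare's code or API, that models the ordering rule just described so you can predict the list Cloudflare will present for a given configuration before you apply it. It assumes OpenSSL-style suite names (the `ECDHE-ECDSA-`, `ECDHE-RSA-` and plain `AES…`/`DES-CBC3-SHA` forms) and classifies a suite as ECDSA-authenticated if its name contains `ECDSA` and as RSA-authenticated otherwise; the sample configuration is constructed for illustration. The `check_config` helper is also an assumption of this example: it flags duplicates and warns when a configured order interleaves ECDSA and RSA suites, since that interleaving will not survive the regrouping.

```python
"""Added example (not Cloudflare's code): predict the presented cipher order.

Rule modelled, from the page: the configured order is preserved, except that
ECDSA-authenticated suites are presented before RSA-authenticated ones.
Assumption: OpenSSL-style names; "ECDSA" in the name means ECDSA auth,
every other TLS 1.2 suite name here authenticates with RSA.
"""
from typing import Iterable, List


def auth_family(suite: str) -> str:
    """Return "ECDSA" or "RSA" for an OpenSSL-style TLS 1.2 suite name."""
    return "ECDSA" if "ECDSA" in suite.upper() else "RSA"


def presented_order(configured: Iterable[str]) -> List[str]:
    """Stable partition: ECDSA suites first, then RSA, each in configured order."""
    configured = list(configured)
    ecdsa = [s for s in configured if auth_family(s) == "ECDSA"]
    rsa = [s for s in configured if auth_family(s) == "RSA"]
    return ecdsa + rsa


def check_config(configured: Iterable[str]) -> List[str]:
    """Return human-readable warnings about a proposed cipher list.

    - duplicate entries (a configuration mistake);
    - an order that interleaves ECDSA and RSA suites, which Cloudflare will
      regroup, so the list you wrote is not the list clients will see.
    """
    configured = list(configured)
    warnings: List[str] = []

    seen = set()
    for suite in configured:
        if suite in seen:
            warnings.append(f"duplicate suite: {suite}")
        seen.add(suite)

    if presented_order(configured) != configured:
        warnings.append(
            "configured order interleaves ECDSA and RSA suites; "
            "Cloudflare will present all ECDSA suites before any RSA suite"
        )
    return warnings


# Constructed sample: an administrator lists the suites in a mixed order.
SAMPLE_CONFIG = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "AES128-GCM-SHA256",  # RSA key exchange, RSA authentication
]


if __name__ == "__main__":
    for w in check_config(SAMPLE_CONFIG):
        print("warning:", w)
    print("presented order:")
    for i, suite in enumerate(presented_order(SAMPLE_CONFIG), 1):
        print(f"  {i}. {suite} ({auth_family(suite)})")
```

Run it with a candidate list before you submit the configuration; if `check_config` warns about interleaving, reorder the list so ECDSA suites come first and the stored configuration matches what clients will actually be offered.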