TLS 1.3
TLS 1.3 enables the latest version of the TLS protocol (when supported) for improved security and performance.
TLS 1.3 is the newest, fastest, and most secure version of the TLS protocol. SSL/TLS is the protocol that encrypts communication between users and your website. When web traffic is encrypted with TLS, users will see the green padlock in their browser window.
By turning on the TLS 1.3 feature, traffic to and from your website will be served over the TLS 1.3 protocol when supported by clients. TLS 1.3 protocol has improved latency over older versions, has several new features, and is currently supported in both Chrome (starting with release 66), Firefox (starting with release 60), and in development for Safari and Edge browsers.
Free | Pro | Business | Enterprise | |
---|---|---|---|---|
Availability | Yes | Yes | Yes | Yes |
TLS 1.3 requires a two-step activation: in the Cloudflare dashboard and in the browser.
To enable TLS 1.3 in the dashboard:
- Log in to your Cloudflare account ↗ and go to a specific domain.
- Go to SSL/TLS > Edge Certificates.
- For TLS 1.3, switch the toggle to On.
To adjust your TLS 1.3 settings with the API, send a PATCH
request with tls_1_3
as the setting name in the URI path, and set the value
parameter to your desired setting ("on"
or "off"
).
Chrome
- In the address bar, enter
chrome://flags
and press Enter. - Scroll to locate the TLS 1.3 Early Data entry, and set it to Enabled. A message saying that the change will take effect the next time you relaunch Chrome will appear.
- Select RELAUNCH NOW to restart Chrome.
After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:
- Open Chrome Developer Tools.
- Select the Security tab.
- Reload the page (Command-R in macOS, Ctrl-R in Windows).
- Select the site under Main origin.
- Under Connection, confirm that the protocol is TLS 1.3.
Firefox
- In the address bar, enter
about:config
and select to accept the warranty warning. - Search for
security.tls.version.max
and change the value from3
(the default) to4
.
After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:
- Select the lock icon in the address bar.
- Select Connection secure > More information.
- Under Technical Details, verify that the TLS version is TLS 1.3.
Since TLS 1.3 implementations are relatively new, some failures may occur. If you experience errors, submit a Cloudflare Support ticket with the following information:
- Steps to replicate the issue (if possible)
- Client build version
- Client diagnostic information
- Packet captures
Chrome users should submit a net-internals trace ↗ to Google. Firefox users should report bugs to Mozilla ↗.
You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites. In combination with this, you can still disable weak cipher suites for TLS 1.0-1.2.