Cloudflare Docs
SSL/TLS
Cloudflare Docs
SSL/TLS
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. SSL/TLS
  3. Edge certificates
  4. Disable weak cipher suites

Disable weak cipher suites

Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake (and therefore separate from the SSL/TLS protocol).

Refer to the sections below to understand how cipher suites work with the different Cloudflare edge certificates. For more details and reference content, refer to Cipher suites.

​​ Cipher suites and edge certificates

While the default cipher suites provided with Universal SSL certificates are meant for a balance of security and compatibility, some of them might be considered weak by third-party testing tools, such as the Qualys SSL Labs test.

If the Universal SSL offering does not meet your business requirements, you can use Cloudflare Advanced Certificate Manager to restrict the cipher suites used in connections between Cloudflare and your visitor’s browser.

After you subscribed to Advance Certificate Manager for your domain, you can  restrict Cipher Suites at the Zone-level requests via the API.

​​ Setup

Assuming this is just a one-time change, you can trigger the API call using curl.

  1. Get/view Global API Key (or create Token) from:  https://dash.cloudflare.com/profile/api-tokens
  2. Get Zone ID from the bottom right of Overview page for your domain in Cloudflare Dashboard.
  3. Decide which cipher suites you would like to allow from the list.

Here is an example value (list of cipher suites) which you can use to replace <cipher_suites> in the commands below:

["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"]

Run the command to make the API call with the appropriate <zone_id>, <auth_email>, <auth_key>, and <cipher_suites>:

curl -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/ciphers" \
  -H "X-Auth-Email: <auth_email>" \
  -H "X-Auth-Key: <auth_key>" \
  -H "Content-Type: application/json" \
  --data '{"value": <cipher_suites>}'

If you choose to use a token, you will not need <auth_email> nor <auth_key>. You would instead need <api_token> and the command will look like this:

curl -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/ciphers" \
  -H "Authorization: Bearer <api_token>" \
  -H "Content-Type: application/json" \
  --data '{"value": <cipher_suites>}'

To revert to the default cipher suites, you can send an empty array as the value, as in the following example.

  --data '{"value": []}'

Refer to Managing API Tokens and Keys to learn more about API tokens and keys.

​​ Additional Resources