Troubleshooting

If you encounter issues with edge certificate cipher suites, refer to the following scenarios.

Compatibility with Minimum TLS Version

When you adjust the setting used for your domain's Minimum TLS Version, your domain only allows HTTPS connections using that TLS protocol version. As explained in About cipher suites, although configured independently, cipher suites and TLS versions are closely related.

Minimum TLS Version can cause issues if you are not supporting TLS 1.2 ciphers on your domain. If you experience issues, review your domain's Minimum TLS Version setting and Cloudflare's supported ciphers list.

Testing Minimum TLS version with curl

To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.

For example, to test TLS 1.1, use the curl command below. Replace www.example.com with your Cloudflare domain and hostname.

curl https://www.example.com -svo /dev/null --tls-max 1.1

If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and returns an error:

* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert

Note

Local VPN or a device security client may prevent insecure connections using legacy protocols like TLS 1.0. Make sure to disable such network or security client before running the test on your device.

Compatibility with certificate encryption

If you upload a custom certificate, make sure the certificate is compatible with the chosen cipher suites for your zone or hostname.

For example, if you upload an RSA certificate, your cipher suite selection cannot only support ECDSA certificates.

Compatibility with Cloudflare Pages

It is not possible to configure minimum TLS version nor cipher suites for Cloudflare Pages hostnames.

API requirements for custom hostname certificate

When using the Edit Custom Hostname endpoint, make sure to include type and method within the ssl object, as well as the settings specifications.

Including the settings only will result in the error message The SSL attribute is invalid. Please refer to the API documentation, check your input and try again.

TLS 1.3 settings

You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites. In combination with this, you can still disable weak cipher suites for TLS 1.0-1.2.

SSL Labs weak ciphers report

If you try to disable all of the WEAK cipher suites according to what is listed on a Qualys SSL Labs ↗ report, you might notice that the naming conventions are not the same.

This is because SSL Labs follows RFC cipher naming convention while Cloudflare follows OpenSSL cipher naming convention. The cipher suite names list in the OpenSSL documentation ↗ may help you map the names.

Warnings related to CVE-2019-1559

Even though applications on Cloudflare are not vulnerable to CVE-2019-1559, some security scanners may flag your application erroneously.

To remove these warnings, refer to Customize cipher suites and exclude the following ciphers:

• ECDHE-ECDSA-AES256-SHA384
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES256-SHA384