Cipher suites - Troubleshooting
If you encounter issues with edge certificate cipher suites, refer to the following scenarios.
Compatibility with Minimum TLS Version
When you adjust the setting used for your domain’s Minimum TLS Version, your domain only allows HTTPS connections using that TLS protocol version.
This setting can cause issues if you are not supporting TLS 1.2 ciphers on your domain. If you experience issues, review your domain’s Minimum TLS Version setting and Cloudflare’s supported ciphers list.
Compatibility with certificate encryption
If you upload a custom certificate, make sure the certificate is compatible with the chosen cipher suites for your zone or hostname.
For example, if you upload an RSA certificate, your cipher suite selection cannot only support ECDSA certificates.
API requirements for custom hostname certificate
When using the Edit Custom Hostname endpoint, make sure to include
method within the
ssl object, as well as the
settings only will result in the error message
The SSL attribute is invalid. Please refer to the API documentation, check your input and try again.
TLS 1.3 settings
You cannot set specific TLS 1.3 ciphers.
Instead, you will need to enable TLS 1.3 for your entire domain and Cloudflare will use all applicable TLS 1.3 cipher suites.
In combination with this, you can still restrict specific ciphers for TLS 1.0-1.2.
SSL Labs weak ciphers report
If you try to disable all of the
WEAK cipher suites according to what is listed on a
Qualys SSL Labs report, you might notice that the naming conventions are not the same.
This is because SSL Labs follows RFC cipher naming convention while Cloudflare follows OpenSSL cipher naming convention. The cipher suite names list in the OpenSSL documentation may help you map the names.
Even though applications on Cloudflare are not vulnerable to CVE-2019-1559, some security scanners may flag your application erroneously.
To remove these warnings, refer to Customize cipher suites and exclude the following ciphers: