Cipher suites
Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake ↗ (and therefore separate from the SSL/TLS protocol).
This section covers cipher suites used in connections between clients — such as your visitor's browser — and the Cloudflare network. For information about cipher suites used between Cloudflare and your origin server, refer to Origin server > Cipher suites.
While the cipher suites used by default for all Cloudflare domains/zones are meant to balance security and compatibility, some of them might be considered weak by third-party testing tools, such as the Qualys SSL Labs test.
If the default option (Legacy) does not meet your business requirements, you can purchase the Advanced Certificate Manager add-on ↗ to be able to specify more secure cipher suites.
Custom cipher suites is a hostname-level setting. Once specified, the configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of certificate type (universal, advanced, or custom).
Although configured independently, cipher suites interact with other SSL/TLS settings.
You can specify a minimum TLS version that is required for a client to connect to your website or application.
For example, if TLS 1.1 is selected as the minimum, visitors attempting to connect using TLS 1.0 will be rejected while visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed.
Each cipher suite relates to a specific minimum protocol that it supports. This means that if you use a higher security level for your cipher suites and stop supporting TLS 1.0, you should also adjust your minimum TLS version accordingly.
Compliance standards can also require you to up the minimum TLS version accepted in connections to your website or application.
You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites. In combination with this, you can still disable weak cipher suites for TLS 1.0-1.2.
Cloudflare may return the following names for TLS 1.3 cipher suites. This is how they map to RFC 8446 ↗ names:
| Cloudflare | RFC 8446 |
|---|---|
AEAD-AES128-GCM-SHA256 | TLS_AES_128_GCM_SHA256 |
AEAD-AES256-GCM-SHA384 | TLS_AES_256_GCM_SHA384 |
AEAD-CHACHA20-POLY1305-SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
- Customize cipher suites
- Security levels
- Compliance standards
- Supported cipher suites
- Troubleshooting
It is not possible to configure cipher suites for Cloudflare Pages hostnames.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
