Cipher suites

Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake ↗ (and therefore separate from the SSL/TLS protocol).

This section covers cipher suites used in connections between clients — such as your visitor’s browser — and the Cloudflare network. For information about cipher suites used between Cloudflare and your origin server, refer to Origin server > Cipher suites.

Note

Cloudflare maintains a public repository of our SSL/TLS configurations ↗ on GitHub, where you can find changes in the commit history.

RC4 cipher suites ↗ or SSLv3 ↗ are no longer supported.

Cipher suites and edge certificates

While the cipher suites used by default for all Cloudflare domains/zones are meant to balance security and compatibility, some of them might be considered weak by third-party testing tools, such as the Qualys SSL Labs test.

If the default option (Legacy) does not meet your business requirements, you can purchase the Advanced Certificate Manager add-on ↗ to be able to specify more secure cipher suites.

Custom cipher suites is a hostname-level setting. Once specified, the configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of certificate type (universal, advanced, or custom).

Related SSL/TLS settings

Although configured independently, cipher suites interact with other SSL/TLS settings.

Minimum TLS Version

You can specify a minimum TLS version that is required for a client to connect to your website or application.

For example, if TLS 1.1 is selected as the minimum, visitors attempting to connect using TLS 1.0 will be rejected while visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed.

Each cipher suite relates to a specific minimum protocol that it supports. This means that if you use a higher security level for your cipher suites and stop supporting TLS 1.0, you should also adjust your minimum TLS version accordingly.

Compliance standards can also require you to up the minimum TLS version accepted in connections to your website or application.

TLS 1.3

You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites.

In combination with this, you can still disable weak cipher suites for TLS 1.0-1.2.

Resources

• Customize cipher suites
• Recommendations
• Compliance standards
• Supported cipher suites
• Troubleshooting

Limitations

It is not possible to configure cipher suites for Cloudflare Pages hostnames.