
Cipher suites - Troubleshooting

If you encounter issues with edge certificate cipher suites, refer to the following scenarios.

Compatibility with Minimum TLS Version

When you adjust the setting used for your domain’s Minimum TLS Version, your domain only allows HTTPS connections using that TLS protocol version.

This setting can cause issues if you are not supporting TLS 1.2 ciphers on your domain. If you experience issues, review your domain’s Minimum TLS Version setting and Cloudflare’s supported ciphers list.

Compatibility with certificate encryption

If you upload a custom certificate, make sure the certificate is compatible with the chosen cipher suites for your zone or hostname.

For example, if you upload an RSA certificate, your cipher suite selection cannot support only ECDSA certificates.

API requirements for custom hostname certificate

When using the Edit Custom Hostname endpoint, make sure to include type and method within the ssl object, as well as the settings specifications.

Including only the settings will result in the error message "The SSL attribute is invalid. Please refer to the API documentation, check your input and try again."

TLS 1.3 settings

You cannot set specific TLS 1.3 ciphers.

Instead, you will need to enable TLS 1.3 for your entire domain and Cloudflare will use all applicable TLS 1.3 cipher suites.

In combination with this, you can still restrict specific ciphers for TLS 1.0-1.2.

SSL Labs weak ciphers report

If you try to disable all of the WEAK cipher suites according to what is listed on a Qualys SSL Labs report, you might notice that the naming conventions are not the same.

This is because SSL Labs follows the RFC cipher naming convention while Cloudflare follows the OpenSSL cipher naming convention. The cipher suite names list in the OpenSSL documentation may help you map the names.

Even though applications on Cloudflare are not vulnerable to CVE-2019-1559, some security scanners may flag your application erroneously.

To remove these warnings, refer to Customize cipher suites and exclude the following ciphers:

  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
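
The name mapping and the certificate compatibility check described above can be scripted. The following is an added example, not Cloudflare's own code: it converts RFC-style names to OpenSSL-style names, removes the flagged suites from an allowlist, and refuses a result that no longer matches the uploaded certificate type. The function names and the sample lists are constructed for illustration, and the converter covers only RSA and ECDHE key exchange with AES, ChaCha20 and 3DES.

```python
import re

# OpenSSL prints no key-exchange prefix for plain RSA key exchange.
KX_AUTH = {"RSA": "", "ECDHE_RSA": "ECDHE-RSA-", "ECDHE_ECDSA": "ECDHE-ECDSA-"}
AES = re.compile(r"AES_(128|256)_(CBC|GCM)_(SHA(?:256|384)?)")

# Constructed sample data: WEAK suites as a scanner lists them (RFC names)
# and a zone allowlist in OpenSSL names.
WEAK_RFC = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]
ALLOWLIST = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
]


def rfc_to_openssl(rfc_name):
    """Convert an RFC name of a TLS 1.0-1.2 suite to its OpenSSL name."""
    if not rfc_name.startswith("TLS_") or "_WITH_" not in rfc_name:
        # TLS 1.3 names have no _WITH_ part; they are not set individually.
        raise ValueError(f"not a TLS 1.0-1.2 suite name: {rfc_name}")
    kx_auth, cipher = rfc_name[4:].split("_WITH_", 1)
    if kx_auth not in KX_AUTH:
        raise ValueError(f"unsupported key exchange in {rfc_name}")
    if cipher == "3DES_EDE_CBC_SHA":
        return KX_AUTH[kx_auth] + "DES-CBC3-SHA"
    if cipher == "CHACHA20_POLY1305_SHA256":
        return KX_AUTH[kx_auth] + "CHACHA20-POLY1305"  # hash is dropped
    m = AES.fullmatch(cipher)
    if not m:
        raise ValueError(f"unsupported cipher in {rfc_name}")
    bits, mode, mac = m.groups()
    gcm = "-GCM" if mode == "GCM" else ""  # CBC is implicit in OpenSSL names
    return f"{KX_AUTH[kx_auth]}AES{bits}{gcm}-{mac}"


def prune(allowlist, weak_rfc_names, cert_type):
    """Drop flagged suites; refuse a result the certificate cannot serve."""
    weak = {rfc_to_openssl(name) for name in weak_rfc_names}
    kept = [c for c in allowlist if c not in weak]
    # ECDHE-ECDSA-* suites need an ECDSA certificate, all others an RSA one.
    usable = [c for c in kept if c.startswith("ECDHE-ECDSA-") == (cert_type == "ECDSA")]
    if not usable:
        raise ValueError(f"no remaining suite works with a {cert_type} certificate")
    return kept
```

Calling prune(ALLOWLIST, WEAK_RFC, "RSA") returns the two GCM suites, which is the list to submit when customizing cipher suites.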