Disabling Weak Cipher Suites
Problem
Some cipher suites offered by your Cloudflare zone are flagged as weak by third-party testing tools.
Root Cause
A cipher suite is a named combination of algorithms (key exchange, authentication, bulk encryption and integrity) that client and server negotiate during the SSL/TLS handshake. Which suites a zone offers is a setting of its own and is not determined by the minimum TLS version.
The default cipher suites provided with Universal SSL certificates are chosen for a balance of security and compatibility, so that older clients can still connect. Some of them are therefore rated weak by third-party testing tools such as SSL Labs's SSL Server Test. You can find the list of Cloudflare-supported Cipher Suites
Solution
If Universal SSL does not meet your business requirements, we recommend Advanced Certificate Manager. For example, Advanced Certificate Manager lets you cover more than one level of subdomain, remove Cloudflare branding from the certificate, or choose a shorter certificate validity period.
Advanced Certificate Manager also lets you restrict the cipher suites used for TLS. After you have subscribed to Advanced Certificate Manager for your domain, you can restrict cipher suites at the zone level via the API. Currently, restricting cipher suites can only be done via the API and is not available in the Cloudflare Dashboard. Before you restrict the list, confirm that the clients you need to support can negotiate at least one of the suites you keep; a list that is too narrow turns a scanner warning into a connection failure. Assuming this is a one-time change, you can trigger the API call with curl. Step-by-step guide:
- Get or view your Global API Key (or create an API Token, which is preferable because its permissions can be limited to the zone and to SSL settings) from: https://dash.cloudflare.com/profile/api-tokens
- Get the Zone ID from the bottom right of the Overview page for your domain in the Cloudflare Dashboard.
- Decide which cipher suites you would like to allow from the supported list.
Here is an example value (a JSON array of cipher suite names, all of them forward-secret ECDHE suites with AEAD encryption) which you can use to replace <cipher_suites> in the commands below:
["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"]
Run the following command to make the API call, filling in the appropriate <zone_id>, <auth_email>, <auth_key>, and <cipher_suites>:
curl -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/ciphers" \
  -H "X-Auth-Email: <auth_email>" \
  -H "X-Auth-Key: <auth_key>" \
  -H "Content-Type: application/json" \
  --data '{"value": <cipher_suites>}'
If you choose to use a token, you do not need <auth_email> or <auth_key>. You instead need <api_token>, and the command looks like this:
curl -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/ciphers" \
  -H "Authorization: Bearer <api_token>" \
  -H "Content-Type: application/json" \
  --data '{"value": <cipher_suites>}'
To revert to the default cipher suites, send an empty array as the value, like:
--data '{"value": []}'
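The procedure above as one small shell script, written here as an added example rather than taken from the article or from Cloudflare. It builds the JSON body from a list of suite names, refuses any name that is not one of the forward-secret AEAD suites in the example list (so a typo or a weak suite never reaches the API), sends the PATCH with the Bearer-token form of the command, and reads the setting back so the change can be confirmed before re-running an external scanner. The environment variable names CF_API_TOKEN and CF_ZONE_ID are this script's own convention; the function names are likewise assumptions.

```shell
#!/bin/sh
# Added example for restricting Cloudflare cipher suites; not the article's
# own code. Assumes CF_API_TOKEN (an API token) and CF_ZONE_ID (the zone ID)
# are exported in the environment; both variable names are this script's
# convention, not Cloudflare's.

# Allowlist: the six forward-secret ECDHE/AEAD suites from the article's
# example value. Anything not on this list is rejected.
cf_allowed_suites='ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305'

# Build the JSON body for the PATCH from the suite names given as arguments.
# With no arguments the body is {"value":[]}, which restores the defaults.
# Returns 1 (and prints nothing on stdout) if any name is not allowlisted.
cf_ciphers_payload() {
    cf_body='{"value":['
    cf_sep=''
    for cf_suite in "$@"; do
        case " $cf_allowed_suites " in
            *" $cf_suite "*) ;;
            *)
                printf 'refusing suite not on the allowlist: %s\n' "$cf_suite" >&2
                return 1 ;;
        esac
        cf_body="$cf_body$cf_sep\"$cf_suite\""
        cf_sep=','
    done
    printf '%s]}' "$cf_body"
}

# Apply the list to the zone (the Bearer-token form of the curl call).
cf_ciphers_set() {
    cf_data=$(cf_ciphers_payload "$@") || return 1
    curl -sS -X PATCH \
        "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/ciphers" \
        -H "Authorization: Bearer ${CF_API_TOKEN}" \
        -H "Content-Type: application/json" \
        --data "$cf_data"
}

# Read the current setting back from the same endpoint to confirm the change.
cf_ciphers_get() {
    curl -sS \
        "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/ciphers" \
        -H "Authorization: Bearer ${CF_API_TOKEN}"
}

# Usage (only runs when invoked as a script with --apply):
#   ./cf-ciphers.sh --apply ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
#   ./cf-ciphers.sh --apply            # empty list: revert to defaults
if [ "${1:-}" = "--apply" ]; then
    shift
    cf_ciphers_set "$@" && printf '\n' && cf_ciphers_get
fi
```

After applying, compare the "value" array in the GET response with what you sent, then re-run the external scan; the dashboard will not show the restriction, so the API read-back is the only confirmation short of a handshake test.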
Learn more about API Tokens and Keys here: Managing API Tokens and Keys