Customize cipher suites
With Advanced Certificate Manager or within Cloudflare for SaaS, you can restrict connections between Cloudflare and clients - such as your visitor’s browser - to specific cipher suites.
This process will not lead to any downtime in your SSL/TLS protection.
Setup
Custom cipher suites are a hostname-level setting, which means that:
- When you customize cipher suites for a zone, this will affect all hostnames within that zone.
- The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of certificate type (universal, advanced, or custom).
- If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.
Currently, you can only customize cipher suites when using the API:
- Zone (using ciphers as the setting name in the URI path)
- Per-hostname (regular zones only)
- Custom hostname (Cloudflare for SaaS zones only)
Cipher suite selection
Cloudflare uses the hostname priority logic to determine which setting to apply.
ECDSA is prioritized over RSA and Cloudflare preserves the specified cipher suites in the order they are set. This means that, if both ECDSA and RSA are used, Cloudflare presents the ECDSA ciphers first - in the order they were set - and then the RSA ciphers, also in the order they were set.
Cipher suite values
TLS 1.2 or lower
To specify certain cipher suites, include an array of applicable cipher suites used for TLS 1.2 or lower in the value field. Cloudflare offers a list of recommended ciphers by security requirements, but you can also refer to the full list of supported ciphers.
TLS 1.3
You cannot set specific TLS 1.3 ciphers.
Instead, you will need to enable TLS 1.3 for your entire domain and Cloudflare will use all applicable TLS 1.3 cipher suites.
In combination with this, you can still restrict specific ciphers for TLS 1.0-1.2.
Reset to default values
For zones and custom hostnames, to reset to the default cipher suites, send an empty array in the value field.
For specific hostname settings, use the Delete TLS setting for hostname endpoint.
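The following added example (not Cloudflare's own code) ties the zone and per-hostname endpoints, the ECDSA-before-RSA presentation order, and the two reset mechanisms together. It assumes the zone endpoint is PATCH /zones/{zone_id}/settings/ciphers and the hostname endpoint is PUT (or DELETE to reset) /zones/{zone_id}/hostnames/settings/ciphers/{hostname}; the cipher list, zone id and token are constructed placeholders.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed example selection: TLS 1.2 AEAD suites only, deliberately listed
# with RSA first to show how Cloudflare reorders them on presentation.
DESIRED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]

def presentation_order(ciphers):
    """Predict the order Cloudflare presents suites to the client: every ECDSA
    suite first, then every RSA suite, each group keeping its configured order."""
    ecdsa = [c for c in ciphers if "ECDSA" in c]
    rsa = [c for c in ciphers if "ECDSA" not in c]
    return ecdsa + rsa

def build_request(zone_id, ciphers, hostname=None):
    """Return (method, url, body) for the zone-level or per-hostname setting."""
    if hostname is None:
        # Zone level: an empty array resets the zone to Cloudflare's defaults.
        return ("PATCH", f"{API}/zones/{zone_id}/settings/ciphers",
                {"value": list(ciphers)})
    url = f"{API}/zones/{zone_id}/hostnames/settings/ciphers/{hostname}"
    if not ciphers:
        # Per-hostname settings are removed with DELETE, not an empty array.
        return ("DELETE", url, None)
    return ("PUT", url, {"value": list(ciphers)})

def send(method, url, body, token):
    """Perform the request with an API token; returns the decoded JSON reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]  # placeholders
    print("Cloudflare will present:", presentation_order(DESIRED))
    print("success:", send(*build_request(zone, DESIRED), token)["success"])
```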