
Cipher suites

A cipher suite is a named combination of algorithms (key exchange, authentication, bulk encryption, and message integrity) that the client and server agree on during the SSL/TLS handshake. Which suites are offered is configured separately from which SSL/TLS protocol versions are accepted, although, as described below, the two settings interact.

This section covers cipher suites used in connections between visitors and the Cloudflare network. Cipher suites used between Cloudflare and your origin server are configured separately — refer to Origin server > Cipher suites.

Compliance standards such as PCI DSS may require specific cipher suites or prohibit older ones, and security testing tools like Qualys SSL Labs may flag Cloudflare's default configuration.

Cipher suites and edge certificates

Cloudflare's default cipher suites (Legacy) balance security and compatibility, which means they include older algorithms that security testing tools may flag.

If the default configuration does not meet your requirements, you can purchase the Advanced Certificate Manager add-on to specify more secure cipher suites.

Cipher suite customization is a hostname-level setting. Once specified, the configuration applies to all edge certificates serving that hostname, regardless of certificate type (universal, advanced, or custom).

Although configured independently, cipher suites interact with other SSL/TLS settings.

Minimum TLS Version

You can specify a minimum TLS version that is required for a client to connect to your website or application.

For example, if TLS 1.1 is selected as the minimum, visitors attempting to connect using TLS 1.0 will be rejected while visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed.

Certain cipher suites are only available in specific TLS versions: AEAD suites (AES-GCM, ChaCha20-Poly1305) and CBC suites with a SHA-256 or SHA-384 MAC require TLS 1.2, so a TLS 1.0 or 1.1 client can only negotiate the older CBC suites with a SHA-1 MAC. If you restrict cipher suites to a higher security level that excludes those older algorithms, raise your minimum TLS version to match. Otherwise a TLS 1.0 or 1.1 client passes the version check but then fails the handshake, because none of the suites it supports is on offer.

Compliance standards may also require you to increase the minimum TLS version accepted in connections to your website or application.

TLS 1.3

You cannot set specific TLS 1.3 ciphers. Instead, you can enable TLS 1.3 for your entire zone and Cloudflare will use all applicable TLS 1.3 cipher suites. In combination with this, you can still disable weak cipher suites for TLS 1.0-1.2.

Cloudflare may return the following names for TLS 1.3 cipher suites. This is how they map to RFC 8446 names:

Cloudflare                        RFC 8446
AEAD-AES128-GCM-SHA256            TLS_AES_128_GCM_SHA256
AEAD-AES256-GCM-SHA384            TLS_AES_256_GCM_SHA384
AEAD-CHACHA20-POLY1305-SHA256     TLS_CHACHA20_POLY1305_SHA256
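The following script checks the interaction described under Minimum TLS Version (a custom cipher list that leaves some admitted protocol versions with no negotiable suite) and applies the name mapping in the table above. It is an added example for this page, not Cloudflare's code or API. It assumes that TLS 1.0-1.2 suites are spelled the OpenSSL way (for example ECDHE-ECDSA-AES128-GCM-SHA256), that the version in which a suite first became available can be read from the local OpenSSL build through ssl.SSLContext.get_ciphers(), and that the Cloudflare behaviour it models is exactly what this page states: the minimum TLS version gates which clients are admitted, TLS 1.3 suites are not individually selectable, and TLS 1.3 is enabled or disabled per zone. The function names and the sample cipher lists are constructed for the demo.

```python
"""Check that a custom cipher-suite list and a minimum TLS version agree.

Added example, not Cloudflare code. Assumptions: TLS 1.0-1.2 suites use
OpenSSL-style names, and the lowest protocol version that can negotiate a
suite is read from the local OpenSSL build via ssl.SSLContext.get_ciphers().
"""
import re
import ssl
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int]
TLS10, TLS11, TLS12, TLS13 = (1, 0), (1, 1), (1, 2), (1, 3)

# Cloudflare's TLS 1.3 suite names -> RFC 8446 names (the table on this page).
CLOUDFLARE_TLS13_NAMES = {
    "AEAD-AES128-GCM-SHA256": "TLS_AES_128_GCM_SHA256",
    "AEAD-AES256-GCM-SHA384": "TLS_AES_256_GCM_SHA384",
    "AEAD-CHACHA20-POLY1305-SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}


def to_rfc8446(name: str) -> str:
    """Translate a Cloudflare TLS 1.3 name; any other name is returned unchanged."""
    return CLOUDFLARE_TLS13_NAMES.get(name, name)


def fmt(v: Version) -> str:
    return f"TLS {v[0]}.{v[1]}"


def parse_version(label: str) -> Version:
    """Normalise OpenSSL's per-suite protocol label ('SSLv3', 'TLSv1',
    'TLSv1.0', 'TLSv1.2', 'TLSv1.3', ...) to (major, minor). SSLv3-era suites
    are negotiable from TLS 1.0 onward, so they count as TLS 1.0."""
    if label.startswith("SSLv"):
        return TLS10
    m = re.match(r"TLSv(\d)(?:\.(\d))?", label)
    if not m:
        raise ValueError(f"unrecognised protocol label: {label!r}")
    return (int(m.group(1)), int(m.group(2) or 0))


def local_min_versions() -> Dict[str, Version]:
    """{suite name: lowest protocol version that can negotiate it}, from OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # include legacy suites (OpenSSL >= 1.1)
    except ssl.SSLError:
        ctx.set_ciphers("ALL")
    table: Dict[str, Version] = {}
    for c in ctx.get_ciphers():
        try:
            table[c["name"]] = parse_version(c["protocol"])
        except ValueError:
            pass  # a label this build does not describe; leave the suite out
    return table


def usable_suites(allowed: Iterable[str], min_tls: Version,
                  table: Dict[str, Version]) -> Dict[Version, List[str]]:
    """For each of TLS 1.0-1.2 admitted by min_tls, the allowed suites a client
    on that version can negotiate (TLS 1.3 uses its own fixed suites)."""
    allowed = list(allowed)
    return {
        v: sorted(n for n in allowed if n in table and table[n] <= v)
        for v in (TLS10, TLS11, TLS12) if v >= min_tls
    }


def check_policy(allowed: Iterable[str], min_tls: Version, tls13_enabled: bool,
                 table: Dict[str, Version]) -> List[str]:
    """Findings for a proposed (cipher list, minimum TLS version, TLS 1.3 on/off)."""
    findings: List[str] = []
    legacy: List[str] = []
    for name in allowed:
        if name in CLOUDFLARE_TLS13_NAMES:
            findings.append(f"{name} ({to_rfc8446(name)}) is a TLS 1.3 suite and cannot "
                            "be selected individually; enable TLS 1.3 for the zone instead")
        elif name not in table:
            findings.append(f"{name}: not a known suite name")
        else:
            legacy.append(name)
    dead = [v for v, suites in usable_suites(legacy, min_tls, table).items() if not suites]
    if dead and legacy:
        # Clients on these versions pass the version check, then fail the handshake.
        needed = min(table[n] for n in legacy)
        findings.append(f"{', '.join(fmt(v) for v in dead)} pass the minimum TLS version "
                        f"check but no allowed suite is negotiable there, so those "
                        f"handshakes fail; raise the minimum to {fmt(needed)}")
    elif dead and tls13_enabled:
        findings.append("no allowed suite covers TLS 1.0-1.2; only TLS 1.3 clients can connect")
    elif dead:
        findings.append("no allowed suite covers TLS 1.0-1.2 and TLS 1.3 is off; no client can connect")
    if min_tls == TLS13 and not tls13_enabled:
        findings.append("minimum TLS version is 1.3 but TLS 1.3 is off; no client can connect")
    return findings


if __name__ == "__main__":
    table = local_min_versions()
    # Constructed sample list: AEAD-only suites, which all require TLS 1.2.
    modern = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
              "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]
    for min_tls in (TLS10, TLS12):
        print(fmt(min_tls), "minimum:", check_policy(modern, min_tls, True, table) or "OK")
```

Running it shows the point of the section above: the same AEAD-only list is fine with a minimum of TLS 1.2 but, with a minimum of TLS 1.0, leaves TLS 1.0 and 1.1 clients admitted yet unable to complete a handshake. The per-suite version data comes from whatever OpenSSL Python is linked against, so confirm the result against the hostname with a scanner such as the SSL Labs test mentioned earlier before relying on it.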

Limitations

It is not possible to configure cipher suites for Cloudflare Pages hostnames.