What cipher suites does Cloudflare support for SSL/TLS?

For customers at a paid level of service

Cloudflare's server configuration for TLS cipher suites is set in nginx with the following directives:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;

We keep a public repository of our SSL configurations, with changes over time. Please note that Cloudflare no longer supports RC4 cipher suites.

The above configuration expands to the cipher suites listed in the table below.

OpenSSL Name TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256 ❌ 
AES128-SHA256 ❌ 
AES128-SHA ✅ 
ECDHE-ECDSA-AES256-GCM-SHA384 ❌ 
ECDHE-ECDSA-AES256-SHA384 ❌ 
ECDHE-RSA-AES256-GCM-SHA384 ❌ 
ECDHE-RSA-AES256-SHA384 ❌ 
ECDHE-RSA-AES256-SHA ✅ 
AES256-GCM-SHA384 ❌ 
AES256-SHA256 ❌ 
AES256-SHA ✅ 
DES-CBC3-SHA
AEAD-AES128-GCM-SHA256 **
AEAD-AES256-GCM-SHA384 **
AEAD-CHACHA20-POLY1305-SHA256 **

** Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, only specifying the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 (IETF TLS 1.3 draft 21). BoringSSL also hard-codes cipher preferences in this order for TLS 1.3.
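The bracketed entries in ssl_ciphers are a BoringSSL equal-preference group: with ssl_prefer_server_ciphers on, the server's order decides between groups, while the client's order decides inside a group. The sketch below is an added example, not Cloudflare's code; parse_groups, select_suite and EXPANDED_TAIL are hypothetical names, the tail is assumed to follow the table's row order, and protocol version, certificate type and the separately negotiated TLS 1.3 suites are ignored.

```python
# Simplified model of server-side cipher suite selection (added example).
# Assumption: the table's row order is the server's preference order.

# The bracketed equal-preference group, copied from the ssl_ciphers directive.
HEAD = ("[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|"
        "ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]")

# TLS 1.2-and-lower suites that follow the group in the table.
EXPANDED_TAIL = [
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "AES256-GCM-SHA384", "AES256-SHA256",
    "AES256-SHA", "DES-CBC3-SHA",
]


def parse_groups(cipher_string):
    """Split a cipher string into ordered preference groups.

    '[A|B]' is one group of equals; a plain entry is a group of one.
    """
    groups = []
    for item in cipher_string.split(":"):
        if item.startswith("[") and item.endswith("]"):
            groups.append(item[1:-1].split("|"))
        elif item:
            groups.append([item])
    return groups


def select_suite(server_groups, client_offer):
    """Return the suite the server picks, or None if nothing is shared."""
    for group in server_groups:          # server order between groups
        for suite in client_offer:       # client order inside a group
            if suite in group:
                return suite
    return None                          # no shared suite: handshake fails


SERVER_GROUPS = parse_groups(HEAD + ":" + ":".join(EXPANDED_TAIL))

if __name__ == "__main__":
    # Constructed client offers, in the client's own preference order.
    print(select_suite(SERVER_GROUPS, ["ECDHE-RSA-CHACHA20-POLY1305",
                                       "ECDHE-RSA-AES128-GCM-SHA256"]))
    print(select_suite(SERVER_GROUPS, ["AES256-SHA", "ECDHE-RSA-AES128-SHA"]))
```

A client that lists ChaCha20-Poly1305 first gets it, because both AEAD suites sit in the same group; a client that lists AES256-SHA first still gets ECDHE-RSA-AES128-SHA, because that suite ranks higher in the server's order.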

For customers at the free level of service

Free sites using Universal SSL are issued SHA2+ECDSA certificates, which require clients that support elliptic curve cryptography (ECC) and SNI.

 

Note: SSLv3 is not supported due to security vulnerabilities.
