What cipher suites does Cloudflare use for SSL?

For customers at a paid level of service

Cloudflare's server configuration for TLS cipher suites is set in nginx (which we use extensively) with the following configuration command:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_prefer_server_ciphers on;

We keep a public repository of our SSL configurations, with changes over time. Please note that Cloudflare no longer supports RC4 cipher suites.

For customers at the free level of service

Free sites using Universal SSL are issued SHA2+ECDSA certificates, which require clients that support elliptic curve cryptography (ECC) and SNI.


Note: SSLv3 is now disabled by default due to a security vulnerability. More about opting in to use SSLv3 is available here.

Still not finding what you need?

The Cloudflare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk