Cloudflare SSL cipher, browser, and protocol support

Avatar
Jeremy L Pugh
Follow

Understand which TLS ciphers and protocols are supported by Cloudflare. Learn which browsers Cloudflare SSL certificates support and which intermediate and root certificates are used to sign Cloudflare certificates.

Cloudflare TLS/SSL cipher support

Since traffic encryption occurs either between website visitors and Cloudflare or between Cloudflare and your origin web server, Cloudflare distinguishes between:

Origin web server TLS/SSL ciphers supported by Cloudflare

Depending on the SSL option specified in the Cloudflare Crypto app, Cloudflare either connects to an origin web server over HTTP or HTTPS. Below is the list of origin server SSL ciphers that Cloudflare supports for TLS 1.3, TLS 1.2, and earlier TLS versions when connecting to your origin web server over HTTPS:


TLS 1.2 and earlier TLS versions:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA
  • ECDHE-RSA-AES256-SHA384
  • AES256-SHA
  • DES-CBC3-SHA

TLS 1.3:

Cipher Suite Name (IANA)

Cipher Suite (Octal Value)

TLS_AES_128_GCM_SHA256

{0x13,0x01}

TLS_AES_256_GCM_SHA384

{0x13,0x02}

TLS_CHACHA20_POLY1305_SHA256

{0x13,0x03}

 

Cloudflare TLS/SSL ciphers

The configuration of both the client browser and the web server determine the cipher suite used, not the SSL certificate. When a browser initiates an HTTPS connection, it sends a list of cipher suites it supports. The web server then picks the one it wants to use.

Cloudflare currently prefers to negotiate a connection using AES128. To use AES256, a client’s browser must enforce a 256 bit cipher suite. Our preference to use AES128 may change in the future.

Below is the list of SSL ciphers that Cloudflare supports for TLS 1.3 and TLS 1.2 and older for customer’s on paid plans:

 

OpenSSL Name

TLS 1.0

TLS 1.1

TLS 1.2

TLS 1.3

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-CHACHA20-POLY1305

ECDHE-ECDSA-AES128-SHA256

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES128-SHA

AES128-GCM-SHA256

AES128-SHA256

AES128-SHA

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

AES256-GCM-SHA384

AES256-SHA256

AES256-SHA

DES-CBC3-SHA

AEAD-AES128-GCM-SHA256 

AEAD-AES256-GCM-SHA384 

AEAD-CHACHA20-POLY1305-SHA256

For the most current details on Cloudflare’s SSL configuration, see our public repository of SSL configurations.

Cloudflare does not support RC4 cipher suites.
Free domains using Universal SSL are issued SHA2+ECDSA certificates. This requires client browsers that support elliptic curve cryptography (ECC) and SNI.

Cloudflare TLS/SSL protocol support

Cloudflare only uses TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 to establish SSL connections between the visitor and Cloudflare.

TLS 1.2 became the industry standard in 2008. Both the Payment Cards Industry Security Standards Council (PCI SSC) and the National Institute of Standards and Technology (NIST) endorse TLS 1.2 for tighter security on the web.

SSLv3 is not supported due to security vulnerabilities. TLS Version 1.0 is considered insecure due to its vulnerability to attacks such as BEAST and POODLE.

Cloudflare TLS/SSL browser support

Cloudflare deploys additional SSL certificates for paid plans than compared to Free plans. This allows paid plans to support certain older devices. For information on what SSL protocols and ciphers your current browser supports, visit https://www.ssllabs.com/ssltest/viewMyClient.html.

Modern browser support for domains on paid Cloudflare plans

Cloudflare SSL certificates utilize the Subject Alternative Names (SAN) extension to support multiple domains on the same SSL certificate.  Additionally, Dedicated Certificates and Universal SSL certificates use Server Name Indication (SNI) with Elliptic Curve Digital Signature Algorithm (ECDSA). SNI and ECDSA certificates work with the following modern browsers:

Desktop Browsers installed on Windows Vista or OS X 10.6 or later:

  • Internet Explorer 7
  • Firefox 2
  • Opera 8 (with TLS 1.1 enabled)
  • Google Chrome v5.0.342.0
  • Safari 2.1

Mobile Browsers:

  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7

Modern browser support on Free Cloudflare domains

Due to fewer SSL certificates provided for Cloudflare domains on Free plans, SSL browser support for Free domains is limited to slightly newer browsers:

Minimum supported desktop browsers:

  • Firefox 2
  • Internet Explorer 7 on Windows Vista
  • Windows Vista or OS X 10.6 with:
    • Chrome 5.0.342.0
    • Opera 14
    • Safari 4

Minimum supported mobile browsers:

  • Mobile Safari on iOS 4.0
  • Android 4.0 ("Ice Cream Sandwich")
  • Windows Phone 7

SSL intermediates and roots used to sign Cloudflare certificates

Universal SSL certificates are issued by Sectigo or Digicert. Dedicated SSL and SSL for SaaS certificates are issued by Digicert.

Sectigo

Click to expand the collapsed content below for details on the root and intermediate certificates used to sign the following Cloudflare certificates:

SHA-256 ECDSA Certificate Chain

Level

Common Name

Serial

SHA-1 Fingerprint

Download

Root

AddTrust External CA Root

1

02FAF3E291435468607857694DF5E45B68851868

https://crt.sh/?d=1

Intermediate 1

Sectigo ECC Certification Authority

4352023FFAA8901F139FE3F4E5C1444E

AE223CBF20191B40D7FFB4EA5701B65FDC68A1CA

https://crt.sh/?d=2818753

Intermediate 2

Sectigo ECC Domain Validation Secure Server CA 2

5B25CE6907C4265566D3390C99A954AD

75CFD9BC5CEFA104ECC1082D77E63392CCBA5291

https://crt.sh/?d=5097306
SHA-256 RSA Certificate Chain

Level

Common Name

Serial

SHA-1 Fingerprint

Download

 Root

 AddTrust External CA Root

1

 02FAF3E291435468607857694DF5E45B68851868

https://crt.sh/?d=1

Intermediate 1

Sectigo RSA Certification Authority

2766EE56EB49F38EABD770A2FC84DE22

F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0

https://crt.sh/?d=1044348

Intermediate 2

Sectigo RSA Domain Validation Secure Server CA 2

0BA2D01DCBCB7776E8AC65097AC12541

0BC249478F120F146D5714970A088A3A30C9ED07

https://crt.sh/?d=9767399

Digicert

Click to expand the collapsed content below for details on the root and intermediate certificates used to sign the following Cloudflare certificates:

SHA-256 ECDSA Certificate Chain

Level

Common Name

Serial

SHA-1 Fingerprint

Download

Root

Baltimore CyberTrust Root

33554617

D4DE20D05E66FC53FE1A50882C78DB2852CAE474

https://crt.sh/?d=76

Intermediate

CloudFlare Inc ECC CA-2

0FF3E61639AA3D1A1265F41F8B34E5B6

6B53C3B358CEF368201F8741B9C5AEDEEA3861FA

https://crt.sh/?d=12715854
SHA-256 RSA Certificate Chain

Level

Common Name

Serial

SHA-1 Fingerprint

Download

Root

Baltimore CyberTrust Root

33554617

D4DE20D05E66FC53FE1A50882C78DB2852CAE474

https://crt.sh/?d=76

Intermediate

CloudFlare Inc RSA CA-1

060DD6C1D067901B5475FCFFC29E3137

2AA2B8A223DA08798599B54DE4121757ABA33341

https://crt.sh/?d=12716191

Related resources

Was this article helpful?
12 out of 36 found this helpful
Not finding what you need?
Ask the Community   Submit a request

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Popular questions: Why is my site slow, 522 errors, I'm expecting a spike in traffic

Powered by Zendesk