What are TLS 1.2 and TLS 1.3?
TLS 1.2 (RFC 5246) is the version of the TLS protocol in widest use for HTTPS access to websites. TLS 1.3 was still a draft when this article was written (it was published as RFC 8446 in August 2018) and adds further security and performance improvements, among them dropping legacy cipher suites and shortening the handshake. TLS is the protocol that encrypts communication between users and your website. When web traffic is protected with TLS, users see the padlock icon in their browser's address bar.
Who can use Require Modern TLS?
Require Modern TLS can only be used with a certificate that is unique to your domain. In practice this means Cloudflare Business and Enterprise customers who have uploaded a custom certificate. Free and Pro customers must upgrade to one of those plans and provision a custom certificate before they can use this feature.
What does Require Modern TLS do?
With Require Modern TLS enabled, Cloudflare's edge serves traffic to and from your website only over TLS 1.2 and, if you have enabled it, TLS 1.3. A client that offers only TLS 1.0 or TLS 1.1 in its ClientHello fails the handshake and cannot load the site.
This setting applies only to the connection between the visitor's web browser and Cloudflare. It does not change the TLS version Cloudflare negotiates with your origin server, which is configured separately.
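The quickest way to confirm that the setting is in effect is to attempt one handshake per protocol version against your hostname and see which ones the edge accepts. The script below is an added example, not a Cloudflare tool: it assumes the hostname you pass is served over HTTPS on port 443, and it separates "the server refused this version" from "this machine's OpenSSL build will not even offer this version", a distinction that matters on OpenSSL 3, which refuses TLS 1.0 and 1.1 at its default security level.

```python
"""Probe which TLS protocol versions an HTTPS endpoint will negotiate.

Added example (not Cloudflare's code). Assumes the target hostname serves
HTTPS on port 443; the classify() logic needs no network and can be run alone.
"""
import socket
import ssl
import sys

# Label -> ssl.TLSVersion, oldest to newest.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLS 1.0", "TLS 1.1")   # versions Require Modern TLS refuses
MODERN = ("TLS 1.2", "TLS 1.3")   # versions it allows


def probe(host, version, port=443, timeout=5.0):
    """Try one handshake pinned to exactly `version`.

    Returns one of:
      "accepted"            the server completed a handshake at that version
      "rejected"            the server refused (protocol_version alert or close)
      "client_unsupported"  the local OpenSSL will not offer that version, so
                            the result says nothing about the server
      "unreachable"         TCP connection failed before any TLS was spoken
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing version negotiation, not certificate trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        # This OpenSSL build was compiled without that protocol version.
        return "client_unsupported"
    try:
        # OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level;
        # lowering the level lets the probe actually send those versions.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels keep their default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError as err:
        reason = (err.reason or "").upper()
        if "NO_PROTOCOLS_AVAILABLE" in reason or "UNSUPPORTED_PROTOCOL" in reason:
            return "client_unsupported"
        return "rejected"   # includes SSLEOFError: server closed without an alert
    except OSError:
        return "unreachable"


def classify(results):
    """Turn {label: status} from probe() into a verdict about the endpoint."""
    if not any(results.get(v) == "accepted" for v in MODERN):
        return "no-modern-tls"   # nothing modern works: wrong host/port or outage
    if any(results.get(v) == "accepted" for v in LEGACY):
        return "legacy-allowed"  # Require Modern TLS is not in effect
    if any(results.get(v) == "client_unsupported" for v in LEGACY):
        return "inconclusive"    # this machine could not even offer TLS 1.0/1.1
    return "modern-only"         # only TLS 1.2/1.3 handshakes succeed


def scan(host, port=443):
    """Probe every version in VERSIONS against one host."""
    return {label: probe(host, ver, port) for label, ver in VERSIONS.items()}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_tls.py HOSTNAME")
    found = scan(sys.argv[1])
    for label, status in found.items():
        print(f"{label:8s} {status}")
    print("verdict:", classify(found))
```

An "inconclusive" verdict means the probing machine, not the server, could not speak the legacy versions; rerun it from a host with an older OpenSSL, or with `openssl s_client -tls1 -cipher 'DEFAULT:@SECLEVEL=0'`, before concluding that the edge is refusing them.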
Why should I enable Require Modern TLS?
TLS 1.2 fixes known weaknesses in earlier versions (for example, the predictable CBC initialization vectors in TLS 1.0 exploited by BEAST, and the MD5/SHA-1 based PRF shared by TLS 1.0 and 1.1) and adds AEAD cipher suites. The PCI Security Standards Council has also set a deadline of 30 June 2018 (PCI DSS 3.2) for retiring SSL and early TLS, with TLS 1.2 as the recommended replacement. That deadline had not yet passed when this article was written, but customers may want to migrate in advance of the hard requirement.
Why should I not enable Require Modern TLS?
Some older browsers do not support TLS 1.2, so turning on this feature may lock those users out of your website. Browsers that do not support TLS 1.2 out of the box include the stock browser on Android versions before 5.0 and Microsoft Internet Explorer before version 11 (IE 8 to 10 on Windows 7 can speak TLS 1.2, but it is disabled by default). Historical information about web browser TLS support is available from Wikipedia.
What should I do?
For sites with a narrow user base (for example internal applications or business/productivity applications), or with high security requirements or PCI compliance requirements, we recommend enabling Require Modern TLS. If some of your users are still on browsers that cannot negotiate TLS 1.2, you may wish to wait until they have upgraded before enabling it.
For sites with a broad consumer user base, particularly sites that do not process transactions, we recommend against enabling Require Modern TLS. While TLS 1.2 is better than TLS 1.0 and TLS 1.1, TLS 1.0 is still better than no TLS at all.
We expect client support for TLS 1.2 to keep improving as more and more sites disable TLS 1.0 and TLS 1.1 across the Internet.
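Deciding whether your users have "upgraded enough" is a measurement question: how much of your HTTPS traffic still negotiates TLS 1.0 or 1.1, and which clients are responsible. The script below is an added example, not Cloudflare's code. It assumes per-request logs as JSON lines carrying the negotiated protocol and the client user agent, using the field names of Cloudflare's HTTP request logs (`ClientSSLProtocol`, `ClientRequestUserAgent`); change the `FIELD_*` constants for another log source. The sample lines and the 1% threshold are constructed for illustration.

```python
"""Measure how much of a site's HTTPS traffic still uses TLS 1.0 or 1.1.

Added example (not Cloudflare's code). Assumes JSON-lines request logs with
the negotiated protocol and user agent; the field names below follow
Cloudflare's HTTP request log fields but are an assumption about your logs.
"""
import json
from collections import Counter

FIELD_PROTO = "ClientSSLProtocol"
FIELD_UA = "ClientRequestUserAgent"

# Protocol strings that Require Modern TLS would refuse.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample log lines for illustration; "none" marks plain HTTP.
SAMPLE_LOG = """
{"ClientSSLProtocol": "TLSv1.2", "ClientRequestUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/70"}
{"ClientSSLProtocol": "TLSv1.3", "ClientRequestUserAgent": "Mozilla/5.0 (Macintosh) Firefox/63"}
{"ClientSSLProtocol": "TLSv1", "ClientRequestUserAgent": "Mozilla/5.0 (Linux; Android 4.2.2) AppleWebKit/534.30"}
{"ClientSSLProtocol": "TLSv1.2", "ClientRequestUserAgent": "Mozilla/5.0 (iPhone) Safari/604.1"}
{"ClientSSLProtocol": "TLSv1", "ClientRequestUserAgent": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1)"}
{"ClientSSLProtocol": "none", "ClientRequestUserAgent": "curl/7.61.0"}
{"ClientSSLProtocol": "TLSv1.1", "ClientRequestUserAgent": "Java/1.7.0_80"}
"""


def tally(lines):
    """Count requests per protocol and collect the user agents of legacy connections."""
    by_proto = Counter()
    legacy_agents = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        proto = rec.get(FIELD_PROTO, "unknown")
        by_proto[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_agents[rec.get(FIELD_UA, "?")] += 1
    return by_proto, legacy_agents


def legacy_share(by_proto):
    """Fraction of HTTPS requests that Require Modern TLS would refuse.

    Plain-HTTP requests ("none") are excluded from the denominator because the
    setting does not affect them.
    """
    https = sum(n for p, n in by_proto.items() if p.startswith(("TLS", "SSL")))
    if https == 0:
        return 0.0
    legacy = sum(by_proto[p] for p in LEGACY_PROTOCOLS)
    return legacy / https


def report(lines, threshold=0.01):
    """Summarise the log and say whether legacy traffic is under `threshold`.

    The threshold is an assumed policy value, not a Cloudflare recommendation.
    """
    by_proto, agents = tally(lines)
    share = legacy_share(by_proto)
    return {
        "by_protocol": dict(by_proto),
        "legacy_share": share,
        "top_legacy_agents": agents.most_common(5),
        "safe_to_enable": share <= threshold,
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG.splitlines())
    print(json.dumps(result, indent=2))
```

Run it over a representative window of real logs (a full week, so weekday and weekend clients are both counted) rather than the sample; the `top_legacy_agents` list tells you whether the remaining legacy traffic is real users on old browsers, which argues for waiting, or scanners and abandoned integrations, which argue for enabling the setting now.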