Legacy Browser Support allows website owners with a paid Cloudflare plan to continue provide a secure connection for visitors with an older operating system or browser.
When a visitor connects to a website behind Cloudflare we automatically determine the optimal certificate to present the browser and then serve it during the SSL/TLS handshake:
- If the user agent supports modern encryption, such as Elliptic Curve Cryptography (ECC) and SHA-2 signatures, we will present an ECDSA SHA-256 certificate.
- If the UA supports SHA-256 but not ECC, we will present an RSA SHA-256 certificate.
- Lastly, if it supports neither of those two options, we will serve an RSA SHA-1 certificate.
- Examples of user agents that do not support SHA-256 signatures include IE on Windows XP SP2 (or earlier) and pre-Gingerbread Android.
While we encourage site owners to maintain maximum compatibility with their visitors, some with specific concerns about SHA-1 may wish to disable this feature.
Disabling Legacy Browser Support (Business or Enterprise only)
Warning: Disabling Legacy Browser Support will also prevent browsers without Server Name Indication (SNI) support from connecting to your site. Review the list below to determine if you need support for earlier browsers than those listed.
- IE7 on Windows Vista (Windows XP is not supported)
- Google Chrome on Windows Vista or OS X 10.5.7
- Safari 3.0 on Windows Vista or Mac OS X 10.5.6
- Mozilla Firefox 2.0
- Opera 8.0 (with TLS 1.1 enabled)
- BlackBerry 10
- Windows Phone 7
As a website owner you have the ability to disable Legacy Browser Support. If you disable this feature, visitors using an older operating system or browser will experience errors when attempting to establish an SSL/TLS session with your website. Such errors may be obvious and reported by the browser, or they may silently break functionality and be difficult to troubleshoot.
You can disable Legacy Browser Support under the Crypto page on the Cloudflare dashboard. Scroll to the bottom of the page and click on the “Disable SHA-1 Support” button. You will then be shown a modal; read the warning and then check the box to indicate you understand the consequences. You should then see the button change to “Enable SHA-1 Support”.
Lastly, if you only have SHA-1 custom certificates uploaded, these will still be served to your customers. To take advantage of certificate optimization with these custom certificates, please open a support request. Or simply upload a replacement SHA-2 certificate and remove the existing SHA-1.