How do I enable TLS 1.3?

What is TLS 1.3?
TLS 1.3 is the newest and most secure version of the TLS protocol. It completes the handshake in fewer round trips than older versions, so connections are set up faster, and it drops the weaker cipher suites and key-exchange modes that earlier versions still allowed.

To learn more about TLS 1.3 support in Cloudflare, read the blog post: You get TLS 1.3! You get TLS 1.3! Everyone gets TLS 1.3!

What is 0-RTT?
0-RTT (zero round-trip time resumption) is a feature that improves performance for clients that have previously connected to your website. Such a client can send its first request together with its first handshake message, before the TLS handshake has completed, saving a round trip and resulting in faster connection times.

What is the Early-Data header?
It's possible for an attacker who captures the 0-RTT data to replay it: the early data is not protected by the freshness guarantees of a completed handshake, so Cloudflare could end up sending the same request to your origin more than once. To help you identify when a request may have been replayed, Cloudflare adds a header named "Early-Data" with the value 1 to every request that was received over 0-RTT. Use this header to decide whether to accept a particular request: a safe, idempotent request (such as a GET for a page) can be served normally even if it is a replay, while a request with side effects (such as a POST that submits an order) should be refused until the client resends it over the fully established connection.
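The check described above, written as a small WSGI middleware for the origin. This is an added example, not Cloudflare's code: it looks for the "Early-Data: 1" header the page describes and, for any non-idempotent method, answers with the 425 Too Early status that RFC 8470 defines for exactly this case, so the client retries after the handshake completes. The helper application, the list of methods treated as safe, and the `simulate` driver are assumptions made for the example.

```python
"""Origin-side handling of Cloudflare's Early-Data header (added example)."""

# Methods that are safe/idempotent per RFC 7231; a replayed one does no harm.
# Assumption: your application really treats these methods as side-effect free.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def is_early_data(headers):
    """True if the request carries 'Early-Data: 1', i.e. it arrived over 0-RTT.

    Header names are case-insensitive, so normalise before comparing.
    """
    for name, value in headers.items():
        if name.lower() == "early-data" and value.strip() == "1":
            return True
    return False


def should_reject_early_data(method, headers):
    """Reject any non-safe request that was delivered as 0-RTT early data.

    A replayed GET just serves a page twice; a replayed POST might place an
    order twice, so only the latter is refused.
    """
    return is_early_data(headers) and method.upper() not in SAFE_METHODS


class EarlyDataGuard:
    """WSGI middleware: wrap the application with EarlyDataGuard(app)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME> with '-' turned into '_'.
        headers = {
            key[5:].replace("_", "-"): value
            for key, value in environ.items()
            if key.startswith("HTTP_")
        }
        method = environ.get("REQUEST_METHOD", "GET")
        if should_reject_early_data(method, headers):
            # 425 Too Early (RFC 8470): the client should retry this request
            # once the TLS handshake has completed.
            body = b"retry after the TLS handshake completes\n"
            start_response(
                "425 Too Early",
                [("Content-Type", "text/plain"),
                 ("Content-Length", str(len(body)))],
            )
            return [body]
        return self.app(environ, start_response)


def _hello_app(environ, start_response):
    """Placeholder origin application (assumed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(method, header_environ):
    """Drive the middleware with a constructed WSGI environ; returns the status line."""
    environ = {"REQUEST_METHOD": method}
    environ.update(header_environ)
    seen = {}

    def start_response(status, response_headers, exc_info=None):
        seen["status"] = status

    app = EarlyDataGuard(_hello_app)
    b"".join(app(environ, start_response))  # consume the body as a server would
    return seen["status"]


if __name__ == "__main__":
    # Constructed requests: a GET and a POST, each flagged by Cloudflare as 0-RTT.
    print("GET  over 0-RTT ->", simulate("GET", {"HTTP_EARLY_DATA": "1"}))
    print("POST over 0-RTT ->", simulate("POST", {"HTTP_EARLY_DATA": "1"}))
    print("POST, no 0-RTT  ->", simulate("POST", {}))
```

Put this guard in front of the whole application rather than on individual routes, so a new endpoint cannot forget the check; if a POST is genuinely idempotent (for example one keyed by a client-supplied request ID) you can widen the allow list for that route, but the default should be to refuse.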

How can I enable TLS 1.3 for sites on Cloudflare?

TLS 1.3 (with or without 0-RTT) can be enabled in the Crypto app of the Cloudflare dashboard.

[Image: cf_crypto_tls1.3.png]

Do I need to support TLS 1.3 on my servers to use this feature?

No. Cloudflare terminates client TLS 1.3 connections at our edge and does not require you to support TLS 1.3 on your servers. Furthermore, we do not currently support TLS 1.3 from our edge to origins, nor plan to in the immediate future. Therefore, the only reason to enable TLS 1.3 on your servers is if you wish to do so for your own purposes.

How can I use TLS 1.3 in my browser?

TLS 1.3 is currently supported in both Chrome (starting with release 66) and Firefox (starting with release 60), and in development for Safari and Edge browsers.

For Chrome:

  1. In the address bar, enter chrome://flags and press Enter.
  2. Scroll to locate the TLS 1.3 entry, and set it to Enabled. You will see a message saying that the change will take effect the next time you relaunch Chrome.
  3. Click RELAUNCH NOW to re-start Chrome.

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Open Chrome Developer Tools.
  2. Click the Security tab.
  3. Reload the page (Command-R on macOS, Ctrl-R on Windows).
  4. Click on the site under Main origin.
  5. Look on the right-hand tab under Connection to confirm that TLS 1.3 is listed as the protocol (see image below).

[Image: tls1.3_chrome_dev_tools_security.png]

For Firefox:

  1. In the address bar, enter about:config and click the button to accept the "This might void your warranty!" warning.
  2. Search for security.tls.version.max and change it from the default value of 3 (TLS 1.2) to 4 (TLS 1.3).

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Click the green lock icon in the address bar, then click the > arrow.
  2. Click More Information.
  3. Under Technical Details, verify that the TLS version is TLS 1.3 (see image below).

[Image: tls1.3_firefox_more_info_security_ann.png]

What should I do if I'm seeing an error/other issues while using TLS 1.3?

Since TLS 1.3 implementations are relatively new, some failures may occur. To help us debug our implementation, please submit a Cloudflare Support ticket with the following information:

  • Steps to replicate the issue (if possible)
  • The client build version
  • Any client diagnostic information
  • Packet captures.

With this information, our engineering team is able to perform an in-depth review.

Chrome users should submit a net-internals trace. Firefox users should report bugs to Mozilla and, if Mozilla determines that the issue is related to the Cloudflare implementation, submit any logs they consider relevant to us.
