How do I enable TLS 1.3?

What is TLS 1.3?
TLS 1.3 is the newest and most secure version of the TLS protocol. It has improved latency over older versions and several new features.

What is 0-RTT?
0-RTT is a feature that improves performance for clients who have previously connected to your website. It allows the client's first request to be sent before the TLS connection is fully established, resulting in faster connection times.

What is the CF-0RTT-Unique header?
It's possible for an attacker to replay the first request sent with 0-RTT, which results in Cloudflare sending the same request to the origin multiple times. To help you identify when a request has been replayed, Cloudflare includes a new header, "CF-0RTT-Unique", on all requests that were sent over 0-RTT. This header contains a unique string associated with the request. If your origin sees multiple requests with identical "CF-0RTT-Unique" headers, the repeated requests were triggered by malicious replays and can be ignored.
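The origin-side check described above, as an added example (not Cloudflare's own code): a small replay guard that remembers recently seen "CF-0RTT-Unique" values and flags any request that repeats one. The 60-second retention window, the sample token values and the constructed requests are assumptions for illustration.

```python
import time
from collections import OrderedDict

HEADER = "cf-0rtt-unique"  # header names are case-insensitive; compare lowercased


class ZeroRttReplayGuard:
    """Remembers CF-0RTT-Unique values seen at the origin and flags repeats.

    Values are kept for `ttl` seconds (assumed 60) in an insertion-ordered
    dict so memory stays bounded; stale entries are evicted on each check.
    """

    def __init__(self, ttl=60.0, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._seen = OrderedDict()  # token -> time first seen

    def _evict(self, now):
        while self._seen:
            _, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.ttl:
                break
            self._seen.popitem(last=False)

    def is_replay(self, headers):
        """True if this request repeats a CF-0RTT-Unique value already seen."""
        token = next((v for k, v in headers.items() if k.lower() == HEADER), None)
        if token is None:
            return False  # not sent over 0-RTT, so nothing to de-duplicate
        now = self.clock()
        self._evict(now)
        if token in self._seen:
            return True
        self._seen[token] = now
        return False


def filter_replays(requests, guard=None):
    """Split requests into (accepted, rejected) using the replay guard."""
    guard = guard or ZeroRttReplayGuard()
    accepted, rejected = [], []
    for req in requests:
        (rejected if guard.is_replay(req["headers"]) else accepted).append(req)
    return accepted, rejected


# Constructed sample traffic; the token strings are made up for this example.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/transfer", "headers": {"CF-0RTT-Unique": "tok-a1"}},
    {"method": "GET", "path": "/", "headers": {}},
    {"method": "POST", "path": "/transfer", "headers": {"cf-0rtt-unique": "tok-a1"}},
    {"method": "GET", "path": "/status", "headers": {"CF-0RTT-Unique": "tok-b2"}},
]
```

Only the third sample request repeats a token and is rejected; the request without the header is treated as an ordinary non-0-RTT request.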

How can I enable TLS 1.3 for sites on CloudFlare?

TLS 1.3 (with or without 0-RTT) can be enabled in the Crypto section of the dashboard.

Do I need to support TLS 1.3 on my servers to use this feature?

No. CloudFlare terminates client TLS 1.3 connections at our edge and does not require you to support TLS 1.3 on your servers. Furthermore, we do not currently support TLS 1.3 from our edge to origins, nor do we plan to in the immediate future, so the only reason to enable TLS 1.3 on your servers is if you wish to do so for your own purposes.

How can I use TLS 1.3 in my browser?

TLS 1.3 is currently only available in development versions of browsers, and is not enabled by default.

For Chrome users:

  1. Download and install Chrome Canary
  2. Enter "chrome://flags/" in the address bar and press Enter
  3. Go to "Maximum TLS version enabled." and select "TLS 1.3"
  4. Restart Chrome Canary.

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Click on the lock icon in the address bar and select "Details"
  2. Select the "Security" tab
  3. Reload the page (Command-R in Mac, Ctrl-R in Windows)
  4. Click on the site under "Main origin"
  5. Look on the right-hand tab under "Connection" to confirm that TLS 1.3 is listed as the protocol.

For Firefox users:

  1. Download and install Firefox Nightly
  2. Enter "about:config" in the address bar and click "I'll be careful, I promise!"
  3. Search for "security.tls.version.max" and change it from the default value "3" to "4".

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Click the lock icon in the address bar, then ">", then "More Information"
  2. Under "Technical Details", check that the TLS version is TLS 1.3

What should I do if I'm seeing an error/other issues while using TLS 1.3?

As TLS 1.3 implementations are fairly new, failures may occur. To help us debug our implementation, please submit a support ticket with steps to replicate the issue (if possible), client build version, client diagnostic information, and packet captures for our engineering team to review. Chrome users should submit a net-internals trace. Firefox users should report bugs to Mozilla and, if they determine that an issue is with our implementation, submit any logs they determine relevant to us.
