How do I enable TLS 1.3?

What is TLS 1.3?
TLS 1.3 is the newest and most secure version of the TLS protocol. It reduces handshake latency compared with older versions and adds several new features.

What is 0-RTT?
0-RTT is a feature that improves performance for clients who have previously connected to your website. It allows the client's first request to be sent before the TLS connection is fully established, resulting in faster connection times.

What is the Early-Data header?
It's possible for an attacker to replay the first request sent with 0-RTT, which could result in Cloudflare sending the same request to the origin multiple times. To help you identify when a request may have been replayed, Cloudflare includes a new header named "Early-Data" on all requests that were sent over 0-RTT; the header has a value of "1" in this case. You can use this header to decide whether to accept a particular request sent during the 0-RTT connection phase.
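The following is an added example of how an origin can act on the Early-Data header described above; it is not Cloudflare's code. It assumes the origin is a Python WSGI application, that Cloudflare forwards the header exactly as "Early-Data: 1", and it follows the RFC 8470 convention of answering 425 Too Early so that the client retries the request once the handshake has completed. Requests using safe methods (GET, HEAD, OPTIONS) are let through, except for paths you mark as replay-sensitive (a constructed "/unsubscribe" path is used below as an illustration).

```python
"""Origin-side handling of the Early-Data header (added example, not Cloudflare's code)."""

# Plain integers rather than http.HTTPStatus so the block runs on older Pythons.
OK = 200
TOO_EARLY = 425  # RFC 8470: "retry after the TLS handshake has completed"

# Methods RFC 9110 defines as safe; a replay is normally harmless for these.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def was_sent_in_early_data(headers):
    """True when the request arrived over 0-RTT (Cloudflare sets Early-Data: 1)."""
    # Header names are case-insensitive; normalise before the lookup.
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    return normalised.get("early-data") == "1"


def decide_early_data(method, headers, replay_sensitive_paths=(), path="/"):
    """Return the status an origin should use before doing any work on the request.

    - not early data: proceed (OK)
    - early data, safe method, path not replay-sensitive: proceed (OK)
    - anything else sent as early data: TOO_EARLY, so the client resends it
      over the fully established connection
    """
    if not was_sent_in_early_data(headers):
        return OK
    if method.upper() in SAFE_METHODS and path not in replay_sensitive_paths:
        return OK
    return TOO_EARLY


def early_data_middleware(app, replay_sensitive_paths=()):
    """WSGI middleware that answers 425 before the wrapped app sees a replayable request."""

    def wrapped(environ, start_response):
        # WSGI exposes "Early-Data" as HTTP_EARLY_DATA in the environ.
        headers = {"Early-Data": environ.get("HTTP_EARLY_DATA", "")}
        status = decide_early_data(
            environ.get("REQUEST_METHOD", "GET"),
            headers,
            replay_sensitive_paths,
            environ.get("PATH_INFO", "/"),
        )
        if status == TOO_EARLY:
            start_response("425 Too Early", [("Content-Type", "text/plain")])
            return [b"Request was sent as TLS early data; retry after the handshake completes.\n"]
        return app(environ, start_response)

    return wrapped


if __name__ == "__main__":
    # Constructed sample requests, as an edge would forward them to the origin.
    samples = [
        ("GET", {"Early-Data": "1"}, "/"),
        ("POST", {"Early-Data": "1"}, "/checkout"),
        ("POST", {}, "/checkout"),
        ("GET", {"Early-Data": "1"}, "/unsubscribe"),
    ]
    for method, hdrs, path in samples:
        status = decide_early_data(method, hdrs, ("/unsubscribe",), path)
        print(f"{method} {path} early_data={was_sent_in_early_data(hdrs)} -> {status}")
```

Answering 425 only for early-data requests is deliberate: a client that never used 0-RTT never sees the status, and a client that did is required by RFC 8470 to retry after the handshake, so the only cost is one round trip on the non-idempotent requests that actually need protection.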

How can I enable TLS 1.3 for sites on Cloudflare?

TLS 1.3 (with or without 0-RTT) can be enabled in the Crypto section of the dashboard:

Do I need to support TLS 1.3 on my servers to use this feature?

No. Cloudflare terminates client TLS 1.3 connections at our edge and does not require you to support TLS 1.3 on your servers. Furthermore, we do not currently support TLS 1.3 from our edge to origins, nor do we plan to support this in the immediate future, so the only reason to enable TLS 1.3 on your servers is if you wish to do so for your own purposes.

How can I use TLS 1.3 in my browser?

TLS 1.3 is currently supported in both Chrome & Firefox and in development for Safari & Edge browsers.

For Chrome users:

  1. Download and install Chrome Canary
  2. Enter "chrome://flags/" in the address bar and press Enter
  3. Go to "Maximum TLS version enabled." and select "TLS 1.3"
  4. Restart Chrome Canary.

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Click on the lock icon in the address bar and select "Details"
  2. Select the "Security" tab
  3. Reload the page (Command-R in Mac, Ctrl-R in Windows)
  4. Click on the site under "Main origin"
  5. Look on the right-hand tab under "Connection" to confirm that TLS 1.3 is listed as the protocol:

For Firefox users:

  1. Download and install Firefox Nightly
  2. Enter "about:config" in the address bar and click "I'll be careful, I promise!"
  3. Search for "security.tls.version.max" and change it from the default value "3" to "4".

After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:

  1. Click the lock icon in the address bar, then ">", then "More Information"
  2. Under "Technical Details", check that the TLS version is TLS 1.3

What should I do if I'm seeing an error/other issues while using TLS 1.3?

As TLS 1.3 implementations are fairly new, failures may occur. To help us debug our implementation, please submit a support ticket with steps to replicate the issue (if possible), the client build version, client diagnostic information, and packet captures for our engineering team to review. Chrome users should submit a net-internals trace. Firefox users should report bugs to Mozilla and, if they determine that an issue is with our implementation, submit any logs they consider relevant to us.
