Using Minimum TLS Version in Cloudflare Crypto


Transport Layer Security (TLS) guarantees encrypted communications between a client and a web server via HTTPS. It replaces the now deprecated Secure Sockets Layer (SSL) protocol. When web traffic is encrypted with TLS, users see a green padlock in their browser window, near the URL box.

You can manage the TLS version that your domain uses when proxied through Cloudflare by setting the Minimum TLS Version in the Crypto app of the Cloudflare dashboard. 

Selecting a minimum version ensures that all subsequent, newer versions of the protocol are also supported. TLS 1.0 is the version that Cloudflare sets by default for all customers using certificate-based encryption. With that default, Cloudflare also accepts requests encrypted with any TLS version newer than 1.0.
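To confirm that the edge actually enforces the minimum you selected, the script below (an added example, not Cloudflare's own tooling) pins a handshake to each TLS version in turn and compares what the edge accepts with what the setting should produce. The hostname, the port (443), and the five-second timeout are assumptions; the NO_PROTOCOLS_AVAILABLE check is a heuristic for the local OpenSSL refusing an old version before it is ever offered to the server.

```python
import socket
import ssl

# Protocol versions in the order Cloudflare's Minimum TLS Version setting offers them.
TLS_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

def expected_acceptance(minimum):
    """Map a Minimum TLS Version setting to {version name: edge should accept it}."""
    names = [name for name, _ in TLS_VERSIONS]
    if minimum not in names:
        raise ValueError(f"unknown TLS version {minimum!r}; expected one of {names}")
    floor = names.index(minimum)  # the chosen version and everything newer is accepted
    return {name: index >= floor for index, name in enumerate(names)}

def probe_version(host, version, port=443, timeout=5.0):
    """True if the edge accepts exactly this version, False if refused, None if inconclusive."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # the local OpenSSL build cannot offer this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLCertVerificationError:
        return None  # e.g. a local interception proxy, not the edge's version policy
    except ssl.SSLError as exc:
        # Assumed heuristic: OpenSSL refusing locally (security level) reports
        # NO_PROTOCOLS_AVAILABLE; a protocol_version alert or a closed connection
        # means the server refused the pinned version.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return False  # e.g. connection reset during the handshake

def audit(host, minimum):
    """Return [(version, expected, observed)] wherever the edge disagrees with the setting."""
    expected = expected_acceptance(minimum)
    mismatches = []
    for name, ver in TLS_VERSIONS:
        observed = probe_version(host, ver)
        if observed is not None and observed != expected[name]:
            mismatches.append((name, expected[name], observed))
    return mismatches
```

Call `audit("your-zone.example", "TLS 1.2")` after changing the setting; an empty list means every probed version behaved as the minimum predicts, and any tuple returned names a version the edge accepted or refused contrary to the configuration.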

For guidance on which TLS version to use, review the information outlined below.

Understand TLS versions

A higher TLS version implies a stronger cryptographic standard. TLS 1.2 includes fixes for known vulnerabilities found in previous versions.

As of June 2018, TLS 1.2 is the version required by the Payment Card Industry (PCI) Security Standards Council. Cloudflare recommends migrating to TLS 1.2 to comply with the PCI requirement.

TLS 1.3, which offers additional security and performance improvements, was approved by the Internet Engineering Task Force (IETF) in May 2018.

Decide what version to use

Not all browser versions support TLS 1.2 and above. Depending on your particular business situation, this may present some limitations in using stronger encryption standards.

Consider using TLS 1.0 or 1.1 for sites with a broad user base, particularly non-transactional sites. This way, you minimize the possibility that some clients might not be able to connect to your site securely.

For a narrow user base and sites that run internal applications or business and productivity applications, Cloudflare recommends TLS 1.2. These sites might already have more stringent security requirements or might be subject to PCI compliance. However, you also need to ensure that your users upgrade to a TLS 1.2-capable browser.
