3DES on some edge nodes, causing SWEET32 warnings

What is the name of the domain?

www.smartprod.com.au

What is the error number?

sweet32

What is the issue you’re encountering

can’t get ssl to update

What steps have you taken to resolve the issue?

Hey all, I’m on a Cloudflare Pro plan using Advanced Certificate Manager.
I’ve disabled TLS 1.0/1.1 and all legacy ciphers including 3DES — and I’ve confirmed the correct config is showing in my dashboard.
However, SSL Labs and Vanta are still seeing 3DES on some edge nodes, causing SWEET32 warnings.
I’ve purged cache and waited several hours, but it seems the config hasn’t propagated fully to all Cloudflare edge servers.
Posting my config summary and scan results below — would love confirmation or escalation help.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

Plan: Pro

Advanced Certificate Manager: Enabled

Minimum TLS Version: Set to TLS 1.2

TLS 1.0 / 1.1: Disabled

TLS 1.3: Enabled (confirmed)

SSL Mode: Full (Strict)

Cloudflare Origin Certificate: Installed and active

Edge Cert Type: RSA (Google Trust Services)

Cipher Suites Configured:

  • Enabled:
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_SHA256
    • TLS_AES_256_SHA256
  • Disabled:
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • All CBC-mode RSA and ECDSA ciphers
  • Cache: Purged all files
  • DNS: All records proxied through Cloudflare
  • IPs: No Microsoft-origin web traffic (email-only DNS present)

Quick update — I’m on a Pro Plan with Advanced Certificate Manager enabled, and the issue seems to be that legacy Universal and Backup certificates are still being served on some edge nodes, exposing TLS 1.0 and 3DES, which triggers SWEET32 warnings in SSL Labs and Vanta.

Support ticket has been submitted — but any insight from the Community or moderators would be appreciated. This is blocking SOC 2 audit compliance.

Pinging @cscharff or @MoreHelp — is there any way to have legacy Universal certs fully removed at the edge when an Advanced ACM cert is active?
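One way to settle the disagreement between the dashboard and the scanners is to handshake with every edge IP the hostname resolves to while offering only 3DES suites, which is essentially what SSL Labs does per node. This is an added example written for this thread, not Cloudflare's or the poster's code; it assumes a local OpenSSL that still ships the 3DES suites, and the hostname default is the one given in the post.

```python
import socket
import ssl

# OpenSSL names of the 3DES suites SSL Labs flags; @SECLEVEL=0 lets a modern client offer them at all.
SWEET32_CIPHER_STRING = "DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:@SECLEVEL=0"

def is_sweet32_cipher(name: str) -> bool:
    """True if a cipher-suite name (IANA or OpenSSL form) uses a 64-bit block cipher."""
    u = name.upper()
    return any(tok in u for tok in ("3DES", "DES-CBC3", "IDEA", "RC2", "BLOWFISH", "BF-CBC"))

def resolve_all(host: str) -> list:
    """Every A/AAAA address for host; a proxied Cloudflare name returns several edge IPs."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def sweet32_context() -> ssl.SSLContext:
    """Client context offering ONLY 3DES over TLS 1.0-1.2, so a completed handshake is a finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the cipher offer is under test, not the certificate chain
    try:
        ctx.set_ciphers(SWEET32_CIPHER_STRING)
    except ssl.SSLError as exc:  # OpenSSL built without weak ciphers cannot run this probe
        raise RuntimeError("local OpenSSL has no 3DES suites; use another scanner") from exc
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe_edge(host: str, ip: str, timeout: float = 5.0):
    """Return (tls_version, cipher) if this edge node accepted the 3DES-only offer, else None."""
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with sweet32_context().wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None  # handshake refused: this node does not negotiate 3DES

def summarize(results: dict) -> dict:
    """Map ip -> verdict; results is {ip: value returned by probe_edge} (pure, so testable offline)."""
    return {ip: (f"SWEET32: {hit[1]} accepted over {hit[0]}" if hit and is_sweet32_cipher(hit[1]) else "clean")
            for ip, hit in sorted(results.items())}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.smartprod.com.au"  # the hostname from the post
    findings = summarize({ip: probe_edge(host, ip) for ip in resolve_all(host)})
    for ip, verdict in findings.items():
        print(f"{ip:40} {verdict}")
```

A node reported as "SWEET32" still completes a handshake with a 3DES-only client, which is the evidence an auditor would want alongside the dashboard screenshot; every node reporting "clean" refused that offer.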

Anyone know how to get Cloudflare to respond to anything? This post or a direct query.

You can point your SOC2 auditors to

And I’d assume the SSL Labs tool is probably checking the wrong things unless it could demonstrate the specifics of your cert being served with TLS 1.0; assuming you have set another minimum SSL version, odds are higher the tool is wrong.

