Start with ECDSA SSL certificates on origin instead of RSA SSL certs https://community.centminmod.com/threads/improving-Cloudflare-connections-to-origin-server-use-ecdsa-ssl-certs.14817/. When combined with Nginx + OpenSSL 1.1.1 or Nginx + BoringSSL fork you will see much better ECDSA cipher performance compared to OpenSSL 1.0.2/1.1.0. My Centmin Mod Nginx builds support both OpenSSL 1.1.1 and BoringSSL built binaries https://community.centminmod.com/threads/centmin-mod-nginx-http-2-https-tls-1-3-support.15537/ 
FYI, Cloudflare has yet to enable TLS 1.3 CF to origin communication as yet see Cloudflare speak TLS 1.3 0-RTT with Origin Backend?