Cipher settings for tls 1.3 now work

grenruraltourism · March 18, 2021, 4:39pm

Hello to all

I have an issue with with Cipher settings.

So what we have

Minimum TLS Version 1.3 enabled
Advanced Certificate Manager

So during api documentation we can see our current settings

curl -X GET "https://api.cloudflare.com/client/v4/zones/xxxxxxxxxxxxxxxxxxx/settings/tls_1_3" \
       -H "X-Auth-Email: xxxxxxxxxxxxxxxxxxx" \
       -H "X-Auth-Key: xxxxxxxxxxxxxxxxxxx" \
       -H "Content-Type: application/json"

{“result”:{“id”:“tls_1_3”,“value”:“on”,“modified_on”:null,“editable”:true},“success”:true,“errors”:[],“messages”:[]}

so there is no settings by default

Also during this link https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites

we can enable for tls 1.3 next cipher:
AEAD-AES256-GCM-SHA384
AEAD-AES128-GCM-SHA256
AEAD-CHACHA20-POLY1305-SHA256

api documentations Cloudflare API v4 Documentation

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/xxxxxxxxxxxxxxxxxxxsettings/ciphers" \
     -H "X-Auth-Email: xxxxxxxxxxxxxxxxxxx" \
     -H "X-Auth-Key: xxxxxxxxxxxxxxxxxxx" \
     -H "Content-Type: application/json" \
     --data '{"value":["AEAD-AES256-GCM-SHA384"]}'

{“success”:false,“errors”:[{“code”:1007,“message”:“Invalid value for zone setting ciphers”}],“messages”:[],“result”:null}

So main point how to remove from tls 1.3 AEAD-AES256-GCM-SHA384 and |AEAD-CHACHA20-POLY1305-SHA256

Any ideas ?

Thanks to all.

michael · March 19, 2021, 4:07am

I do not believe you can modify the ciphers used for TLS 1.3. The settings/ciphers API can only set the ciphers used for earlier versions of TLS, and the TLS 1.3 ciphers are automatically added. The ones Cloudflare uses are specified in the TLS 1.3 specification as MUST and SHOULD implement.

system · March 21, 2021, 5:03pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.