Does Cloud support TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 on Free Plan?
No, likely because CBC has known exploits. GCM is the replacement that isn’t vulnerable to this.
And, by the way, higher plans can’t enable more cipher suites. All Cloudflare sites offer the same list, which I’ve included below.
1 Like
Also, free plan is likely to get only ECDSA certificate, so ciphers related to RSA are not supported. Unless you purchase ACM.
1 Like
I saw this website is using Cloudfare and can use TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ( SSL Server Test: www.bnn.in.th (Powered by Qualys SSL Labs)).
What options do I have in order to enable this cipher suite? Upgrade to Pro Plan?
Is it on the list in Judge’s answer? If not, there isn’t an option to enable it.
2 Likes
It’s in the list in Judge’s answer and also I found website who is using cloudfare can use it as well. But for my free plan, I do not see this TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 so I’m not sure how to have it enabled for my website as well.
I believe this is this one. Anyway, since it’s shown in one of the website that using Cloudflare so I guess it is supported by Cloudflare.
Just to eliminate the confusion, so if I would like to use “ECDHE-RSA-AES256-SHA384” which is definitely in the list of Cloudfare but I cannot see it under my free plan. What options do that I have in order to enable this for my website? Thank you for your help!
I thought the names were one-to-one but they’re not:
https://testssl.sh/openssl-iana.mapping.html
[0xc028] ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
And my free plan website (with only an ECDSA certificate) does indeed work with that suite
curl --ciphers ECDHE-RSA-AES256-SHA384 https://judge2020.com -v 2>&1 | grep 'location:\|using'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
< location: https://judge.sh
So you should be able to use it.
1 Like
Thank you very much for you help. I did try your web on ssl labs and sslscan but it did not show “ECDHE-RSA-AES256-SHA384”. Which report is correct then?
Seems like Free Plan will not support any “RSA” cipher suites. I am not sure if 1) purchasing Advanced Certificate Manager or 2) upgrade to Pro plan will enable this “RSA”.
I am considering to upgrade to Pro plan. Cloud anyone share SSL Labs report for Cipher Suites on site that use pro plan? Just would like to confirm that iPro Plan can support RSA Cipher Suites.
This handy test lists various domains at each plan level. Some of them are educated guesses, so I suggest you check each one in the Pro Plan list:
https://cloudflare-test.judge.sh/
2 Likes
Thank you! This is exactly what I’m looking for.
1 Like
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.