Custom Cipher Suite settings

user2376 · February 1, 2021, 3:48am

Hi, we need to disable weak cipher suite in TLS 1.2.

The basic certificate (Universal SSL) does not allow us to customize the cipher suite and we need to purchase “Advanced Certificate Manager”.

We have purchased “Advanced Certificate Manager” and created the digicert. As instructed we need to call the API (https://developers.cloudflare.com/ssl/advanced-certificate-manager#change-ciphers-suite-settings) in order to modify the cipher suite.

We go ahead and try to create the custom token (API Token).
According to (https://developers.cloudflare.com/api/tokens/create/permissions), we need to enable “SSL and Certificates Write” permissions in order to modify the SSL. However we cant find this option under the “Permissions” dropdown.

So the question what are the actual steps to customize the cipher suite?

Thank.

sdayman · February 1, 2021, 4:02am

I’ve not tried using API Token for this, but did try with the Global Key. Is this an option for you?

user2376 · February 1, 2021, 4:13am

Hi sdayman,

Yes the Global Key works, thank.

However I encounter another problem when setting the cipher suite:
code: 1007
message: Invalid value for zone setting ciphers

This is the value:
‘{“value”:[“EECDH+AESGCM”,“EDH+AESGCM”,“DHE-RSA-AES256-CCM8”,“DHE-RSA-AES256-CCM”,“DHE-RSA-AES128-CCM8”,“DHE-RSA-AES128-CCM”]}’

Also the values are extracted from origin server setting and it works well there.

Any idea on this? Or any value you recommended to exclude all the weak ciphers?

Thank.

user2376 · February 1, 2021, 6:55am

ok we found the list of cipher suites that support by Cloudflare (https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites). We will try them out.

Thanks!

michael · February 1, 2021, 8:46am

I use the following, which will give you excellent browser support, and excludes all legacy ciphers. You get support to Safari 9, Android 4.4.2, Windows 7, etc. I deliberately use ECC ciphers only. You don’t need to list the TLSv1.3 ciphers. (If running scans from Internet.nl they will show one pre-RFC variant of ChaCha20-Poly1305 that you should drop, but due to a bug cannot be dropped by ACM unless you drop the RFC version also, which is needed for the widest browser support.)

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zoneid}/settings/ciphers" -H "X-Auth-Email: ${auth_email}" -H "X-Auth-Key: ${auth_key}" -H "Content-Type: application/json" --data '{"value":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305"]}'

system · February 2, 2021, 8:47am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.