Hi, we need to disable weak cipher suite in TLS 1.2.
The basic certificate (Universal SSL) does not allow us to customize the cipher suite and we need to purchase “Advanced Certificate Manager”.
We have purchased “Advanced Certificate Manager” and created the digicert. As instructed we need to call the API (Advanced certificates · Cloudflare SSL/TLS docs) in order to modify the cipher suite.
We go ahead and try to create the custom token (API Token).
According to (Cloudflare API Documentation), we need to enable “SSL and Certificates Write” permissions in order to modify the SSL. However we cant find this option under the “Permissions” dropdown.
So the question what are the actual steps to customize the cipher suite?
I use the following, which will give you excellent browser support, and excludes all legacy ciphers. You get support to Safari 9, Android 4.4.2, Windows 7, etc. I deliberately use ECC ciphers only. You don’t need to list the TLSv1.3 ciphers. (If running scans from Internet.nl they will show one pre-RFC variant of ChaCha20-Poly1305 that you should drop, but due to a bug cannot be dropped by ACM unless you drop the RFC version also, which is needed for the widest browser support.)