Disable CBC ciphers on origin

Hello all! I have a server origin that has a Cloudflare generated origin certificate and is currently proxied by Cloudflare. I know that CBC ciphers can be disabled via Cloudflare Advanced Certificate API but we do not have that subscription. So instead I would like to disable CBC ciphers on our host.

Previously, when our server had a local Let’s Encrypt certificate I was able to do this by editing SSLCipherSuites in the /etc/letsencrypt/options-ssl-apache.conf & when the server was unproxied, it showed the correct ciphers on SSL Labs. However now with the Cloudflare generated origin certificate those changes aren’t shown in SSL Labs. Is it possible to do this? Making changes to /etc/apache2/mods-available/ssl.conf also does not appear to work.

Thank you!

Hi there,

When talking about Cloudflare you need to consider it is a reverse proxy, it sits in the middle between your client browser and your origin server - so there are two SSL/TLS handshakes:

client <-----> Cloudflare <------> origin

If you are proxied through Cloudflare and browse to your site, you are going to see the handshake that is controlled by Cloudflare and our edge, if you are not proxied through Cloudflare, the handshake will go directly to your origin server and use your configuration there.

If you want to have control to change ciphers at our edge, while proxied - you do need to use ACM - Advanced Certificate manager, this would be your only option to have cipher changes reflected.

regards,

Thank you for the response. I understand the role of Cloudflare as a proxy, and that this isn’t possible without Cloudflare Advanced Certificates while the server is being proxied, - however my goal here is to be able to unproxy my origin server, run a penetration test on it through the web, and have my chosen list of ciphers show up. I’m not sure how to do this on my host. Thank you!

You can set the accepted ciphers via the SSLCipherSuite directive in Apache, see SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.4 and mod_ssl - Apache HTTP Server Version 2.4.

You can do this in any config file that you actually use, like /etc/apache2/apache2.conf.
As you are no longer using letsencrypt, /etc/letsencrypt/options-ssl-apache.conf is probably no longer an activated config file.

Also, you can affect the ciphers that Cloudflare accepts by changing the minimum TLS version, without needing ACM.

2 Likes