This question, or a similar one, has been asked before, but I haven’t been able to find a workaround:

Basically we have a customer insisting that “the industry standard is AES 256” for HTTPS, despite the A+ rating from SSL Labs, a reference from NIST, and Google Chrome notifications that say TLS_AES_128_GCM_SHA256 is considered secure.
SSL Labs says the following:

```
# TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256       (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_AES_256_GCM_SHA384       (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
```
In this case, even setting a TLS minimum of 1.3 wouldn’t fix our issue, as that’s what is being used here. We’ve also found that Google Chrome (our officially supported browser for our enterprise SaaS app) uses TLS_AES_128_GCM_SHA256 across different operating systems and hardware. I know accounts on an Enterprise plan can disable specific ciphers, which we’d rather not do for cost and client-compatibility reasons.
Is there a way to set TLS_AES_256_GCM_SHA384 as a preference without needing to upgrade to Enterprise? Or is there another workaround here that we’re not thinking of? I think we can change the SSL/TLS settings on our origin server if that has any flow-on effect to Cloudflare.
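To make concrete what “server has no preference” in the SSL Labs report means for the suite Chrome ends up with, here is an added example (not part of the original question, and not Cloudflare’s tooling) that runs a local TLS 1.3 handshake with the openssl CLI twice. With OpenSSL’s default behaviour the client’s order wins, so a Chrome-like client that lists AES-128-GCM first gets TLS_AES_128_GCM_SHA256 even though the server lists AES-256-GCM first; with -serverpref the server’s order wins and TLS_AES_256_GCM_SHA384 is chosen. It assumes openssl 1.1.1 or later is installed and that local port 14433 is free; the certificate is a throwaway generated by the script.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): show how TLS 1.3 suite selection
# depends on whether the server enforces its own preference order.
# Requires the openssl CLI (1.1.1 or later). Port 14433 is an assumption.
set -eo pipefail

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
PORT="${PORT:-14433}"

# Throwaway self-signed certificate for the local test server (constructed here).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=localhost" -days 1 \
  -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1

# Client offers AES-128-GCM first, as Chrome does; server lists AES-256-GCM first.
CLIENT_ORDER="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
SERVER_ORDER="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"

# negotiate [extra s_server flags]: run one TLS 1.3 handshake against a local
# s_server and print the cipher suite the server chose.
negotiate() {
  openssl s_server -accept "$PORT" -cert "$WORKDIR/cert.pem" -key "$WORKDIR/key.pem" \
    -tls1_3 -ciphersuites "$SERVER_ORDER" -naccept 1 -quiet "$@" >/dev/null 2>&1 &
  local srv=$!
  sleep 1   # give s_server time to bind before the client connects
  local out
  out="$(echo Q | openssl s_client -connect "127.0.0.1:$PORT" -tls1_3 \
           -ciphersuites "$CLIENT_ORDER" 2>/dev/null || true)"
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  # s_client reports e.g. "New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256"
  printf '%s\n' "$out" | sed -n 's/.*Cipher is \(TLS_[A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Default OpenSSL behaviour: honour the client's order ("server has no preference").
negotiate_client_pref() { negotiate; }

# -serverpref (SSL_OP_CIPHER_SERVER_PREFERENCE): honour the server's order instead.
negotiate_server_pref() { negotiate -serverpref; }

echo "client preference (default):     $(negotiate_client_pref)"
echo "server preference (-serverpref): $(negotiate_server_pref)"
```

The same switch exists in most server stacks (nginx’s ssl_prefer_server_ciphers on sets the same OpenSSL option), but it only governs a handshake that terminates on a server you configure. When Cloudflare proxies a site, the browser’s TLS session terminates at Cloudflare’s edge, so the preference order that matters for the browser-facing connection is Cloudflare’s, not the origin’s.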