Disable/order cipher preference

This question or a similar one has been asked before, but I haven’t been able to find a workaround:

Basically we have a customer insisting that “the industry standard is AES 256” for HTTPS despite the A+ rating from SSL Labs, a reference from NIST, and Google Chrome notifications that say TLS_AES_128_GCM_SHA256 is considered secure.

SSL Labs says the following:

```text
# TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256 (0x1301)         ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_AES_256_GCM_SHA384 (0x1302)         ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
```

In this case, even setting a TLS minimum of 1.3 wouldn’t fix our issue, as that’s what is being used here. And we’ve found that Google Chrome (our officially supported browser for our enterprise SaaS app) uses TLS_AES_128_GCM_SHA256 across different operating systems and hardware. I know accounts on an Enterprise plan can disable specific ciphers, which we’d rather not do for cost and client compatibility reasons.

Is there a way to set TLS_AES_256_GCM_SHA384 as a preference without needing to upgrade to Enterprise? Or is there another workaround here that we’re not thinking of? I think we can change the SSL/TLS settings on our origin server if that has any flow-on effect to Cloudflare.
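Added here as an example, not code from the thread or from Cloudflare: a shell check for what the SSL Labs line “server has no preference” actually reports, i.e. whether an edge follows the client’s TLS 1.3 ciphersuite order or imposes its own. It assumes OpenSSL 1.1.1 or newer; the hostname is whatever you pass in, and the same probe run against the origin directly shows whether an origin-side change has any flow-on effect at the edge.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or Cloudflare: probe a TLS 1.3
# endpoint to see whether it imposes its own ciphersuite preference or simply
# follows the client's order. Assumes OpenSSL 1.1.1+ (TLS 1.3 support).
set -u

# Pull the negotiated cipher name out of `openssl s_client` output
# (the "New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256" line).
extract_cipher() {
    sed -n 's/.*Cipher is \([A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Classify two negotiation results obtained with opposite client orders:
# same suite both times means the server chose (or only supports one suite),
# a different suite each time means the server deferred to the client.
classify_preference() {
    local first=$1 second=$2
    if [ -z "$first" ] || [ -z "$second" ]; then
        echo none        # a handshake failed; nothing to conclude
    elif [ "$first" = "$second" ]; then
        echo server
    else
        echo client
    fi
}

# Handshake once with the given ciphersuite list, in client preference order.
# The host:443 target is whatever you pass in; nothing here is a fixed host.
probe() {
    local host=$1 suites=$2
    openssl s_client -connect "$host:443" -servername "$host" -tls1_3 \
        -ciphersuites "$suites" </dev/null 2>/dev/null | extract_cipher
}

# Offer AES-256 first, then AES-128 first, and compare what came back.
preference_for() {
    local host=$1
    classify_preference \
        "$(probe "$host" TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256)" \
        "$(probe "$host" TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384)"
}

# Usage: ./tls13-pref.sh example.com
if [ -n "${1:-}" ]; then
    echo "$1: TLS 1.3 ciphersuite preference = $(preference_for "$1")"
fi
```

A result of `client` matches the SSL Labs “server has no preference” finding: the browser’s first-listed suite (TLS_AES_128_GCM_SHA256 for Chrome) wins, so the only lever is on the server side.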

I think I found your problem. And Cloudflare won’t fix that. Well, unless you give them a lot of money to reconfigure a server for you (i.e. Enterprise Plan) to please a customer’s whims.
