Disable TLS 1.0/1.1 for R2 subdomain

We need to disable TLS 1.0 and 1.1 for our subdomains that are served by R2. We configured this at the top level for *.ourdomain.com but that doesn’t seem to be applying to the R2 subdomains.

Is there a way to do this?

2 Likes

Like your custom domains for R2 or the r2.dev domain?

Our own domains.

Have you set the minimum TLS version under SSL?
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

I see the same problem.
I turned on “Minimum TLS 1.2”, “Always use HTTPS”, and also HSTS. I use the default SSL certificate from Cloudflare (I don’t have Advanced Certificate Manager).

  • Websites using just CF Proxy have the SSL configuration described above (only TLSv1.2 and TLSv1.3 enabled).
  • Resources in R2 (available on my subdomain) are also available using TLSv1.0 and TLSv1.1, so my SSL settings don’t work here.

2 Likes

Same issue here. I also have Minimum TLS Version configured under https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

Cloudflare’s own compliance checker alerts on this under Security Center > Security Insights

2 Likes

@cloudflare please can this be reviewed by the Security Team? I’ve already posted it on HackerOne almost a year ago.

Cloudflare Public Bug Bounty | Report #2246250 | HackerOne

H1 is for vulns, this isn’t a vuln but more of a bad default. Lots of legitimate reasons to support 1.0 still (e.g. older devices).

You can contact support to have it manually changed, feel free to send me ticket IDs and I’ll push them along.

What’s frustrating me is that I’ve told Cloudflare explicitly not to accept TLS connections that are below 1.2, and it outright ignores that setting. That’s a major issue.

The fact that lots of legitimate reasons exist doesn’t mean it should ignore the setting. If you set the setting, whether or not the user knows the implications, it should take effect all the time. I have submitted a pull request to the docs as this is not made clear at all.

Pages also does a similar thing. It sets a higher limit (breaking older devices like you said) and the owner has no control over it.

I can’t submit a ticket because I’m on free, but I can DM you on Discord my R2 Custom Domains so you can change those (and also change the default in future I assume?) if you’re able to help with that please.

Update minimum-tls.md by RyderCragie · Pull Request #15932 · cloudflare/cloudflare-docs (github.com)

Hello, I’ve also got the same problem. Our Infosec team has flagged one of our properties in Cloudflare with TLS 1.0 and TLS 1.1 but I clearly have TLS 1.2 set as the minimum. That property is pointing to an R2 bucket. Scans show that TLS 1.0 and 1.1 are still supported.

Is there a workaround, or a fix in sight?

Thanks very much!

This is now possible with an API call: R2 Edit Custom Domain Settings

2 Likes
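
To check whether a custom domain still accepts TLS 1.0/1.1, as the scans in this thread reported, here is an added example that is not part of any post or of Cloudflare's tooling. It uses only Python's standard `ssl` module; the names `probe` and `violations` are illustrative, and the hostname is whatever domain of your own you pass on the command line.

```python
import socket
import ssl
import sys
import warnings

# Protocol versions to test, mapped to whether the local OpenSSL build can offer them.
VERSIONS = {
    ssl.TLSVersion.TLSv1: ssl.HAS_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.HAS_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.HAS_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.HAS_TLSv1_3,
}

def probe(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to `version`; return a status string."""
    if not VERSIONS[version]:
        return "unsupported-locally"  # cannot tell; do not report as rejected
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # testing protocol versions, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():  # TLSv1/TLSv1_1 constants are deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 blocks TLS < 1.2 otherwise
    except ssl.SSLError:
        pass  # non-OpenSSL backends may not know @SECLEVEL
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except OSError:  # handshake failed: TLS alert, reset or timeout
        return "rejected"
    finally:
        raw.close()

def violations(results, minimum=ssl.TLSVersion.TLSv1_2):
    """Names of versions below `minimum` that the server accepted."""
    return [v.name for v in VERSIONS if v < minimum and results.get(v) == "accepted"]

if __name__ == "__main__":
    host = sys.argv[1]  # your own R2 custom domain
    results = {v: probe(host, v) for v in VERSIONS}
    for v, status in results.items():
        print(f"{v.name:8} {status}")
    sys.exit(1 if violations(results) else 0)
```

Run it before and after changing the minimum TLS setting; an exit status of 1 means a version below 1.2 was still accepted.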
