Disable TSL1.0

#1

My payment processor need me to disable TLS1.0 please how do I go about it

#2

I’ll dig for any newer details, but this is what I’ve found so far. In order to disable TLS 1.0, you have these options:

  1. Purchase a dedicated certificate then disable Universal SSL. This allows you to control the minimum TLS version as the certificate is dedicated to your zone.
  2. Upgrade to our Business plan. Business plan IP space is not shared with another zone, allowing you to control the minimum TLS of the Universal certificate.
  3. Use Cloudflare Workers to deny TLS 1.0 request. This allows granular control over which TLS version and cipher you want to allow.
1 Like
#3

Did I misunderstand something or cant you always set the minimum version at https://dash.cloudflare.com/redirect?zone=ssl-tls/edge-certificates regardless of the plan?

1 Like
#4

There is the ability, in all plan levels, to set the minimum TLS version, within the SSL/TLS -> Edge certificates section. Set it to TLSv1.1 or, better, TLSv1.2.

edit Damn it, @sandro ahah

2 Likes
#5

+1 yes you can. I am not sure of the details of the issue and will keep digging but have seen this discussion before in tickets and here. Even though the minimum is set higher, payment processing fails.

We can test it now, @duoduclement, can you set to {EDIT} 1.2 on the SSL/TLS app, edge certificate tab and see if that works with your processor?

#6

Will report back in a jiffy :slight_smile:

1 Like
#7

Cannot comment on payment providers of course but ssllabs.com does seem to get the right version set as minimum.

1 Like
#8

Really curious to see if this meets PCI compliance. I found a recent ticket indicating setting at 1.2 should work for payment processing, although that client ended up going the route of a worker, https://developers.cloudflare.com/workers/templates/snippets/tls_version/

Edit

This is one of those conversations where tls is 1.2 but failing scan for 1.0, Set Minimum TLS to 1.2 but still failing PCI scan for TLS 1.0 being enabled.