Disable weak cipher not working

For Workers & Pages, what is the name of the domain?

veroit.app

What is the error number?

Disable weak cipher not working

What is the error message?

I’m trying to disable insecure ciphers on TLS 1.2, but when I check they remain enabled.

What is the issue or error you’re encountering

I’m trying to disable insecure ciphers on TLS 1.2, but when I check they remain enabled. I have a Pro Plan and ACM. Universal SSL is disabled.

What are the steps to reproduce the issue?

Step 1

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/XXXXXXXXXXXXXXXXXX/settings/ciphers" \
  -H "X-Auth-Email: XXXXXXXXXXXXXXXXXXX" \
  -H "X-Auth-Key: XXXXXXXXXXXXXXXXXXXXXXXX" \
  -H "Content-Type: application/json" \
  -d '{ "value": [] }'

Step 2

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/XXXXXXXXXXXXXXXXXX/settings/ciphers" \
  -H "X-Auth-Email: XXXXXXXXXXXXXXXXXXX" \
  -H "X-Auth-Key: XXXXXXXXXXXXXXXXXXXXXXXX" \
  -H "Content-Type: application/json" \
  -d '{
    "value": [
      "ECDHE-ECDSA-AES128-GCM-SHA256",
      "ECDHE-ECDSA-CHACHA20-POLY1305",
      "ECDHE-ECDSA-AES128-SHA",
      "ECDHE-ECDSA-AES256-GCM-SHA384",
      "ECDHE-ECDSA-AES128-SHA256",
      "ECDHE-ECDSA-AES256-SHA384",
      "ECDHE-RSA-AES128-GCM-SHA256",
      "AES128-GCM-SHA256",
      "ECDHE-RSA-AES256-GCM-SHA384",
      "AES256-GCM-SHA384"
    ]
  }'

Step 3

curl -X GET "https://api.cloudflare.com/client/v4/zones/XXXXXXXXXXXXXXXXXX/settings/ciphers" \
  -H "X-Auth-Email: XXXXXXXXXXXXXXXXXXX" \
  -H "X-Auth-Key: XXXXXXXXXXXXXXXXXXXXXXXX"

Result:
{"result":{"id":"ciphers","value":["ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-SHA","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-SHA256","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES128-GCM-SHA256","AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","AES256-GCM-SHA384"],"modified_on":null,"editable":true},"success":true,"errors":[],"messages":[]}

Testing:

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-ECDSA-AES128-GCM-SHA256" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-ECDSA-CHACHA20-POLY1305" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-ECDSA-AES128-SHA" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-ECDSA-AES256-GCM-SHA384" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-ECDSA-AES128-SHA256" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-ECDSA-AES256-SHA384" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-RSA-AES128-GCM-SHA256" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "AES128-GCM-SHA256" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "ECDHE-RSA-AES256-GCM-SHA384" -tls1_2
Result: ENABLED

Executed command: openssl s_client -connect "veroit.app:443" -cipher "AES256-GCM-SHA384" -tls1_2
Result: ENABLED

Screenshot of the error

Unless I’m misreading what you did, you enabled all the ones on the list.

If you meant to disable them, then your API call should be a list of the strong ciphers you wish to retain.
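
Added example, not part of the thread and not Cloudflare's code: the reply's point that the `ciphers` value is an allow-list, applied to the list returned in Step 3. The keep/drop rule (ECDHE key exchange plus an AEAD cipher) is an assumed policy for what counts as "weak", and the function names are hypothetical.

```shell
#!/bin/sh
# Cipher names copied from the GET result in the thread (Step 3).
CURRENT="ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384"

# Assumed policy: keep a suite only if it has ECDHE key exchange (forward
# secrecy) and an AEAD cipher (GCM or ChaCha20-Poly1305).
classify() {
  case "$1" in
    ECDHE-*GCM*|ECDHE-*CHACHA20*) echo keep ;;
    *) echo drop ;;   # CBC-mode suites and static-RSA key exchange
  esac
}

# select_suites VERDICT LIST: print the suites in LIST with that verdict.
select_suites() {
  printf '%s\n' "$2" | while IFS= read -r c; do
    if [ -n "$c" ] && [ "$(classify "$c")" = "$1" ]; then echo "$c"; fi
  done
}

# Build the PATCH body. The value lists the suites that stay enabled;
# anything left out of it is what gets disabled.
payload() {
  select_suites keep "$1" |
    awk 'BEGIN{printf "{\"value\":["} {printf "%s\"%s\"", (NR>1?",":""), $0} END{print "]}"}'
}

# offered HOST CIPHER: exit 0 if the TLS 1.2 handshake succeeds with CIPHER.
# Needs network access, so it is defined here but not called.
offered() {
  openssl s_client -connect "$1:443" -servername "$1" -cipher "$2" -tls1_2 \
    </dev/null >/dev/null 2>&1
}

echo "PATCH body:"; payload "$CURRENT"
echo "Suites that should fail the handshake after the PATCH:"
select_suites drop "$CURRENT"
```

After the PATCH, the meaningful test is to run `openssl s_client` against the dropped suites: those should fail the handshake, while every suite in the PATCH body is expected to report as enabled.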