Enforce TLS v1.3 to all clients

Dear Cloudflare security team,
I want to force the older devices to move to the latest TLS version. Unfortunately, I’m unable to do this on the origin server. I need advice on how I can deal with this issue.

Here are the requests from the past 24hrs:

Here’s the SSL Labs Report:
And the supported versions:
https://www.ssllabs.com/ssltest/analyze.html?d=ncr-cet.com

I do not want to lose traffic from the older clients. How can I safely redirect them to a newer version like v1.3? I have tested other Cloudflare-hosted websites; they are using only the latest TLS version, and still their website is accessible on older devices, but not mine.

ChatGPT suggested deploying this Cloudflare Worker:

addEventListener("fetch", (event) => {
  event.respondWith(handleRequest(event.request));
});

async function handleRequest(request) {
  // Check the TLS version of the incoming request
  const tlsVersion = request.cf.tlsVersion;

  // If the request is using TLS v1.2, upgrade the connection to TLS v1.3
  if (tlsVersion === "TLSv1.2") {
    const upgradedRequest = new Request(request, {
      cf: {
        // Force the request to use TLS v1.3
        tlsVersion: "TLSv1.3",
      },
    });

    // Fetch the upgraded request and return the response
    return await fetch(upgradedRequest);
  }

  // For requests using TLS v1.3 or higher, simply pass them through to the origin server
  return await fetch(request);
}

Before deploying this worker I need a bit of expert advice.

Thank you

devyaqoob

Clients will negotiate the highest level of encryption they support. If the client can’t support a version higher than 1.2 you can’t safely redirect them to a higher version.

3 Likes
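
The negotiation described in the reply above, as an added example that is not part of the thread or of Cloudflare's code: `negotiate` models how a handshake picks a version, and `impactOfMinimum` counts how many observed requests a stricter minimum would have refused. The function names and the sample data are assumptions made for illustration; the only Workers field assumed is the `request.cf.tlsVersion` string already used in the question.

```javascript
// Added example, not code from the thread. ORDER, negotiate and
// impactOfMinimum are illustrative names.
const ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"];
const rank = (v) => ORDER.indexOf(v);

// Version selection in a handshake: the highest version that the client offers
// and the server allows. null means the handshake fails, so no HTTP request
// exists and no Worker code runs for that client.
function negotiate(clientVersions, serverMin, serverMax = "TLSv1.3") {
  const common = clientVersions
    .filter((v) => rank(v) >= 0 && rank(v) >= rank(serverMin) && rank(v) <= rank(serverMax))
    .sort((a, b) => rank(b) - rank(a));
  return common.length > 0 ? common[0] : null;
}

// Input: tlsVersion strings as a Worker reads them from request.cf.tlsVersion.
// Output: per-version counts and how many requests a proposed minimum would
// have refused. Unrecognised values are counted separately, not as dropped.
function impactOfMinimum(observed, proposedMin) {
  if (rank(proposedMin) < 0) throw new Error("unknown version: " + proposedMin);
  const counts = {};
  let dropped = 0;
  let unknown = 0;
  for (const v of observed) {
    counts[v] = (counts[v] || 0) + 1;
    if (rank(v) < 0) unknown += 1;
    else if (rank(v) < rank(proposedMin)) dropped += 1;
  }
  const known = observed.length - unknown;
  return { counts, dropped, unknown, droppedPct: known ? (100 * dropped) / known : 0 };
}

// Constructed sample of observed versions (not the poster's traffic).
const SAMPLE = ["TLSv1.3", "TLSv1.3", "TLSv1.2", "TLSv1.3", "TLSv1.2", "TLSv1.3", "TLSv1.3", "TLSv1.2"];

console.log(negotiate(["TLSv1.2", "TLSv1.3"], "TLSv1.2"));
console.log(negotiate(["TLSv1", "TLSv1.1", "TLSv1.2"], "TLSv1.3"));
console.log(impactOfMinimum(SAMPLE, "TLSv1.3"));
```

Because the version is fixed during the handshake, the value a Worker reads is a record of what was already negotiated; counting it over a period of real traffic shows what raising the minimum version would cost before the setting is changed.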
