How can we disable weak ciphers

We’ve been asked to make the following modifications to our network traffic by a government entity with which we do business:

  • Configure servers to disable TLS 1.0 and TLS 1.1
  • Disable weak cipher suites

I can see where to set the TLS version – all good :slight_smile:

But how do we “disable weak ciphers”? Is this done automatically as a consequence of setting a higher TLS level? Or do we have to do this elsewhere in the interface?

By disable weak ciphers, we’re only supposed to ALLOW the following:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Is there anyway to determine what ciphers are currently being used?

I remember there’s an API to modify ciphers settings (allowlist), try checking this out: Cloudflare API v4 Documentation

I think you need ACM addon plan (advanced certificate manager, in SSL → Edge Certificates), so you get your own dedicated cert instead of using CF’s shared cert.

Maybe give it a try?

1 Like

I found the following reference to cipher suites:

https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites

Does this mean that if we set the TLS to 1.2 that we get a pre-selected set of ciphers as indicated by the checked cipher options for 1.2 and 1.3?

Because that looks like it might satisfy the requirements.

Yes, that’s how it will work. Note that in some cases it seems like the server supports TLS 1.0 and TLS 1.1 even when disabled, it doesn’t actually work, the IP just allows connections but not your domain.

1 Like

I’ve had cases where legacy TLS has become active. A support ticket indicated to drop the minimum TLS and raise it again to redeploy if this happens. (Turn it off and on again!)

Even with minimum TLS set to TLS v1.2 there are some ciphers that would be considered weak. I use ACM with this API call to disable ciphers I don’t need:

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zoneid}/settings/ciphers" -H "X-Auth-Email: ${auth_email}" -H "X-Auth-Key: ${auth_key}" -H "Content-Type: application/json" --data '{"value":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"]}'

The TLSv1.3 ciphers cannot be changed, but there is no known issues with the three that Cloudflare support by default. Due to a bug, this command will enable the pre-RFC version of the Chacha20-Poly1305 ciphers (0xcc13 and 0xcc14). The only fix at present is to exclude those two ciphers.

1 Like

Realistically, what are the drawbacks of just going straight TLS 1.3 and relying on the three ciphers nominated?

A healthy percentage of your users will not be able to connect to your website is one reason! On my sites I’m showing 18% TLS v1.2 in the last week, a lot of that is internal API traffic, but a lot of users are still using TLS v1.2. There is no real security reason to disable TLS 1.2 at this time.

https://caniuse.com/tls1-3

3 Likes