How do I disable TLS 1.0

ssl
tls
pci

#1

My PCI Compliance company is flagging my site because a Cloudflare IP supports TLS 1.0 when I run my scans. How do I disable TLS 1.0 and only use TLS 1.1 and 1.2?


#2

Hi @tandree, as far as I am aware you can use ‘Require Modern TLS’ on the Business plan, which will shut off ‘1.0 and 1.1’. You will find this in your Crypto tab.


#3

Thanks for the reply. Is there a way to do it without being on the business plan?


#4

@tandree Not that I am aware of via Cloudflare; not sure if you can do this server side (I’m sure someone else will be able to clarify).


#5

Disabling TLS 1.0 does indeed require Modern TLS which is available on the Business and Enterprise plan only at this time. Separately, it requires you to upload a Custom SSL certificate in order to work.

There are plans to deprecate over time, following the official sunset timeline. I would recommend keeping an eye out on the blog to stay up to date on this matter, as this is definitely something that would be announced more widely.


#6

Thanks. Does the Pro version at least get to disable 1.0?

I need to resolve my PCI compliance issue before October 2017.


#7

No, it is only possible with the Business and Enterprise plans today. However, as said earlier, we plan to deprecate this following the sunset timeline outlined by the PCI council. Currently this means that existing service providers -such as ourselves- have until June 30th, 2018 to sunset TLS 1.0.


#8

OK. Thanks again for the info.


#9

This may also be of use: https://support.cloudflare.com/hc/en-us/articles/202249734-Cloudflare-and-PCI-Compliance as well as https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2 (the second article doesn’t have the updated sunset dates, but we’re not quite there yet).


#10

You can also go to your domain’s “Crypto” tab and choose the “Minimum TLS Version” as TLS 1.1 to disable TLS 1.0 for Cloudflare SSL.
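
One way to confirm that the “Minimum TLS Version” setting described in the thread took effect, by attempting a handshake at each protocol version as a compliance scan does. This is an added example, not code from the thread or from Cloudflare; the function names are hypothetical and the domain to test is passed as the first argument.

```python
import socket
import ssl
import sys
import warnings

# Versions relevant to the thread, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that can negotiate only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE   # not the certificate
    with warnings.catch_warnings():   # Python warns when TLS 1.0/1.1 is selected
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; lower it.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx

def accepts(host, version, port=443, timeout=5.0):
    """True if a handshake at exactly `version` completes. TCP errors propagate."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            # SNI tells the edge which domain's settings apply.
            with pinned_context(version).wrap_socket(raw, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionResetError):
            return False

def findings(results, minimum="TLSv1.1"):
    """Accepted versions older than `minimum`, i.e. what a scan would flag."""
    names = list(VERSIONS)
    return [n for n in names[:names.index(minimum)] if results.get(n)]

if __name__ == "__main__":
    host = sys.argv[1]  # the domain proxied through Cloudflare
    results = {n: accepts(host, v) for n, v in VERSIONS.items()}
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    sys.exit(1 if findings(results) else 0)
```

The script exits non-zero while a version older than the chosen minimum is still accepted. A local OpenSSL build without TLS 1.0 support cannot run the oldest probe at all, so run it from a client that still has that protocol available.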