How to disable weak ciphers

I have purchased Cloudflare’s Advanced Certificate Manager add-on and ordered an advanced edge certificate using Digicert as the CA. I need to disable certain cipher suites in order for my site to pass PCI compliance.

I am trying to figure out how to do this and have found some other community posts that seem to provide some information on how to do it, but I need help piecing everything together.

Here are the relevant posts I have looked at:

https://community.cloudflare.com/t/advanced-certificate-manager-query/229600
https://community.cloudflare.com/t/how-to-setup-advanced-certificate-manager/340485
https://community.cloudflare.com/t/weak-cipher-suites/63875/4

My questions at this point:

  1. Does DNS for the domain need to be managed in my Cloudflare account? Currently it is not.
  2. Is the API call mentioned in the second post I linked to above the correct call to use?
  3. Where do I have to enter this call? Is it done via Cloudflare Workers?
  4. Can this implementation be done on a Cloudflare free account (which is what I’m using currently)? When I called Cloudflare and spoke to someone last week I was told that it can.

Thank you.

I should add that although DNS is not managed by Cloudflare, the website’s hosting provider (Kinsta) proxies traffic through Cloudflare.

  1. I think as long as you have the traffic being proxied through Cloudflare it will work.
  2. The API call is the only way that you can change the SSL ciphers.
  3. You make the API call using any HTTP tool such as curl, as in the example.
  4. The API call doesn’t show any plan limits.
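The curl call referred to in point 2 and 3 above, as an added example that is not part of the original answer: it targets the zone settings endpoint `/zones/{zone_id}/settings/ciphers` (assumed from Cloudflare's API docs), needs an API token with permission to edit zone settings, and uses a constructed allow-list of forward-secret AEAD suites; `CF_ZONE_ID`, `CF_API_TOKEN` and `CF_DRY_RUN` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread). Restricts a Cloudflare zone to an explicit
# cipher-suite allow-list via the zone settings API. Assumes the endpoint
# PATCH /zones/{zone_id}/settings/ciphers and a token that may edit zone settings.
# Customising ciphers requires Advanced Certificate Manager on the zone.
# Note: this setting governs TLS 1.2 suites; the minimum protocol version is a
# separate setting (/settings/min_tls_version) and is not changed here.

# Constructed allow-list: ECDHE key exchange, AEAD ciphers only, so no CBC,
# no RSA key exchange, no 3DES/RC4. Check it against your PCI scanner's report.
PCI_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 \
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 \
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384"

# Build the request body {"value":["suite1","suite2",...]} from a
# space-separated list of suite names.
ciphers_body() {
  first=1
  body='{"value":['
  for c in $1; do
    if [ "$first" -eq 1 ]; then first=0; else body="$body,"; fi
    body="$body\"$c\""
  done
  printf '%s]}' "$body"
}

# PATCH the allow-list onto the zone. Reads CF_ZONE_ID and CF_API_TOKEN from the
# environment; with CF_DRY_RUN=1 the request is printed instead of sent, so it
# can be reviewed (and tested offline) before touching production.
set_zone_ciphers() {
  url="https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/ciphers"
  body=$(ciphers_body "$1")
  if [ "${CF_DRY_RUN:-0}" = "1" ]; then
    printf 'PATCH %s\n%s\n' "$url" "$body"
    return 0
  fi
  curl -sS -X PATCH "$url" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$body"
}

# Read the setting back so the change is confirmed before re-running the scan.
get_zone_ciphers() {
  curl -sS "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/ciphers" \
    -H "Authorization: Bearer ${CF_API_TOKEN}"
}

# Usage: CF_ZONE_ID=... CF_API_TOKEN=... CF_DRY_RUN=1 sh this.sh
[ -n "${CF_ZONE_ID:-}" ] && set_zone_ciphers "$PCI_CIPHERS"
```

The zone ID comes from the Cloudflare dashboard overview of the zone; with a Cloudflare for SaaS setup the same `ssl.settings.ciphers` value is set per custom hostname by the SaaS customer instead.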

If you’re using Kinsta then they’re using Cloudflare For SAAS, so the CF settings would need to be handled on Kinsta’s end. This documentation at Certificate Management · Cloudflare for SaaS docs would be from the point of view of Kinsta as the Cloudflare For SAAS customer.

I use CF For SAAS on my Cloudflare domain zone (i.e. mydomain.com), which has Advanced Certificate Management and is configured to disable weaker SSL ciphers, and that config extends to all custom hostnames I add (i.e. customerdomain.com) that aren’t on my CF domain zone (mydomain.com) as well.

For example, this SSL Labs result is from that custom hostname (customerdomain.com), which has had CF SaaS benefits extended to it, including ACM and the disabling of weak SSL ciphers.

From a CF For SAAS user’s point of view (Kinsta), the settings for a custom hostname may look something like the screenshot below.

Kinsta and CF For SAAS users have the option of choosing to use Cloudflare-provided SSL certificates or to upload a customer’s custom SSL certs, as per Certificate Management · Cloudflare for SaaS docs.

Cyb3r-Jak3, thank you for answering my questions. Regarding #3, I’m trying to understand where I would make this call. Would it be in Cloudflare via a Cloudflare Worker, in the website’s PHP code (it’s a WordPress site), or somewhere else?

Thank you for this info, eva2000. Do you implement the API call to disable weak ciphers in Cloudflare as a Cloudflare Worker, or somewhere else?

Also, if I’m understanding correctly, are you saying that in my case Kinsta would need to be the ones to purchase Advanced Certificate Manager and handle disabling the weak ciphers on their end?