How to disable weak ciphers

I have purchased Cloudflare’s Advanced Certificate Manager add-on and ordered an advanced edge certificate using Digicert as the CA. I need to disable certain cipher suites in order for my site to pass PCI compliance.

I am trying to figure out how to do this and have found some other community posts that seem to provide some information on how to do it, but I need help piecing everything together.

Here are the relevant posts I have looked at:

https://community.cloudflare.com/t/advanced-certificate-manager-query/229600
https://community.cloudflare.com/t/how-to-setup-advanced-certificate-manager/340485
https://community.cloudflare.com/t/weak-cipher-suites/63875/4

My questions at this point:

  1. Does DNS for the domain need to be managed in my Cloudflare account? Currently it is not.
  2. Is the API call mentioned in the second post I linked to above the correct call to use?
  3. Where do I have to enter this call? Is it done via Cloudflare Workers?
  4. Can this implementation be done on a Cloudflare free account (which is what I’m using currently)? When I called Cloudflare and spoke to someone last week I was told that it can.

Thank you.

I should add that although DNS is not managed by Cloudflare, the website’s hosting provider (Kinsta) proxies traffic through Cloudflare.

  1. I think as long as you have the traffic being proxied through Cloudflare, it will work.
  2. The API call is the only way that you can change the SSL ciphers.
  3. You make the API call using any HTTP tool such as curl, as in the example.
  4. The API call doesn’t show any plan limits.
2 Likes

If you’re using Kinsta then they’re using Cloudflare For SAAS, so the CF settings would need to be handled on Kinsta’s end. This documentation at Certificate Management · Cloudflare for SaaS docs would be from the point of view of Kinsta as the Cloudflare For SAAS customer.

I use CF For SAAS on my Cloudflare domain zone (i.e. mydomain.com), which has Advanced Certificate Management and is configured to disable weaker SSL ciphers, and that config extends to all custom hostnames I add (i.e. customerdomain.com) that aren’t on my CF domain zone (mydomain.com) as well.

For example, this SSL Labs result is from that custom hostname (customerdomain.com), which has CF SaaS benefits extended to it, including ACM and disabling of weak SSL ciphers.

From the CF For SAAS user’s point of view (Kinsta), the settings for a custom hostname may look something like the screenshot below.

Kinsta and CF For SAAS users have an option of choosing to use Cloudflare provided SSL certificates or upload a customer’s custom SSL certs as per Certificate Management · Cloudflare for SaaS docs

1 Like

Cyb3r-Jak3, thank you for answering my questions. Regarding #3, I’m trying to understand where I would make this call. Would it be in Cloudflare via a Cloudflare Worker, in the website’s PHP code (it’s a WordPress site), or somewhere else?

Thank you for this info, eva2000. Do you implement the API call to disable weak ciphers in Cloudflare as a Cloudflare Worker, or somewhere else?

Also, if I’m understanding correctly, are you saying that in my case Kinsta would need to be the ones to purchase Advanced Certificate Manager and handle disabling the weak ciphers on their end?

By default, if you disable weak ciphers on the main Cloudflare zone, all custom hostnames in CF For SAAS can inherit that same cipher config, so manually doing a one-time API call is enough. If you have to do it per custom hostname, i.e. Kinsta for each customer, they’d use the per-custom-hostname query outlined in the docs: TLS Settings — Cloudflare for SaaS · Cloudflare for SaaS docs

Cipher suites

Cipher suites for zone

Refer to change ciphers setting on a zone.

Cipher suites per custom hostname

Refer to SSL properties of a custom hostname.

2 Likes

eva2000, thank you very much for all of this information. I really appreciate it. Would I implement the one-time API call as a Cloudflare Worker, in the website’s PHP code, or somewhere else?

If you have access to a Linux system with curl, you can run curl CF API commands, or use an app that can query the API, i.e. Insomnia, which works for both CF API and CF GraphQL API calls: https://insomnia.rest/

Or yeah, you can use PHP/CF Worker I suppose. But you may not be able to run that query if using Kinsta, as they would be the CF For SaaS customer, not you.

1 Like

So simply doing something like adding the cURL command API call to the site’s root index.php file would do the trick?

You definitely don’t want to put the API command in your index.php. You just need to run the API call using curl one time from a terminal session that has internet connectivity and is able to reach the Cloudflare API endpoint. You could run it from your own workstation if you have curl available.

Thank you, epic.network. I do have cURL installed on my PC and will try running the command from there.

1 Like

So I have managed to set the ciphers I want to use, but when I run a test on SSL Labs it still shows weak ciphers being used.

Some useful information:

  • DNS is hosted in my Cloudflare account now.
  • I am subscribed to the Advanced Certificate Manager add-on.
  • I have disabled Universal SSL under Edge Certificates.
  • I have issued an advanced certificate (via DigiCert) and this is the only cert listed under Edge Certificates.
  • I have successfully run the API Patch call to set which ciphers I want to use.

When I run the following command to check which ciphers are enabled…:

curl "https://api.cloudflare.com/client/v4/zones/$zoneid/settings/ciphers" -H "Authorization: Bearer $apitoken" -H "Content-Type: application/json"

I get this response showing the ciphers are enabled…:

{"result":{"id":"ciphers","value":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-SHA256","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA256","ECDHE-RSA-AES128-SHA","AES128-GCM-SHA256","AES128-SHA256","AES128-SHA","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-RSA-AES256-SHA","AES256-GCM-SHA384","AES256-SHA256","AES256-SHA"],"modified_on":null,"editable":true},"success":true,"errors":[],"messages":[]}

The ciphers in this result are all of the ones listed as supported by TLS 1.2 on this page (I’m not allowed to include links in my post): developers[dot]Cloudflare[dot]com/ssl/ssl-tls/cipher-suites. I also tried including the three listed for TLS 1.3, but whenever I tried including them in the list I would get the error message “Invalid value for zone setting ciphers”.

Despite everything seeming to be in place, when I run the site through SSL Labs I get the attached result under Cipher Suites. This is after clearing all cache in Cloudflare.

Is there something I am doing incorrectly or something else I need to do still?
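A worked version of the procedure the replies above describe (one-time PATCH of the zone ciphers setting from a workstation, then a GET to confirm), as an added example that is not code from this thread. It also takes the GET response posted above and classifies each suite, so you can see which entries in that list a scanner would still report even though the setting was applied successfully. Assumptions: the zone ID and token are read from environment variables named CF_ZONE_ID and CF_API_TOKEN (names chosen here), PFS_AEAD_SUITES is one candidate restrictive list rather than a Cloudflare or PCI recommendation, the classification rules (no ECDHE means no forward secrecy, no AEAD means a CBC suite) are generic TLS reasoning rather than SSL Labs' exact grading, and the refusal of TLS 1.3 names is based only on the "Invalid value for zone setting ciphers" error reported in the post above.

```python
"""Set a Cloudflare zone's TLS 1.2 cipher list once and verify it.

Added example, not code from the thread. Endpoint and body shape follow the
Cloudflare API:  PATCH /zones/{zone_id}/settings/ciphers  {"value": [...]}
Zone ID and API token come from CF_ZONE_ID / CF_API_TOKEN (assumed names).
"""
import json
import os
import sys
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Candidate restrictive list (an assumption, not Cloudflare's recommendation):
# ECDHE key exchange and AEAD record protection only, nothing CBC, nothing static-RSA.
PFS_AEAD_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

# The GET response posted in the thread, embedded verbatim so the checks run offline.
SAMPLE_RESPONSE = json.loads(
    '{"result":{"id":"ciphers","value":["ECDHE-ECDSA-AES128-GCM-SHA256",'
    '"ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256",'
    '"ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-SHA256","ECDHE-ECDSA-AES128-SHA",'
    '"ECDHE-RSA-AES128-SHA256","ECDHE-RSA-AES128-SHA","AES128-GCM-SHA256","AES128-SHA256",'
    '"AES128-SHA","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-SHA384",'
    '"ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-RSA-AES256-SHA",'
    '"AES256-GCM-SHA384","AES256-SHA256","AES256-SHA"],"modified_on":null,"editable":true},'
    '"success":true,"errors":[],"messages":[]}'
)


def classify(suite: str) -> str:
    """Generic reason a TLS 1.2 suite gets flagged, or 'strong' (ECDHE + AEAD)."""
    if not suite.startswith("ECDHE-"):
        return "no forward secrecy (static RSA key exchange)"
    if "-GCM-" not in suite and "CHACHA20" not in suite:
        return "CBC mode with HMAC (MAC-then-encrypt)"
    return "strong"


def weak_suites(api_response: dict) -> dict:
    """Map each flagged suite in a GET .../settings/ciphers response to its reason."""
    return {s: classify(s) for s in api_response["result"]["value"]
            if classify(s) != "strong"}


def patch_body(suites) -> bytes:
    """JSON body for the PATCH. The thread reports that TLS 1.3 suite names are
    rejected ('Invalid value for zone setting ciphers'), so refuse them up front."""
    bad = [s for s in suites if s.startswith(("TLS_", "AEAD-"))]
    if bad:
        raise ValueError(f"TLS 1.3 suites are not accepted by this setting: {bad}")
    return json.dumps({"value": list(dict.fromkeys(suites))}).encode()


def _request(method: str, zone_id: str, token: str, body: bytes = None) -> dict:
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/ciphers",
        data=body,
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def set_ciphers(zone_id: str, token: str, suites) -> dict:
    return _request("PATCH", zone_id, token, patch_body(suites))


def get_ciphers(zone_id: str, token: str) -> dict:
    return _request("GET", zone_id, token)


def verify(api_response: dict, expected) -> bool:
    """True when the zone setting holds exactly the expected suites, no more, no less."""
    return bool(api_response.get("success")) and \
        set(api_response["result"]["value"]) == set(expected)


if __name__ == "__main__":
    # Offline: which suites in the list from the thread a scanner would still flag.
    for suite, reason in weak_suites(SAMPLE_RESPONSE).items():
        print(f"{suite:34} {reason}")
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone and token:  # the one-time call, run from a workstation, never from index.php
        set_ciphers(zone, token, PFS_AEAD_SUITES)
        ok = verify(get_ciphers(zone, token), PFS_AEAD_SUITES)
        print("zone cipher setting applied:", ok)
        sys.exit(0 if ok else 1)
```

The API confirming the new list only proves the zone setting changed; confirm on the wire as well with, for example, `openssl s_client -connect yourhost:443 -tls1_2 -cipher AES128-SHA`, which should fail to handshake once that suite is gone. If it still succeeds, the hostname's TLS is not being served from your zone's setting, which is the Cloudflare for SaaS situation the replies in this thread describe.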

@donna.burns if you’re still behind Kinsta and their CF For SaaS, then running the API command to disable weak ciphers won’t work. Your CF settings are controlled by Kinsta and their CF For SaaS. Only Kinsta can run that query for you as outlined at Certificate Management · Cloudflare for SaaS docs

specifically TLS Settings — Cloudflare for SaaS · Cloudflare for SaaS docs

Cipher suites

Cipher suites for zone

Refer to change ciphers setting on a zone.

Cipher suites per custom hostname

Refer to SSL properties of a custom hostname.

Kinsta would have to run the per custom hostname query for your domain they setup as a custom hostname on Kinsta’s CF account.

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.