Missing ciphers after moving to Cloudflare


#1

I’m new to Cloudflare so excuse my ignorance on SSL implementation.

I have Let’s Encrypt set up on nginx. All was working fine but I’m having a problem with ciphers since moving to Cloudflare.

Before moving to Cloudflare, a scan of my server showed the following TLS v1.2 ciphers available

| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A

After moving to Cloudflare, the ciphers have changed to

| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A

The problem is that my payment gateway is trying to connect to my server using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 but the handshake is failing.

I tried disabling SSL completely in Cloudflare but the ciphers don’t change. I can only get the original ciphers back if I disable Cloudflare altogether.

Does anyone know any way around this? Thanks.
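The two listings above are in nmap ssl-enum-ciphers format, and the difference between them is the authentication half of each suite name: every suite before the move says ECDHE_RSA or DHE_RSA, every suite after says ECDHE_ECDSA. A server can only offer suites whose authentication type matches the key in the certificate it presents, so an edge that terminates TLS with an ECDSA certificate cannot negotiate TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 no matter how nginx behind it is configured. The script below is an added example, not code from the thread or from Cloudflare: it parses both listings (copied from the post as its constructed input), reports the certificate key types they imply, flags required suites that are missing, and includes an optional live probe. The `probe_suite` helper and the IANA-to-OpenSSL name conversion are my own; the conversion is only guaranteed for the suite families that appear in the listings.

```python
"""Check a server's advertised TLS 1.2 cipher suites against what a client needs.

Added example, not part of the thread. Parses nmap ssl-enum-ciphers output,
derives the certificate key type each suite requires, and flags required
suites the server no longer offers. The live probe at the bottom is optional
and needs network access; everything else runs offline.
"""
import re
import socket
import ssl

# Constructed input: the two listings quoted in the original post.
BEFORE_CLOUDFLARE = """\
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
"""

AFTER_CLOUDFLARE = """\
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
"""

# One nmap cipher line: suite name, key-exchange parameters in parentheses, grade.
SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\S+)")


def parse_ciphers(text):
    """Return [{'suite', 'params', 'grade'}, ...] for every suite line in the scan."""
    return [
        {"suite": m.group(1), "params": m.group(2), "grade": m.group(3)}
        for m in (SUITE_RE.search(line) for line in text.splitlines())
        if m
    ]


def auth_type(suite):
    """Authentication key type a TLS 1.2 suite name implies (RSA, ECDSA, ...).

    The part between TLS_ and _WITH_ is key exchange plus authentication,
    e.g. ECDHE_RSA -> RSA, ECDHE_ECDSA -> ECDSA, plain RSA -> RSA.
    TLS 1.3 names carry no authentication component, so they match any key.
    """
    if "_WITH_" not in suite:
        return "any"
    return suite[len("TLS_"):suite.index("_WITH_")].split("_")[-1]


def certificate_key_types(entries):
    """Sorted set of certificate key types the offered suites can authenticate with."""
    return sorted({auth_type(e["suite"]) for e in entries})


def missing_suites(required, entries):
    """Required suites that the scan shows the server does not offer."""
    offered = {e["suite"] for e in entries}
    return [s for s in required if s not in offered]


def iana_to_openssl(suite):
    """Convert an IANA suite name to the OpenSSL name ssl.set_ciphers() expects.

    Covers the AES-GCM, AES-CBC and ChaCha20 families seen in the scans above.
    """
    name = suite[len("TLS_"):].replace("_WITH_", "_")
    for src, dst in (("AES_256", "AES256"), ("AES_128", "AES128"),
                     ("_CBC", ""), ("CHACHA20_POLY1305_SHA256", "CHACHA20_POLY1305")):
        name = name.replace(src, dst)
    return name.replace("_", "-")


def probe_suite(host, suite, port=443, timeout=5.0):
    """Live check: can a client offering only `suite` complete a TLS 1.2 handshake?

    Hypothetical helper, network required. Certificate verification is turned
    off on purpose: this tests cipher negotiation, not trust, and a trust
    failure would otherwise be misreported as a cipher mismatch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(iana_to_openssl(suite))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == iana_to_openssl(suite)
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    needed = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]  # what the gateway insists on
    for label, scan in (("before", BEFORE_CLOUDFLARE), ("after", AFTER_CLOUDFLARE)):
        entries = parse_ciphers(scan)
        print(f"{label}: {len(entries)} suites, certificate key types "
              f"{certificate_key_types(entries)}, missing {missing_suites(needed, entries)}")
```

Running it prints that the "before" scan implies an RSA certificate and offers the gateway's suite, while the "after" scan implies an ECDSA-only certificate and lacks it. To confirm a fix (for example after switching to a certificate with an RSA key at the edge), call `probe_suite("your.host.example", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")` against the live hostname; a `True` result means the handshake completes with exactly that suite.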


#2

Cloudflare free flexible SSL certs use ECC 256 bit certs with ECDSA ciphers. If you need traditional RSA 2048bit SSL certificate support, you need to upgrade to Cloudflare Pro plan at least from what I understand.


#3

Hi @bbdever does upgrade to pro solve your issue?
I am facing similar problem.


#4

On my free plans, I pay for the $5/month Dedicated SSL certificates and they come with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


#5

thanks, I upgraded to Dedicated SSL certificates.


#6

Did that take care of the problem?


#7

it does. thanks for helping out.