Moving TLS1.2 to TLS1.3 Get Algorithm Mismatch Error

We have currently set TLS1.2 as the minimum protocol in Cloudflare and our client applications are using TLS1.2 when making calls. It is working fine. We need to move to TLS1.3. When I set it to TLS1.3 in TLS > Edge Certificates in Cloudflare and also set the TLS1.3 protocol when making a call from the client application, I get an algorithm mismatch error. Our domain name servers are on Cloudflare.

Please help.

There are two different settings that are relevant here, but they do different things.

The first enables TLS 1.3 for use, and is under the TLS 1.3 section of the Edge Certificates tab of the Cloudflare SSL/TLS app. Without this enabled, only TLS 1.0, 1.1 and 1.2 are available.

The second is the minimum TLS version which is on the same tab, and this can be used to disable the older versions of TLS that are generally not needed any more.

I would recommend that TLS 1.3 is enabled, but that the minimum TLS version is set to 1.2.

I still see a sizeable amount of traffic using 1.2, so I cannot see a general purpose domain being able to set the minimum to 1.3 yet; that is probably a few years away.

Once you have enabled 1.3, you can monitor your application and your traffic to make a decision on when and if it is safe to disable 1.2.


Thanks for the reply.

In our Edge Certificate settings, we have enabled the TLS1.3 and set TLS1.2 as a minimum.

TLS 1.3

Enable the latest version of the TLS protocol for improved security and performance.

Minimum TLS Version

Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer.

When I set TLS1.3 as a minimum version and make an API call from C# by setting
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;

then it throws a mismatch exception. But if I keep the minimum version at TLS1.2 and call like
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;

then it works fine.

Please advise.

Since you recommend that TLS 1.3 is enabled but that the minimum TLS version is set to 1.2, is there any reason behind that? Can we not force TLS1.3 as the minimum version?

You cannot force a client that does not support TLS 1.3 to use it. While the majority of clients will use TLS 1.3, there are still enough older clients in the wild that TLS 1.2 is needed.

With my proposed config, clients will negotiate 1.3 if they support it, and fall back to 1.2 otherwise (and if the client is so old that it needs 1.0, it will fail to connect).

Your issue with .Net is best taken to StackOverflow or similar forum, as it is outside the scope of this Community.

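The negotiation described in that reply, as an added example that is not part of the original thread and not Cloudflare's or .NET's code: a Go program that runs real TLS handshakes over a loopback TCP socket, with the server's `MinVersion` standing in for the edge's "Minimum TLS Version" and its `MaxVersion` standing in for whether the TLS 1.3 toggle is on. The certificate, the host name `edge.example.test`, and the function names are constructed for this example; it assumes a loopback listener is available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for the simulated edge.
// Constructed for this example; nothing here is a real Cloudflare certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "edge.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"edge.example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Negotiate performs one TLS handshake over loopback TCP and returns the
// version both sides agreed on, or the handshake error. serverMin models the
// edge's "Minimum TLS Version"; serverMax is tls.VersionTLS13 when the TLS 1.3
// toggle is on and tls.VersionTLS12 when it is off. clientMin and clientMax
// are the versions the client is willing to offer.
func Negotiate(serverMin, serverMax, clientMin, clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin,
		MaxVersion:   serverMax,
	}
	clientCfg := &tls.Config{
		ServerName: "edge.example.test",
		// The certificate is self-signed and generated per call, so chain
		// verification is skipped; the exercise is about version negotiation.
		InsecureSkipVerify: true,
		MinVersion:         clientMin,
		MaxVersion:         clientMax,
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer conn.Close()
		serverDone <- tls.Server(conn, serverCfg).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	client := tls.Client(raw, clientCfg)
	if err := client.Handshake(); err != nil {
		raw.Close() // unblock the server side before collecting its result
		<-serverDone
		return 0, err
	}
	if err := <-serverDone; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

// VersionName renders a TLS version constant for printing.
func VersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	cases := []struct {
		label                                      string
		serverMin, serverMax, clientMin, clientMax uint16
	}{
		{"1.3 on, min 1.2, modern client", tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS13},
		{"1.3 on, min 1.2, client stuck on 1.2", tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12},
		{"1.3 on, min 1.2, client only speaks 1.0", tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS10, tls.VersionTLS10},
		{"1.3 on, min 1.3, client stuck on 1.2", tls.VersionTLS13, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12},
		{"1.3 off, client insists on 1.3", tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS13},
	}
	for _, c := range cases {
		v, err := Negotiate(c.serverMin, c.serverMax, c.clientMin, c.clientMax)
		if err != nil {
			fmt.Printf("%-42s -> handshake failed: %v\n", c.label, err)
			continue
		}
		fmt.Printf("%-42s -> %s\n", c.label, VersionName(v))
	}
}
```

The first two cases are the recommended configuration from the reply: a client that offers 1.3 gets 1.3, one that only offers 1.2 still connects, and a 1.0-only client is refused. The last two cases show the two ways a strict setting on either side turns into a failed handshake rather than a downgrade: raising the edge minimum to 1.3 drops every 1.2-only client, and a client pinned to 1.3 alone cannot connect to an edge where 1.3 is not enabled. Watching which of these a fleet of clients falls into, as the reply suggests, is how you decide when disabling 1.2 is safe.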