Newbie Alert! Consumer of my WebService complains about Ciphers - help please

What is the name of the domain?

weird you need this for a community question. Doesn’t that generate a security issue if exposed to the forums?

What is the error number?

N/A

What is the error message?

N/A

What is the issue you’re encountering

Consumer of my REST API says "

What are the steps to reproduce the issue?

From my 3rd party consumer: we’re having issues connecting to your back-end. The message from our hosting team was:
We have recently restricted our TLS ciphers to only allow forward secrecy ciphers for the highest security possible.
The ciphers we support are:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256

Does this make sense? I use the UI to make config changes. I have changed the default from 1.0 to 1.2 in Minimum TLS version. 1.3 is also enabled. With this in place, should the above be supported?
I thought I would get more options with “Advanced certifate manager”, so I purchased that, but I am not sure it is what is needed.
Aside: I haven’t used the API to change anything and ideally would like to be able to configure in the CF GUI. Thanks for your help in advance, Regards, Jason,.

They support only those for TLS 1.3 any no other?

The TLSv1.3 ciphers cannot be changed, but there is no known issues with the three that Cloudflare support by default.

Source article:

Helpful post:

Article for reset and use API for Legacy in case you haven’t tried yet, otherwise as the articles states to use Advanced Certificate Manager. Please, consider that TLSv1.2 is still used, therefrom don’t disable it’s ciphers:

Thanks for your time and patience with this… My main problem with the 3rd party is that this is their hosting team talking to me via a developer (who has limited understanding of the specific area) and I really only have theoretical knowledge.

To me it should be working now without any intervention.
So this is a system to system connection and it looks like their “client” is IIS 10 / Windows 2019.

The 2 ciphers that they support: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 & TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256 match what is on the link below, i.e.:
“TLS 1.2 Modern [0xc030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384”

Now assuming the above page is relevant for my set up (please correct me if I am using the wrong terminology): Cloudflare Zero Trust - Tunnels. In addition I have set “Always Use HTTPS” against the domain.

So to sanity check, should the caller and the cloudflare server be able to negotiate a common cipher and just get on with it?

Also: I am currently on the Free version. Am I likely to get good support / answers from upgrading to the Business ($240 per year) and will they be able to look at my set up to assist with my gaps in knowledge?

TIA JAC.

You pointed me to: Customize cipher suites · Cloudflare SSL/TLS docs
I have now read this.

I used NMAP to test the connection and it came back with the following (I have added what the CF docs say is the level in brackets at the end.
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A (Legacy TLS 1.0)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A (Compatible)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A (Modern)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A (Not Found)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A (compatible)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A (Modern)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A (Modern)

So my Q’s I guess now:

• am I right in saying the ONLY way to tweak these is to use the API (which I now realise is basically issuing CURL commands)?
• It looks like this is at the domain level, not the subdomain / tunnel level, is that right - my dev / preprod / prod are all on the same domain, just different subdomains (tunnels), so this is a pain if I can’t perfect on one before rolling out to others.

TIA. JAC

“Highest Security” but not even TLS 1.3 support.

Anyway, your NMAP results would suggest that your domain only has an ECDSA certificate, but you actually need an RSA certificate. Can you check at https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates what type your Edge certificate is? If you only have an ECDSA cert, all you need to do is create an RSA cert with Advanced Certificate Manager.

Any certificate authority will do, see here:

No need to manually set ciphers.

Might be worth asking them to consider ugprading their Windows Server?, 2019 is end of life despite it’s extended support for patches only is until 1.1.2029.

From my experience with IIS 8 and Windows Server management, might be only RSA supported as I had issue with SSL and listening on 443 port with Cloudflare Origin CA certificate on Windows Server 2012 and 2016.

““Highest Security” but not even TLS 1.3 support.” - Yes, that was my lightbulb moment a couple of hours ago!

From the URL you pointed me to:

Edge Certificates

Manage and purchase SSL certificates that will be served to your web visitors.

Your plan includes a shared Cloudflare Universal SSL certificate. To get a dedicated certificate with custom hostnames

place a certificate order.

Your plan does not allow you to upload any SSL certificates, but you may

order an auto-renewing certificate or upgrade to the Business plan to enable this feature.You have used 0 out of 100 Advanced certificates.

So I got the domain from CF and it comes with an edge Cert. I did this as I wanted the least (shallowest) learning curve possible, which is already turning out to be VERY steep.

It feels like changing the ciphers for a zone\hostname may be the simplest (from where I am)?
“suggest that your domain only has an ECDSA certificate, but you actually need an RSA certificate.” - does this mean, whatever I do with ciphers, won’t make any difference because I have the wrong type of certificate?

Might be worth asking them to consider ugprading their Windows Server?, 2019 is end of life despite it’s extended support for patches only is until 1.1.2029.

Not really an option I don’t think, certainly not in the short run.

From my experience with IIS 8 and Windows Server management, might be only RSA supported as I had issue with SSL and listening on 443 port with Cloudflare Origin CA certificate on Windows Server 2012 and 2016.

OK, so this also implies needing an RSA cert.

Am I wasting my time with the ciphers?

Regards,
Jason.
P.s. apologies for the poor quoting an attributing. I haven’t workout out how to quote other than for the initial reply!

You don’t need to worry about Ciphers. Cloudflare supports the Cipher you need by default, but an RSA Cipher requires an RSA certificate.

image1145×585 29.4 KB

On a free plan, your domain will only have an ECDSA cert, not RSA.

Since you have ordered Advanced Certificate Manager, all you need to do is click “Order Advanced Certificate”, select any of the available Certificate Authorities and enter your subdomain.

Do you really mean any will allow me to support: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256
?
Not doubting, but just confirming, before I make more confusion. Any suggestion on which one?

This one, yes.

Cloudflare doesn’t support this one.

Just take SSL.com as the cert authority, they should provide the best compatibility.

More “pennies dropping now”. When I look at the 2 x certs that I think CF auto created for me when I was on the free plan:

One by google and the other by lets encrypt, they both say: “ECDSA SHA384 2025-03-12(Managed by Cloudflare)” Which gives a clue. I didn’t realise the difference between ECDSA vs RSA, it was all just a stream of letters.

The cert is currently “Pending Validation (txt)” and while I wait, I’m downloading Nmap as a new tool to learn. Curl was earlier today (although I knew roughly what it was). I am hoping to write some lines of code later! I really appreciate the help.

OK, after adding the new SSL.COM cert I now get:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

Which includes the elusive: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.