Obsolete CBC ciphers Offered. Even with TLS v1.3

What is the name of the domain?

app.staging.skima.ai

What is the error message?

Obsoleted CBC ciphers (AES, ARIA etc.) offered

What is the issue you’re encountering

I have enabled TLS 1.3 for this zone but am still getting this issue while testing for SSL. This is a compliance-related query since we’re not able to get our compliance due to this.

What steps have you taken to resolve the issue?

I have tried downgrading minimum TLS version to 1.2 and added custom ciphers:
["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"]

But still getting the same issue while testing with drwetter/testssl.sh

Not sure how I can solve this. The application is hosted on Cloudflare Pages, with the domain proxied through Cloudflare DNS.

What is the current SSL/TLS setting?

Off

What is the current SSL/TLS setting?

Full Strict
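
A way to reproduce the scanner finding without testssl.sh, added here as an example that is not part of the original thread: it checks the configured list from the post for non-AEAD suites, then offers a host only CBC suites at TLS 1.2 and reports which one, if any, the server accepts. The function names are illustrative, and the name-based check assumes OpenSSL-style suite names.

```python
import socket
import ssl
import sys

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")  # AEAD modes as they appear in suite names

# The custom cipher list quoted in the post above.
CONFIGURED = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
]


def non_aead(names):
    """Return the suites in an OpenSSL-style name list that are not AEAD."""
    return [n for n in names if not any(m in n.upper() for m in AEAD_MARKERS)]


def local_cbc_suites():
    """CBC suites that this machine's OpenSSL build is able to offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [c["name"] for c in ctx.get_ciphers() if "cbc" in c.get("symmetric", "")]


def probe_cbc(host, port=443, timeout=5.0):
    """Offer only CBC suites at TLS 1.2; return the accepted suite name or None."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no CBC suites
    ctx.set_ciphers(":".join(local_cbc_suites()))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # a certificate problem is not evidence about cipher support
    except ssl.SSLError:
        return None  # handshake refused: no CBC suite was accepted


if __name__ == "__main__":
    print("non-AEAD suites in configured list:", non_aead(CONFIGURED))
    if len(sys.argv) > 1:
        print("CBC suite accepted by", sys.argv[1], ":", probe_cbc(sys.argv[1]))
```

A `None` result from the probe means the handshake failed when only CBC suites were offered; a suite name means the hostname being tested still negotiates CBC at TLS 1.2.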

In that case, you have no control over the TLS settings.


Is there any workaround for this? If not, we might have to move our app away from Cloudflare Pages to be compliant :confused:

You could point a different subdomain at your pages project and then use your original subdomain to proxy that other subdomain with a Snippet I guess.

(The example only has GET requests, add other request types that you need)

Someone just mentioned to me that there’s a better way to achieve this with Snippets, so I’m also sharing that example with you:
