Setting ciphers for a zone using API

Hello All,

I have been trying to set our standard ciphers for a zone in Cloudflare using Postman. I can see the ciphers using the “GET” command in another zone, but when I try to add ciphers to this zone it fails, and I’m getting “bad value for zone setting”. Any ideas?

Which TLS version are you using at your client?
I see you use Postman, which has got a Settings option to configure Protocols which are disabled during handshake and cipher suite selection - maybe you are using a too old or unsupported one?

What ciphers do you get as a result when using GET?

Moreover, which TLS minimum version is selected in the Cloudflare dashboard for your domain?

Can you reply with the “copy-pasted” values which you have entered to your request?

There could be a mismatch between unsupported TLS version and ciphers of a client and of an SSL connection to Cloudflare.

Maybe for that kind of option you would need Advanced Certificate Manager?

Or is there a bug at the moment regarding it?

There is also the documentation for the list of accepted cipher suites here:

value should be in the body, not added as a header. In Postman, if you click the Body tab there should be some boilerplate Ciphers.

What is the logic in your choice of Cipher suite? You are including some ciphers that should not be needed any more, and are missing the CHACHA20-POLY1305 ciphers.

3 Likes

Hello All,

Please see details below

Which TLS version are you using at your client? 1.2
I see you use Postman, which has got a Settings option to configure Protocols which are disabled during handshake and cipher suite selection - maybe you are using a too old or unsupported one?

What ciphers do you get as a result when using GET? For this zone I see none, but for our home zone we see our needed ciphers; these need to be applied to another zone we have.

Moreover, which TLS minimum version is selected in the Cloudflare dashboard for your domain? 1.2

Can you reply with the “copy-pasted” values which you have entered to your request?

There could be a mismatch between unsupported TLS version and ciphers of a client and of an SSL connection to Cloudflare. We have our own set of approved ciphers. We have an internal scanner and the ChaCha cipher is not approved. We have our standard default set on our home zone and see the cipher when making a GET request on that zone.

Maybe for that kind of option you would need Advanced Certificate Manager? I was told this was not needed for updating cipher suites

Or is there a bug at the moment regarding it? N/A

There is also the documentation for the list of accepted cipher suites here: We have to have custom ciphers

We have a separate zone that has our Standard headers set. Below are the ciphers set in the zone. I need to replicate this to another zone we have. We cannot have the ChaCha ciphers in our domain or we will get flagged.

These are the results for our default zone when running the GET command

Same GET command for the zone we need to update with the ciphers in the above screenshot.

If you have not modified the Ciphers, then the value will be empty, "value": [].

If you want to copy the ciphers from one zone to another, just copy the value parameter into the Body of the Change Cipher Settings request, so mine looks like this:

{
    "value": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305"
    ]
}
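
The zone-to-zone copy described in the answer above, written as a script (an added example, not part of the original thread): it reads the `value` list from the source zone, sends it in the JSON body of a PATCH to the destination zone's `settings/ciphers` endpoint, and reads the setting back to confirm it. It assumes an API token allowed to edit zone settings; the zone IDs, token and `fake_transport` stand-in are constructed placeholders so it runs offline.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def ciphers_request(zone_id, token, ciphers=None):
    """Build the GET (ciphers=None) or PATCH request for a zone's ciphers setting."""
    url = f"{API}/zones/{zone_id}/settings/ciphers"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if ciphers is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    if not isinstance(ciphers, list) or not all(isinstance(c, str) and c for c in ciphers):
        raise ValueError("value must be a list of cipher-name strings")
    # The list travels in the JSON body as {"value": [...]}, never as a header.
    body = json.dumps({"value": ciphers}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="PATCH")

def send(req):
    """Real transport: perform the HTTPS call and decode the JSON envelope."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def copy_ciphers(src_zone, dst_zone, token, transport=send):
    """Copy the source zone's cipher list to the destination; True if it reads back equal."""
    value = transport(ciphers_request(src_zone, token))["result"]["value"]
    if not value:
        raise RuntimeError("source zone has no custom ciphers (value is [])")
    transport(ciphers_request(dst_zone, token, value))
    return transport(ciphers_request(dst_zone, token))["result"]["value"] == value

def fake_transport(zones):
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def call(req):
        zone = req.full_url.split("/zones/")[1].split("/")[0]
        if req.get_method() == "PATCH":
            zones[zone] = json.loads(req.data)["value"]
        return {"success": True, "result": {"id": "ciphers", "value": zones[zone]}}
    return call

if __name__ == "__main__":
    zones = {"SRC_ZONE_ID": ["ECDHE-ECDSA-AES128-GCM-SHA256",
                             "ECDHE-ECDSA-AES256-GCM-SHA384"], "DST_ZONE_ID": []}
    print(copy_ciphers("SRC_ZONE_ID", "DST_ZONE_ID", "PLACEHOLDER_TOKEN",
                       fake_transport(zones)), zones["DST_ZONE_ID"])
```

Calling `copy_ciphers` without the `transport` argument uses `send`, which makes the real HTTPS requests.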

I am able to copy from the valid body, but I get the same “Read Only” message trying to paste into the body of the PATCH request in Postman.

Thanks