For testing purposes I set up my website to only allow TLS 1.3 (with all ciphers) or TLS 1.2 with the ECDHE-RSA-AES256-GCM-SHA384 cipher.
The following screenshot shows what the cipher suites look like when testing with SSL Labs with Cloudflare disabled:
When Cloudflare is disabled I can access the site, but when enabling Cloudflare I get the “525: SSL handshake failed” error.
I can of course easily solve this by adding the ECDHE-RSA-AES128-GCM-SHA256 cipher back to my site config, but it makes me wonder: doesn’t Cloudflare support AES256 or TLS 1.3 in the connection to the origin, or is there something else I have to configure?
I’m using nginx 1.15.8 built with OpenSSL 1.1.1a on Alpine Linux 3.9.0 in case it matters.
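For reference, here is the nginx TLS configuration the post describes, with the restrictive setting beside the workaround the poster found (adding ECDHE-RSA-AES128-GCM-SHA256 back). This is an added illustration, not the poster's actual config; the server_name, certificate paths and root are placeholders. With OpenSSL 1.1.1, `ssl_ciphers` only governs TLS 1.2 and earlier; the TLS 1.3 suites come from OpenSSL's separate ciphersuites list, which nginx 1.15.8 does not expose, so "TLS 1.3 with all ciphers" needs no extra directive.

```nginx
# Restrictive variant: TLS 1.3 (all OpenSSL default suites) or
# TLS 1.2 with exactly one cipher. Works with Cloudflare disabled,
# produces "525: SSL handshake failed" once Cloudflare is proxying.
server {
    listen 443 ssl http2;
    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # TLS 1.2 offer: AES-256-GCM only.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;

    root /var/www/example;                            # placeholder
}

# Working variant: same protocols, but the TLS 1.2 list also
# offers the AES-128-GCM suite the post mentions re-adding.
server {
    listen 443 ssl http2;
    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # TLS 1.2 offer: AES-256-GCM preferred, AES-128-GCM as fallback.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;

    root /var/www/example;                            # placeholder
}
```

To confirm which of the two the origin will accept from a given client, bypass the proxy and handshake directly against the origin IP with a pinned version and cipher, e.g. `openssl s_client -connect ORIGIN_IP:443 -servername example.com -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 </dev/null`; a handshake that succeeds only for the AES-256 suite reproduces the restrictive variant, and the `Protocol`/`Cipher` lines in the output show what was actually negotiated.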