SSL handshake fails when origin server doesn't support 128 bit AES cipher

For testing purposes I set up my website to only allow TLS 1.3 (with all ciphers) or TLS 1.2 with the ECDHE-RSA-AES256-GCM-SHA384 cipher.

The following screenshot shows what the cipher suites look like when testing with ssllabs with Cloudflare disabled:

[Screenshot: Ciphers]

When Cloudflare is disabled I can access the site, but when enabling Cloudflare I get the “525: SSL handshake failed” error.

I can of course easily solve this by adding the ECDHE-RSA-AES128-GCM-SHA256 cipher back to my site config, but it makes me wonder: doesn’t Cloudflare support AES256 or TLS 1.3 in the connection to the origin, or is there something else I have to configure?

I’m using nginx 1.15.8 built with OpenSSL 1.1.1a on Alpine Linux 3.9.0 in case it matters.
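Added example, not part of the original post: a small Python model of how a TLS handshake settles on a version and cipher suite, run with the two origin configurations from the post (AES256-GCM only, then with AES128-GCM added back) against a constructed client profile that speaks only TLS 1.2 with AES128-GCM. That client profile is an assumption for illustration, not a statement of what Cloudflare's edge actually offers.

```python
from dataclasses import dataclass

# TLS 1.3 suites are configured separately from the TLS 1.2 cipher list
# (OpenSSL 1.1.1: SSL_CTX_set_ciphersuites vs. SSL_CTX_set_cipher_list),
# which is why "TLS 1.3 with all ciphers" is untouched by ssl_ciphers.
TLS13_SUITES = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256")


@dataclass(frozen=True)
class TlsPeer:
    versions: tuple        # supported protocol versions, highest first
    tls12_ciphers: tuple   # TLS 1.2 cipher list in preference order
    tls13_suites: tuple = ()


def negotiate(client, server):
    """Return (version, suite) or None when the handshake would fail.

    Model: the highest version both sides support is chosen first; the
    server then takes, in its own preference order, the first suite valid
    for that version which the client also offered. With no common suite
    the server aborts ("no shared cipher") instead of trying a lower version.
    """
    common = [v for v in server.versions if v in client.versions]
    if not common:
        return None
    version = common[0]
    if version == "TLSv1.3":
        server_list, client_list = server.tls13_suites, client.tls13_suites
    else:
        server_list, client_list = server.tls12_ciphers, client.tls12_ciphers
    for suite in server_list:
        if suite in client_list:
            return version, suite
    return None


# Origin as described in the post: TLS 1.3 (all suites) or TLS 1.2 with
# only ECDHE-RSA-AES256-GCM-SHA384.
ORIGIN_STRICT = TlsPeer(("TLSv1.3", "TLSv1.2"),
                        ("ECDHE-RSA-AES256-GCM-SHA384",), TLS13_SUITES)
# Same origin after adding ECDHE-RSA-AES128-GCM-SHA256 back.
ORIGIN_RELAXED = TlsPeer(("TLSv1.3", "TLSv1.2"),
                         ("ECDHE-RSA-AES256-GCM-SHA384",
                          "ECDHE-RSA-AES128-GCM-SHA256"), TLS13_SUITES)
# Constructed client profile (an assumption, not Cloudflare's real list):
# a proxy that speaks only TLS 1.2 and offers only AES128-GCM.
PROXY_AES128_ONLY = TlsPeer(("TLSv1.2",), ("ECDHE-RSA-AES128-GCM-SHA256",))
# A modern browser: TLS 1.3 plus both GCM suites for TLS 1.2.
BROWSER = TlsPeer(("TLSv1.3", "TLSv1.2"), ("ECDHE-RSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES256-GCM-SHA384"), TLS13_SUITES)
```

Which suites a given proxy really offers can only be confirmed from its documentation or from a capture of its ClientHello to the origin; the model above only shows why a single-suite TLS 1.2 list leaves no room for a client that lacks that suite.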
