TLS cipher order (again) (again)

What is the name of the domain?

not relevant

What is the issue you’re encountering

Cloudflare’s web server does not prefer ‘Good’ over ‘Sufficient’ over ‘Phase out’ ciphers by default

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Is there a reason why the default Cloudflare TLS cipher order configuration prefers weaker ciphers over stronger ones?
I know I can change this on a business plan, but why would every site on the free version be stuck with this order?
ECDHE-ECDSA-AES128-SHA (weak, phase out) is preferred over ECDHE-ECDSA-AES256-GCM-SHA384 (sufficient).
Could this be switched for all customers?

TLS guidelines from the Dutch government: IT Security Guidelines for Transport Layer Security (TLS) | Whitepaper | National Cyber Security Centre

See also:
https://community.cloudflare.com/t/tls-cipher-order/482720
https://community.cloudflare.com/t/tls-cipher-order-again/600252

Screenshot of the error

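As an added illustration of the ordering complaint above (not code from the post or from Cloudflare), the script below rates OpenSSL-style TLS 1.2 suite names on the Good / Sufficient / Phase out scale and flags a preference list that puts a lower-rated suite before a higher-rated one; the per-component ratings are an assumed, simplified reading of the NCSC-NL guidelines, and the `negotiated_suite` helper is an assumed probe, not part of any Cloudflare tooling.

```python
"""Rate TLS 1.2 cipher suites (OpenSSL names) and flag preference-order inversions."""
import socket
import ssl

# Rating scale: higher is better.
GOOD, SUFFICIENT, PHASE_OUT = 3, 2, 1
LABEL = {GOOD: "Good", SUFFICIENT: "Sufficient", PHASE_OUT: "Phase out"}

# Per-component ratings (assumption: simplified from the NCSC-NL TLS guidelines;
# verify against the whitepaper before relying on them).
KX = {"ECDHE": GOOD, "DHE": SUFFICIENT, "RSA": PHASE_OUT}
AUTH = {"ECDSA": GOOD, "RSA": SUFFICIENT}
BULK = {"GCM": GOOD, "CHACHA20": GOOD, "CBC": SUFFICIENT, "3DES": PHASE_OUT}
MAC = {"SHA384": GOOD, "SHA256": GOOD, "SHA": PHASE_OUT}  # "SHA" = HMAC-SHA1
TLS12 = SUFFICIENT  # TLS 1.2 itself caps every TLS 1.2 suite at Sufficient

def rate(suite):
    """Rate one TLS 1.2 suite as the weakest of protocol, kx, auth, bulk and MAC."""
    parts = suite.upper().split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kx, auth, rest = KX[parts[0]], AUTH[parts[1]], parts[2:]
    else:  # no kx prefix means static RSA key exchange with RSA auth
        kx, auth, rest = KX["RSA"], AUTH["RSA"], parts
    if "CHACHA20" in rest:          # AEAD with Poly1305 tag
        bulk, mac = BULK["CHACHA20"], GOOD
    elif "CBC3" in rest:            # triple DES in CBC mode
        bulk, mac = BULK["3DES"], MAC[rest[-1]]
    else:
        bulk = BULK["GCM"] if "GCM" in rest else BULK["CBC"]
        mac = MAC[rest[-1]]
    return min(TLS12, kx, auth, bulk, mac)

def preference_inversions(order):
    """Return (earlier, later) pairs where a lower-rated suite precedes a higher-rated one."""
    rated = [(s, rate(s)) for s in order]
    return [(a, b) for i, (a, ra) in enumerate(rated)
            for (b, rb) in rated[i + 1:] if ra < rb]

def negotiated_suite(host, client_order, port=443):
    """Offer client_order over TLS 1.2 and return the suite the server picked.
    Calling this twice with the two suites swapped shows whether the server
    enforces its own order (same answer) or follows the client (answer flips)."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(client_order))
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]

# Constructed preference list reproducing the ordering described in the post.
EXAMPLE_ORDER = ["ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-GCM-SHA384"]
```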

Hi @milk,

Unfortunately, the cipher suite order cannot be changed for edge certificates. Please refer to Customize cipher suites · Cloudflare SSL/TLS docs for details on how cipher suites are prioritized.

Please do note that if you would like to disable weak cipher suites, you do not need to upgrade to a business plan. In order to do this, you only need to enable the Advanced Certificate Manager add-on and then follow our Disable weak cipher suites · Cloudflare SSL/TLS docs documentation to disable weak ciphers using the API.
