Unwanted ciphers pushed by Cloudflare

We have unwanted ciphers that fail our internal scan. I have reviewed the two links below, but I am a real novice at API configuration. Can anyone provide step-by-step instructions to get this started in Cloudflare?

https://api.cloudflare.com/#zone-settings-change-ciphers-setting

https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites

Thanks

I believe that API requires the purchase of Advanced Certificate Manager, but something like the following is what I use:

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zoneid}/settings/ciphers" \
  -H "X-Auth-Email: ${auth_email}" \
  -H "X-Auth-Key: ${auth_key}" \
  -H "Content-Type: application/json" \
  --data '{"value":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305"]}'

The TLS 1.3 ciphers are automatically added, so I only included the three TLS 1.2 ciphers I wanted. If you want RSA as well as ECDSA, they should be added to the list above.

There is a bug at the moment in relation to the Chacha20-Poly1305 cipher. If you add this cipher you enable both the standard version (0xcca9) as well as the pre-RFC7905 version (0xcc14), and there is no way to get rid of 0xcc14. I opened a ticket about this a while ago and was told that:

“engineers are aware of the limitation and are working towards investigating a solution for the future.”

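A script form of the set-then-verify routine from the answer above, added here as an example rather than taken from the thread or from Cloudflare: it PATCHes the same ECDSA-only TLS 1.2 list to the ciphers setting, then reads the setting back and reports any cipher names still enabled that were not requested. It assumes a zone ID and a scoped API token in the environment variables CF_ZONE_ID and CF_API_TOKEN (names chosen for this example) and uses Bearer token authentication instead of the global API key shown in the curl command.

```python
"""Set the Cloudflare zone cipher list and verify what the API reports back."""
import json
import os
import sys
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Same TLS 1.2 ECDSA-only list as in the answer; Cloudflare adds the TLS 1.3 suites itself.
WANTED = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]


def build_payload(ciphers):
    """JSON body for PATCH /zones/{zone_id}/settings/ciphers."""
    return json.dumps({"value": list(ciphers)})


def unwanted_ciphers(response_body, wanted):
    """Parse a GET /settings/ciphers response and return the enabled cipher
    names that are not in `wanted` (sorted), raising on an API error."""
    data = json.loads(response_body)
    if not data.get("success"):
        raise RuntimeError(f"Cloudflare API error: {data.get('errors')}")
    return sorted(set(data["result"]["value"]) - set(wanted))


def call(zone_id, token, method, body=None):
    """One authenticated request to the ciphers setting endpoint (API token, not global key)."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/ciphers",
        data=body.encode() if body else None,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    call(zone, token, "PATCH", build_payload(WANTED))
    leftovers = unwanted_ciphers(call(zone, token, "GET"), WANTED)
    print("cipher list matches" if not leftovers else f"unexpected ciphers enabled: {leftovers}")
    sys.exit(1 if leftovers else 0)
```

The read-back only shows configured cipher names, so it will not reveal the pre-RFC7905 ChaCha20 variant (0xcc14) described in the answer; confirming that still requires an external TLS scan of the hostname.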