I am not sure that there’s an actual standard that mandates what is “weak”. If there isn’t one, there’s nothing for Cloudflare to follow. It’s an ever-changing thing.
However, I do know that TLS 1.3, as part of the standard, only allows a shortlist of strong ciphers. So if you limit yourself to TLS 1.3, you’ll probably have fewer or no “weak” ciphers. However, that also means that some of your users will not be able to use your site. You see, many people out there still use software that doesn’t have all the shiny things, and may require “weak”er ciphers. I am guessing that this is the reason why Cloudflare doesn’t go to great lengths to disable them.
Also, you seem to be using RSA. If you go EC only (as the Universal SSL gives you), you’ll probably also reduce the number of “weak” ciphers, as EC is more modern…
Thanks for the reply, shaimi.
I forgot to mention my server does not have these RSA ciphers, and I am not using Universal SSL. I am using a dedicated SSL and still cannot get rid of the weak ciphers.
TLS 1.3 only will not be OK, as you mention.
So I have 2 options.
1.) Pay US$200 per month and get a Business plan, and hope for no other limitations!
2.) Ditch Cloudflare and go with another provider.
Any idea to fix this, Cloudflare team? Is there any workaround?
I was not talking about your server, I was talking about Cloudflare RSA. I know you’re using Dedicated SSL. That was my point. The Dedicated SSL is what enables RSA. Regular (free) Universal SSL does not do RSA. It is a limitation for most people and one of the main reasons people buy Dedicated SSL. For you it is actually a downside, as it enables ciphers that you consider “weak”. So you could ditch the dedicated SSL (or just disable the RSA cert in it, if that is possible. I don’t know, as I’m still using Universal…)