Weak Ciphers Suites Supported

How can I use just strong Ciphers Suites in my SSL configuration?*

I need to change this configuration to deny TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

There is any way to do it?

You would have to use a custom certificate and the API to set your ciphers.

So, I have to use this Custom Certificate to modify the settings via API. Is there other way to use the the Certificate that I already have?

If you have a Business or Enterprise plan, you can upload your own certificate.

(Just to clarify the terminology, Custom certs are where you use a certificate you bought somewhere else, and is a feature included with Business and Enterprise plans. Dedicated certs and ACM are paid features that enable you to issue Cloudflare managed certs with customised and multi-level SANs. Universal certs are the normal certs used by Cloudflare managed domains.)

The certificate used and the ciphers used are two separate things. Cloudflare ACM bundles them as one product. Even if you are on a paid plan and using a custom SSL certificate, you will be using the default Cloudflare ciphers unless you also use ACM. You do not have to use the certificate feature of ACM at all, and can continue to use the Universal or Custom certs, and just configure the ciphers.

Personally, I think it is time for the default ciphers to be improved, but CF could still allow weaker ciphers as an ACM paid for feature.

3 Likes

Thank you for your reply!

I’m with this problem because I need to allow just strong ciphers suite on my HTTPS connection. Nowadays I’m using the Encryption Mode Full from the Client-Side to my Server. If I change the configuration on NGINX to accept just the Ciphers that I want, would it work?

I mean, if my Server just allow this or that kind of Cipher, Cloudflare will be forced to use just what I’ve configured.
Or am I wrong?

There are two separate connections in play. Client --> Cloudflare, and Cloudflare --> Origin. The ciphers are different for each.

For the first connection, you can only configure the ciphers using the Cloudflare API when you have purchased an entitlement to use that API, such as with ACM.

For the second connection, you can configure Nginx on your Origin to use just one cipher, and provided it’s on Cloudflares list, it will work fine. There are other features such as Authenticated Origin Pull, which give you more ways to protect the connection between Cloudflare and your Origin.

4 Likes

Thank you very much for your reply!

It helped me a lot!

Regards.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.