Customize cipher suites

With Advanced Certificate Manager or within Cloudflare for SaaS, you can restrict connections between Cloudflare and clients – such as your visitor’s browser – to specific cipher suites.

You may want to do this to follow specific recommendations, to disable weak cipher suites, or to comply with industry standards.

Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.

How it works

Custom cipher suites are a hostname-level setting, which means that:

  • When you customize cipher suites for a zone, this will affect all hostnames within that zone.
  • The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of certificate type (universal, advanced, or custom).
  • If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.

Scope

Currently, you can only customize cipher suites through the API.

Settings priority and ciphers order

Cloudflare uses the hostname priority logic to determine which setting to apply.

ECDSA cipher suites are prioritized over RSA ones, and Cloudflare preserves the order in which you list the cipher suites. This means that, if both ECDSA and RSA suites are set, Cloudflare presents the ECDSA suites first, in the order they were set, followed by the RSA suites, also in the order they were set.

Set up

Before you begin

Note that:

Steps and API examples

  1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).

    Below you will find samples covering the recommended ciphers by security level and compliance standards, but you can also refer to the full list of supported ciphers and customize your choice.

  2. Log in to the Cloudflare dashboard and get your Global API Key in My Profile > API Tokens.

  3. Get the Zone ID from the Overview page of the domain you want to specify cipher suites for.

  4. Make an API call to either the Edit zone setting endpoint or the Edit TLS setting for hostname endpoint, specifying ciphers in the URL. List your array of chosen cipher suites in the value field.

The following samples show the same API call with different cipher lists. Make the call with the appropriate {zone_id}, <EMAIL>, and <API_KEY>.

If you choose to use a token, you do not need an email or an API key. Instead, replace the X-Auth-Email and X-Auth-Key headers with --header "Authorization: Bearer <API_TOKEN>" \.

# To configure cipher suites per hostname, replace the first two lines by the following
# curl --request PUT \
# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}'

The same call with the second sample cipher list:

# To configure cipher suites per hostname, replace the first two lines by the following
# curl --request PUT \
# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384"]}'

The same call with the third sample cipher list:

# To configure cipher suites per hostname, replace the first two lines by the following
# curl --request PUT \
# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]}'

The same call with the fourth sample cipher list:

# To configure cipher suites per hostname, replace the first two lines by the following
# curl --request PUT \
# "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value":["AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384"]}'
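As an added example (not Cloudflare's code), the following Python builds the zone-level and hostname-level requests shown above, including the reset forms, models the ECDSA-before-RSA presentation order described under "Settings priority and ciphers order", and flags CBC/3DES and non-ECDHE suites in a candidate list before you send it. The ordering rule treats every suite without "ECDSA" in its name as an RSA suite, and <ZONE_ID> / <API_TOKEN> are placeholders; both are assumptions.

```python
import json

# Added example: builds the requests described on this page without sending them,
# so a candidate cipher list can be reviewed before the API call is made.
API = "https://api.cloudflare.com/client/v4"


def review(ciphers):
    """Flag suites a defender usually wants to justify before enabling them.

    Returns (non_aead, no_forward_secrecy). AEAD suites are the GCM and
    ChaCha20-Poly1305 ones; everything else on this page is CBC+HMAC or 3DES.
    Suites without an ECDHE key exchange use static RSA, so no forward secrecy.
    """
    non_aead = [c for c in ciphers if "GCM" not in c and "CHACHA20" not in c]
    no_fs = [c for c in ciphers if not c.startswith("ECDHE-")]
    return non_aead, no_fs


def presentation_order(ciphers):
    """Order in which Cloudflare presents the suites, per this page: ECDSA suites
    first, then RSA, each group in the order given. Assumption: every suite
    without 'ECDSA' in its name is treated as an RSA suite."""
    ecdsa = [c for c in ciphers if "ECDSA" in c]
    rsa = [c for c in ciphers if "ECDSA" not in c]
    return ecdsa + rsa


def build_request(zone_id, ciphers, hostname=None, token="<API_TOKEN>"):
    """Build (method, url, headers, body) for the calls on this page.

    Zone level: PATCH .../settings/ciphers; an empty list resets to defaults.
    Hostname level: PUT .../hostnames/settings/ciphers/{hostname}; an empty
    list means reset, which the page does with DELETE on the same URL.
    """
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"value": list(ciphers)})
    if hostname is None:
        return "PATCH", f"{API}/zones/{zone_id}/settings/ciphers", headers, body
    url = f"{API}/zones/{zone_id}/hostnames/settings/ciphers/{hostname}"
    if not ciphers:
        return "DELETE", url, headers, None
    return "PUT", url, headers, body


if __name__ == "__main__":
    # Constructed list: ECDSA and RSA suites interleaved, one CBC and one static-RSA suite.
    chosen = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
              "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256"]
    print("review:", review(chosen))
    print("presented as:", presentation_order(chosen))
    print(*build_request("<ZONE_ID>", chosen)[:2])
```

Feed the returned method, URL, headers and body to the HTTP client of your choice only once `review` comes back empty (or the flagged suites are required by the compliance profile you are targeting).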

Reset to default values

To reset to the default cipher suites at zone level, use the Edit zone setting endpoint, specifying ciphers as the setting name in the URL, and send an empty array in the value field.

curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{"value": []}'

For specific hostname settings, use the Delete TLS setting for hostname endpoint.

curl --request DELETE \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json"

For guidance around custom hostnames, refer to TLS settings - Cloudflare for SaaS.