Experience with APIs for modifying SSL/TLS cipher settings in Cloudflare

Does anyone have real world examples of the API commands for modifying cipher settings? We purchased the Advanced Certificate Manager subscription to be able to customize the ciphers being submitted by Cloudflare but I am finding the API documentation extremely limited in how to implement this. We essentially have a vendor/partner that is requiring a specific cipher be disabled and we've confirmed that Cloudflare is presenting this cipher. The API documentation for the get ciphers command from Cloudflare doesn't actually return the list of ciphers either for a zone or for a specific hostname. Like I don't see how their response example in their own documentation is supposed to be the results for listing cipher suites. https://developers.cloudflare.com/api/operations/zone-settings-get-ciphers-setting
3 Replies
Beef (15mo ago)
https://developers.cloudflare.com/api/operations/zone-settings-change-ciphers-setting I've used this before to get rid of all the CBCs and anything else auditors complain about. If you want to check the cipher suites available, might just use the SSLLabs SSL checker to see what you're accepting.
Chaika (15mo ago)
It only returns the list if you've overridden them. Otherwise it uses all supported: https://developers.cloudflare.com/ssl/reference/cipher-suites/supported-cipher-suites/ There's a bunch of other docs here: https://developers.cloudflare.com/ssl/reference/cipher-suites/ on which are supported, recommendations (https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/) and such
Ben (OP, 15mo ago)
Appreciate the feedback. SSLLabs is where we confirmed that Cloudflare was responsible for the cipher in question, since we had disabled it locally on the server and ended up using SSLLabs to run against proxied and non-proxied DNS names that went to the same server. I was just hoping that I could get the list command to confirm what the values are so I could definitely use their names for them. Regarding the change command, do I have to repeat the API command for each individual cipher that we want to leave enabled? This is why I was hoping for a community example since their own documentation only shows it being enabled for a single cipher.
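
An added example, not part of the thread and not Cloudflare's own code: the change-ciphers endpoint linked above takes the whole allowlist as one JSON array in `value`, so a single PATCH covers every cipher left enabled. The suite names are a constructed subset to check against the supported-cipher-suites page, and `ZONE_ID` / `API_TOKEN` are placeholders.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample of OpenSSL-style suite names; confirm each one against the
# supported-cipher-suites page linked in the thread before sending.
SUPPORTED = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA",
]

def is_cbc(name):
    """Heuristic on these names: the AEAD suites contain GCM or CHACHA20."""
    return "GCM" not in name and "CHACHA20" not in name

def build_allowlist(supported, disable=(), drop_cbc=False):
    """Return the suites to keep, in order; reject names not in the list."""
    unknown = set(disable) - set(supported)
    if unknown:
        raise ValueError(f"not in supported list: {sorted(unknown)}")
    keep = [s for s in supported
            if s not in disable and not (drop_cbc and is_cbc(s))]
    if not keep:
        # An empty list is what a zone with no override reports (all suites on).
        raise ValueError("refusing to send an empty allowlist")
    return keep

def ciphers_request(zone_id, token, allowlist):
    """Build (not send) one PATCH carrying the full allowlist in 'value'."""
    body = json.dumps({"value": allowlist}).encode()
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/ciphers", data=body, method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    # Placeholders only; this prints the request and sends nothing.
    keep = build_allowlist(SUPPORTED, drop_cbc=True)
    req = ciphers_request("ZONE_ID", "API_TOKEN", keep)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To apply: urllib.request.urlopen(req), then re-scan the proxied hostname.
```

After applying, a GET on the same setting should return the overridden list, and a fresh SSLLabs scan of the proxied name confirms what is actually offered.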
