TLS 1.2 locked - What?

We use Cloudflare pages for simple test sites, our docs, placeholders on other domains we own... Pages works fine if you know from the start that you want to use Pages, which we did. Now we are getting compliance checks failing because you use old unsafe ciphers of TLS 1.2. Any Cloudflare Pages hosted site cannot be PCI DSS compliant, and anyone who accepts payments online needs to be PCI DSS compliant. To recap: anyone who uses Cloudflare Pages and accepts payments online is directly violating PCI DSS compliance and can be fined. Cloudflare Pages === guaranteed failed audit. Cloudflare proxy allows you to bump up to TLS 1.1, 1.2, 1.3. But Cloudflare Pages explicitly does not. "It is not possible to configure minimum TLS version nor cipher suites for Cloudflare Pages hostnames." https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/#before-you-begin I hate to do this but now I need to figure out some other way to host simple docs sites etc. Forcing me to consider using Vercel. Or we duct-tape an S3 bucket to the Cloudflare proxy and bump up the TLS. This is pretty silly... Why does CF even still default to old unsafe ciphers?
Cloudflare Docs
Customize cipher suites · Cloudflare SSL/TLS docs
With Advanced Certificate Manager or within Cloudflare for SaaS, you can restrict connections between Cloudflare and clients — such as your visitor's browser — to specific cipher suites.
7 Replies
Walshy
Walshy4w ago
Pages is 1.2 by default?
$ curl https://test-dcz.pages.dev/ --tls-max 1.0
curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)
$ curl https://test-dcz.pages.dev/ --tls-max 1.1
curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)
$ curl https://test-dcz.pages.dev/ --tls-max 1.2
<html>
<body>
<div id="abc">Test 123</div>

<img src="/assets/pages.png" />
<!-- Cloudflare Pages Analytics --><script defer src='https://static.cloudflareinsights.com/beacon.min.js' data-cf-beacon='{"token": "b0ae18f0512448b3b7fad13d5b3a1c7a"}'></script><!-- Cloudflare Pages Analytics --></body>
</html>
yes... the min is 1.2
SW
SWOP4w ago
Sorry - correcting. 1.2 forced only.
Walshy
Walshy4w ago
?????
SW
SWOP4w ago
Any ciphers below would result in a failed audit:
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: client
So in order to use pages for SOC2, PCI DSS and pretty much any other compliance audited site we need to be able to bump to TLS 1.3
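The nmap output above is the kind of evidence an assessor looks at, so it helps to be able to triage it the same way they would. The script below is an added example (not code from this thread, from Cloudflare, or from nmap): it parses ssl-enum-ciphers output of the shape shown above and flags the suites that typically draw findings, i.e. the TLS_RSA_* suites (static RSA key exchange, no forward secrecy), CBC-mode suites, HMAC-SHA1 suites, legacy primitives such as RC4 or 3DES, and any protocol version below TLS 1.2. That baseline is an assumption made for the example; match it to whatever your own assessor actually requires. The scan text embedded in the script is a constructed, trimmed sample in the same format, not a live result for any host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of nmap's ssl-enum-ciphers output quoted in the
# thread; trimmed for brevity and not a live scan of any host.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: client
"""

# A version header line, e.g. "|   TLSv1.2:"
VERSION_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
# A suite line, e.g. "|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Versions the assumed baseline accepts; anything else offered is a finding on its own.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def parse_scan(text: str) -> Dict[str, List[str]]:
    """Map each protocol version in ssl-enum-ciphers output to the suites offered under it."""
    suites: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            suites.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suites[current].append(m.group(1))
    return suites


def suite_findings(suite: str) -> List[str]:
    """Policy checks for one IANA suite name. The baseline is an assumption; tune it to your assessor's."""
    problems: List[str] = []
    if suite.startswith("TLS_RSA_WITH_"):
        problems.append("static RSA key exchange, no forward secrecy")
    for legacy in ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5"):
        if legacy in suite:
            problems.append(f"legacy primitive {legacy.strip('_')}")
    if "_CBC_" in suite:
        problems.append("CBC mode, MAC-then-encrypt")
    if suite.endswith("_SHA"):
        # A bare "_SHA" suffix in a TLS 1.2 suite name means HMAC-SHA1 integrity.
        problems.append("HMAC-SHA1 integrity")
    return problems


def assess(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Return {version: [(suite_or_version, [findings]), ...]} containing only flagged items."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {}
    for version, suites in parse_scan(text).items():
        flagged: List[Tuple[str, List[str]]] = []
        if version not in ACCEPTED_VERSIONS:
            flagged.append((version, ["protocol version below TLS 1.2"]))
        for suite in suites:
            problems = suite_findings(suite)
            if problems:
                flagged.append((suite, problems))
        if flagged:
            report[version] = flagged
    return report


if __name__ == "__main__":
    # Run against the constructed sample; pipe real `nmap --script ssl-enum-ciphers`
    # output through the same functions to triage a host you are responsible for.
    for version, items in assess(SAMPLE_SCAN).items():
        print(version)
        for name, problems in items:
            print(f"  {name}: {'; '.join(problems)}")
```

On the sample, TLSv1.3 produces no findings, while TLSv1.2 flags the ECDHE CBC/SHA1 suite and both TLS_RSA_* suites; that is the same shape as the thread's complaint, where the protocol minimum is fine and the objection is the 1.2 suite list a hostname is forced to offer.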
Walshy
Walshy4w ago
Ok, your issue is the ciphers in 1.2, not min TLS - description was initially misleading. I'd suggest Workers Assets. You have full control over the TLS then.
SW
SWOP4w ago
Yep - corrected. OK. Are there any plans to allow Pages TLS to be customized?
Walshy
Walshy4w ago
No plans at this time