[SSL] Cipher suites - add UI steps and clarify SaaS availability (#20739)

* Unbundle cipher restiction on SaaS provider own zone vs CHs

* Separate API steps and make customize-cipher-suites a folder

* Create page for UI steps and add SaaS callout as partial

* Adjust intro to separate guides and fill in UI requirements

* Fill in dashboard instructions and frame conditions

* Adjust recommendations page title to match UI

* Use Render and Details, and link out to restrict arrays to api.mdx

* Optimize dashboard.mdx for docs-in-dash

* Apply suggestions from code review

Co-authored-by: Jun Lee <[email protected]>

* Better separate different names for different selection modes

---------

Co-authored-by: Jun Lee <[email protected]>

Author: RebeccaTamachiro

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx

@@ -53,20 +53,19 @@ While TLS 1.3 is the most recent and secure version, it is not supported by some
 
 ## Cipher suites
 
-For security and regulatory reasons, you may want to only allow connections from certain cipher suites. Cloudflare provides recommended values and full cipher suite reference in our [Cipher suites documentation](/ssl/edge-certificates/additional-options/cipher-suites/).
+For security and regulatory reasons, you may want to only allow connections from certain cipher suites. Cloudflare provides recommended values and full cipher suite reference in our [Cipher suites documentation](/ssl/edge-certificates/additional-options/cipher-suites/#resources).
 
 
-<Details header="Restrict cipher suites for zone">
-
-Refer to [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) and use `ciphers` as the setting name in the URI path.
+<Details header="Restrict cipher suites for your zone">
 
+Refer to [Customize cipher suites - SSL/TLS](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/).
 
 </Details>
 
 
 <Details header="Restrict cipher suites for custom hostname">
 
-Refer to [SSL properties of a custom hostname](/api/resources/custom_hostnames/methods/edit/).
+In the API documentation, refer to [SSL properties of a custom hostname](/api/resources/custom_hostnames/methods/edit/).
 
 <Render file="edit-custom-hostname-api" params={{ one: "When making the request," }} />
 

src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/compliance-status.mdx

@@ -9,43 +9,39 @@ head:
 
 ---
 
-import { Render } from "~/components"
+import { Render, Details } from "~/components"
 
 Consider the following recommendations on custom [cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) for when your organization needs to comply with regulatory standards.
 
 Refer to [Customize cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to learn how to specify cipher suites at zone level or per hostname.
 
+:::caution
 Also [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and, when opting for [PCI DSS](#pci-dss), make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. Refer to [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) and [TLS protocols](/ssl/reference/protocols/) to learn more.
+:::
 
 ## PCI DSS
 
 Recommended cipher suites for compliance with the [Payment Card Industry Data Security Standard (PCI DSS)](https://www.pcisecuritystandards.org/standards/pci-dss/). Enhances payment card data security.
 
-* Cipher suites:
+<Details header="Cipher suites list">
 
 `AEAD-AES128-GCM-SHA256`[^1], `AEAD-AES256-GCM-SHA384`[^2], `AEAD-CHACHA20-POLY1305-SHA256`[^3], `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-CHACHA20-POLY1305`
 
-* Formatted array to copy:
+</ Details>
 
-<Render file="ciphers-tls-13-array-callout" />
-
-```txt
-["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]
-```
+<Render file="cipher-suites-api-linkout" />
 
 ## FIPS-140-2
 
 Recommended cipher suites for compliance with the [Federal Information Processing Standard (140-2)](https://csrc.nist.gov/pubs/fips/140-2/upd2/final). Used to approve cryptographic modules.
 
-* Cipher suites:
+<Details header="Cipher suites list">
 
 `AES128-GCM-SHA256`, `AES128-SHA`, `AES128-SHA256`, `AES256-SHA`, `AES256-SHA256`, `DES-CBC3-SHA`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-SHA`, `ECDHE-RSA-AES256-SHA384`
 
-* Formatted array to copy:
+</ Details>
 
-```txt
-["AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA", "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384"]
-```
+<Render file="cipher-suites-api-linkout" />
 
 [^1]: Same as `TLS_AES_128_GCM_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details.
 [^2]: Same as `TLS_AES_256_GCM_SHA384`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details.

src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites.mdx renamed to src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api.mdx

@@ -1,75 +1,38 @@
 ---
-title: Customize cipher suites
+title: Customize cipher suites via API
 pcx_content_type: how-to
 sidebar:
-  order: 1
-head:
-  - tag: title
-    content: Customize cipher suites
-
+  order: 2
+  label: Use the API
 ---
 
-import { Render, TabItem, Tabs } from "~/components"
-
-With [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/) or within [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/), you can restrict connections between Cloudflare and clients — such as your visitor's browser — to specific [cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/).
-
-You may want to do this to follow specific [recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/), to [disable weak cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/troubleshooting/#ssl-labs-weak-ciphers-report), or to comply with [industry standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/).
+import { Render, TabItem, Tabs } from "~/components";
 
-Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.
+<Render file="cipher-suites-definition" />
 
 :::note
-This documentation only refers to connections [between clients and the Cloudflare network](/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](/ssl/origin-configuration/cipher-suites/).
+<Render file="cipher-suites-saas-linkout" />
 :::
 
-## How it works
-
-Custom cipher suites is a hostname-level setting, which implies that:
-
-* When you customize cipher suites for a [zone](/fundamentals/setup/accounts-and-zones/#zones), this will affect all hostnames within that zone.
-* The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of [certificate type](/ssl/edge-certificates/) (universal, advanced, or custom).
-* If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.
-
-### Scope
-
-Currently, you can only customize cipher suites when using the API:
-
-* [Zone](/api/resources/zones/subresources/settings/methods/edit/) (using `ciphers` as the setting name in the URI path)
-* [Per-hostname](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/) (regular zones only)
-* [Custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites) (Cloudflare for SaaS zones only)
-
-### Settings priority and ciphers order
-
-Cloudflare uses the [hostname priority logic](/ssl/reference/certificate-and-hostname-priority/) to determine which setting to apply.
-
-ECDSA cipher suites are prioritized over RSA, and Cloudflare preserves the specified cipher suites in the order they are set. This means that, if both ECDSA and RSA are used, Cloudflare presents the ECDSA ciphers first - in the order they were set - and then the RSA ciphers, also in the order they were set.
-
-## Set up
-
-
-:::note
-For guidance around custom hostnames, refer to [TLS settings - Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites).
-:::
-
-### Before you begin
+## Before you begin
 
 Note that:
 
 * Cipher suites are used in combination with other [SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings).
 * You cannot set specific TLS 1.3 ciphers. Instead, you can [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use all applicable [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/).
 * Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates).
 * It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](/pages/) hostnames.
+* If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard).
 * If you use Windows you might need to adjust the `curl` syntax, refer to [Making API calls on Windows](/fundamentals/api/how-to/make-api-calls/#making-api-calls-on-windows) for further guidance.
 
-### Steps and API examples
+## Steps and API examples
 
 1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).
 
    Below you will find samples covering the recommended ciphers [by security level](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) and [compliance standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/), but you can also refer to the [full list](/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/) of supported ciphers and customize your choice.
 
 2. Log in to the Cloudflare dashboard and get your Global API Key in [**My Profile** > **API Tokens**](https://dash.cloudflare.com/?to=/:account/profile/api-tokens/).
-
 3. Get the Zone ID from the [Overview page](https://dash.cloudflare.com/?to=/:account/:zone/) of the domain you want to specify cipher suites for.
-
 4. Make an API call to either the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint or the [Edit TLS setting for hostname](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/) endpoint, specifying `ciphers` in the URL. List your array of chosen cipher suites in the `value` field.
 
 :::note
@@ -151,7 +114,7 @@ curl --request PATCH \
 
 </TabItem> </Tabs>
 
-## Reset to default values
+### Reset to default values
 
 <Tabs> <TabItem label="zone">
 
@@ -180,4 +143,4 @@ curl --request DELETE \
 
 </TabItem> </Tabs>
 
-For guidance around custom hostnames, refer to [TLS settings - Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites).
+<Render file="cipher-suites-saas-linkout" />

src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx

@@ -0,0 +1,35 @@
+---
+title: Customize cipher suites via dashboard
+pcx_content_type: how-to
+sidebar:
+  order: 1
+  label: Use the dashboard
+---
+
+import { Render, Details } from "~/components";
+
+<Render file="cipher-suites-definition" />
+
+When configuring cipher suites via dashboard, you can use three different selection modes:
+
+- **By security level**: allows you to select between the predefined [Cloudflare recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) (Modern, Compatible, or Legacy).
+- **By compliance standard**: allows you to select cipher suites grouped according to [industry standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) (PCI DSS or FIPS-140-2).
+- **Custom**: allows you to individually select the cipher suites you would like to support.
+
+For any of the modes, you should keep in mind the following configuration conditions. If using the **security level** or the **compliance standard** mode, some actions may be blocked and explained referencing these conditions.
+
+<Details header="Configuration conditions">
+* Cipher suites are used in combination with other [SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings).
+* You cannot set specific TLS 1.3 ciphers. Instead, you can [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use all applicable [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/).
+* Each cipher suite also supports a specific algorithm (RSA or ECDSA), so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed in [**SSL/TLS** > **Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates).
+* It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](/pages/) hostnames.
+</ Details>
+
+## Steps
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain.
+2. Go to **SSL/TLS** > **Edge Certificates**.
+3. For the **Cipher suites** setting select **Configure**.
+4. Choose a mode to select your cipher suites and select **Next**.
+5. Select a predefined set of cipher suites or, if you opted for **Custom**, specify which cipher suites you want to allow. Make sure you are aware of how your selection will interact with Minimum TLS version, TLS 1.3, and the certificate algorithm (ECDSA or RSA).
+6. Select **Save** to confirm.

src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx

@@ -0,0 +1,49 @@
+---
+title: Customize cipher suites
+pcx_content_type: how-to
+sidebar:
+  order: 1
+head:
+  - tag: title
+    content: Customize cipher suites
+
+---
+
+import { Render, TabItem, Tabs, DirectoryListing } from "~/components";
+
+With an [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/) subscription, you can restrict connections between Cloudflare and clients — such as your visitor's browser — to specific [cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/).
+
+You may want to do this to follow specific [recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/), to [disable weak cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/troubleshooting/#ssl-labs-weak-ciphers-report), or to comply with [industry standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/).
+
+Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.
+
+:::note
+This documentation only refers to connections [between clients and the Cloudflare network](/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](/ssl/origin-configuration/cipher-suites/).
+:::
+
+## How it works
+
+Custom cipher suites is a hostname-level setting, which implies that:
+
+* When you customize cipher suites for a zone, this will affect all hostnames within that zone. If you are not familiar with what a Cloudflare zone is, refer to [Fundamentals](/fundamentals/setup/accounts-and-zones/#zones).
+* The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of the [certificate type](/ssl/edge-certificates/) (universal, advanced, or custom).
+* If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.
+
+## Scope
+
+Currently, you have the following options:
+
+- Set custom cipher suites for a zone: either [via API](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) or [on the dashboard](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard/).
+- Set custom cipher suites per-hostname: only available [via API](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/). Refer to the [how-to](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) for details.
+
+### Cloudflare for SaaS
+
+If you are a SaaS provider looking to restrict cipher suites for connections to your custom hostnames, refer to [TLS settings - Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites).
+
+To restrict cipher suites for connections to your own zone, continue on this guide. In this case, you must also have purchased [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/).
+
+## Settings priority and ciphers order
+
+Cloudflare uses the [hostname priority logic](/ssl/reference/certificate-and-hostname-priority/) to determine which setting to apply.
+
+ECDSA cipher suites are prioritized over RSA, and Cloudflare preserves the specified cipher suites in the order they are set. This means that, if both ECDSA and RSA are used, Cloudflare presents the ECDSA ciphers first - in the order they were set - and then the RSA ciphers, also in the order they were set.

src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/index.mdx

@@ -3,14 +3,15 @@ title: Cipher suites
 pcx_content_type: concept
 sidebar:
   order: 1
+  label: About
 head: []
 description: Consider information about supported cipher suites, how to meet
   your security requirements, and how to troubleshoot compatibility and other
   issues.
 
 ---
 
-import { DirectoryListing, Render } from "~/components"
+import { DirectoryListing, Render } from "~/components";
 
 <Render file="cipher-suites-definition" /><br />