[SSL] Custom cipher suites clarifications (#22268)

RebeccaTamachiro · deadlypants1973 · daisyfaithauma · commit 8cf9e2a6355b · 2025-05-13T17:05:24.000+01:00
* Make CF4SaaS disclaimer simpler and move it higher on the page

* More generic warning and add footnotes to recommendations.mdx

* Clarify that Modern equals PCI DSS when used with TLS 1.3

* Apply suggestion from code review

Co-authored-by: Kate Tungusova &lt;70746074+deadlypants1973@users.noreply.github.com&gt;

---------

Co-authored-by: Kate Tungusova &lt;70746074+deadlypants1973@users.noreply.github.com&gt;
diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx
@@ -12,7 +12,7 @@ import { Render, Details } from "~/components";
 
 When configuring cipher suites via dashboard, you can use three different selection modes:
 
-- **By security level**: allows you to select between the predefined [Cloudflare recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) (Modern, Compatible, or Legacy).
+- **By security level**: allows you to select between the predefined [Cloudflare recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) (Modern[^1], Compatible, or Legacy).
 - **By compliance standard**: allows you to select cipher suites grouped according to [industry standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) (PCI DSS or FIPS-140-2).
 - **Custom**: allows you to individually select the cipher suites you would like to support.
 
@@ -32,4 +32,10 @@ For any of the modes, you should keep in mind the following configuration condit
 3. For the **Cipher suites** setting select **Configure**.
 4. Choose a mode to select your cipher suites and select **Next**.
 5. Select a predefined set of cipher suites or, if you opted for **Custom**, specify which cipher suites you want to allow. Make sure you are aware of how your selection will interact with Minimum TLS version, TLS 1.3, and the certificate algorithm (ECDSA or RSA).
-6. Select **Save** to confirm.
+6. Select **Save** to confirm.
+
+:::note[Modern or PCI DSS]
+When used with [TLS 1.3](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13), Modern is the same as PCI DSS.
+:::
+
+[^1]: When used with TLS 1.3, Modern is the same as PCI DSS.
diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx
@@ -17,8 +17,8 @@ You may want to do this to follow specific [recommendations](/ssl/edge-certifica
 
 Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.
 
-:::note
-This documentation only refers to connections [between clients and the Cloudflare network](/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](/ssl/origin-configuration/cipher-suites/).
+:::note[Cloudflare for SaaS]
+If you are a SaaS provider looking to restrict cipher suites for connections to [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/), this can be configured with a [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) subscription. Refer to [TLS management](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites) instead.
 :::
 
 ## How it works
@@ -36,11 +36,9 @@ Currently, you have the following options:
 - Set custom cipher suites for a zone: either [via API](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) or [on the dashboard](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard/).
 - Set custom cipher suites per-hostname: only available [via API](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/). Refer to the [how-to](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) for details.
 
-### Cloudflare for SaaS
-
-If you are a SaaS provider looking to restrict cipher suites for connections to your custom hostnames, refer to [TLS settings - Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites).
-
-To restrict cipher suites for connections to your own zone, continue on this guide. In this case, you must also have purchased [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/).
+:::note
+This documentation only refers to connections [between clients and the Cloudflare network](/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](/ssl/origin-configuration/cipher-suites/).
+:::
 
 ## Settings priority and ciphers order
 
diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx
@@ -16,7 +16,7 @@ Refer to the sections below for three different security levels and how Cloudfla
 Refer to [Customize cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to learn how to specify cipher suites at zone level or per hostname.
 
 :::caution
-When opting for [compatible](#compatible) or [modern](#modern), make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2` and [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone.
+Before opting for [compatible](#compatible) or [modern](#modern), review the [related SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings)[^4].
 :::
 
 ## Modern
@@ -37,7 +37,7 @@ Provides broader compatibility with somewhat weaker security. Supports TLS 1.2-1
 
 <Details header="Cipher suites list">
 
-`AEAD-AES128-GCM-SHA256`, `AEAD-AES256-GCM-SHA384`, `AEAD-CHACHA20-POLY1305-SHA256`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`
+`AEAD-AES128-GCM-SHA256`[^1], `AEAD-AES256-GCM-SHA384`[^2], `AEAD-CHACHA20-POLY1305-SHA256`[^3], `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`
 
 </ Details>
 
@@ -49,12 +49,13 @@ Includes all cipher suites that Cloudflare supports today. Broadest compatibilit
 
 <Details header="Cipher suites list">
 
-`AEAD-AES128-GCM-SHA256`, `AEAD-AES256-GCM-SHA384`, `AEAD-CHACHA20-POLY1305-SHA256`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA`
+`AEAD-AES128-GCM-SHA256`[^1], `AEAD-AES256-GCM-SHA384`[^2], `AEAD-CHACHA20-POLY1305-SHA256`[^3], `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA`
 
 </ Details>
 
 To reset your option to the default, [use an empty array](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/#reset-to-default-values).
 
 [^1]: Same as `TLS_AES_128_GCM_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details.
 [^2]: Same as `TLS_AES_256_GCM_SHA384`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details.
-[^3]: Same as `TLS_CHACHA20_POLY1305_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details.
+[^3]: Same as `TLS_CHACHA20_POLY1305_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details.
+[^4]: Although configured independently, cipher suites interact with **Minimum TLS version** and **TLS 1.3**.
