From e91c553550bf241c6c7fc9ca972daf3cd4d710cc Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 7 May 2025 14:54:27 +0100 Subject: [PATCH 1/4] Make CF4SaaS disclaimer simpler and move it higher on the page --- .../cipher-suites/customize-cipher-suites/index.mdx | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx index 8d854540668e400..e9c90b74d3de8a2 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.mdx @@ -17,8 +17,8 @@ You may want to do this to follow specific [recommendations](/ssl/edge-certifica Customizing cipher suites will not lead to any downtime in your SSL/TLS protection. -:::note -This documentation only refers to connections [between clients and the Cloudflare network](/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](/ssl/origin-configuration/cipher-suites/). +:::note[Cloudflare for SaaS] +If you are a SaaS provider looking to restrict cipher suites for connections to [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/), this can be configured with a [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) subscription. Refer to [TLS management](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites) instead. ::: ## How it works 
@@ -36,11 +36,9 @@ Currently, you have the following options: - Set custom cipher suites for a zone: either [via API](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) or [on the dashboard](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard/). - Set custom cipher suites per-hostname: only available [via API](/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/). Refer to the [how-to](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) for details. -### Cloudflare for SaaS - -If you are a SaaS provider looking to restrict cipher suites for connections to your custom hostnames, refer to [TLS settings - Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites). - -To restrict cipher suites for connections to your own zone, continue on this guide. In this case, you must also have purchased [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/). +:::note +This documentation only refers to connections [between clients and the Cloudflare network](/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](/ssl/origin-configuration/cipher-suites/). +::: ## Settings priority and ciphers order From c4d5e3dfd5e2c31fa9f5d015a0aca7674f00b766 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 7 May 2025 15:11:58 +0100 Subject: [PATCH 2/4] More generic warning and add footnotes to recommendations.mdx --- .../additional-options/cipher-suites/recommendations.mdx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx index 4e0630b3793ae3a..44c18c56ba9deaa 100644 
--- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx @@ -16,7 +16,7 @@ Refer to the sections below for three different security levels and how Cloudfla Refer to [Customize cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to learn how to specify cipher suites at zone level or per hostname. :::caution -When opting for [compatible](#compatible) or [modern](#modern), make sure to up your [Minimum TLS version](/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2` and [enable TLS 1.3](/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone. +When opting for [compatible](#compatible) or [modern](#modern), make sure to review the [related SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings)[^4]. ::: ## Modern @@ -37,7 +37,7 @@ Provides broader compatibility with somewhat weaker security. Supports TLS 1.2-1
-`AEAD-AES128-GCM-SHA256`, `AEAD-AES256-GCM-SHA384`, `AEAD-CHACHA20-POLY1305-SHA256`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384` +`AEAD-AES128-GCM-SHA256`[^1], `AEAD-AES256-GCM-SHA384`[^2], `AEAD-CHACHA20-POLY1305-SHA256`[^3], `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384` @@ -49,7 +49,7 @@ Includes all cipher suites that Cloudflare supports today. Broadest compatibilit
-`AEAD-AES128-GCM-SHA256`, `AEAD-AES256-GCM-SHA384`, `AEAD-CHACHA20-POLY1305-SHA256`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA` +`AEAD-AES128-GCM-SHA256`[^1], `AEAD-AES256-GCM-SHA384`[^2], `AEAD-CHACHA20-POLY1305-SHA256`[^3], `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA` 
@@ -57,4 +57,5 @@ To reset your option to the default, [use an empty array](/ssl/edge-certificates [^1]: Same as `TLS_AES_128_GCM_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [^2]: Same as `TLS_AES_256_GCM_SHA384`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. -[^3]: Same as `TLS_CHACHA20_POLY1305_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. \ No newline at end of file +[^3]: Same as `TLS_CHACHA20_POLY1305_SHA256`. Refer to [TLS 1.3 cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. +[^4]: Although configured independently, cipher suites interact with **Minimum TLS version** and **TLS 1.3**. \ No newline at end of file From 7a2cc3cc3fa37ab24a0705284974da1d62be7788 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 7 May 2025 15:22:38 +0100 Subject: [PATCH 3/4] Clarify that Modern equals PCI DSS when used with TLS 1.3 --- .../customize-cipher-suites/dashboard.mdx | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx index 44f11542727db30..5fd5dbc52d502d2 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard.mdx 
@@ -12,7 +12,7 @@ import { Render, Details } from "~/components"; When configuring cipher suites via dashboard, you can use three different selection modes: -- **By security level**: allows you to select between the predefined [Cloudflare recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) (Modern, Compatible, or Legacy). +- **By security level**: allows you to select between the predefined [Cloudflare recommendations](/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) (Modern[^1], Compatible, or Legacy). - **By compliance standard**: allows you to select cipher suites grouped according to [industry standards](/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) (PCI DSS or FIPS-140-2). - **Custom**: allows you to individually select the cipher suites you would like to support. @@ -32,4 +32,10 @@ For any of the modes, you should keep in mind the following configuration condit 3. For the **Cipher suites** setting select **Configure**. 4. Choose a mode to select your cipher suites and select **Next**. 5. Select a predefined set of cipher suites or, if you opted for **Custom**, specify which cipher suites you want to allow. Make sure you are aware of how your selection will interact with Minimum TLS version, TLS 1.3, and the certificate algorithm (ECDSA or RSA). -6. Select **Save** to confirm. \ No newline at end of file +6. Select **Save** to confirm. + +:::note[Modern or PCI DSS] +When used with [TLS 1.3](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13), Modern is the same as PCI DSS. +::: + +[^1]: When used with TLS 1.3, Modern is the same as PCI DSS. \ No newline at end of file From be053d326e7a852f4f1c5a309186b68abc5d4de7 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Thu, 8 May 2025 09:53:35 +0100 Subject: [PATCH 4/4] Apply suggestion from code review Co-authored-by: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> --- .../additional-options/cipher-suites/recommendations.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx index 44c18c56ba9deaa..4ef7936290ac190 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/cipher-suites/recommendations.mdx @@ -16,7 +16,7 @@ Refer to the sections below for three different security levels and how Cloudfla Refer to [Customize cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to learn how to specify cipher suites at zone level or per hostname. :::caution -When opting for [compatible](#compatible) or [modern](#modern), make sure to review the [related SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings)[^4]. +Before opting for [compatible](#compatible) or [modern](#modern), review the [related SSL/TLS settings](/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings)[^4]. ::: ## Modern
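Review bot: in the first hunk of PATCH 1/4 (`@@ -17,8 +17,8 @@`, index.mdx), the link text "TLS management" in the new `:::note[Cloudflare for SaaS]` block does not match its target, `.../security/certificate-management/enforce-mtls/#cipher-suites`, which the section removed in the next hunk labelled "TLS settings - Cloudflare for SaaS"; use a label that matches the destination (keeping "TLS settings - Cloudflare for SaaS" would do) so readers who land on an mTLS page know they are in the right place. The closing "Refer to ... instead." also reads oddly this early on the page, before the reader has been told what this page covers; "rather than this page" or simply dropping "instead" is clearer.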
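Review bot: the second hunk of PATCH 1/4 (`@@ -36,11 +36,9 @@`, index.mdx) drops a prerequisite along with the `### Cloudflare for SaaS` heading: the removed sentence "In this case, you must also have purchased [Advanced Certificate Manager](/ssl/edge-certificates/advanced-certificate-manager/)." is not reinstated anywhere in this series. Either keep that sentence next to the zone-level option under "Currently, you have the following options:" or confirm the requirement is still stated elsewhere on the page before merging.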
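Review bot: the first hunk of PATCH 2/4 (`@@ -16,7 +16,7 @@`, recommendations.mdx) replaces the concrete instruction (Minimum TLS version `1.2`, enable TLS 1.3) with a link plus footnote `[^4]`, and `[^4]` only says the settings "interact", so a reader who does not follow the link no longer learns what to set. The generic wording is fine as the lead, but keep one clause with the values, for example: "review the [related SSL/TLS settings](...)[^4] (Minimum TLS version `1.2` and TLS 1.3 enabled)."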
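Review bot: the Compatible-list hunk of PATCH 2/4 (`@@ -37,7 +37,7 @@`, recommendations.mdx) attaches `[^1]`, `[^2]` and `[^3]` to the three `AEAD-*` names, and the Legacy-list hunk does the same, while the definitions at the end of the file are unchanged context; confirm the Modern list (not in this diff) carries the same three references so the TLS 1.3 aliases are explained consistently across all three levels.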
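Review bot: the footnote hunk of PATCH 2/4 (`@@ -57,4 +57,5 @@`, recommendations.mdx) still ends with `\ No newline at end of file`; since the last line is being rewritten anyway, add the trailing newline. The new `[^4]` text ("cipher suites interact with **Minimum TLS version** and **TLS 1.3**") says that the settings interact but not how; carrying over the guidance this patch removed from the caution (set Minimum TLS version to `1.2` and enable TLS 1.3) would make the footnote actionable.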
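Review bot: the second hunk of PATCH 3/4 (`@@ -32,4 +32,10 @@`, dashboard.mdx) adds the same statement twice, once as the `:::note[Modern or PCI DSS]` block and once as footnote `[^1]`, and only the note version links the TLS 1.3 section; keep one (the footnote, since `[^1]` is already attached to "Modern" in the selection-modes list in the first hunk) and give it the `[TLS 1.3](/ssl/edge-certificates/additional-options/cipher-suites/#tls-13)` link. This hunk also leaves `\ No newline at end of file` on the new last line; add the trailing newline while touching it.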