Cloudflare - cipher suites
Configuring Cipher Suites on Cloudflare
This document provides details on the enabled cipher suites and the steps to view or edit them using Cloudflare's API.
Enabled Cipher Suites
The following cipher suites have been enabled on Cloudflare as per the official documentation:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
Note - This PR makes these cipher suites consistent across Cloudflare and NGINX.
Testing
These cipher suites were tested using Qualys SSL Labs.
Viewing Cipher Suites on Cloudflare
To see the currently enabled cipher suites, use the following API request:
curl --request GET \
  --url https://api.cloudflare.com/client/v4/zones/1a61b108e92a1d7fee1b11406a136086/settings \
  --header "Authorization: Bearer <Api Token>" \
  --header 'Content-Type: application/json'
Replace <Api Token> with your actual API token.
Editing Cipher Suites on Cloudflare
To edit the enabled cipher suites, use the following API request:
curl --request PATCH \
  "https://api.cloudflare.com/client/v4/zones/1a61b108e92a1d7fee1b11406a136086/settings/ciphers" \
  --header "Authorization: Bearer <API TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "value": [
      "ECDHE-ECDSA-AES128-GCM-SHA256",
      "ECDHE-RSA-AES128-GCM-SHA256",
      "ECDHE-ECDSA-AES256-GCM-SHA384",
      "ECDHE-RSA-AES256-GCM-SHA384",
      "ECDHE-ECDSA-CHACHA20-POLY1305",
      "ECDHE-RSA-CHACHA20-POLY1305"
    ]
  }'
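To confirm after an edit that Cloudflare and NGINX both carry exactly the six suites listed on this page, the saved API response and the NGINX configuration can be checked for drift. This is an added example, not part of the original page or the project's code; the function names are hypothetical, the response envelope (`success`, `result`, `id`, `value`) is assumed from the standard Cloudflare v4 response format, and the sample inputs are constructed.

```python
import json
import re

# The six suites listed on this page, in the page's order.
EXPECTED = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

def cloudflare_ciphers(body):
    """Extract the ciphers list from a /settings or /settings/ciphers response."""
    doc = json.loads(body)
    if not doc.get("success"):
        raise ValueError(f"API call failed: {doc.get('errors')}")
    result = doc["result"]
    # /settings returns a list of settings, /settings/ciphers a single object.
    settings = result if isinstance(result, list) else [result]
    for s in settings:
        if s.get("id") == "ciphers":
            return list(s["value"])
    raise ValueError("no 'ciphers' setting in response")

def nginx_ciphers(conf):
    """Return the suites from the first uncommented ssl_ciphers directive."""
    m = re.search(r"^\s*ssl_ciphers\s+['\"]?([^;'\"]+)['\"]?\s*;", conf, re.M)
    if not m:
        raise ValueError("no ssl_ciphers directive found")
    return [c for c in m.group(1).strip().split(":") if c]

def drift(actual, expected=EXPECTED):
    """Suites missing from, and unexpected in, actual compared with expected."""
    return {
        "missing": [c for c in expected if c not in actual],
        "unexpected": [c for c in actual if c not in expected],
    }

# Constructed samples (not captured from a real zone or server).
SAMPLE_API = json.dumps({"success": True, "errors": [], "messages": [],
    "result": {"id": "ciphers", "value": EXPECTED[:4] + ["AES128-SHA"]}})
SAMPLE_NGINX = "server {\n    ssl_ciphers " + ":".join(EXPECTED) + ";\n}\n"

if __name__ == "__main__":
    print("cloudflare:", drift(cloudflare_ciphers(SAMPLE_API)))
    print("nginx:     ", drift(nginx_ciphers(SAMPLE_NGINX)))
```

Any non-empty `missing` or `unexpected` list means that side no longer matches the page's list and should be corrected before re-running the SSL Labs test.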
API Token Requirements
The API token used for the above requests requires the following permissions:
* Zone → Zone Settings - Edit
You can create API tokens from your Cloudflare account:
1. Navigate to My Profile → API Tokens.
2. Generate a new token with the required permissions.