Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer.
For example, if TLS 1.1 is selected, visitors attempting to connect using TLS 1.0 will be rejected. Visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed to connect.
Note
If you are looking to restrict cipher suites, refer to Customize cipher suites. For guidance on which TLS version to use, refer to TLS protocols.
It is not possible to configure minimum TLS version for Cloudflare Pages hostnames.
You can disable TLS 1.0 by choosing a higher minimum TLS version.
All users can apply this configuration to all hostnames in their zones following the steps under zone-level.
If you have an Advanced Certificate Manager subscription, you also have the option to disable TLS 1.0 (or other versions) with a per-hostname setup.
Warning
The Minimum TLS version that you set up following these steps does not apply to R2 custom domains. To control the TLS version for R2 custom domains, refer to the custom domains documentation.
To manage the TLS version applied to your whole zone when proxied through Cloudflare:
Use the Edit zone setting endpoint with min_tls_version as the setting name in the URI path, and specify your preferred minimum version in the value field.
In the following example, the minimum TLS version for the zone will be set to 1.2. Replace the zone ID and API token placeholders with your information, and adjust the value field with your chosen TLS version.
Required API token permissions
At least one of the following token permissions is required: Zone Settings Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/min_tls_version" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "id": "min_tls_version",
    "value": "1.2"
  }'
Advanced Certificate Manager users also have the option to specify minimum TLS versions per specific hostnames in their Cloudflare zone.
This is currently only available via the API:
min_tls_version
.min_tls_version
setting.
Cloudflare uses the hostname priority logic to determine which setting to apply.
In the following example, the minimum TLS version for a specific hostname will be set to 1.2. Replace the zone ID, hostname, and authentication placeholders with your information, and adjust the value field with your chosen TLS version.
Required API token permissions
At least one of the following token permissions is required: SSL and Certificates Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/hostnames/settings/min_tls_version/$HOSTNAME" \
  --request PUT \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  --json '{
    "value": "1.2"
  }'
Test supported TLS versions
To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.
For example, use a curl command to test TLS 1.1 (replace www.example.com with your Cloudflare domain and hostname):
curl https://www.example.com -svo /dev/null --tls-max 1.1
If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and curl returns an error:
* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert
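The script below is an added example, not part of the Cloudflare documentation: it repeats the curl test above for each protocol version and flags any version below the expected minimum that still completes a handshake. The function names and the expected-minimum argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: verify that versions below an expected minimum are refused.

# Offer exactly one protocol version: --tlsvX is the floor, --tls-max the
# ceiling. With --tls-max alone, curl may still negotiate an older version.
probe_tls() {  # usage: probe_tls HOST VERSION
    curl --silent --output /dev/null --max-time 10 \
        "--tlsv$2" --tls-max "$2" "https://$1/"
}

# Map a curl exit status to a verdict. 35 is curl's "SSL connect error".
# A local TLS library that has dropped TLS 1.0/1.1 can also fail the
# handshake, so "rejected" is not proof that the server refused it.
classify() {  # usage: classify EXIT_STATUS
    case "$1" in
        0)  echo allowed ;;
        35) echo rejected ;;
        *)  echo inconclusive ;;  # DNS error, timeout, unsupported option
    esac
}

# True if version $1 is lower than version $2 (both of the form 1.x).
version_lt() { [ "${1#1.}" -lt "${2#1.}" ]; }

# Print one line per version; return non-zero if any version below
# EXPECTED_MIN completes a handshake.
audit_min_tls() {  # usage: audit_min_tls HOST EXPECTED_MIN
    host=$1 min=$2 failures=0
    for v in 1.0 1.1 1.2 1.3; do
        rc=0
        probe_tls "$host" "$v" || rc=$?
        verdict=$(classify "$rc")
        note=""
        if version_lt "$v" "$min" && [ "$verdict" = allowed ]; then
            note=" <-- below minimum but accepted"
            failures=$((failures + 1))
        fi
        echo "TLS $v: $verdict$note"
    done
    [ "$failures" -eq 0 ]
}

# Run only when called as: sh script.sh HOSTNAME EXPECTED_MIN
if [ "$#" -eq 2 ]; then audit_min_tls "$1" "$2"; fi
```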