Tracking our SSL configuration

2014-05-03

Over time we've updated the SSL configuration we use for serving HTTPS as the security landscape has changed. In the past we've documented those changes in blog posts; to make things simpler to track, and so that people can stay up to date on the configuration we've chosen, I've created a GitHub repository called sslconfig. I've recreated the history of our SSL configuration from an internal repository, and going forward we'll synchronize this repo with the configuration we are using.

Our SSL configuration has changed because attacks on SSL/TLS have appeared: Lucky 13, BEAST, and biases in RC4.

Not long ago we modified OpenSSL to prevent the use of RC4 for TLS 1.1 and above and introduced ECDSA. We continue to examine the right set of ciphers to use (for example, ones that provide Perfect Forward Secrecy) so that our customers are as secure as possible.

Stay tuned for further announcements, and keep an eye on sslconfig for the latest configuration.

PS As with any of our open source efforts, comments, criticisms and pull requests are most welcome.
