Minimum TLS Version
Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer.
For example, if TLS 1.1 is selected, visitors attempting to connect using TLS 1.0 will be rejected. Visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed to connect.
Free | Pro | Business | Enterprise | |
---|---|---|---|---|
Availability | Yes | Yes | Yes | Yes |
It is not possible to configure minimum TLS version for Cloudflare Pages hostnames.
You can disable TLS 1.0 by choosing a higher minimum TLS version.
All users can apply this configuration to all hostnames in their zones following the steps under zone-level.
If you have an Advanced Certificate Manager subscription, you also have the option to disable TLS 1.0 (or other versions) with a per-hostname setup.
To manage the TLS version applied to your whole zone when proxied through Cloudflare:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For Minimum TLS Version, select an option.
Use the Edit zone setting endpoint with min_tls_version
as the setting name in the URI path, and specify your preferred minimum version in the value
parameter.
Advanced Certificate Manager users also have the option to specify minimum TLS versions per specific hostnames in their Cloudflare zone.
This is currently only available via the API:
- Use the Edit TLS setting for hostname endpoint to specify different values for
min_tls_version
. - Use the Delete TLS setting for hostname endpoint to clear previously defined
min_tls_version
setting.
Cloudflare uses the hostname priority logic to determine which setting to apply.
To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.
For example, use a curl
command to test TLS 1.1 (replace www.example.com
with your Cloudflare domain and hostname):
If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and returns an error:
* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert