On June 4, Cloudflare will be dropping support for TLS 1.0 and 1.1 on api.cloudflare.com. Additionally, the dashboard will be moved from www.cloudflare.com/a to dash.cloudflare.com and will require a browser that supports TLS 1.2 or higher.

No changes will be made to customer traffic that is proxied through our network, though you may decide to enforce a minimum version for your own traffic. We will soon expose TLS analytics that indicate the percent of connections to your sites using TLS 1.0-1.3, and controls to set a specific minimum version. Currently, you may enforce version 1.2 or higher using the Require Modern TLS setting.

Prior to June 4, API calls made with TLS 1.0 or 1.1 will have warning messages inserted into responses and dashboard users will see a banner encouraging you to upgrade your browser. Additional details on these changes, and a complete schedule of planned events can be found in the timeline below.

Background

Transport Layer Security (TLS) is the protocol used on the web today to encrypt HTTPS connections. Version 1.0 was standardized almost 20 years ago as the successor to SSL 3.0, but is universally considered insecure due to being vulnerable to attacks such as BEAST and POODLE. Version 1.1 followed in 2006 and mitigated BEAST, but adoption was minimal as some major browsers opted to make the jump directly to TLS 1.2 (codified in 2008).

In addition to the documented vulnerabilities, standards bodies such as the Payment Cards Industry Security Standards Council (PCI SSC) and the National Institute of Standards and Technology (NIST) recommend disabling TLS 1.0 and 1.1. Specifically, PCI requires that sites use a minimum of TLS 1.1, with TLS 1.2 recommended, and NIST requires at least TLS 1.2.

Fortunately, almost all (>96%) the traffic we see on api.cloudflare.com is already using TLS 1.2 or greater, so most users will not need to make any changes. However, if you’re using one of the user agents or operating systems listed below, you may need to upgrade. To check which version your browser or API client is using, make a request to https://version.tls.fun.

Problematic user agents

Below are the user agents with the highest frequency of TLS 1.0 or 1.1 requests to api.cloudflare.com. If you recognize your API client in this list, please take steps to upgrade as soon as possible.

Many developers use curl, an excellent tool built by Daniel Stenberg, to make API calls to api.cloudflare.com. As is common with command-line tools, curl relies on the underlying crypto library that it is built against for SSL/TLS support, e.g., OpenSSL, NSS, etc.

Therefore, users running curl on operating systems with outdated crypto libraries are likely to encounter problems. TLS 1.2 support was first added to OpenSSL in v1.0.1, which was released in March of 2012.

Java 1.7 or earlier

TLS 1.2 support was added to the JRE in 1.7.0_131-b12, so API calls made using ancient versions of Java may fail.

Internet Explorer 10 or earlier

Internet Explorer did not ship with TLS 1.2 enabled by default until v11 on Windows 7 and Windows Server 2008 R2. While these versions went End of Life (EOL) in January 2015, many still exist in the wild as observed on our edge.

Detailed timeline

While TLS 1.0 and 1.1 will be permanently disabled on June 4 (12 weeks from today), we will take steps before then to encourage users still running outdated browsers and operating systems to upgrade.

Date Days from Today Event 2018/03/12 0 Publication date of this blog post. 2018/04/30 49 Cloudflare Dashboard available for use at dash.cloudflare.com. Some percent of users will automatically be redirected here.

API responses from api.cloudflare.com will include a deprecation warning in the messages field (when request is made using TLS 1.0 or 1.1). 2018/05/07 56 Twenty-four (24) hour brownout of TLS 1.0 and 1.1 on api.cloudflare.com.

All API responses for calls made using either of these versions will be returned as an HTTP 400/Bad Request with a detailed error message in the payload. 2018/06/04 84 TLS 1.0 and 1.1 permanently disabled on api.cloudflare.com.

Cloudflare Dashboard available exclusively at dash.cloudflare.com and will require TLS 1.2 or higher.

Deprecation message in API responses

Beginning on April 30, API responses from api.cloudflare.com will include a deprecation warning in the messages field when the request is made using TLS 1.0 or 1.1:

{ "result": { "id":"2d4d028de3015345da9420df5514dad0", ... }, "success": true, "errors": [], "messages": [ {"code": "1911", "message": "This API call was made using TLS v1.0. TLS versions below 1.2 will no longer be supported as of June 4, 2018. You must upgrade your client before then or your API calls will fail. See https://blog.cloudflare.com/deprecating-old-tls-versions-on-cloudflare-dashboard-and-api/."} ], "result_info": { "page": 1, ... } }

Twenty-four (24) hour brownout

On May 7, we will temporary disable TLS 1.0 and 1.1 for a 24-hour "brownout" period. All calls made to api.cloudflare.com using TLS 1.0 or 1.1 will be immediately returned with an HTTP 400 (Bad Request) error and the requested action will not be processed. Additionally, the Cloudfare Dashboard will be inaccessible using TLS 1.0 or 1.1 during this time.

The purpose of this brownout is to provide a warning to Cloudflare customers still using legacy browsers or operating systems. If your API calls suddenly stop working on this date, take a look at your technical stack.

Permanent disabling of TLS 1.0 and 1.1

On June 4, we will permanently disable TLS 1.0 and 1.1 on api.cloudflare.com. All users accessing the dashboard will also require TLS 1.2 or greater.

As a reminder, we will not be making any changes to your traffic. While we recommend that you also disable TLS 1.0 and 1.1 for security reasons, we prefer to let our customers decide what is best for them. Continue reading to see how we will provide you with the data and controls you need to make and enforce this decision.

Upcoming controls and analytics

Currently you have the ability in the Crypto tab of the dashboard to disable TLS 1.0 and 1.1 together, but not 1.0 only:

Flip the toggle on, as shown in the above screenshot, and only TLS 1.2 or higher will be permitted on your site. Even though TLS 1.1 represents ~0.2% of traffic we see at the edge, some customers have indicated they wish to continue to support it but not TLS 1.0. To address this request, we will soon make the two changes detailed below.

1. Replace Require Modern TLS control with Minimum TLS Version

Replacing the "Require Modern TLS" card above will be the "Minimum TLS Version" card:

Note that while the Require Modern TLS UI control will be removed as soon as the Minimum TLS Version card is deployed, the existing API endpoint will continue to function for 60 days from that date. We will enforce the greater of the two settings (if both are used).

The current "Traffic Served Over SSL" pie chart will be enhanced to show the percent of requests by TLS version with slices for HTTP, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. Hovering over any section will pop up the number of requests in the selected time period.

Additional communications

We will update this blog post with any changes, as well as publish new posts as the changes outlined above take effect (including availability of the new TLS analytics for your domain and ability to enforce a specific minimum version).

Enterprise customers who are still making API calls with TLS 1.0 or 1.1 will receive an email from your Customer Success Manager with problematic user agents and frequencies.

Everyone else should contact Cloudflare Support with any questions.