Cipher Configs Subdomain

Wondering if its possible to change the cipher configs for a subdomain ww1.example.com without affecting example.com, wondering if this is even possible.

Ff Wondering if its possible to change the cipher configs for a subdomain ww1.examp...

Chaika•3/1/24, 2:23 PM

Yes: https://developers.cloudflare.com/api/operations/per-hostname-tls-settings-put, need ACM though (Adv. Cert Manager)
You asked a question about this but I didn't quite understand what you are asking. That endpoint just needs your zone id (right side of the overview of your website) and the hostname (ww1.example.com)

Cloudflare API Documentation

Interact with Cloudflare's products and services via the Cloudflare API

fOP•3/1/24, 3:22 PM

thanks Chaika we do have an ACM not very familiar with how it works tho so i will ook into it

CChaika Yes: https://developers.cloudflare.com/api/operations/per-hostname-tls-settings-...

fOP•3/1/24, 4:56 PM

I have to have the ACM ? i cant just apply the new ciphers on this endpoint for www1 hostname?/{zone_id}/hostnames/settings/{setting_id}/{hostname}

Ff I have to have the ACM ? i cant just apply the new ciphers on this endpoint for ...

Chaika•3/1/24, 5:02 PM

You need ACM on the zone/website, yea

Chaika•3/1/24, 5:02 PM

otherwise trying to use that endpoint just spits out

{
"success": false,
"errors": [
{
"code": 1450,
"message": "Access to configure this resource has not been granted for this zone. This feature is available with the Advanced Certificate Manager."
}
],
"messages": []
}

fOP•3/1/24, 5:06 PM

i see thanks Chaika, still trying to learn everything cloudflare has to offer

fOP•3/8/24, 10:32 PM

Hey Chaika, i was given permissions to apply the configs at the zone level since we do not have ACM and but this also gives us the same message: Advance Certificate Manager is Required to Set custom ciphers. We are just trying to upgrade to cloudflare's modern security level cipher suites

["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]

is zone changes of this sort still possible?

fOP•3/8/24, 10:32 PM

without ACM

Yomna Shousha•5/29/24, 7:42 PM

Hi everyone @here! My name is Yomna and I am a product intern on the SSL team. Exciting news--we are working on adding cipher suites to the Cloudflare dashboard!

If you are someone who has experience configuring cipher suites with our API, or are someone who hopes to configure suites, we'd love to hear from you! Here is a Calendly link to set up a time to chat:
https://calendly.com/yomna-4wzb/cipher-suite-selection-in-the-ui?month=2024-05

No time to chat? We've also created this survey to gather information:
https://docs.google.com/forms/d/15mGcm2aDLhTMeJpHPfAO8JrmOcuJaq-EHjkpLrQg5mM/edit

Thank you so much for your time and consideration! We're looking forward to effectively meeting you cipher suites needs

Calendly

Cipher Suite Selection in the UI - Yomna Shousha

Google Docs

Cipher Suite Selection in Cloudflare UI

We're excited to share that we're working on integrating cipher suite selection into the Cloudflare dashboard! Your insights are crucial in ensuring we tailor this feature to meet your needs effectively. Please take a moment to share your use cases and any pain points you've encountered.
If you'd like to set up a time to chat, please DM @yomshou...

YYomna Shousha Hi everyone @here! My name is Yomna and I am a product intern on the SSL team. E...

yev•6/21/24, 4:05 PM

Awesome news! Will these changes still require the purchase is Advanced Cert Manager (ACM) ?

yev•6/21/24, 4:20 PM

Filled out the Google form. Looking forward to this!

yev•6/21/24, 4:22 PM

Is there a roadmap or timeline for these changes?

yev•7/15/24, 8:34 PM

@Chaika do you have any updates on my questions above?

Sorry for bumping an old thread, lmk if I should open a new one

Yyev @Chaika do you have any updates on my questions above? Sorry for bumping an old...

Chaika•7/15/24, 8:35 PM

what's the question, if you can customize ciphers without ACM? You need ACM to change them at all

CChaika what's the question, if you can customize ciphers without ACM? You need ACM to c...

yev•7/15/24, 8:38 PM

Thank you, I was hoping that would have opened up but oh well. So the changes made are purely to give you the option to configure the ciphers through the UI.