TLS Versions -- Minimum TLS Configuration
In this tutorial, you'll learn about TLS Versions. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloudflare Minimum TLS Version allows you to set the lowest TLS protocol version that Cloudflare will accept from incoming connections, blocking older protocols like TLS 1.0 and TLS 1.1 that are vulnerable to attacks such as POODLE, BEAST, and CRIME. By enforcing a minimum TLS version, you reduce your attack surface and comply with security standards including PCI DSS and NIST guidelines.
Why Minimum TLS Version Matters
Outdated TLS versions carry known cryptographic weaknesses. TLS 1.0 was defined in 1999 and uses older cipher suites vulnerable to the BEAST attack. TLS 1.1 improved on 1.0 but still lacks support for modern authenticated encryption. Both TLS 1.0 and 1.1 have been deprecated by major browsers and the IETF since March 2020. Continuing to support them exposes your users to unnecessary risk. Setting a minimum of TLS 1.2 restricts connections to protocol versions that support modern ciphers with forward secrecy and authenticated encryption.
Real-World Use Case
A healthcare platform required PCI DSS compliance for processing insurance payments. The compliance scan flagged TLS 1.0 support as a critical finding. By setting Cloudflare's Minimum TLS Version to 1.2, they instantly eliminated TLS 1.0 and 1.1 from all incoming connections without touching any origin server configuration. The follow-up scan passed, and no legitimate traffic was affected because modern browsers and API clients already use TLS 1.2 or higher.
TLS Protocol Evolution
Diagram (flowchart on the original page): Deprecated protocols: TLS 1.0 (1999) -> TLS 1.1 (2006). Modern protocols: TLS 1.2 (2008) -> TLS 1.3 (2018). The edge from TLS 1.1 to TLS 1.2 is labelled "Deprecated by IETF 2020".
TLS 1.2 introduced AEAD cipher suites and is the minimum recommended version for all services. TLS 1.3 reduced handshake latency to one round trip (or zero with session resumption) and removed insecure algorithms entirely. Cloudflare supports TLS 1.0 through 1.3 on the edge and lets you choose the minimum acceptable version.
Configuring Minimum TLS Version via API
# Get current Minimum TLS Version setting
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/min_tls_version" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" | python3 -m json.tool
# Expected output:
# {
# "result": {
# "id": "min_tls_version",
# "value": "1.2",
# "modified_on": "2025-04-10T08:00:00Z"
# }
# }
The value field returns the current minimum TLS version as a string: "1.0", "1.1", "1.2", or "1.3". The default for most Cloudflare zones is "1.0" for maximum compatibility. Security-focused deployments should set this to "1.2" at minimum.
Setting Minimum TLS Version to 1.2 or 1.3
# Set Minimum TLS Version to 1.2
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/min_tls_version" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": "1.2"}' | python3 -m json.tool
# Expected output:
# {
# "result": {
# "id": "min_tls_version",
# "value": "1.2",
# "modified_on": "2025-06-20T14:30:00Z"
# },
# "success": true
# }
# Set Minimum TLS Version to 1.3 (most secure)
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/settings/min_tls_version" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": "1.3"}' | python3 -m json.tool
Setting to TLS 1.2 is safe for virtually all modern traffic. Setting to TLS 1.3 provides maximum security but may block older API clients, IoT devices, and embedded systems that do not yet support TLS 1.3. Test before enforcing TLS 1.3 on production traffic.
Testing Supported TLS Versions
# Test TLS 1.2 connection (pin both the floor and the ceiling to 1.2)
curl -vI --tlsv1.2 --tls-max 1.2 https://example.com 2>&1 | grep "SSL connection"
# Expected output (the cipher suite name depends on the curl/OpenSSL build):
# SSL connection using TLSv1.2 / <negotiated TLS 1.2 cipher suite>
# Note: --tlsv1.2 on its own only sets the minimum; without --tls-max 1.2
# curl may negotiate TLS 1.3, which proves nothing about the TLS 1.2 floor
# Test TLS 1.1 connection (should fail if minimum is 1.2)
curl -vI --tlsv1.1 --tls-max 1.1 https://example.com 2>&1 | grep -E "SSL|error|handshake"
# Expected output (with min TLS 1.2):
# curl: (35) error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
# Note: many OpenSSL 3 builds refuse TLS 1.0/1.1 at their default security level,
# so curl may fail locally (e.g. "no protocols available") before reaching the edge;
# a local refusal is not evidence that Cloudflare rejected the version
The first command confirms that TLS 1.2 connections succeed. The second command confirms that TLS 1.1 connections are rejected when Minimum TLS Version is set to 1.2. Use this testing pattern after changing settings to verify the configuration works as expected.
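The same check as a script, added here as an example and not part of the original page or Cloudflare's tooling: it pins each handshake to exactly one protocol version (the --tlsv1.x --tls-max 1.x pattern) and distinguishes a rejection by the edge from a refusal by the local OpenSSL. The `connect` parameter and the host name are assumptions made so the logic can be exercised without a network.

```python
# Added example, not from the original page. Assumes the local OpenSSL is
# willing to speak the versions being probed; if not, the result is
# reported as "client-unsupported" rather than mistaken for an edge rejection.
import socket
import ssl

# Candidate versions, lowest first.
VERSIONS = [
    ("1.0", ssl.TLSVersion.TLSv1),
    ("1.1", ssl.TLSVersion.TLSv1_1),
    ("1.2", ssl.TLSVersion.TLSv1_2),
    ("1.3", ssl.TLSVersion.TLSv1_3),
]

def handshake(host, version, port=443, timeout=5.0):
    """Handshake with floor and ceiling pinned to one version. Returns the
    negotiated version string or raises ssl.SSLError / ValueError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def probe(host, connect=handshake):
    """Map each version label to 'accepted', 'rejected' (edge sent a
    protocol_version alert), 'client-unsupported' (local OpenSSL refused)
    or 'error: ...'. `connect` is injectable so the logic runs offline."""
    results = {}
    for label, version in VERSIONS:
        try:
            connect(host, version)
            results[label] = "accepted"
        except ssl.SSLError as exc:
            msg = str(exc).lower()
            if "alert protocol version" in msg:
                results[label] = "rejected"
            elif "no protocols available" in msg or "unsupported protocol" in msg:
                results[label] = "client-unsupported"
            else:
                results[label] = "error: " + msg
        except ValueError:
            # Raised when the local OpenSSL was built without this version.
            results[label] = "client-unsupported"
        except OSError as exc:
            results[label] = "error: " + str(exc)
    return results

def lowest_accepted(results):
    """Lowest version the edge still accepts; compare with the intended floor."""
    for label, _ in VERSIONS:
        if results.get(label) == "accepted":
            return label
    return None
```

Run `probe("your.zone.example")` after a change and confirm `lowest_accepted` matches the value you set; an entry of "client-unsupported" means the test machine, not the edge, declined that version.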
Checking Cipher Suites for Each TLS Version
# Probe one cipher suite at a given TLS version
# (openssl s_client negotiates a single suite per run; stderr is merged so alerts are visible)
# ECDHE-RSA-* suites need an RSA certificate on the server; against an ECDSA-only
# edge use the matching ECDHE-ECDSA-* name, e.g. ECDHE-ECDSA-AES128-GCM-SHA256
echo | openssl s_client -connect example.com:443 -servername example.com \
-tls1_2 -cipher "ECDHE-RSA-AES128-GCM-SHA256" 2>&1 | grep -E "Cipher|handshake"
# Expected output:
# New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
# Try a weaker cipher (should fail with modern config)
echo | openssl s_client -connect example.com:443 -servername example.com \
-tls1_2 -cipher "ECDHE-RSA-DES-CBC3-SHA" 2>&1 | grep -E "Cipher|handshake"
# Expected output:
# 3072008160:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
You can verify which cipher suites Cloudflare negotiates for each TLS version. Cloudflare's edge supports modern ciphers including those with forward secrecy (ECDHE) and authenticated encryption (GCM, CHACHA20). Weak or outdated ciphers are rejected regardless of the TLS version.
Common Errors and Troubleshooting
Legacy API Clients Fail After Upgrade
If you set Minimum TLS Version to 1.2 or 1.3, very old API clients using TLS 1.0 or 1.1 will be unable to connect. Solution: audit your API client connections before upgrading. Use Cloudflare's analytics to check which TLS versions your visitors use before making changes.
IoT Devices Cannot Connect
IoT devices and embedded systems often ship with older TLS stacks that only support TLS 1.0 or 1.1. Solution: if you must support such devices, keep the minimum at TLS 1.0 for those specific endpoints, or use a separate hostname with a lower minimum.
TLS 1.3 Blocks Some Firewalls
Some corporate firewalls and proxy servers do not yet support TLS 1.3 and may break connections. Solution: set Minimum TLS Version to 1.2 instead of 1.3 if you serve enterprise users behind such proxies.
Browser Warning About Outdated TLS
Some browsers show warnings when connecting to sites with TLS 1.0 or 1.1. Solution: set Minimum TLS Version to 1.2 to eliminate these warnings and provide a modern secure experience.
Inconsistent Settings Across Zones
If you manage multiple zones, ensure Minimum TLS Version is consistent across all zones in your organization. Solution: use the Cloudflare API to audit all zones and enforce a baseline of TLS 1.2 using automation scripts.
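One way to do that audit, added here as an example and not Cloudflare's own tooling: it pages through GET /zones, reads each zone's min_tls_version with the endpoint shown above, and (unless run as a dry run) patches any zone below the baseline. The CF_API_TOKEN variable name, the --apply flag and the injectable `call` transport are assumptions made for this example.

```python
# Added example, not from the original page or Cloudflare. Uses only the
# v4 endpoints shown above plus GET /zones; the transport is injectable so
# the audit logic can be tested against constructed responses.
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def api_call(token, method, path, body=None):
    """Real transport: one JSON request against the Cloudflare v4 API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def version_tuple(value):
    """'1.2' -> (1, 2): numeric comparison, not string comparison."""
    return tuple(int(part) for part in value.split("."))

def enforce_baseline(token, baseline="1.2", dry_run=True, call=api_call):
    """Walk every zone and return {zone_name: (before, after)} for zones whose
    min_tls_version was below `baseline`. With dry_run=True nothing is changed
    and `after` equals `before`."""
    changed = {}
    page = 1
    while True:
        zones = call(token, "GET", f"/zones?per_page=50&page={page}")
        for zone in zones["result"]:
            path = f"/zones/{zone['id']}/settings/min_tls_version"
            current = call(token, "GET", path)["result"]["value"]
            if version_tuple(current) >= version_tuple(baseline):
                continue
            after = current
            if not dry_run:
                after = call(token, "PATCH", path, {"value": baseline})["result"]["value"]
            changed[zone["name"]] = (current, after)
        total_pages = zones.get("result_info", {}).get("total_pages", 1)
        if page >= total_pages:
            return changed
        page += 1

if __name__ == "__main__":
    import os
    import sys
    # Dry run by default; pass --apply to actually raise the setting.
    report = enforce_baseline(os.environ["CF_API_TOKEN"], dry_run="--apply" not in sys.argv)
    for name, (before, after) in sorted(report.items()):
        print(f"{name}: {before} -> {after}")
```

Run it once without --apply to see which zones fall below the baseline, check the analytics for those zones as described above, then re-run with --apply.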
Practice Questions
- What is the current IETF recommendation for the minimum TLS version in production?
- Which TLS version introduced AEAD cipher suites and is considered the minimum for modern security?
- What command-line tool can you use to test whether a server rejects TLS 1.1 connections?
Summary
Cloudflare Minimum TLS Version is a simple but powerful security control that blocks outdated, vulnerable TLS protocols at the edge. Setting it to TLS 1.2 eliminates TLS 1.0 and 1.1 vulnerabilities without any origin server changes. TLS 1.3 provides maximum security and performance but may affect legacy clients. Audit your traffic, test with curl and OpenSSL, and enforce the highest minimum TLS version that your user base supports.