TLS 1.3
TLS 1.3 enables the latest version of the TLS protocol (when supported) for improved security and performance.
What is TLS 1.3?
TLS 1.3 is the newest, fastest, and most secure version of the TLS protocol. SSL/TLS is the protocol that encrypts communication between users and your website. When web traffic is encrypted with TLS, users will see the green padlock in their browser window.
By turning on the TLS 1.3 feature, traffic to and from your website will be served over the TLS 1.3 protocol when supported by clients. TLS 1.3 protocol has improved latency over older versions, has several new features, and is currently supported in both Chrome (starting with release 66), Firefox (starting with release 60), and in development for Safari and Edge browsers.
Availability
Free | Pro | Business | Enterprise | |
Availability | Yes | Yes | Yes | Yes |
Enable TLS 1.3
TLS 1.3 requires a two-step activation: in the Cloudflare dashboard and in the browser.
Enable TLS 1.3 in Cloudflare settings
To enable TLS 1.3 in the dashboard:
- Log in to your Cloudflare account and go to a specific domain.
- Go to SSL/TLS > Edge Certificates.
- For TLS 1.3, switch the toggle to On.
PATCH
request with the value
parameter set to your desired setting ("on"
or "off"
). Enable TLS 1.3 in the browser
Chrome
- In the address bar, enter
chrome://flags
and press Enter. - Scroll to locate the TLS 1.3 Early Data entry, and set it to Enabled. A message saying that the change will take effect the next time you relaunch Chrome will appear.
- Select RELAUNCH NOW to restart Chrome.
After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:
- Open Chrome Developer Tools.
- Select the Security tab.
- Reload the page (Command-R in macOS, Ctrl-R in Windows).
- Select the site under Main origin.
- Under Connection, confirm that the protocol is TLS 1.3.
Firefox
- In the address bar, enter
about:config
and select to accept the warranty warning. - Search for
security.tls.version.max
and change the value from3
(the default) to4
.
After enabling TLS 1.3, visit a site with TLS 1.3 enabled over HTTPS. Then:
- Select the lock icon in the address bar.
- Select Connection secure > More information.
- Under Technical Details, verify that the TLS version is TLS 1.3.
Troubleshooting
Since TLS 1.3 implementations are relatively new, some failures may occur. If you experience errors, submit a Cloudflare Support ticket with the following information:
- Steps to replicate the issue (if possible)
- Client build version
- Client diagnostic information
- Packet captures
Chrome users should submit a net-internals trace to Google. Firefox users should report bugs to Mozilla.
Limitations
You cannot set specific TLS 1.3 ciphers.
Instead, you will need to enable TLS 1.3 for your entire domain and Cloudflare will use all applicable TLS 1.3 cipher suites.
In combination with this, you can still restrict specific ciphers for TLS 1.0-1.2.