Introduction

Cloudflare allows configuring the minimum TLS version for client-to-Cloudflare connections. When TLS 1.3 is set as the minimum, older clients that do not support TLS 1.3 (old Android devices, legacy Java applications, outdated browsers, some corporate proxies) cannot establish connections. While TLS 1.3 is more secure, the transition must be managed carefully to avoid cutting off legitimate users.

Symptoms

  • Specific users or applications cannot access the site through Cloudflare
  • openssl s_client -connect site.com:443 -tls1_2 fails but -tls1_3 works
  • Error varies by client: SSL handshake failure, connection reset, or timeout
  • Site works for most users but fails for specific regions or corporate networks
  • Corporate proxy or firewall strips TLS 1.3 support, causing connection failures

Common Causes

  • Cloudflare SSL/TLS setting set to TLS 1.3 minimum in Edge Certificates
  • Client or intermediate proxy does not support TLS 1.3
  • Enterprise MITM proxy with outdated TLS stack
  • Old mobile devices (Android 4.x, iOS 9) lacking TLS 1.3 support
  • Load balancer or CDN in the client network terminating TLS with old version

Step-by-Step Fix

  1. Check the current minimum TLS version in Cloudflare:
     - In Cloudflare dashboard: SSL/TLS > Edge Certificates > Minimum TLS Version
     - Or via API (replace ZONE_ID and API_TOKEN with your zone ID and a token that has Zone Settings permissions):
```bash
curl -s "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/min_tls_version" \
  -H "Authorization: Bearer API_TOKEN"
```
  2. Identify which clients are affected:
```bash
# Check user agent analytics in Cloudflare
# Look for patterns: old Android versions, specific Java versions
# Check Cloudflare Analytics > Traffic for error patterns
```
  3. Lower the minimum TLS version temporarily:
     - In Cloudflare dashboard: SSL/TLS > Edge Certificates > Minimum TLS Version
     - Change from TLS 1.3 to TLS 1.2
     - This allows both TLS 1.2 and 1.3 clients to connect
  4. Via API, set the minimum TLS version:
```bash
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/min_tls_version" \
  -H "Authorization: Bearer API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"value":"1.2"}'
```
  5. Test client compatibility across TLS versions (each command pins the handshake to a single version, so a failure means the edge rejected that version):
```bash
# Test TLS 1.2
openssl s_client -connect site.com:443 -tls1_2 </dev/null 2>&1 | grep "Protocol"
# Test TLS 1.3
openssl s_client -connect site.com:443 -tls1_3 </dev/null 2>&1 | grep "Protocol"
```
  6. For clients that must use TLS 1.3, upgrade their TLS stack:
```bash
# Java 11+ supports TLS 1.3 natively
# For Java 8, update to the latest patch version
# OpenSSL 1.1.1+ required for TLS 1.3
openssl version
```
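As an added example that is not part of the original article, the following Python script makes the analytics check in step 2 and the version test in step 5 repeatable: it computes how much traffic a candidate minimum version would lock out, given a per-version connection count read off Cloudflare analytics, and probes an edge with TLS 1.2 and 1.3 each pinned as the only allowed version. The distribution numbers are constructed sample data; the function names and the 1% acceptable-loss threshold are assumptions.

```python
"""Impact check before raising Cloudflare's minimum TLS version (added example)."""
import socket
import ssl
from typing import Dict

# Oldest to newest; enforcing a minimum of X locks out every version before X.
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample: connections per TLS version, as you would read them off analytics.
SAMPLE_DISTRIBUTION = {"TLSv1.0": 15, "TLSv1.1": 5, "TLSv1.2": 2980, "TLSv1.3": 7000}


def locked_out(distribution: Dict[str, int], minimum: str) -> float:
    """Percentage of connections that would fail if `minimum` were enforced."""
    total = sum(distribution.values())
    if total == 0:
        return 0.0
    cutoff = TLS_ORDER.index(minimum)
    dropped = sum(n for v, n in distribution.items() if TLS_ORDER.index(v) < cutoff)
    return 100.0 * dropped / total


def safe_minimum(distribution: Dict[str, int], max_loss_percent: float = 1.0) -> str:
    """Highest minimum version whose locked-out share stays within the (assumed) threshold."""
    choice = TLS_ORDER[0]
    for version in TLS_ORDER:
        if locked_out(distribution, version) <= max_loss_percent:
            choice = version
    return choice


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, bool]:
    """Handshake with one version pinned as both min and max, like openssl -tls1_2 / -tls1_3."""
    results = {}
    for name, version in (("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI is required by Cloudflare
                    results[name] = tls.version() == name
        except OSError:  # ssl.SSLError (handshake failure), connection reset, or timeout
            results[name] = False
    return results


if __name__ == "__main__":
    for version in TLS_ORDER[2:]:
        print(f"minimum {version}: {locked_out(SAMPLE_DISTRIBUTION, version):.1f}% locked out")
    print("recommended minimum:", safe_minimum(SAMPLE_DISTRIBUTION))
```

Call probe("your-hostname") against the zone's own hostname to run the network check; with the sample numbers, enforcing TLS 1.3 would lock out 30% of connections while TLS 1.2 loses 0.2%.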

Prevention

  • Set minimum TLS version to TLS 1.2 as a balance of security and compatibility
  • Monitor Cloudflare analytics for TLS version distribution before enforcing TLS 1.3
  • Gradually increase minimum TLS version as your user base upgrades
  • Use Cloudflare's browser isolation for legacy clients that cannot support modern TLS
  • Document the TLS requirements for all services that connect through Cloudflare