Checklist
Introduction
This guide will walk you through disabling TLS versions 1.0 and 1.1.
Both of these versions of TLS are deprecated, and it's generally recommended that you disable them for added security.
Luckily it's incredibly easy to disable these insecure versions of TLS when you're using Cloudflare Tunnels, and it should only take us a few minutes.
Check Your TLS Versions
The first thing we're going to do is check to see which TLS versions are currently enabled. To do this, we're going to use the SSL Labs Server Test. Visit the site, enter your URL, and then click Submit.
Once the scan of your site has finished, scroll down to the Configuration -> Protocols section. Here you'll see a list of the TLS versions that are currently enabled. If you see TLS 1.0 or TLS 1.1 enabled, you'll want to proceed with the rest of this guide.
If TLS 1.0 and 101 are not enabled, you can skip the rest of this guide, you're already set!
Disable Insecure TLS Versions
Login to your Cloudflare account, or if you're already logged in, click on Account Home, and then click on your domain.
After your domain's overview page loads, click on SSL/TLS in the left-hand menu, and then click on Edge Certificates.
Scroll down the page until you see the section titled Minimum TLS Version. Click on the dropdown menu, and then select TLS 1.2.
That's it! TLS version 1.2 will now be the minimum used when Cloudflare serves up your content.
Re-Check Your TLS Versions
To make sure this change is working, we're going to run another scan using the SSL Labs Server Test. Visit the site, enter your URL, and then click Submit.
Once the scan of your site has finished, scroll back down to the Configuration -> Protocols section and confirm that TLS 1.0 and 1.1 are no longer enabled.
If you're still seeing TLS 1.0 or 1.1 enabled, it's possible you may be seeing your original scan results. At the top of your scan results page, click on Clear cache to force a full rescan of your site.
