Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Minimum TLS Version

Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer.

For example, if TLS 1.1 is selected, visitors attempting to connect with TLS 1.0 will be rejected. Visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed to connect.

​​ Availability

Free Pro Business Enterprise


Yes Yes Yes Yes

​​ Setup

​​ Zone-level

To manage the TLS version applied to your whole zone when proxied through Cloudflare:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For Minimum TLS Version, select an option.

Use the Change Minimum TLS Version setting endpoint, specifying your preferred minimum version in the value parameter.

​​ Per-hostname

Advanced Certificate Manager users also have the option to specify minimum TLS versions per specific hostnames in their Cloudflare zone.

This is currently only available via the API:

Cloudflare uses the hostname priority logic to determine which setting to apply.

​​ Test supported TLS versions

To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.

For example, use a curl command to test TLS 1.1 (replace with your Cloudflare domain and hostname):

$ curl -svo /dev/null --tls-max 1.1

If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and returns an error:

* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert