Supported TLS cipher suites

Hey there!

This isn’t well documented for our platform.

We support a smaller set of cipher suites because we’re using rustls as part of our custom Rust-based proxy.

Most CDNs or load balancers use OpenSSL, LibreSSL or BoringSSL. They have much bigger support for cipher suites from previous TLS versions or even newer versions.

We only support TLSv1.2 and TLSv1.3 with strong ciphers.

Here’s the list of cipher suites we support:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384

As far as our testing goes, this gives us wide and secure coverage. We do not support very old browsers though.

You can see which clients we support by looking at these test results.

Hope this helps!

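To check a client against the list in the post above, here is an added example (not part of the original post and not the platform's own code). It translates the listed IANA names to the names OpenSSL uses and reports which suites a client shares with the list; the two sample client offers are constructed for illustration.

```python
import ssl

# Cipher suites listed in the post above (IANA names).
SUPPORTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

def openssl_name(iana):
    """Translate one of the IANA names above to the name OpenSSL reports."""
    if "_WITH_" not in iana:            # TLS 1.3 suites keep their IANA name
        return iana
    name = iana[len("TLS_"):].replace("_WITH_", "_")
    name = name.replace("AES_128", "AES128").replace("AES_256", "AES256")
    name = name.replace("_", "-")
    if "CHACHA20-POLY1305" in name:     # OpenSSL omits the hash suffix here
        name = name.rsplit("-", 1)[0]
    return name

SUPPORTED_OPENSSL = [openssl_name(s) for s in SUPPORTED]

def shared_suites(client_offer):
    """Suites in client_offer (OpenSSL names) that the list accepts, in client order."""
    allowed = set(SUPPORTED_OPENSSL)
    return [c for c in client_offer if c in allowed]

def local_client_overlap():
    """Suites this Python/OpenSSL build offers by default that the list accepts."""
    ctx = ssl.create_default_context()
    return shared_suites([c["name"] for c in ctx.get_ciphers()])

# Constructed sample offers: an old CBC/3DES-only client and a current one.
LEGACY_OFFER = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA"]
MODERN_OFFER = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES128-SHA"]

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_OFFER), ("modern", MODERN_OFFER)):
        common = shared_suites(offer)
        print(label, "->", common if common else "no shared suite, handshake fails")
    print("local OpenSSL overlap:", local_client_overlap())
```

An empty result for a client means it has no suite in common with the list, so the TLS handshake cannot complete.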