SSL/TLS

TLS configuration affects both security and performance. Misconfiguration can add redirects, increase handshake time, or (worst case) cause downtime. This page focuses on safe settings that improve connection setup time and avoid common Cloudflare-origin mistakes.

Cloudflare SSL Mode

Use Full (Strict):

  • Edge -> visitor is HTTPS
  • Edge -> origin is HTTPS with a certificate the edge can validate (trusted issuer, matching hostname, not expired)

Avoid Flexible: it terminates TLS at the Cloudflare edge and carries edge -> origin traffic over plain HTTP, so that hop is unencrypted, and an origin that redirects HTTP to HTTPS will produce a redirect loop.

TLS Versions

Prefer:

  • Minimum TLS version: 1.2 (TLS 1.0 and 1.1 are deprecated)
  • TLS 1.3: enabled (one round trip for the full handshake instead of two)

OCSP Stapling (Origin)

OCSP stapling reduces certificate revocation check latency: the server fetches and caches the CA's OCSP response and sends it inside the TLS handshake, so the client does not have to make a separate request to the OCSP responder.

nginx-ocsp.conf
# Staple the CA's OCSP response into the TLS handshake
ssl_stapling on;
# Verify the stapled response before serving it; nginx needs the issuer and
# root certificates configured as trusted (ssl_trusted_certificate) for this check
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;  # placeholder path: issuer + root chain
# Resolver used to reach the OCSP responder; cache lookups for 5 minutes
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

HSTS (Use With Caution)

HSTS can eliminate HTTP->HTTPS redirects for returning visitors, but it is a commitment: browsers cache the policy for the full max-age and refuse plain HTTP to the host until it expires, so a later HTTPS breakage cannot be worked around by falling back to HTTP.

caution

Only enable HSTS when you are confident HTTPS will remain valid for all subdomains and assets.

Verification (curl)

Measure DNS/TLS/TTFB:

curl-tls-timing.sh
#!/bin/sh
# Every %{time_*} value is measured from the start of the request (cumulative),
# so the cost of a single phase is the difference between neighbouring values.
curl -w "DNS: %{time_namelookup}s\nTLS: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n" \
  -o /dev/null -s https://example.com
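As an added example (not one of this page's snippets), a script that turns curl's cumulative timings into per-phase costs and parses a Strict-Transport-Security header to show how long a policy would stay cached before you commit to HSTS. It assumes POSIX sh with awk and curl; the sample timings and header value are constructed, and the host name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: post-process curl timings and
# inspect an HSTS header. Assumes POSIX sh, awk and curl.

# curl's time_* values are all measured from the start of the request, so
# the cost of one phase is the difference between neighbouring values.
# Args: time_namelookup time_connect time_appconnect time_starttransfer
tls_timing_breakdown() {
  awk -v dns="$1" -v tcp="$2" -v tls="$3" -v ttfb="$4" 'BEGIN {
    printf "dns=%.3f tcp=%.3f tls=%.3f ttfb=%.3f\n",
           dns, tcp - dns, tls - tcp, ttfb - tls
  }'
}

# Measure one HTTPS URL (adds %{time_connect} to the page's format so the
# TCP and TLS phases can be separated) and print the per-phase breakdown.
measure_tls() {
  curl -o /dev/null -s \
    -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer}\n' \
    "$1" | { read -r a b c d; tls_timing_breakdown "$a" "$b" "$c" "$d"; }
}

# Parse a Strict-Transport-Security header value. Browsers cache the policy
# for max-age seconds, so "days" is how long a broken HTTPS setup would keep
# the site unreachable for returning visitors.
# Output: max_age=<s> days=<d> subdomains=<yes|no> preload=<yes|no>
hsts_policy() {
  printf '%s' "$1" | awk -F';' '{
    age = 0; subd = "no"; pre = "no"
    for (i = 1; i <= NF; i++) {
      f = $i; gsub(/^[ \t]+|[ \t]+$/, "", f); lf = tolower(f)
      if (lf ~ /^max-age=/)               age  = substr(f, 9) + 0
      else if (lf == "includesubdomains") subd = "yes"
      else if (lf == "preload")           pre  = "yes"
    }
    printf "max_age=%d days=%.1f subdomains=%s preload=%s\n", age, age / 86400, subd, pre
  }'
}

# Fetch the live header from a URL and parse it (no output = no HSTS header).
check_hsts() {
  hdr=$(curl -sI "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1) == "strict-transport-security" {print $2}')
  [ -n "$hdr" ] && hsts_policy "$hdr"
}

# Constructed sample values (not a real measurement): exercise both helpers offline.
tls_timing_breakdown 0.012 0.030 0.085 0.140
hsts_policy 'max-age=31536000; includeSubDomains; preload'
# Live use: measure_tls https://example.com ; check_hsts https://example.com
```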