128 bit encryption vs. 256 bit encryption depends on the the cipher suite that is negotiated for the specific connection. The list of those defined as part of TLS 1.1 is in RFC 4346 Appendix A.5 (http://tools.ietf.org/html/rfc4346#appendix-A.5).
For example TLS_RSA_WITH_AES_128_CBC_SHA will use a 128-bit key, whereas TLS_DHE_RSA_WITH_AES_256_CBC_SHA will use a 256-bit key.
Which cipher suite is negotiated will depend on the client/browser configuration and the server configuration. It is not related to the certificate installed on the server or in place at CloudFlare. When the client/browser initiates the connection with a Client Hello message, it sends a list of cipher suites it supports. The server then picks the one it wants and says so in its Server Hello message.
CloudFlare currently prefers to negotiate a connection using AES128, so it's very unlikely for a client/browser to negotiate and use AES256 when talking to our service. To negotiate and use AES256 you'd specifically need to force a 256 bit cipher suite from your client/browser side. Our preference to use AES128 may change in the future, but this isn't likely to change in the immediate future.
CloudFlare's ordered preference list is:
Article is closed for comments.