TLS (SSL) Versions and Ciphers

Auth0’s network edge allows only a secure set of SSL/TLS version and cipher suite combinations. When you connect to Auth0 services through a reverse proxy with self-managed certificates, you must use a supported TLS version and cipher suite. During the TLS handshake, the client and server agree on the TLS version and cipher suite to use. If you are not using a supported version, a failure could occur.

Supported Versions

If you are using self-managed certificates in your custom domain, they must be compatible with one of the TLS versions and ciphers listed below. For security purposes, a protocol or cipher could be removed from support without notice.

We recommend using TLS version 1.2 or above. TLS 1.0 and 1.1 will be reaching End of Life in March 2021.

TLS 1.3 Supported Ciphers

AEAD-AES128-GCM-SHA256
AEAD-AES256-GCM-SHA384
AEAD-CHACHA20-POLY1305-SHA256

TLS 1.2 Supported Ciphers

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA

TLS 1.1 Supported Ciphers - Support to be removed in March 2021

ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-SHA
ECDHE-RSA-AES256-SHA
AES256-SHA
DES-CBC3-SHA

TLS 1.0 Supported Ciphers - Support to be removed in March 2021

ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-SHA
ECDHE-RSA-AES256-SHA
AES256-SHA
DES-CBC3-SHA
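
One way to check a reverse proxy's settings against the lists above. This is an added example, not Auth0 code: the `audit` function, the nginx-style input strings (`ssl_protocols` and `ssl_ciphers` values) and the mapping from OpenSSL's TLS 1.3 suite names to the AEAD-* spellings used on this page are assumptions.

```python
# Cipher lists are copied from this page; everything else is illustrative.
TLS13 = {"AEAD-AES128-GCM-SHA256", "AEAD-AES256-GCM-SHA384",
         "AEAD-CHACHA20-POLY1305-SHA256"}
TLS12 = set("""
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
""".split())
LEGACY = {"ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA",
          "ECDHE-RSA-AES256-SHA", "AES256-SHA", "DES-CBC3-SHA"}
SUPPORTED = {"TLSv1.3": TLS13, "TLSv1.2": TLS12,
             "TLSv1.1": LEGACY, "TLSv1": LEGACY}
RETIRING = {"TLSv1.1", "TLSv1"}  # page: support to be removed in March 2021
# Assumption: OpenSSL's TLS 1.3 suite names map to the page's AEAD-* spellings.
ALIASES = {"TLS_AES_128_GCM_SHA256": "AEAD-AES128-GCM-SHA256",
           "TLS_AES_256_GCM_SHA384": "AEAD-AES256-GCM-SHA384",
           "TLS_CHACHA20_POLY1305_SHA256": "AEAD-CHACHA20-POLY1305-SHA256"}


def audit(protocols, cipher_string):
    """Compare space-separated protocols and a colon-separated cipher
    string with the lists on this page."""
    offered = [ALIASES.get(c, c) for c in cipher_string.split(":") if c]
    usable = {}
    for proto in protocols.split():
        allowed = SUPPORTED.get(proto, set())
        usable[proto] = [c for c in offered if c in allowed]
    known = TLS13 | TLS12 | LEGACY
    return {
        "usable": usable,
        "not_listed": [c for c in offered if c not in known],
        # True only if a handshake is still possible without TLS 1.0/1.1.
        "survives_removal": any(v for p, v in usable.items()
                                if p not in RETIRING),
    }


# Constructed sample configurations (not from the page).
legacy_proxy = audit("TLSv1 TLSv1.1", "DES-CBC3-SHA:AES128-SHA:RC4-SHA")
modern_proxy = audit("TLSv1.2 TLSv1.3", "ECDHE-RSA-AES128-GCM-SHA256:"
                     "TLS_AES_256_GCM_SHA384:DHE-RSA-AES128-SHA")
if __name__ == "__main__":
    print(legacy_proxy)
    print(modern_proxy)
```

A configuration whose `survives_removal` value is false depends entirely on TLS 1.0 or 1.1 and needs a TLS 1.2 or 1.3 suite from the lists above enabled.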

TLS RFCs

TLS 1.0

TLS 1.1

TLS 1.2

TLS 1.3

TLS Parameters

To learn more, read Transport Layer Security (TLS) Parameters, the Internet Assigned Numbers Authority (IANA) list of registered parameters, including ciphers.
