Check supported TLS versions and ciphers if you are using a reverse proxy configured for use with self-managed certificates
Before you start
Auth0’s network edge requires a Server Name Indication (SNI) to be set on all requests. Most clients set SNI by default; if your web client does not, consult your web client documentation to determine how to manually set an SNI.
Auth0’s network edge has a secure set of allowed SSL/TLS version/cipher suite combinations. When connecting to Auth0 services using a reverse proxy with self-managed certificates, you must use a supported TLS version and cipher suite. During the TLS handshake, communication between the server and client specifies the TLS version and cipher suite. If you are not using a supported version, a failure could occur.
If you are using self-managed certificates in your custom domain, they must be compatible with one of the below TLS versions and ciphers. For security purposes, a protocol or cipher could be removed from support without notice.
Auth0 requires using TLS version 1.2 or 1.3 with the supported ciphers.
Although they remain available in some environments, the following TLS 1.2 cipher suites are deprecated and will reach end-of-support in June 2026. To learn more, read Weak TLS 1.2 Cipher Suites.
