> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Check supported TLS versions and ciphers if you are using a reverse proxy configured for use with self-managed certificates

# TLS (SSL) Versions and Ciphers

<Card title="Before you start">
  Auth0's network edge requires a Server Name Indication (SNI) to be set on all requests. Most clients set SNI by default; if your web client does not, consult your web client documentation to determine how to manually set an SNI.
</Card>

Auth0’s network edge has a secure set of allowed SSL/TLS version/cipher suite combinations. When connecting to Auth0 services using a reverse proxy with self-managed certificates, you **must** use a supported TLS version and cipher suite. During the TLS handshake, communication between the server and client specifies the TLS version and cipher suite. If you are not using a supported version, a failure could occur.

## Supported Versions

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you are using self-managed certificates in your custom domain, they must be compatible with one of the below TLS versions and ciphers. For security purposes, a protocol or cipher could be removed from support without notice.
</Callout>

Auth0 requires using TLS version 1.2 or 1.3 with the supported ciphers.

#### TLS 1.3 Supported Ciphers

TLS\_AES\_128\_GCM\_SHA256
TLS\_AES\_256\_GCM\_SHA384
TLS\_CHACHA20\_POLY1305\_SHA256

#### TLS 1.2 Supported Ciphers

TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256
TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384
TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256
TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256

#### TLS RFCs

[TLS 1.2](https://tools.ietf.org/html/rfc5246)

[TLS 1.3](https://tools.ietf.org/html/rfc8446)

#### TLS Parameters

To learn more, read [Transport Layer Security (TLS) Parameters](https://www.iana.org/assignments/tls-parameters) for the Internet Assigned Numbers Authority (IANA) list of registered parameters including ciphers.

## Deprecated versions

<Warning>
  Although they remain available in some environments, the following TLS 1.2 cipher suites are deprecated and will reach end-of-support in June 2026. To learn more, read [Weak TLS 1.2 Cipher Suites](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations#weak-tls-1-2-cipher-suites).
</Warning>

TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA
TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA
TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256
TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384
TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA
TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA
TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384
TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA
TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA
TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256
TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256

## Learn more

* [Configure Cloudflare as Reverse Proxy](/docs/customize/custom-domains/self-managed-certificates/configure-cloudflare-for-use-as-reverse-proxy)