Before you start

Auth0’s network edge requires a Server Name Indication (SNI) to be set on all requests. Most clients set SNI by default; if your web client does not, consult your web client documentation to determine how to manually set an SNI.
Auth0’s network edge has a secure set of allowed SSL/TLS version/cipher suite combinations. When connecting to Auth0 services using a reverse proxy with self-managed certificates, you must use a supported TLS version and cipher suite. During the TLS handshake, communication between the server and client specifies the TLS version and cipher suite. If you are not using a supported version, a failure could occur.

Supported Versions

If you are using self-managed certificates in your custom domain, they must be compatible with one of the below TLS versions and ciphers. For security purposes, a protocol or cipher could be removed from support without notice.
Auth requires using TLS version 1.2 or 1.3 with the supported ciphers.

TLS 1.3 Supported Ciphers

AEAD-AES128-GCM-SHA256
AEAD-AES256-GCM-SHA384
AEAD-CHACHA20-POLY1305-SHA256

TLS 1.2 Supported Ciphers

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA

TLS RFCs

TLS 1.2 TLS 1.3

TLS Parameters

To learn more, read Transport Layer Security (TLS) Parameters for the Internet Assigned Numbers Authority (IANA) list of registered parameters including ciphers.

Learn more