--- title: "SSL Protocols and Cipher Suites" description: "Learn how Sentry's SaaS product uses SSL protocols and cipher suites for security and compatibility." url: https://docs.sentry.io/security-legal-pii/security/ssl/ --- # SSL Protocols and Cipher Suites ##### Note The contents of this page apply only to Sentry's SaaS product. It **does not** apply to self-hosted or single tenant. Sentry's API, dashboard, and event submission require a minimum TLS version of 1.2 to communicate securely. Sentry provides a suite of protocols and cipher suites that focus on giving our users a balance of security and compatibility. Our servers will negotiate the most secure cipher suite the client can support in the preferential order specified below. The set of cipher suites depends on the endpoint and negotiated TLS version. ### [sentry.io and \*.ingest.sentry.io](https://docs.sentry.io/security-legal-pii/security/ssl.md#sentryio-and-ingestsentryio) TLS versions 1.2 and 1.3 are supported for both Sentry's API, dashboard, and legacy event submission (via `sentry.io`), and for event ingestion domains (via `*.ingest.sentry.io`). Supported cipher suites: #### [TLS 1.3](https://docs.sentry.io/security-legal-pii/security/ssl.md#tls-13) * TLS\_AES\_128\_GCM\_SHA256 * TLS\_AES\_256\_GCM\_SHA384 * TLS\_CHACHA20\_POLY1305\_SHA256 #### [TLS 1.2](https://docs.sentry.io/security-legal-pii/security/ssl.md#tls-12) * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA * TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA * TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA * TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA This suite of protocols and cipher suites represents Sentry's official support; however, clients may negotiate individual cipher suites that exceed the strength ratings of those listed above. ## [Certificate Pinning](https://docs.sentry.io/security-legal-pii/security/ssl.md#certificate-pinning) At the moment, all Sentry TLS certificates use either Digicert or Let's Encrypt as certificate authorities. If this list of roots needs to be changed, we will publish an announcement on [status.sentry.io](https://status.sentry.io/). Here are corresponding root CA certificates if you would like to pin them in your applications: * [Digicert](https://www.digicert.com/kb/digicert-root-certificates.htm) ```bash DigiCert Global Root CA Valid until: 10/Nov/2031 Serial Number: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A SHA1 Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 SHA256 Fingerprint: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61 DigiCert Global Root G2 Valid until: 15/Jan/2038 Serial Number: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5 SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F ``` * [Let's Encrypt](https://letsencrypt.org/certificates/) ```bash ISRG Root X1 Valid until: 04/Jun/2035 Serial Number: 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 SHA1 Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8 SHA256 Fingerprint: 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6 ISRG Root X2 Valid until: 17/Sep/2040 Serial Number: 41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52 SHA1 Fingerprint: BD:B1:B9:3C:D5:97:8D:45:C6:26:14:55:F8:DB:95:C7:5A:D1:53:AF SHA256 Fingerprint: 69:72:9B:8E:15:A8:6E:FC:17:7A:57:AF:B7:17:1D:FC:64:AD:D2:8C:2F:CA:8C:F1:50:7E:34:45:3C:CB:14:70 ```