--- title: "SSL Protocols and Ciphers" description: "Learn how Sentry's SaaS product uses SSL Protocols and Ciphers for security and compatibility." url: https://docs.sentry.io/security-legal-pii/security/ssl/ --- # SSL Protocols and Ciphers ##### Note The contents of this page apply only to Sentry's SaaS product. It **does not** apply to self-hosted or single tenant. Sentry's API, dashboard, and event submission require a minimum TLS version of 1.2 to communicate securely. Sentry provides a suite of protocols and ciphers that focus on giving our users a balance of security and compatibility. Our servers will negotiate a cipher to the most secure combination the client can support in the preferential order specified below. The set of ciphers depends on the endpoint and negotiated TLS version. ### [sentry.io and \*.ingest.sentry.io](https://docs.sentry.io/security-legal-pii/security/ssl.md#sentryio-and-ingestsentryio) TLS versions 1.2 and 1.3 are supported for both Sentry's API, dashboard, and legacy event submission (via `sentry.io`), and for event ingestion domains (via `*.ingest.sentry.io`). Supported ciphers: #### [TLS 1.3](https://docs.sentry.io/security-legal-pii/security/ssl.md#tls-13) * TLS\_AES\_128\_GCM\_SHA256 * TLS\_AES\_256\_GCM\_SHA384 * TLS\_CHACHA20\_POLY1305\_SHA256 #### [TLS 1.2](https://docs.sentry.io/security-legal-pii/security/ssl.md#tls-12) * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA * TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA * TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA * TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA This suite of protocols and ciphers represents Sentry's official support; however, clients may experience an agreement on individual ciphers that exceed the strength ratings of those listed above. ## [Certificate Pinning](https://docs.sentry.io/security-legal-pii/security/ssl.md#certificate-pinning) At the moment, all Sentry TLS certificates use either Digicert or Let's Encrypt as certificate authorities. If this list of roots needs to be changed, we will publish an announcement on [status.sentry.io](https://status.sentry.io/). Here are corresponding root CA certificates if you would like to pin them in your applications: * [Digicert](https://www.digicert.com/kb/digicert-root-certificates.htm) ```bash DigiCert Global Root CA Valid until: 10/Nov/2031 Serial Number: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A SHA1 Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 SHA256 Fingerprint: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61 DigiCert Global Root G2 Valid until: 15/Jan/2038 Serial Number: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5 SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F ``` * [Let's Encrypt](https://letsencrypt.org/certificates/) ```bash ISRG Root X1 Valid until: 04/Jun/2035 Serial Number: 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 SHA1 Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8 SHA256 Fingerprint: 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6 ISRG Root X2 Valid until: 17/Sep/2040 Serial Number: 41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52 SHA1 Fingerprint: BD:B1:B9:3C:D5:97:8D:45:C6:26:14:55:F8:DB:95:C7:5A:D1:53:AF SHA256 Fingerprint: 69:72:9B:8E:15:A8:6E:FC:17:7A:57:AF:B7:17:1D:FC:64:AD:D2:8C:2F:CA:8C:F1:50:7E:34:45:3C:CB:14:70 ```