SSL Protocols and Ciphers
Learn how Sentry's SaaS product uses SSL Protocols and Ciphers for security and compatibility.
Note
The contents of this page apply only to Sentry's SaaS product. It does not apply to self-hosted or single tenant.
Sentry's API, dashboard, and event submission require a minimum TLS version of 1.2 to communicate securely.
Sentry provides a suite of protocols and ciphers that focus on giving our users a balance of security and compatibility. Our servers will negotiate a cipher to the most secure combination the client can support in the preferential order specified below. The set of ciphers depends on the endpoint and negotiated TLS version.
TLS versions 1.2 and 1.3 are supported for both Sentry's API, dashboard, and legacy event submission (via sentry.io), and for event ingestion domains (via *.ingest.sentry.io).
Supported ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
This suite of protocols and ciphers represents Sentry's official support; however, clients may experience an agreement on individual ciphers that exceed the strength ratings of those listed above.
Note
Starting on 2025-07-21, the following domains with certificates previously issued by DigiCert will be transitioned to being issued by Let's Encrypt:
sentry.iode.sentry.ious.sentry.io*.ingest.sentry.io*.ingest.us.sentry.io*.ingest.de.sentry.io
At the moment, all Sentry TLS certificates use either Digicert or Let's Encrypt as certificate authorities. If this list of roots needs to be changed, we will publish an announcement on status.sentry.io.
Here are corresponding root CA certificates if you would like to pin them in your applications:
DigiCert Global Root CA
Valid until: 10/Nov/2031
Serial Number: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
SHA1 Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256 Fingerprint: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61
DigiCert Global Root G2
Valid until: 15/Jan/2038
Serial Number: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
ISRG Root X1
Valid until: 04/Jun/2035
Serial Number: 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
SHA1 Fingerprint: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
SHA256 Fingerprint: 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
ISRG Root X2
Valid until: 17/Sep/2040
Serial Number: 41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52
SHA1 Fingerprint: BD:B1:B9:3C:D5:97:8D:45:C6:26:14:55:F8:DB:95:C7:5A:D1:53:AF
SHA256 Fingerprint: 69:72:9B:8E:15:A8:6E:FC:17:7A:57:AF:B7:17:1D:FC:64:AD:D2:8C:2F:CA:8C:F1:50:7E:34:45:3C:CB:14:70
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").