[{"data":1,"prerenderedAt":2078},["ShallowReactive",2],{"content-query-kybquSlpTu":3,"content-query-yP1cWMns5L":1907,"content-query-eJ9XWy0CGH":1911,"content-query-W4RtfFQaoh":1924,"content-query-M5aWdXgQKx":1949,"content-query-j8GGVgf9na":1956,"content-query-9giMhwHrGj":1969,"content-query-G03kJtQzJS":1976,"content-query-No6iPTj4EO":1995,"content-query-7VgBfxLOWV":2005,"content-query-zRSmsuVl55":2027,"content-query-MsdmgXewTK":2031,"content-query-UP87PRcOMw":2038,"content-query-BMhIInEJl2":2042},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"intro":10,"type":11,"layout":12,"level":13,"section":5,"order":14,"tags":15,"body":22,"_type":1900,"_id":1901,"_source":1902,"_file":1903,"_stem":1904,"_extension":1905,"sitemap":1906},"/docs/webhooks/tls-ssl-errors","webhooks",false,"","Fix TLS/SSL handshake errors: unsupported protocol, wrong version number, handshake failure","A reference for the most common TLS/SSL handshake errors — sslv3 alert handshake failure, tlsv1 alert protocol version, unsupported protocol, wrong version number, ERR_SSL_VERSION_OR_CIPHER_MISMATCH, certificate verify failed and more — what each one means, and how Webhook Relay's per-input TLS compatibility and per-output TLS verification bridge modern and legacy endpoints.","Most TLS errors come down to one thing: the two sides couldn't agree on a protocol version, cipher or certificate. This page lists the exact error strings curl, OpenSSL, Python, Node.js, Java, Go and browsers print — what each means, and how Webhook Relay accepts legacy senders and delivers across the gap.","tutorial","doc","Intermediate",11,[16,17,18,19,20,21],"TLS","SSL","Handshake","Troubleshooting","Legacy TLS","Webhooks",{"type":23,"children":24,"toc":1869},"root",[25,41,61,82,89,246,256,261,335,345,385,395,415,485,494,503,513,525,539,548,557,567,579,616,625,658,683,695,700,746,763,802,814,860,877,894,905,910,997,1006,1015,1027,1041,1050,1059,1071,1094,1127,1144,1165,1177,1321,1330,1345,1351,1370,1377,1396,1408,1479,1488,1493,1550,1556,1594,1602,1607,1613,1621,1667,1675,1710,1716,1722,1748,1754,1773,1779,1797,1803,1820,1826,1863],{"type":26,"tag":27,"props":28,"children":29},"element","p",{},[30,33,39],{"type":31,"value":32},"text","Almost every TLS/SSL handshake error means the same thing underneath: ",{"type":26,"tag":34,"props":35,"children":36},"strong",{},[37],{"type":31,"value":38},"the client and the server could not agree on a protocol version or cipher suite",{"type":31,"value":40},". One side offered only modern TLS 1.2/1.3; the other offered only legacy TLS 1.0/1.1 (or a weak cipher) — and there was no overlap, so the handshake was aborted.",{"type":26,"tag":27,"props":42,"children":43},{},[44,46,52,54,59],{"type":31,"value":45},"This happens constantly when webhooks cross a boundary between ",{"type":26,"tag":47,"props":48,"children":49},"em",{},[50],{"type":31,"value":51},"modern",{"type":31,"value":53}," and ",{"type":26,"tag":47,"props":55,"children":56},{},[57],{"type":31,"value":58},"legacy",{"type":31,"value":60}," infrastructure: a new SaaS sender that speaks only TLS 1.3 trying to reach an old on-prem appliance, or a hardened endpoint that has disabled TLS 1.0/1.1 rejecting an older client that can't go higher.",{"type":26,"tag":27,"props":62,"children":63},{},[64,66,71,73,80],{"type":31,"value":65},"This page is a reference for the ",{"type":26,"tag":34,"props":67,"children":68},{},[69],{"type":31,"value":70},"exact error strings",{"type":31,"value":72}," different tools print, what each one means, and how to fix it — including how ",{"type":26,"tag":74,"props":75,"children":77},"a",{"href":76},"#how-webhook-relay-bridges-the-gap",[78],{"type":31,"value":79},"Webhook Relay's TLS compatibility",{"type":31,"value":81}," lets a legacy sender deliver webhooks that a modern endpoint would refuse, and lets you deliver to destinations with non-standard certificates.",{"type":26,"tag":83,"props":84,"children":86},"h2",{"id":85},"quick-diagnosis",[87],{"type":31,"value":88},"Quick diagnosis",{"type":26,"tag":90,"props":91,"children":92},"table",{},[93,112],{"type":26,"tag":94,"props":95,"children":96},"thead",{},[97],{"type":26,"tag":98,"props":99,"children":100},"tr",{},[101,107],{"type":26,"tag":102,"props":103,"children":104},"th",{},[105],{"type":31,"value":106},"What you see",{"type":26,"tag":102,"props":108,"children":109},{},[110],{"type":31,"value":111},"What it usually means",{"type":26,"tag":113,"props":114,"children":115},"tbody",{},[116,150,174,191,215],{"type":26,"tag":98,"props":117,"children":118},{},[119,145],{"type":26,"tag":120,"props":121,"children":122},"td",{},[123,130,132,138,139],{"type":26,"tag":124,"props":125,"children":127},"code",{"className":126},[],[128],{"type":31,"value":129},"unsupported protocol",{"type":31,"value":131}," / ",{"type":26,"tag":124,"props":133,"children":135},{"className":134},[],[136],{"type":31,"value":137},"protocol_version",{"type":31,"value":131},{"type":26,"tag":124,"props":140,"children":142},{"className":141},[],[143],{"type":31,"value":144},"ERR_SSL_VERSION_OR_CIPHER_MISMATCH",{"type":26,"tag":120,"props":146,"children":147},{},[148],{"type":31,"value":149},"One side requires a TLS version the other has disabled (e.g. server only allows TLS 1.2+, client only offers TLS 1.0/1.1, or vice-versa).",{"type":26,"tag":98,"props":151,"children":152},{},[153,169],{"type":26,"tag":120,"props":154,"children":155},{},[156,162,163],{"type":26,"tag":124,"props":157,"children":159},{"className":158},[],[160],{"type":31,"value":161},"sslv3 alert handshake failure",{"type":31,"value":131},{"type":26,"tag":124,"props":164,"children":166},{"className":165},[],[167],{"type":31,"value":168},"handshake_failure",{"type":26,"tag":120,"props":170,"children":171},{},[172],{"type":31,"value":173},"No shared cipher suite, a missing client certificate, or a rejected protocol version.",{"type":26,"tag":98,"props":175,"children":176},{},[177,186],{"type":26,"tag":120,"props":178,"children":179},{},[180],{"type":26,"tag":124,"props":181,"children":183},{"className":182},[],[184],{"type":31,"value":185},"wrong version number",{"type":26,"tag":120,"props":187,"children":188},{},[189],{"type":31,"value":190},"One side is speaking plain HTTP to an HTTPS port (or TLS to a plaintext port) — often not a version problem at all.",{"type":26,"tag":98,"props":192,"children":193},{},[194,210],{"type":26,"tag":120,"props":195,"children":196},{},[197,203,204],{"type":26,"tag":124,"props":198,"children":200},{"className":199},[],[201],{"type":31,"value":202},"dh key too small",{"type":31,"value":131},{"type":26,"tag":124,"props":205,"children":207},{"className":206},[],[208],{"type":31,"value":209},"no cipher overlap",{"type":26,"tag":120,"props":211,"children":212},{},[213],{"type":31,"value":214},"The server's certificate or DH parameters use a cipher the modern client refuses.",{"type":26,"tag":98,"props":216,"children":217},{},[218,241],{"type":26,"tag":120,"props":219,"children":220},{},[221,227,228,234,235],{"type":26,"tag":124,"props":222,"children":224},{"className":223},[],[225],{"type":31,"value":226},"certificate verify failed",{"type":31,"value":131},{"type":26,"tag":124,"props":229,"children":231},{"className":230},[],[232],{"type":31,"value":233},"self-signed certificate",{"type":31,"value":131},{"type":26,"tag":124,"props":236,"children":238},{"className":237},[],[239],{"type":31,"value":240},"unable to verify the first certificate",{"type":26,"tag":120,"props":242,"children":243},{},[244],{"type":31,"value":245},"The version is fine, but the endpoint's certificate isn't trusted by a public CA (self-signed, internal CA, or incomplete chain).",{"type":26,"tag":83,"props":247,"children":249},{"id":248},"error0a000102ssl-routinesunsupported-protocol",[250],{"type":26,"tag":124,"props":251,"children":253},{"className":252},[],[254],{"type":31,"value":255},"error:0A000102:SSL routines::unsupported protocol",{"type":26,"tag":27,"props":257,"children":258},{},[259],{"type":31,"value":260},"The OpenSSL 3.x \"no common protocol version\" error. You'll also see it wrapped by curl and Node.js:",{"type":26,"tag":262,"props":263,"children":266},"pre",{"className":264,"code":265,"language":31,"meta":7,"style":7},"language-text shiki shiki-themes github-dark","curl: (35) error:0A000102:SSL routines::unsupported protocol\n\n# OpenSSL 1.1.x phrased it as:\nerror:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol\n\n# Node.js:\nError: write EPROTO ... error:0A000102:SSL routines::unsupported protocol\n",[267],{"type":26,"tag":124,"props":268,"children":269},{"__ignoreMap":7},[270,281,291,300,309,317,326],{"type":26,"tag":271,"props":272,"children":275},"span",{"class":273,"line":274},"line",1,[276],{"type":26,"tag":271,"props":277,"children":278},{},[279],{"type":31,"value":280},"curl: (35) error:0A000102:SSL routines::unsupported protocol\n",{"type":26,"tag":271,"props":282,"children":284},{"class":273,"line":283},2,[285],{"type":26,"tag":271,"props":286,"children":288},{"emptyLinePlaceholder":287},true,[289],{"type":31,"value":290},"\n",{"type":26,"tag":271,"props":292,"children":294},{"class":273,"line":293},3,[295],{"type":26,"tag":271,"props":296,"children":297},{},[298],{"type":31,"value":299},"# OpenSSL 1.1.x phrased it as:\n",{"type":26,"tag":271,"props":301,"children":303},{"class":273,"line":302},4,[304],{"type":26,"tag":271,"props":305,"children":306},{},[307],{"type":31,"value":308},"error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol\n",{"type":26,"tag":271,"props":310,"children":312},{"class":273,"line":311},5,[313],{"type":26,"tag":271,"props":314,"children":315},{"emptyLinePlaceholder":287},[316],{"type":31,"value":290},{"type":26,"tag":271,"props":318,"children":320},{"class":273,"line":319},6,[321],{"type":26,"tag":271,"props":322,"children":323},{},[324],{"type":31,"value":325},"# Node.js:\n",{"type":26,"tag":271,"props":327,"children":329},{"class":273,"line":328},7,[330],{"type":26,"tag":271,"props":331,"children":332},{},[333],{"type":31,"value":334},"Error: write EPROTO ... error:0A000102:SSL routines::unsupported protocol\n",{"type":26,"tag":27,"props":336,"children":337},{},[338,343],{"type":26,"tag":34,"props":339,"children":340},{},[341],{"type":31,"value":342},"What it means:",{"type":31,"value":344}," the client and server share no enabled TLS protocol version. The most common cause today is a modern client (OpenSSL 3, which disables TLS 1.0/1.1 by default) connecting to a server that only speaks those old versions.",{"type":26,"tag":27,"props":346,"children":347},{},[348,353,355,361,363,369,371,376,378,383],{"type":26,"tag":34,"props":349,"children":350},{},[351],{"type":31,"value":352},"Fix on your side:",{"type":31,"value":354}," upgrade the server to TLS 1.2/1.3, or — if you genuinely must talk to a legacy box — explicitly re-enable an older protocol on the client (",{"type":26,"tag":124,"props":356,"children":358},{"className":357},[],[359],{"type":31,"value":360},"curl --tlsv1.0",{"type":31,"value":362},", or an OpenSSL config with ",{"type":26,"tag":124,"props":364,"children":366},{"className":365},[],[367],{"type":31,"value":368},"MinProtocol = TLSv1",{"type":31,"value":370},"). If the legacy system is the one ",{"type":26,"tag":47,"props":372,"children":373},{},[374],{"type":31,"value":375},"sending",{"type":31,"value":377}," you webhooks, point it at a ",{"type":26,"tag":74,"props":379,"children":380},{"href":76},[381],{"type":31,"value":382},"Webhook Relay input with legacy TLS enabled",{"type":31,"value":384}," instead of lowering TLS on everything else.",{"type":26,"tag":83,"props":386,"children":388},{"id":387},"error14094410ssl-routinesssl3_read_bytessslv3-alert-handshake-failure",[389],{"type":26,"tag":124,"props":390,"children":392},{"className":391},[],[393],{"type":31,"value":394},"error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",{"type":26,"tag":27,"props":396,"children":397},{},[398,400,406,408,413],{"type":31,"value":399},"Despite the ",{"type":26,"tag":124,"props":401,"children":403},{"className":402},[],[404],{"type":31,"value":405},"sslv3",{"type":31,"value":407}," label, this rarely involves SSLv3 — it's a generic ",{"type":26,"tag":34,"props":409,"children":410},{},[411],{"type":31,"value":412},"handshake failure alert (alert number 40)",{"type":31,"value":414}," from the peer.",{"type":26,"tag":262,"props":416,"children":418},{"className":264,"code":417,"language":31,"meta":7,"style":7},"# OpenSSL / curl\ncurl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\n\n# Python\nssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)\n\n# OpenSSL 3.x\nerror:0A000410:SSL routines::sslv3 alert handshake failure\n",[419],{"type":26,"tag":124,"props":420,"children":421},{"__ignoreMap":7},[422,430,438,445,453,461,468,476],{"type":26,"tag":271,"props":423,"children":424},{"class":273,"line":274},[425],{"type":26,"tag":271,"props":426,"children":427},{},[428],{"type":31,"value":429},"# OpenSSL / curl\n",{"type":26,"tag":271,"props":431,"children":432},{"class":273,"line":283},[433],{"type":26,"tag":271,"props":434,"children":435},{},[436],{"type":31,"value":437},"curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\n",{"type":26,"tag":271,"props":439,"children":440},{"class":273,"line":293},[441],{"type":26,"tag":271,"props":442,"children":443},{"emptyLinePlaceholder":287},[444],{"type":31,"value":290},{"type":26,"tag":271,"props":446,"children":447},{"class":273,"line":302},[448],{"type":26,"tag":271,"props":449,"children":450},{},[451],{"type":31,"value":452},"# Python\n",{"type":26,"tag":271,"props":454,"children":455},{"class":273,"line":311},[456],{"type":26,"tag":271,"props":457,"children":458},{},[459],{"type":31,"value":460},"ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)\n",{"type":26,"tag":271,"props":462,"children":463},{"class":273,"line":319},[464],{"type":26,"tag":271,"props":465,"children":466},{"emptyLinePlaceholder":287},[467],{"type":31,"value":290},{"type":26,"tag":271,"props":469,"children":470},{"class":273,"line":328},[471],{"type":26,"tag":271,"props":472,"children":473},{},[474],{"type":31,"value":475},"# OpenSSL 3.x\n",{"type":26,"tag":271,"props":477,"children":479},{"class":273,"line":478},8,[480],{"type":26,"tag":271,"props":481,"children":482},{},[483],{"type":31,"value":484},"error:0A000410:SSL routines::sslv3 alert handshake failure\n",{"type":26,"tag":27,"props":486,"children":487},{},[488,492],{"type":26,"tag":34,"props":489,"children":490},{},[491],{"type":31,"value":342},{"type":31,"value":493}," the server rejected the handshake. Common causes are no shared cipher suite, the server requiring a client certificate you didn't present, or the server refusing the protocol version the client offered.",{"type":26,"tag":27,"props":495,"children":496},{},[497,501],{"type":26,"tag":34,"props":498,"children":499},{},[500],{"type":31,"value":352},{"type":31,"value":502}," confirm the client and server share at least one cipher suite and TLS version, and supply a client certificate if the endpoint requires mutual TLS.",{"type":26,"tag":83,"props":504,"children":506},{"id":505},"error1409442essl-routinesssl3_read_bytestlsv1-alert-protocol-version",[507],{"type":26,"tag":124,"props":508,"children":510},{"className":509},[],[511],{"type":31,"value":512},"error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version",{"type":26,"tag":27,"props":514,"children":515},{},[516,518,523],{"type":31,"value":517},"The peer sent a ",{"type":26,"tag":34,"props":519,"children":520},{},[521],{"type":31,"value":522},"protocol_version alert (alert number 70)",{"type":31,"value":524}," — it explicitly rejected the TLS version you offered.",{"type":26,"tag":262,"props":526,"children":528},{"className":264,"code":527,"language":31,"meta":7,"style":7},"curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version\n",[529],{"type":26,"tag":124,"props":530,"children":531},{"__ignoreMap":7},[532],{"type":26,"tag":271,"props":533,"children":534},{"class":273,"line":274},[535],{"type":26,"tag":271,"props":536,"children":537},{},[538],{"type":31,"value":527},{"type":26,"tag":27,"props":540,"children":541},{},[542,546],{"type":26,"tag":34,"props":543,"children":544},{},[545],{"type":31,"value":342},{"type":31,"value":547}," you offered a TLS version the other side has disabled. Typically an older client (TLS 1.0/1.1 only) hitting a server that now requires TLS 1.2+.",{"type":26,"tag":27,"props":549,"children":550},{},[551,555],{"type":26,"tag":34,"props":552,"children":553},{},[554],{"type":31,"value":352},{"type":31,"value":556}," upgrade the client's TLS library, or route the request through something that can negotiate the version the server expects.",{"type":26,"tag":83,"props":558,"children":560},{"id":559},"error1408f10bssl-routinesssl3_get_recordwrong-version-number",[561],{"type":26,"tag":124,"props":562,"children":564},{"className":563},[],[565],{"type":31,"value":566},"error:1408F10B:SSL routines:ssl3_get_record:wrong version number",{"type":26,"tag":27,"props":568,"children":569},{},[570,572,577],{"type":31,"value":571},"This one is a common red herring — it's usually ",{"type":26,"tag":34,"props":573,"children":574},{},[575],{"type":31,"value":576},"not",{"type":31,"value":578}," a TLS version mismatch.",{"type":26,"tag":262,"props":580,"children":582},{"className":264,"code":581,"language":31,"meta":7,"style":7},"curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number\n\n# OpenSSL 3.x\nerror:0A00010B:SSL routines::wrong version number\n",[583],{"type":26,"tag":124,"props":584,"children":585},{"__ignoreMap":7},[586,594,601,608],{"type":26,"tag":271,"props":587,"children":588},{"class":273,"line":274},[589],{"type":26,"tag":271,"props":590,"children":591},{},[592],{"type":31,"value":593},"curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number\n",{"type":26,"tag":271,"props":595,"children":596},{"class":273,"line":283},[597],{"type":26,"tag":271,"props":598,"children":599},{"emptyLinePlaceholder":287},[600],{"type":31,"value":290},{"type":26,"tag":271,"props":602,"children":603},{"class":273,"line":293},[604],{"type":26,"tag":271,"props":605,"children":606},{},[607],{"type":31,"value":475},{"type":26,"tag":271,"props":609,"children":610},{"class":273,"line":302},[611],{"type":26,"tag":271,"props":612,"children":613},{},[614],{"type":31,"value":615},"error:0A00010B:SSL routines::wrong version number\n",{"type":26,"tag":27,"props":617,"children":618},{},[619,623],{"type":26,"tag":34,"props":620,"children":621},{},[622],{"type":31,"value":342},{"type":31,"value":624}," the bytes received don't look like a TLS record at all. Almost always one of:",{"type":26,"tag":626,"props":627,"children":628},"ul",{},[629,648,653],{"type":26,"tag":630,"props":631,"children":632},"li",{},[633,635,646],{"type":31,"value":634},"You sent ",{"type":26,"tag":34,"props":636,"children":637},{},[638,644],{"type":26,"tag":124,"props":639,"children":641},{"className":640},[],[642],{"type":31,"value":643},"https://",{"type":31,"value":645}," to a port that's serving plain HTTP",{"type":31,"value":647}," (or vice-versa).",{"type":26,"tag":630,"props":649,"children":650},{},[651],{"type":31,"value":652},"A proxy or load balancer terminated TLS and is forwarding cleartext.",{"type":26,"tag":630,"props":654,"children":655},{},[656],{"type":31,"value":657},"The wrong port entirely.",{"type":26,"tag":27,"props":659,"children":660},{},[661,666,668,673,675,681],{"type":26,"tag":34,"props":662,"children":663},{},[664],{"type":31,"value":665},"Fix:",{"type":31,"value":667}," check the scheme and port before anything else — match ",{"type":26,"tag":124,"props":669,"children":671},{"className":670},[],[672],{"type":31,"value":643},{"type":31,"value":674}," to the TLS port and ",{"type":26,"tag":124,"props":676,"children":678},{"className":677},[],[679],{"type":31,"value":680},"http://",{"type":31,"value":682}," to the plaintext one.",{"type":26,"tag":83,"props":684,"children":686},{"id":685},"received-fatal-alert-protocol_version-java",[687,693],{"type":26,"tag":124,"props":688,"children":690},{"className":689},[],[691],{"type":31,"value":692},"received fatal alert: protocol_version",{"type":31,"value":694}," (Java)",{"type":26,"tag":27,"props":696,"children":697},{},[698],{"type":31,"value":699},"The Java/JSSE wording for the same protocol-version rejection above.",{"type":26,"tag":262,"props":701,"children":703},{"className":264,"code":702,"language":31,"meta":7,"style":7},"javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version\n\n# A related JSSE message when the JVM has disabled the only protocol on offer:\njavax.net.ssl.SSLHandshakeException: No appropriate protocol\n  (protocol is disabled or cipher suites are inappropriate)\n",[704],{"type":26,"tag":124,"props":705,"children":706},{"__ignoreMap":7},[707,715,722,730,738],{"type":26,"tag":271,"props":708,"children":709},{"class":273,"line":274},[710],{"type":26,"tag":271,"props":711,"children":712},{},[713],{"type":31,"value":714},"javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version\n",{"type":26,"tag":271,"props":716,"children":717},{"class":273,"line":283},[718],{"type":26,"tag":271,"props":719,"children":720},{"emptyLinePlaceholder":287},[721],{"type":31,"value":290},{"type":26,"tag":271,"props":723,"children":724},{"class":273,"line":293},[725],{"type":26,"tag":271,"props":726,"children":727},{},[728],{"type":31,"value":729},"# A related JSSE message when the JVM has disabled the only protocol on offer:\n",{"type":26,"tag":271,"props":731,"children":732},{"class":273,"line":302},[733],{"type":26,"tag":271,"props":734,"children":735},{},[736],{"type":31,"value":737},"javax.net.ssl.SSLHandshakeException: No appropriate protocol\n",{"type":26,"tag":271,"props":739,"children":740},{"class":273,"line":311},[741],{"type":26,"tag":271,"props":742,"children":743},{},[744],{"type":31,"value":745},"  (protocol is disabled or cipher suites are inappropriate)\n",{"type":26,"tag":27,"props":747,"children":748},{},[749,753,755,761],{"type":26,"tag":34,"props":750,"children":751},{},[752],{"type":31,"value":342},{"type":31,"value":754}," the JVM and the peer have no enabled TLS version in common. Modern JDKs disable TLS 1.0/1.1 in ",{"type":26,"tag":124,"props":756,"children":758},{"className":757},[],[759],{"type":31,"value":760},"jdk.tls.disabledAlgorithms",{"type":31,"value":762},", so a JVM talking to a legacy endpoint (or an old JVM talking to a hardened one) fails here.",{"type":26,"tag":27,"props":764,"children":765},{},[766,770,772,778,780,786,788,793,795,800],{"type":26,"tag":34,"props":767,"children":768},{},[769],{"type":31,"value":352},{"type":31,"value":771}," align the protocol versions (",{"type":26,"tag":124,"props":773,"children":775},{"className":774},[],[776],{"type":31,"value":777},"-Dhttps.protocols=TLSv1.2",{"type":31,"value":779},"), or update ",{"type":26,"tag":124,"props":781,"children":783},{"className":782},[],[784],{"type":31,"value":785},"java.security",{"type":31,"value":787},". If a legacy Java service is ",{"type":26,"tag":47,"props":789,"children":790},{},[791],{"type":31,"value":792},"posting",{"type":31,"value":794}," webhooks and can't reach a modern endpoint, give it a ",{"type":26,"tag":74,"props":796,"children":797},{"href":76},[798],{"type":31,"value":799},"Webhook Relay input that accepts its TLS version",{"type":31,"value":801}," instead of relaxing JVM-wide security policy.",{"type":26,"tag":83,"props":803,"children":805},{"id":804},"ssl-no_protocols_available-no-protocols-available-python",[806,812],{"type":26,"tag":124,"props":807,"children":809},{"className":808},[],[810],{"type":31,"value":811},"[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available",{"type":31,"value":813}," (Python)",{"type":26,"tag":262,"props":815,"children":817},{"className":264,"code":816,"language":31,"meta":7,"style":7},"ssl.SSLError: [SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:997)\n\n# Often surfaced through requests as:\nrequests.exceptions.SSLError: HTTPSConnectionPool(host='...', port=443):\n  Max retries exceeded ... [SSL: NO_PROTOCOLS_AVAILABLE] no protocols available\n",[818],{"type":26,"tag":124,"props":819,"children":820},{"__ignoreMap":7},[821,829,836,844,852],{"type":26,"tag":271,"props":822,"children":823},{"class":273,"line":274},[824],{"type":26,"tag":271,"props":825,"children":826},{},[827],{"type":31,"value":828},"ssl.SSLError: [SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (_ssl.c:997)\n",{"type":26,"tag":271,"props":830,"children":831},{"class":273,"line":283},[832],{"type":26,"tag":271,"props":833,"children":834},{"emptyLinePlaceholder":287},[835],{"type":31,"value":290},{"type":26,"tag":271,"props":837,"children":838},{"class":273,"line":293},[839],{"type":26,"tag":271,"props":840,"children":841},{},[842],{"type":31,"value":843},"# Often surfaced through requests as:\n",{"type":26,"tag":271,"props":845,"children":846},{"class":273,"line":302},[847],{"type":26,"tag":271,"props":848,"children":849},{},[850],{"type":31,"value":851},"requests.exceptions.SSLError: HTTPSConnectionPool(host='...', port=443):\n",{"type":26,"tag":271,"props":853,"children":854},{"class":273,"line":311},[855],{"type":26,"tag":271,"props":856,"children":857},{},[858],{"type":31,"value":859},"  Max retries exceeded ... [SSL: NO_PROTOCOLS_AVAILABLE] no protocols available\n",{"type":26,"tag":27,"props":861,"children":862},{},[863,867,869,875],{"type":26,"tag":34,"props":864,"children":865},{},[866],{"type":31,"value":342},{"type":31,"value":868}," every protocol version Python's ",{"type":26,"tag":124,"props":870,"children":872},{"className":871},[],[873],{"type":31,"value":874},"ssl",{"type":31,"value":876}," module would offer has been disabled (commonly because the OpenSSL build disabled TLS 1.0/1.1 and the target supports nothing newer).",{"type":26,"tag":27,"props":878,"children":879},{},[880,884,886,892],{"type":26,"tag":34,"props":881,"children":882},{},[883],{"type":31,"value":352},{"type":31,"value":885}," target an endpoint that supports TLS 1.2+, or — only when you control and trust the legacy endpoint — lower ",{"type":26,"tag":124,"props":887,"children":889},{"className":888},[],[890],{"type":31,"value":891},"ssl.SSLContext.minimum_version",{"type":31,"value":893},".",{"type":26,"tag":83,"props":895,"children":897},{"id":896},"err_ssl_version_or_cipher_mismatch-chrome-edge",[898,903],{"type":26,"tag":124,"props":899,"children":901},{"className":900},[],[902],{"type":31,"value":144},{"type":31,"value":904}," (Chrome / Edge)",{"type":26,"tag":27,"props":906,"children":907},{},[908],{"type":31,"value":909},"The browser equivalent, and by far the most-searched of this family.",{"type":26,"tag":262,"props":911,"children":913},{"className":264,"code":912,"language":31,"meta":7,"style":7},"This site can't provide a secure connection\nexample.com uses an unsupported protocol.\nERR_SSL_VERSION_OR_CIPHER_MISMATCH\n\n# In the console / network log:\nnet::ERR_SSL_VERSION_OR_CIPHER_MISMATCH\n\n# Firefox phrases it as:\nSecure Connection Failed — SSL_ERROR_UNSUPPORTED_VERSION\nSSL_ERROR_NO_CYPHER_OVERLAP\n",[914],{"type":26,"tag":124,"props":915,"children":916},{"__ignoreMap":7},[917,925,933,941,948,956,964,971,979,988],{"type":26,"tag":271,"props":918,"children":919},{"class":273,"line":274},[920],{"type":26,"tag":271,"props":921,"children":922},{},[923],{"type":31,"value":924},"This site can't provide a secure connection\n",{"type":26,"tag":271,"props":926,"children":927},{"class":273,"line":283},[928],{"type":26,"tag":271,"props":929,"children":930},{},[931],{"type":31,"value":932},"example.com uses an unsupported protocol.\n",{"type":26,"tag":271,"props":934,"children":935},{"class":273,"line":293},[936],{"type":26,"tag":271,"props":937,"children":938},{},[939],{"type":31,"value":940},"ERR_SSL_VERSION_OR_CIPHER_MISMATCH\n",{"type":26,"tag":271,"props":942,"children":943},{"class":273,"line":302},[944],{"type":26,"tag":271,"props":945,"children":946},{"emptyLinePlaceholder":287},[947],{"type":31,"value":290},{"type":26,"tag":271,"props":949,"children":950},{"class":273,"line":311},[951],{"type":26,"tag":271,"props":952,"children":953},{},[954],{"type":31,"value":955},"# In the console / network log:\n",{"type":26,"tag":271,"props":957,"children":958},{"class":273,"line":319},[959],{"type":26,"tag":271,"props":960,"children":961},{},[962],{"type":31,"value":963},"net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH\n",{"type":26,"tag":271,"props":965,"children":966},{"class":273,"line":328},[967],{"type":26,"tag":271,"props":968,"children":969},{"emptyLinePlaceholder":287},[970],{"type":31,"value":290},{"type":26,"tag":271,"props":972,"children":973},{"class":273,"line":478},[974],{"type":26,"tag":271,"props":975,"children":976},{},[977],{"type":31,"value":978},"# Firefox phrases it as:\n",{"type":26,"tag":271,"props":980,"children":982},{"class":273,"line":981},9,[983],{"type":26,"tag":271,"props":984,"children":985},{},[986],{"type":31,"value":987},"Secure Connection Failed — SSL_ERROR_UNSUPPORTED_VERSION\n",{"type":26,"tag":271,"props":989,"children":991},{"class":273,"line":990},10,[992],{"type":26,"tag":271,"props":993,"children":994},{},[995],{"type":31,"value":996},"SSL_ERROR_NO_CYPHER_OVERLAP\n",{"type":26,"tag":27,"props":998,"children":999},{},[1000,1004],{"type":26,"tag":34,"props":1001,"children":1002},{},[1003],{"type":31,"value":342},{"type":31,"value":1005}," the browser (which has dropped TLS 1.0/1.1 and weak ciphers) and the server share no protocol version or cipher. The server is usually too old or misconfigured.",{"type":26,"tag":27,"props":1007,"children":1008},{},[1009,1013],{"type":26,"tag":34,"props":1010,"children":1011},{},[1012],{"type":31,"value":352},{"type":31,"value":1014}," enable TLS 1.2/1.3 and a modern cipher suite on the server, and make sure the certificate isn't using a deprecated signature.",{"type":26,"tag":83,"props":1016,"children":1018},{"id":1017},"error-525-ssl-handshake-failed-cloudflare",[1019,1025],{"type":26,"tag":124,"props":1020,"children":1022},{"className":1021},[],[1023],{"type":31,"value":1024},"Error 525: SSL handshake failed",{"type":31,"value":1026}," (Cloudflare)",{"type":26,"tag":262,"props":1028,"children":1030},{"className":264,"code":1029,"language":31,"meta":7,"style":7},"Error 525: SSL handshake failed\n",[1031],{"type":26,"tag":124,"props":1032,"children":1033},{"__ignoreMap":7},[1034],{"type":26,"tag":271,"props":1035,"children":1036},{"class":273,"line":274},[1037],{"type":26,"tag":271,"props":1038,"children":1039},{},[1040],{"type":31,"value":1029},{"type":26,"tag":27,"props":1042,"children":1043},{},[1044,1048],{"type":26,"tag":34,"props":1045,"children":1046},{},[1047],{"type":31,"value":342},{"type":31,"value":1049}," Cloudflare (a modern TLS client) couldn't complete the handshake with your origin server — typically the origin requires an older protocol, presents an incomplete certificate chain, or isn't listening on 443.",{"type":26,"tag":27,"props":1051,"children":1052},{},[1053,1057],{"type":26,"tag":34,"props":1054,"children":1055},{},[1056],{"type":31,"value":352},{"type":31,"value":1058}," ensure the origin supports the TLS version Cloudflare offers and serves a complete, valid certificate chain.",{"type":26,"tag":83,"props":1060,"children":1062},{"id":1061},"remote-error-tls-protocol-version-not-supported-go",[1063,1069],{"type":26,"tag":124,"props":1064,"children":1066},{"className":1065},[],[1067],{"type":31,"value":1068},"remote error: tls: protocol version not supported",{"type":31,"value":1070}," (Go)",{"type":26,"tag":262,"props":1072,"children":1074},{"className":264,"code":1073,"language":31,"meta":7,"style":7},"remote error: tls: protocol version not supported\ntls: server selected unsupported protocol version 301\n",[1075],{"type":26,"tag":124,"props":1076,"children":1077},{"__ignoreMap":7},[1078,1086],{"type":26,"tag":271,"props":1079,"children":1080},{"class":273,"line":274},[1081],{"type":26,"tag":271,"props":1082,"children":1083},{},[1084],{"type":31,"value":1085},"remote error: tls: protocol version not supported\n",{"type":26,"tag":271,"props":1087,"children":1088},{"class":273,"line":283},[1089],{"type":26,"tag":271,"props":1090,"children":1091},{},[1092],{"type":31,"value":1093},"tls: server selected unsupported protocol version 301\n",{"type":26,"tag":27,"props":1095,"children":1096},{},[1097,1101,1103,1109,1111,1117,1119,1125],{"type":26,"tag":34,"props":1098,"children":1099},{},[1100],{"type":31,"value":342},{"type":31,"value":1102}," Go's ",{"type":26,"tag":124,"props":1104,"children":1106},{"className":1105},[],[1107],{"type":31,"value":1108},"crypto/tls",{"type":31,"value":1110}," sets ",{"type":26,"tag":124,"props":1112,"children":1114},{"className":1113},[],[1115],{"type":31,"value":1116},"MinVersion",{"type":31,"value":1118}," to TLS 1.2 by default, so it refuses an endpoint that offers only TLS 1.0 (version ",{"type":26,"tag":124,"props":1120,"children":1122},{"className":1121},[],[1123],{"type":31,"value":1124},"301",{"type":31,"value":1126},") or 1.1.",{"type":26,"tag":27,"props":1128,"children":1129},{},[1130,1134,1136,1142],{"type":26,"tag":34,"props":1131,"children":1132},{},[1133],{"type":31,"value":352},{"type":31,"value":1135}," only if you control the endpoint, set a lower ",{"type":26,"tag":124,"props":1137,"children":1139},{"className":1138},[],[1140],{"type":31,"value":1141},"tls.Config{MinVersion: tls.VersionTLS10}",{"type":31,"value":1143}," — but prefer upgrading the endpoint or bridging it.",{"type":26,"tag":83,"props":1145,"children":1147},{"id":1146},"certificate-verify-failed-self-signed-certificate-unable-to-verify-the-first-certificate",[1148,1153,1154,1159,1160],{"type":26,"tag":124,"props":1149,"children":1151},{"className":1150},[],[1152],{"type":31,"value":226},{"type":31,"value":131},{"type":26,"tag":124,"props":1155,"children":1157},{"className":1156},[],[1158],{"type":31,"value":233},{"type":31,"value":131},{"type":26,"tag":124,"props":1161,"children":1163},{"className":1162},[],[1164],{"type":31,"value":240},{"type":26,"tag":27,"props":1166,"children":1167},{},[1168,1170,1175],{"type":31,"value":1169},"A different failure mode: the protocol version is fine, but the client can't ",{"type":26,"tag":34,"props":1171,"children":1172},{},[1173],{"type":31,"value":1174},"verify the endpoint's certificate",{"type":31,"value":1176}," against a trusted CA.",{"type":26,"tag":262,"props":1178,"children":1180},{"className":264,"code":1179,"language":31,"meta":7,"style":7},"# curl\ncurl: (60) SSL certificate problem: self-signed certificate\ncurl: (60) SSL certificate problem: unable to get local issuer certificate\n\n# Node.js\nError: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)\nError: self-signed certificate in certificate chain\n\n# Python\nssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]\n  certificate verify failed: self signed certificate (_ssl.c:1007)\n\n# Go\nx509: certificate signed by unknown authority\n\n# Chrome\nNET::ERR_CERT_AUTHORITY_INVALID\n",[1181],{"type":26,"tag":124,"props":1182,"children":1183},{"__ignoreMap":7},[1184,1192,1200,1208,1215,1223,1231,1239,1246,1253,1261,1269,1277,1286,1295,1303,1312],{"type":26,"tag":271,"props":1185,"children":1186},{"class":273,"line":274},[1187],{"type":26,"tag":271,"props":1188,"children":1189},{},[1190],{"type":31,"value":1191},"# curl\n",{"type":26,"tag":271,"props":1193,"children":1194},{"class":273,"line":283},[1195],{"type":26,"tag":271,"props":1196,"children":1197},{},[1198],{"type":31,"value":1199},"curl: (60) SSL certificate problem: self-signed certificate\n",{"type":26,"tag":271,"props":1201,"children":1202},{"class":273,"line":293},[1203],{"type":26,"tag":271,"props":1204,"children":1205},{},[1206],{"type":31,"value":1207},"curl: (60) SSL certificate problem: unable to get local issuer certificate\n",{"type":26,"tag":271,"props":1209,"children":1210},{"class":273,"line":302},[1211],{"type":26,"tag":271,"props":1212,"children":1213},{"emptyLinePlaceholder":287},[1214],{"type":31,"value":290},{"type":26,"tag":271,"props":1216,"children":1217},{"class":273,"line":311},[1218],{"type":26,"tag":271,"props":1219,"children":1220},{},[1221],{"type":31,"value":1222},"# Node.js\n",{"type":26,"tag":271,"props":1224,"children":1225},{"class":273,"line":319},[1226],{"type":26,"tag":271,"props":1227,"children":1228},{},[1229],{"type":31,"value":1230},"Error: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)\n",{"type":26,"tag":271,"props":1232,"children":1233},{"class":273,"line":328},[1234],{"type":26,"tag":271,"props":1235,"children":1236},{},[1237],{"type":31,"value":1238},"Error: self-signed certificate in certificate chain\n",{"type":26,"tag":271,"props":1240,"children":1241},{"class":273,"line":478},[1242],{"type":26,"tag":271,"props":1243,"children":1244},{"emptyLinePlaceholder":287},[1245],{"type":31,"value":290},{"type":26,"tag":271,"props":1247,"children":1248},{"class":273,"line":981},[1249],{"type":26,"tag":271,"props":1250,"children":1251},{},[1252],{"type":31,"value":452},{"type":26,"tag":271,"props":1254,"children":1255},{"class":273,"line":990},[1256],{"type":26,"tag":271,"props":1257,"children":1258},{},[1259],{"type":31,"value":1260},"ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]\n",{"type":26,"tag":271,"props":1262,"children":1263},{"class":273,"line":14},[1264],{"type":26,"tag":271,"props":1265,"children":1266},{},[1267],{"type":31,"value":1268},"  certificate verify failed: self signed certificate (_ssl.c:1007)\n",{"type":26,"tag":271,"props":1270,"children":1272},{"class":273,"line":1271},12,[1273],{"type":26,"tag":271,"props":1274,"children":1275},{"emptyLinePlaceholder":287},[1276],{"type":31,"value":290},{"type":26,"tag":271,"props":1278,"children":1280},{"class":273,"line":1279},13,[1281],{"type":26,"tag":271,"props":1282,"children":1283},{},[1284],{"type":31,"value":1285},"# Go\n",{"type":26,"tag":271,"props":1287,"children":1289},{"class":273,"line":1288},14,[1290],{"type":26,"tag":271,"props":1291,"children":1292},{},[1293],{"type":31,"value":1294},"x509: certificate signed by unknown authority\n",{"type":26,"tag":271,"props":1296,"children":1298},{"class":273,"line":1297},15,[1299],{"type":26,"tag":271,"props":1300,"children":1301},{"emptyLinePlaceholder":287},[1302],{"type":31,"value":290},{"type":26,"tag":271,"props":1304,"children":1306},{"class":273,"line":1305},16,[1307],{"type":26,"tag":271,"props":1308,"children":1309},{},[1310],{"type":31,"value":1311},"# Chrome\n",{"type":26,"tag":271,"props":1313,"children":1315},{"class":273,"line":1314},17,[1316],{"type":26,"tag":271,"props":1317,"children":1318},{},[1319],{"type":31,"value":1320},"NET::ERR_CERT_AUTHORITY_INVALID\n",{"type":26,"tag":27,"props":1322,"children":1323},{},[1324,1328],{"type":26,"tag":34,"props":1325,"children":1326},{},[1327],{"type":31,"value":342},{"type":31,"value":1329}," the endpoint presents a certificate that isn't signed by a publicly trusted CA — a self-signed cert, a private/internal CA, an incomplete chain, or an expired certificate.",{"type":26,"tag":27,"props":1331,"children":1332},{},[1333,1337,1339,1344],{"type":26,"tag":34,"props":1334,"children":1335},{},[1336],{"type":31,"value":352},{"type":31,"value":1338}," install a publicly trusted certificate, or send the full chain (including intermediates). When the destination is an internal or legacy box you control and trust, ",{"type":26,"tag":74,"props":1340,"children":1341},{"href":76},[1342],{"type":31,"value":1343},"Webhook Relay can skip verification for that one destination",{"type":31,"value":893},{"type":26,"tag":83,"props":1346,"children":1348},{"id":1347},"how-webhook-relay-bridges-the-gap",[1349],{"type":31,"value":1350},"How Webhook Relay bridges the gap",{"type":26,"tag":27,"props":1352,"children":1353},{},[1354,1356,1361,1363,1368],{"type":31,"value":1355},"Webhook Relay terminates TLS independently on the way ",{"type":26,"tag":34,"props":1357,"children":1358},{},[1359],{"type":31,"value":1360},"in",{"type":31,"value":1362}," (the input that receives webhooks) and on the way ",{"type":26,"tag":34,"props":1364,"children":1365},{},[1366],{"type":31,"value":1367},"out",{"type":31,"value":1369}," (delivery to your destination), so the two legs don't have to share the same TLS settings. The controls live in two places.",{"type":26,"tag":1371,"props":1372,"children":1374},"h3",{"id":1373},"accept-legacy-senders-tls-compatibility-on-the-input",[1375],{"type":31,"value":1376},"Accept legacy senders — TLS compatibility on the input",{"type":26,"tag":27,"props":1378,"children":1379},{},[1380,1382,1387,1389,1394],{"type":31,"value":1381},"The version and cipher errors above happen when a ",{"type":26,"tag":34,"props":1383,"children":1384},{},[1385],{"type":31,"value":1386},"legacy sender",{"type":31,"value":1388}," can't complete a modern handshake. If that sender is delivering webhooks to you, you don't have to weaken anything else — just relax TLS on the ",{"type":26,"tag":34,"props":1390,"children":1391},{},[1392],{"type":31,"value":1393},"input",{"type":31,"value":1395}," it posts to.",{"type":26,"tag":27,"props":1397,"children":1398},{},[1399,1401,1406],{"type":31,"value":1400},"Each input has a ",{"type":26,"tag":34,"props":1402,"children":1403},{},[1404],{"type":31,"value":1405},"TLS compatibility",{"type":31,"value":1407}," setting with two controls:",{"type":26,"tag":626,"props":1409,"children":1410},{},[1411,1442],{"type":26,"tag":630,"props":1412,"children":1413},{},[1414,1419,1421,1426,1428,1433,1435,1440],{"type":26,"tag":34,"props":1415,"children":1416},{},[1417],{"type":31,"value":1418},"TLS version",{"type":31,"value":1420}," — the ",{"type":26,"tag":47,"props":1422,"children":1423},{},[1424],{"type":31,"value":1425},"minimum",{"type":31,"value":1427}," version the input accepts. The default is ",{"type":26,"tag":34,"props":1429,"children":1430},{},[1431],{"type":31,"value":1432},"TLS 1.3",{"type":31,"value":1434},"; lower it to ",{"type":26,"tag":34,"props":1436,"children":1437},{},[1438],{"type":31,"value":1439},"TLS 1.2",{"type":31,"value":1441}," for senders that still require it (PayPal webhooks, for example), or further when you must.",{"type":26,"tag":630,"props":1443,"children":1444},{},[1445,1450,1452,1457,1459,1464,1466,1471,1473,1478],{"type":26,"tag":34,"props":1446,"children":1447},{},[1448],{"type":31,"value":1449},"Legacy TLS compatibility (TLS 1.0 + wide ciphers)",{"type":31,"value":1451}," — a toggle that makes the input accept TLS versions ",{"type":26,"tag":34,"props":1453,"children":1454},{},[1455],{"type":31,"value":1456},"down to 1.0 and a wider legacy cipher set",{"type":31,"value":1458},", for the oldest systems that would otherwise fail with ",{"type":26,"tag":124,"props":1460,"children":1462},{"className":1461},[],[1463],{"type":31,"value":161},{"type":31,"value":1465},", ",{"type":26,"tag":124,"props":1467,"children":1469},{"className":1468},[],[1470],{"type":31,"value":129},{"type":31,"value":1472}," or ",{"type":26,"tag":124,"props":1474,"children":1476},{"className":1475},[],[1477],{"type":31,"value":144},{"type":31,"value":893},{"type":26,"tag":27,"props":1480,"children":1481},{},[1482],{"type":26,"tag":1483,"props":1484,"children":1487},"img",{"alt":1485,"src":1486},"Per-input TLS compatibility settings — a minimum TLS version dropdown and a \"Legacy TLS compatibility (TLS 1.0 + wide ciphers)\" toggle","/images/docs/webhooks/tls/tls_settings.png",[],{"type":26,"tag":27,"props":1489,"children":1490},{},[1491],{"type":31,"value":1492},"Webhook Relay accepts the old handshake on that input and forwards the event onward over modern TLS — so one legacy sender no longer forces you to lower TLS across your whole stack.",{"type":26,"tag":1494,"props":1495,"children":1496},"hint",{},[1497],{"type":26,"tag":27,"props":1498,"children":1499},{},[1500,1502,1507,1509,1513,1515,1520,1522,1527,1529,1534,1536,1542,1543,1549],{"type":31,"value":1501},"Legacy settings apply ",{"type":26,"tag":34,"props":1503,"children":1504},{},[1505],{"type":31,"value":1506},"per input domain",{"type":31,"value":1508}," and lower the security baseline, so enable them only on the inputs that genuinely need them. Setting a custom minimum ",{"type":26,"tag":34,"props":1510,"children":1511},{},[1512],{"type":31,"value":1418},{"type":31,"value":1514}," is available on ",{"type":26,"tag":34,"props":1516,"children":1517},{},[1518],{"type":31,"value":1519},"Business and Pro",{"type":31,"value":1521},"; the ",{"type":26,"tag":34,"props":1523,"children":1524},{},[1525],{"type":31,"value":1526},"Legacy TLS compatibility",{"type":31,"value":1528}," toggle (down to TLS 1.0 + wide ciphers) is available on ",{"type":26,"tag":34,"props":1530,"children":1531},{},[1532],{"type":31,"value":1533},"Pro",{"type":31,"value":1535},". See the ",{"type":26,"tag":74,"props":1537,"children":1539},{"href":1538},"/features/tls-compatibility",[1540],{"type":31,"value":1541},"TLS compatibility feature",{"type":31,"value":53},{"type":26,"tag":74,"props":1544,"children":1546},{"href":1545},"/pricing",[1547],{"type":31,"value":1548},"pricing",{"type":31,"value":893},{"type":26,"tag":1371,"props":1551,"children":1553},{"id":1552},"deliver-to-non-standard-certificates-tls-verification-on-the-output",[1554],{"type":31,"value":1555},"Deliver to non-standard certificates — TLS verification on the output",{"type":26,"tag":27,"props":1557,"children":1558},{},[1559,1561,1566,1568,1573,1575,1580,1582,1587,1588,1593],{"type":31,"value":1560},"On the delivery side the relevant control is ",{"type":26,"tag":34,"props":1562,"children":1563},{},[1564],{"type":31,"value":1565},"TLS verification",{"type":31,"value":1567},", found per destination under ",{"type":26,"tag":34,"props":1569,"children":1570},{},[1571],{"type":31,"value":1572},"Delivery controls",{"type":31,"value":1574},". Leave it on for normal endpoints; switch it ",{"type":26,"tag":34,"props":1576,"children":1577},{},[1578],{"type":31,"value":1579},"off",{"type":31,"value":1581}," to deliver to a destination whose certificate can't be verified against public CAs — a self-signed cert, an internal CA or a legacy box — instead of failing with ",{"type":26,"tag":124,"props":1583,"children":1585},{"className":1584},[],[1586],{"type":31,"value":226},{"type":31,"value":1472},{"type":26,"tag":124,"props":1589,"children":1591},{"className":1590},[],[1592],{"type":31,"value":240},{"type":31,"value":893},{"type":26,"tag":27,"props":1595,"children":1596},{},[1597],{"type":26,"tag":1483,"props":1598,"children":1601},{"alt":1599,"src":1600},"Per-output Delivery controls with a TLS verification toggle","/images/docs/webhooks/tls/tls_output_disable_verification.png",[],{"type":26,"tag":27,"props":1603,"children":1604},{},[1605],{"type":31,"value":1606},"Only disable verification for destinations you control and trust, typically on a private or internal network.",{"type":26,"tag":83,"props":1608,"children":1610},{"id":1609},"turn-it-on",[1611],{"type":31,"value":1612},"Turn it on",{"type":26,"tag":27,"props":1614,"children":1615},{},[1616],{"type":26,"tag":34,"props":1617,"children":1618},{},[1619],{"type":31,"value":1620},"To accept a legacy sender (input):",{"type":26,"tag":1622,"props":1623,"children":1624},"ol",{},[1625,1641,1657],{"type":26,"tag":630,"props":1626,"children":1627},{},[1628,1630,1634,1636,1640],{"type":31,"value":1629},"Open the ",{"type":26,"tag":34,"props":1631,"children":1632},{},[1633],{"type":31,"value":1393},{"type":31,"value":1635}," the sender delivers to and find ",{"type":26,"tag":34,"props":1637,"children":1638},{},[1639],{"type":31,"value":1405},{"type":31,"value":893},{"type":26,"tag":630,"props":1642,"children":1643},{},[1644,1646,1650,1652,1656],{"type":31,"value":1645},"Set the ",{"type":26,"tag":34,"props":1647,"children":1648},{},[1649],{"type":31,"value":1418},{"type":31,"value":1651}," to the lowest version that sender needs, and/or turn on ",{"type":26,"tag":34,"props":1653,"children":1654},{},[1655],{"type":31,"value":1449},{"type":31,"value":893},{"type":26,"tag":630,"props":1658,"children":1659},{},[1660,1665],{"type":26,"tag":34,"props":1661,"children":1662},{},[1663],{"type":31,"value":1664},"Save",{"type":31,"value":1666},", then have the sender retry — the handshake now succeeds and the webhook is relayed onward.",{"type":26,"tag":27,"props":1668,"children":1669},{},[1670],{"type":26,"tag":34,"props":1671,"children":1672},{},[1673],{"type":31,"value":1674},"To deliver to a self-signed or internal certificate (output):",{"type":26,"tag":1622,"props":1676,"children":1677},{},[1678,1694,1705],{"type":26,"tag":630,"props":1679,"children":1680},{},[1681,1682,1687,1689,1693],{"type":31,"value":1629},{"type":26,"tag":34,"props":1683,"children":1684},{},[1685],{"type":31,"value":1686},"output destination",{"type":31,"value":1688}," and find ",{"type":26,"tag":34,"props":1690,"children":1691},{},[1692],{"type":31,"value":1572},{"type":31,"value":893},{"type":26,"tag":630,"props":1695,"children":1696},{},[1697,1699,1703],{"type":31,"value":1698},"Turn ",{"type":26,"tag":34,"props":1700,"children":1701},{},[1702],{"type":31,"value":1565},{"type":31,"value":1704}," off.",{"type":26,"tag":630,"props":1706,"children":1707},{},[1708],{"type":31,"value":1709},"Re-send a webhook and confirm it's delivered in the request log.",{"type":26,"tag":83,"props":1711,"children":1713},{"id":1712},"frequently-asked-questions",[1714],{"type":31,"value":1715},"Frequently asked questions",{"type":26,"tag":1371,"props":1717,"children":1719},{"id":1718},"why-do-i-get-unsupported-protocol-even-though-both-sides-support-tls",[1720],{"type":31,"value":1721},"Why do I get \"unsupported protocol\" even though both sides support TLS?",{"type":26,"tag":27,"props":1723,"children":1724},{},[1725,1727,1732,1734,1739,1741,1746],{"type":31,"value":1726},"They support TLS, but not the ",{"type":26,"tag":47,"props":1728,"children":1729},{},[1730],{"type":31,"value":1731},"same version",{"type":31,"value":1733},". Modern clients disable TLS 1.0/1.1; if the server only offers those, there is no version in common and the handshake fails with ",{"type":26,"tag":124,"props":1735,"children":1737},{"className":1736},[],[1738],{"type":31,"value":129},{"type":31,"value":1740}," or a ",{"type":26,"tag":124,"props":1742,"children":1744},{"className":1743},[],[1745],{"type":31,"value":137},{"type":31,"value":1747}," alert. One side has to meet the other — which is what a Webhook Relay input does when you lower its minimum TLS version or enable legacy TLS compatibility for a legacy sender.",{"type":26,"tag":1371,"props":1749,"children":1751},{"id":1750},"is-wrong-version-number-a-tls-version-problem",[1752],{"type":31,"value":1753},"Is \"wrong version number\" a TLS version problem?",{"type":26,"tag":27,"props":1755,"children":1756},{},[1757,1759,1764,1766,1771],{"type":31,"value":1758},"Usually not. ",{"type":26,"tag":124,"props":1760,"children":1762},{"className":1761},[],[1763],{"type":31,"value":185},{"type":31,"value":1765}," almost always means a scheme/port mismatch — ",{"type":26,"tag":124,"props":1767,"children":1769},{"className":1768},[],[1770],{"type":31,"value":643},{"type":31,"value":1772}," pointed at a plaintext HTTP port (or a proxy terminating TLS early). Check the URL scheme and port first.",{"type":26,"tag":1371,"props":1774,"children":1776},{"id":1775},"is-enabling-legacy-tls-1011-safe",[1777],{"type":31,"value":1778},"Is enabling legacy TLS 1.0/1.1 safe?",{"type":26,"tag":27,"props":1780,"children":1781},{},[1782,1784,1788,1790,1795],{"type":31,"value":1783},"TLS 1.0 and 1.1 are deprecated and shouldn't be used on the public internet. Webhook Relay applies legacy TLS settings ",{"type":26,"tag":34,"props":1785,"children":1786},{},[1787],{"type":31,"value":1506},{"type":31,"value":1789},", so the safe pattern is to enable them ",{"type":26,"tag":34,"props":1791,"children":1792},{},[1793],{"type":31,"value":1794},"only on the one input a legacy sender needs",{"type":31,"value":1796}," and leave every other input on the modern TLS 1.3 default.",{"type":26,"tag":1371,"props":1798,"children":1800},{"id":1799},"can-i-force-a-minimum-tls-version-for-compliance",[1801],{"type":31,"value":1802},"Can I force a minimum TLS version for compliance?",{"type":26,"tag":27,"props":1804,"children":1805},{},[1806,1808,1812,1814,1818],{"type":31,"value":1807},"Yes. Set a custom minimum ",{"type":26,"tag":34,"props":1809,"children":1810},{},[1811],{"type":31,"value":1418},{"type":31,"value":1813}," on an input (Business or Pro) and Webhook Relay refuses handshakes below it. To deliver to an endpoint whose certificate can't be verified, use the per-output ",{"type":26,"tag":34,"props":1815,"children":1816},{},[1817],{"type":31,"value":1565},{"type":31,"value":1819}," toggle instead.",{"type":26,"tag":83,"props":1821,"children":1823},{"id":1822},"related",[1824],{"type":31,"value":1825},"Related",{"type":26,"tag":626,"props":1827,"children":1828},{},[1829,1837,1846,1855],{"type":26,"tag":630,"props":1830,"children":1831},{},[1832],{"type":26,"tag":74,"props":1833,"children":1834},{"href":1538},[1835],{"type":31,"value":1836},"TLS compatibility — feature overview",{"type":26,"tag":630,"props":1838,"children":1839},{},[1840],{"type":26,"tag":74,"props":1841,"children":1843},{"href":1842},"/docs/webhooks/durable-webhooks",[1844],{"type":31,"value":1845},"Durable webhooks — reliable delivery with automatic retries",{"type":26,"tag":630,"props":1847,"children":1848},{},[1849],{"type":26,"tag":74,"props":1850,"children":1852},{"href":1851},"/docs/webhooks/custom-domains",[1853],{"type":31,"value":1854},"Custom webhook domains",{"type":26,"tag":630,"props":1856,"children":1857},{},[1858],{"type":26,"tag":74,"props":1859,"children":1860},{"href":1545},[1861],{"type":31,"value":1862},"Pricing",{"type":26,"tag":1864,"props":1865,"children":1866},"style",{},[1867],{"type":31,"value":1868},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":293,"depth":293,"links":1870},[1871,1872,1873,1874,1875,1876,1878,1880,1882,1884,1886,1888,1892,1893,1899],{"id":85,"depth":283,"text":88},{"id":248,"depth":283,"text":255},{"id":387,"depth":283,"text":394},{"id":505,"depth":283,"text":512},{"id":559,"depth":283,"text":566},{"id":685,"depth":283,"text":1877},"received fatal alert: protocol_version (Java)",{"id":804,"depth":283,"text":1879},"[SSL: NO_PROTOCOLS_AVAILABLE] no protocols available (Python)",{"id":896,"depth":283,"text":1881},"ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome / Edge)",{"id":1017,"depth":283,"text":1883},"Error 525: SSL handshake failed (Cloudflare)",{"id":1061,"depth":283,"text":1885},"remote error: tls: protocol version not supported (Go)",{"id":1146,"depth":283,"text":1887},"certificate verify failed / self-signed certificate / unable to verify the first certificate",{"id":1347,"depth":283,"text":1350,"children":1889},[1890,1891],{"id":1373,"depth":293,"text":1376},{"id":1552,"depth":293,"text":1555},{"id":1609,"depth":283,"text":1612},{"id":1712,"depth":283,"text":1715,"children":1894},[1895,1896,1897,1898],{"id":1718,"depth":293,"text":1721},{"id":1750,"depth":293,"text":1753},{"id":1775,"depth":293,"text":1778},{"id":1799,"depth":293,"text":1802},{"id":1822,"depth":283,"text":1825},"markdown","content:docs:webhooks:tls-ssl-errors.md","content","docs/webhooks/tls-ssl-errors.md","docs/webhooks/tls-ssl-errors","md",{"loc":4},[1908],{"_path":1909,"title":1910},"/docs/webhooks/internal/localhost","Receiving webhooks on localhost",[1912,1915,1918,1921],{"_path":1913,"title":1914},"/docs/webhooks/auth/username-password","Username and password",{"_path":1916,"title":1917},"/docs/webhooks/auth/hmac","HMAC",{"_path":1919,"title":1920},"/docs/webhooks/auth/jwt","JWT authentication",{"_path":1922,"title":1923},"/docs/webhooks/auth/http-method","Auth using request method",[1925,1928,1931,1934,1937,1940,1943,1946],{"_path":1926,"title":1927},"/docs/installation/cli","CLI",{"_path":1929,"title":1930},"/docs/installation/docker","Docker container",{"_path":1932,"title":1933},"/docs/installation/docker-compose","Docker Compose",{"_path":1935,"title":1936},"/docs/installation/kubernetes","Kubernetes",{"_path":1938,"title":1939},"/docs/installation/autostart-windows","Autostart (Windows)",{"_path":1941,"title":1942},"/docs/installation/autostart-linux","Autostart (Linux)",{"_path":1944,"title":1945},"/docs/installation/autostart-macos","Autostart (MacOS)",{"_path":1947,"title":1948},"/docs/installation/behind-proxy","HTTP proxy configuration",[1950,1953],{"_path":1951,"title":1952},"/docs/webhooks/public/public-destination","Forward to public URL",{"_path":1954,"title":1955},"/docs/webhooks/public/multiple-destination-urls","Multiple destinations",[1957,1960,1963,1966],{"_path":1958,"title":1959},"/docs/account/account-management","Account management",{"_path":1961,"title":1962},"/docs/account/mfa","Multi-factor authentication (MFA)",{"_path":1964,"title":1965},"/docs/account/team","Teams and sub-accounts",{"_path":1967,"title":1968},"/docs/account/billing-and-subscriptions","Billing & subscriptions",[1970,1973],{"_path":1971,"title":1972},"/docs/tunnels/demoing-your-website","Demoing your website",{"_path":1974,"title":1975},"/docs/tunnels/regions","Regions",[1977,1980,1983,1986,1989,1992],{"_path":1978,"title":1979},"/docs/tutorials/cicd/jenkins-bitbucket","Jenkins and Bitbucket",{"_path":1981,"title":1982},"/docs/tutorials/cicd/jenkins-github","Jenkins and GitHub",{"_path":1984,"title":1985},"/docs/tutorials/cicd/jenkins-plugin","Jenkins Plugin",{"_path":1987,"title":1988},"/docs/tutorials/cicd/kubernetes-operator","Kubernetes Operator",{"_path":1990,"title":1991},"/docs/tutorials/cicd/terraform-atlantis","Terraform Atlantis",{"_path":1993,"title":1994},"/docs/tutorials/cicd/webhook-exec","Execute scripts on webhook",[1996,1999,2002],{"_path":1997,"title":1998},"/docs/tutorials/edge/home-assistant","Home Assistant",{"_path":2000,"title":2001},"/docs/tutorials/edge/javascript-app","JavaScript app",{"_path":2003,"title":2004},"/docs/tutorials/edge/node-red","Node-RED",[2006,2009,2012,2015,2018,2021,2024],{"_path":2007,"title":2008},"/docs/service-connections","Service Connections",{"_path":2010,"title":2011},"/docs/service-connections/aws_s3","AWS S3",{"_path":2013,"title":2014},"/docs/service-connections/aws_sns","AWS SNS",{"_path":2016,"title":2017},"/docs/service-connections/aws_sqs","AWS SQS",{"_path":2019,"title":2020},"/docs/service-connections/azure","Azure",{"_path":2022,"title":2023},"/docs/service-connections/gcp_gcs","GCP Cloud Storage",{"_path":2025,"title":2026},"/docs/service-connections/gcp_pubsub","GCP Pub/Sub",[2028],{"_path":2029,"title":2030},"/docs/tutorials/warehouse/bigquery","GCP BigQuery",[2032,2035],{"_path":2033,"title":2034},"/docs/tutorials/transform/docker-to-slack","DockerHub webhook to Slack notification",{"_path":2036,"title":2037},"/docs/tutorials/transform/enrich-webhooks","Enrich webhooks from APIs",[2039],{"_path":2040,"title":2041},"/docs/webhooks/cron/using-cron-webhooks","Schedule recurring webhooks",[2043,2046,2049,2052,2055,2058,2061,2064,2067,2070,2072,2075],{"_path":2044,"title":2045},"/docs/webhooks/functions/manipulating-json","JSON encoding",{"_path":2047,"title":2048},"/docs/webhooks/functions/make-http-request","Make HTTP request",{"_path":2050,"title":2051},"/docs/webhooks/functions/modify-request","Read, write request data",{"_path":2053,"title":2054},"/docs/webhooks/functions/multipart-form-data","Multipart form to JSON",{"_path":2056,"title":2057},"/docs/webhooks/functions/url-encoded-data","URL Encoded Form",{"_path":2059,"title":2060},"/docs/webhooks/functions/working-with-time","Working with time",{"_path":2062,"title":2063},"/docs/webhooks/functions/send-emails","Sending emails",{"_path":2065,"title":2066},"/docs/webhooks/functions/crypto-functions","Base64, encryption",{"_path":2068,"title":2069},"/docs/webhooks/functions/integrate-into-cicd","Integrating into CI/CD",{"_path":2071,"title":2030},"/docs/webhooks/functions/big-query",{"_path":2073,"title":2074},"/docs/webhooks/functions/accessing-metadata","Accessing metadata",{"_path":2076,"title":2077},"/docs/webhooks/functions","Functions",1782398372587]