[{"data":1,"prerenderedAt":428},["ShallowReactive",2],{"content-query-TcQKui6QbY":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"layout":10,"plan":11,"cover":12,"body":13,"_type":421,"_id":422,"_source":423,"_file":424,"_stem":425,"_extension":426,"sitemap":427},"/features/tls-compatibility","features",false,"","TLS Compatibility: Custom & Legacy TLS Versions","Receive webhooks from legacy systems that can't speak modern TLS. Webhook Relay lets you set a custom minimum TLS version per input, accept legacy TLS 1.0/1.1 with a wider cipher set for old senders, and disable TLS verification per destination to deliver to self-signed or internal endpoints.","feature","Business","/images/docs/webhooks/tls/tls_settings.png",{"type":14,"children":15,"toc":413},"root",[16,45,52,57,105,119,125,143,178,186,191,197,232,240,245,251,309,315,358,364,385,407],{"type":17,"tag":18,"props":19,"children":20},"element","p",{},[21,28,30,36,38,43],{"type":17,"tag":22,"props":23,"children":24},"strong",{},[25],{"type":26,"value":27},"text","Some systems are stuck in the past — your security baseline shouldn't be.",{"type":26,"value":29}," A legacy device, an old ERP, or an on-prem appliance that can only speak TLS 1.0/1.1 (or an outdated cipher) simply ",{"type":17,"tag":31,"props":32,"children":33},"em",{},[34],{"type":26,"value":35},"can't deliver",{"type":26,"value":37}," a webhook to a modern endpoint that has, correctly, disabled those protocols. Webhook Relay's ",{"type":17,"tag":22,"props":39,"children":40},{},[41],{"type":26,"value":42},"TLS compatibility",{"type":26,"value":44}," lets that one old sender through — on a single input — while everything else stays on modern TLS.",{"type":17,"tag":46,"props":47,"children":49},"h2",{"id":48},"the-problem-a-legacy-sender-meets-a-modern-endpoint",[50],{"type":26,"value":51},"The problem: a legacy sender meets a modern endpoint",{"type":17,"tag":18,"props":53,"children":54},{},[55],{"type":26,"value":56},"When an old system tries to POST a webhook over a TLS version or cipher the receiver has disabled, neither side will budge, and the delivery dies with one of these:",{"type":17,"tag":58,"props":59,"children":62},"pre",{"className":60,"code":61,"language":26,"meta":7,"style":7},"language-text shiki shiki-themes github-dark","curl: (35) error:0A000102:SSL routines::unsupported protocol\nerror:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\njavax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version\nERR_SSL_VERSION_OR_CIPHER_MISMATCH\n",[63],{"type":17,"tag":64,"props":65,"children":66},"code",{"__ignoreMap":7},[67,78,87,96],{"type":17,"tag":68,"props":69,"children":72},"span",{"class":70,"line":71},"line",1,[73],{"type":17,"tag":68,"props":74,"children":75},{},[76],{"type":26,"value":77},"curl: (35) error:0A000102:SSL routines::unsupported protocol\n",{"type":17,"tag":68,"props":79,"children":81},{"class":70,"line":80},2,[82],{"type":17,"tag":68,"props":83,"children":84},{},[85],{"type":26,"value":86},"error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\n",{"type":17,"tag":68,"props":88,"children":90},{"class":70,"line":89},3,[91],{"type":17,"tag":68,"props":92,"children":93},{},[94],{"type":26,"value":95},"javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version\n",{"type":17,"tag":68,"props":97,"children":99},{"class":70,"line":98},4,[100],{"type":17,"tag":68,"props":101,"children":102},{},[103],{"type":26,"value":104},"ERR_SSL_VERSION_OR_CIPHER_MISMATCH\n",{"type":17,"tag":18,"props":106,"children":107},{},[108,110,117],{"type":26,"value":109},"The usual \"fix\" is to lower TLS everywhere the old sender might reach — weakening your whole stack for one stubborn box. (For a full reference of these errors and what each means, see the ",{"type":17,"tag":111,"props":112,"children":114},"a",{"href":113},"/docs/webhooks/tls-ssl-errors",[115],{"type":26,"value":116},"TLS/SSL error guide",{"type":26,"value":118},".)",{"type":17,"tag":46,"props":120,"children":122},{"id":121},"the-solution-relax-tls-on-one-input-not-everywhere",[123],{"type":26,"value":124},"The solution: relax TLS on one input, not everywhere",{"type":17,"tag":18,"props":126,"children":127},{},[128,130,135,137,141],{"type":26,"value":129},"Give the legacy sender a Webhook Relay ",{"type":17,"tag":22,"props":131,"children":132},{},[133],{"type":26,"value":134},"input",{"type":26,"value":136}," and set the TLS policy on that input alone. Each input has a ",{"type":17,"tag":22,"props":138,"children":139},{},[140],{"type":26,"value":42},{"type":26,"value":142}," setting with two controls:",{"type":17,"tag":144,"props":145,"children":146},"ul",{},[147,163],{"type":17,"tag":148,"props":149,"children":150},"li",{},[151,156,158],{"type":17,"tag":22,"props":152,"children":153},{},[154],{"type":26,"value":155},"Custom minimum TLS version",{"type":26,"value":157}," — the lowest version the input will accept. The default is TLS 1.3; lower it to TLS 1.2 for senders that still require it (PayPal webhooks, for example). ",{"type":17,"tag":31,"props":159,"children":160},{},[161],{"type":26,"value":162},"(Business and Pro)",{"type":17,"tag":148,"props":164,"children":165},{},[166,171,173],{"type":17,"tag":22,"props":167,"children":168},{},[169],{"type":26,"value":170},"Legacy TLS compatibility (TLS 1.0 + wide ciphers)",{"type":26,"value":172}," — one toggle that makes the input accept TLS versions down to 1.0 and a wider legacy cipher set, for the oldest systems that can't do anything newer. ",{"type":17,"tag":31,"props":174,"children":175},{},[176],{"type":26,"value":177},"(Pro)",{"type":17,"tag":18,"props":179,"children":180},{},[181],{"type":17,"tag":182,"props":183,"children":185},"img",{"alt":184,"src":12},"Per-input TLS compatibility settings — a minimum TLS version dropdown and a \"Legacy TLS compatibility (TLS 1.0 + wide ciphers)\" toggle",[],{"type":17,"tag":18,"props":187,"children":188},{},[189],{"type":26,"value":190},"Webhook Relay completes the old handshake on that input, then forwards the event onward over modern TLS. The legacy sender finally gets through, and the rest of your traffic never leaves TLS 1.2/1.3.",{"type":17,"tag":46,"props":192,"children":194},{"id":193},"deliver-to-self-signed-and-internal-certificates",[195],{"type":26,"value":196},"Deliver to self-signed and internal certificates",{"type":17,"tag":18,"props":198,"children":199},{},[200,202,208,210,216,218,223,225,230],{"type":26,"value":201},"The other half of the gap is on the delivery side. When you forward to an internal service or legacy box whose certificate isn't signed by a public CA, strict clients fail with ",{"type":17,"tag":64,"props":203,"children":205},{"className":204},[],[206],{"type":26,"value":207},"certificate verify failed",{"type":26,"value":209}," or ",{"type":17,"tag":64,"props":211,"children":213},{"className":212},[],[214],{"type":26,"value":215},"unable to verify the first certificate",{"type":26,"value":217},". Webhook Relay exposes a per-destination ",{"type":17,"tag":22,"props":219,"children":220},{},[221],{"type":26,"value":222},"TLS verification",{"type":26,"value":224}," toggle under ",{"type":17,"tag":22,"props":226,"children":227},{},[228],{"type":26,"value":229},"Delivery controls",{"type":26,"value":231}," — switch it off for that one endpoint and the webhook is delivered.",{"type":17,"tag":18,"props":233,"children":234},{},[235],{"type":17,"tag":182,"props":236,"children":239},{"alt":237,"src":238},"Per-output Delivery controls with a TLS verification toggle","/images/docs/webhooks/tls/tls_output_disable_verification.png",[],{"type":17,"tag":18,"props":241,"children":242},{},[243],{"type":26,"value":244},"Only disable verification for destinations you control and trust, typically on a private network.",{"type":17,"tag":46,"props":246,"children":248},{"id":247},"why-a-relay-is-the-right-place-to-solve-it",[249],{"type":26,"value":250},"Why a relay is the right place to solve it",{"type":17,"tag":144,"props":252,"children":253},{},[254,264,281,291],{"type":17,"tag":148,"props":255,"children":256},{},[257,262],{"type":17,"tag":22,"props":258,"children":259},{},[260],{"type":26,"value":261},"One input, not a fleet of clients.",{"type":26,"value":263}," Relax TLS on the single input a legacy sender uses, instead of lowering the security baseline everywhere it might connect.",{"type":17,"tag":148,"props":265,"children":266},{},[267,272,274,279],{"type":17,"tag":22,"props":268,"children":269},{},[270],{"type":26,"value":271},"Contain the risk.",{"type":26,"value":273}," Legacy settings apply ",{"type":17,"tag":22,"props":275,"children":276},{},[277],{"type":26,"value":278},"per input domain",{"type":26,"value":280},", so the rest of your inputs keep enforcing modern TLS 1.3.",{"type":17,"tag":148,"props":282,"children":283},{},[284,289],{"type":17,"tag":22,"props":285,"children":286},{},[287],{"type":26,"value":288},"Enforce a minimum, too.",{"type":26,"value":290}," Pin a custom minimum TLS version on an input to satisfy a compliance requirement and reject anything weaker.",{"type":17,"tag":148,"props":292,"children":293},{},[294,299,301,307],{"type":17,"tag":22,"props":295,"children":296},{},[297],{"type":26,"value":298},"Reach internal endpoints.",{"type":26,"value":300}," Deliver onward to services behind your firewall through the ",{"type":17,"tag":111,"props":302,"children":304},{"href":303},"/features/webhook-to-internal-server",[305],{"type":26,"value":306},"Webhook Relay agent",{"type":26,"value":308}," — self-signed certificate and all.",{"type":17,"tag":46,"props":310,"children":312},{"id":311},"where-it-earns-its-keep",[313],{"type":26,"value":314},"Where it earns its keep",{"type":17,"tag":144,"props":316,"children":317},{},[318,328,338,348],{"type":17,"tag":148,"props":319,"children":320},{},[321,326],{"type":17,"tag":22,"props":322,"children":323},{},[324],{"type":26,"value":325},"Legacy on-prem and IoT senders.",{"type":26,"value":327}," Appliances, controllers and old ERPs that will never get a TLS upgrade but still need to emit events.",{"type":17,"tag":148,"props":329,"children":330},{},[331,336],{"type":17,"tag":22,"props":332,"children":333},{},[334],{"type":26,"value":335},"Integrations pinned to TLS 1.2.",{"type":26,"value":337}," Senders like PayPal that require a specific older version to connect.",{"type":17,"tag":148,"props":339,"children":340},{},[341,346],{"type":17,"tag":22,"props":342,"children":343},{},[344],{"type":26,"value":345},"Compliance-driven minimums.",{"type":26,"value":347}," Enforce a floor on accepted TLS versions without auditing every producer.",{"type":17,"tag":148,"props":349,"children":350},{},[351,356],{"type":17,"tag":22,"props":352,"children":353},{},[354],{"type":26,"value":355},"Internal and self-signed destinations.",{"type":26,"value":357}," Forward to a service whose certificate a public CA would never vouch for.",{"type":17,"tag":46,"props":359,"children":361},{"id":360},"better-together",[362],{"type":26,"value":363},"Better together",{"type":17,"tag":18,"props":365,"children":366},{},[367,369,375,377,383],{"type":26,"value":368},"TLS compatibility pairs naturally with ",{"type":17,"tag":111,"props":370,"children":372},{"href":371},"/features/durable-retries",[373],{"type":26,"value":374},"durable retries",{"type":26,"value":376}," — persist and retry until the event lands — and ",{"type":17,"tag":111,"props":378,"children":380},{"href":379},"/features/throttling",[381],{"type":26,"value":382},"throttling",{"type":26,"value":384},", so a fragile legacy system is never overwhelmed.",{"type":17,"tag":18,"props":386,"children":387},{},[388,390,398,400,405],{"type":26,"value":389},"Ready to let your legacy systems through? ",{"type":17,"tag":111,"props":391,"children":395},{"href":392,"rel":393},"https://my.webhookrelay.com/register",[394],"nofollow",[396],{"type":26,"value":397},"Create a free account",{"type":26,"value":399},", or read the ",{"type":17,"tag":111,"props":401,"children":402},{"href":113},[403],{"type":26,"value":404},"TLS/SSL error reference",{"type":26,"value":406}," to match the exact error you're seeing.",{"type":17,"tag":408,"props":409,"children":410},"style",{},[411],{"type":26,"value":412},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":89,"depth":89,"links":414},[415,416,417,418,419,420],{"id":48,"depth":80,"text":51},{"id":121,"depth":80,"text":124},{"id":193,"depth":80,"text":196},{"id":247,"depth":80,"text":250},{"id":311,"depth":80,"text":314},{"id":360,"depth":80,"text":363},"markdown","content:features:tls-compatibility.md","content","features/tls-compatibility.md","features/tls-compatibility","md",{"loc":4},1782398396929]