How ngrok's TLS Handshake Works

ngrok uses TLS 1.3 (the latest version) by default. If a client does not support TLS 1.3, ngrok will use the highest possible version that the client supports, down to TLS 1.1.

You may customize the minimum and maximum supported versions of TLS with the terminate-tls traffic policy action.

ALPN

https endpoints negotiate the next protocol via ALPN with the following default list in order of preference:

Loading…

SNI

ngrok endpoints do not support legacy clients which do not set the SNI extension. For example, the following clients (and others) will fail to work with ngrok endpoints:

Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 7 & 8 on Windows XP or earlier
Native browser on Android 2.X
Java <=1.6
Python 2.X, 3.0, 3.1 if required modules are not installed

Encrypted Client Hello

ngrok endpoints do not yet support the draft implementation of Encrypted Client Hello.

ALPN​

SNI​

Encrypted Client Hello​

ALPN

SNI

Encrypted Client Hello