API Gateway: "Received fatal alert: protocol_version" with TLS 1.3 - HTTP 500

0

Title

HTTP 500 — Execution failed due to configuration error: Received fatal alert: protocol_version

Context

  • Service: Amazon Web Services API Gateway (REST, regional)
  • Error: HTTP 500
  • Log: AWS Execution failed due to configuration error: Received fatal alert: protocol_version

Architecture

  • API Gateway (regional)

    • SSL policy: SecurityPolicy_TLS13_1_3_2025_09
    • Endpoint access mode: Basic
  • Lambda token authorizer

    • Runtime: Node.js 18.x
    • API type: REST
    • Authorization: custom (TOKEN authorizer)
  • Integration

    • Type: HTTP
    • Response transfer mode: Buffered
    • HTTP proxy integration: False
  • Custom domain

    • Regional (API mappings only)
    • AWS-issued RSA2048 certificate
    • SSL policy: SecurityPolicy_TLS13_1_3_2025_09
    • Endpoint access mode: Basic

Additional Context / Question

Traffic to the custom domain is proxied through Cloudflare.

When TLS 1.3 is enforced on the Cloudflare side, the request fails with:

  • HTTP status: 500
  • Header: x-amzn-errortype: AuthorizerConfigurationException
  • Log: AWS Execution failed due to configuration error: Received fatal alert: protocol_version

When TLS 1.3 is not enforced, the request succeeds.

Question: Could enforcing TLS 1.3 on the Cloudflare → API Gateway connection trigger this protocol_version error and the AuthorizerConfigurationException in Amazon Web Services API Gateway, given the architecture described above? If so, which component in this setup is most likely rejecting the TLS version during the request flow?

2 Answers
0

Hello,

The failure happens during the Lambda authorizer execution, not at the custom domain TLS boundary, according to the AuthorizerConfigurationException. The error Received fatal alert: protocol_version typically indicates that the downstream endpoint rejected the TLS version during the handshake when the authorizer sends an HTTPS request to an external service. The problem is probably between the Lambda authorizer (or API Gateway during authorizer execution) and the external HTTPS endpoint, because this TLS negotiation is not dependent on the client → Cloudflare → API Gateway connection.

Check out here for more info

Sources

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/supported-ciphers.html

https://datatracker.ietf.org/doc/html/rfc8446

answered 2 months ago
  • I've checked that and fixed the authorizer. Now another error code is returning: x-amzn-errortype: InternalServerErrorException. Here are the logs: https://jpst.it/4VdEd

0
answered 2 months ago
