How do I disable support for TLS 1.0 or 1.1 on a Heroku App?

Heroku offers several different ways to terminate TLS/SSL. Whether you can disable TLS 1.0 and/or 1.1 depends on which TLS termination method is configured for your app.

Common Runtime

Automated Certificate Management / Free Heroku SSL (SNI)

For applications using Automated Certificate Management or the free Heroku SSL (SNI) TLS 1.0 & TLS 1.1 cannot currently be configured but will have changes in the coming weeks, please see: TLS v1.0/v1.1 End Of Life Schedule

Private Spaces

The default suite supports TLSv1.1 and TLSv1.2 (but not TLSv1.0). It provides good security and is compatible with a large range of browsers and clients.

For more details and instructions on changing the cipher suites view the Private Spaces documentation.

Legacy Common Runtime

SSL Endpoint Add-on

The SSL Endpoint add-on is deprecated and can no longer be provisioned as of 2021-05-14

However, if your application already has the SSL Endpoint add-on provisioned we can disable any protocols you want on a per add-on basis. Some older browsers would no longer be able to connect to your app, so we'd ask you to perform your own investigation into whether this would impact your site's visitors before making this request.

If you'd like to proceed, you can open a ticket to request disabling TLS 1.0/1.1 for your app that's using the SSL Endpoint Add-on.

Please Note: Before opening a ticket please ensure you have the SSL endpoint add-on provisioned on your app and an SSL certificate uploaded to it. Please provide the Name of the SSL endpoint, shown when running heroku certs --app app-name and if you require just TLS 1.0 or both TLS 1.0 & TLS 1.1 disabled.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support