Why am I seeing "unsupported protocol" errors from my apps using SSL?

Issue

When sending requests to your application, you're seeing errors like:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

Resolution

This issue often happens when your SSL certificate uses elliptic curve algorithms, either in the signature algorithm used to sign the certificate or in the key itself. A certificate can be signed with an elliptic curve algorithm even though its key was not generated with one. If either is the case (or both), the certificate will not work on the Heroku platform.

You can check your certificate by running:

openssl x509 -noout -text -in ~/path/to/your/certificate.crt

A line like this indicates that your certificate was signed using an elliptic curve signature algorithm (the ec in ecdsa indicates 'elliptic curve'):

Signature Algorithm: ecdsa-with-SHA256

You can also look for a line mentioning ASN1 OID, which indicates that the key was generated using an elliptic curve (the value is the named curve that was used).

If you see that your SSL certificate uses an elliptic curve algorithm, contact the certificate issuer you used to see if they can issue you an RSA certificate instead.
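
The check described above as a script, added here as an example and not Heroku's own tooling: it reads the output of the openssl command on stdin and reports the signature condition and the key condition separately. The function names and the sample text are constructed for illustration; the id-ecPublicKey match is an extra indicator beyond the ASN1 OID line.

```shell
#!/bin/sh
# Added example (not Heroku tooling). Reads `openssl x509 -noout -text`
# output on stdin and prints one of:
#   no-ec | ec-signature | ec-key | ec-signature+ec-key
classify_cert_text() {
    text=$(cat)
    sig=no
    key=no
    # Certificate signature, e.g. "Signature Algorithm: ecdsa-with-SHA256"
    if printf '%s\n' "$text" | grep -Eq 'Signature Algorithm:[[:space:]]*ecdsa'; then
        sig=yes
    fi
    # EC public key: openssl prints the named curve on an "ASN1 OID:" line
    if printf '%s\n' "$text" | grep -Eq 'ASN1 OID:|Public Key Algorithm:[[:space:]]*id-ecPublicKey'; then
        key=yes
    fi
    case "$sig/$key" in
        yes/yes) echo "ec-signature+ec-key" ;;
        yes/no)  echo "ec-signature" ;;
        no/yes)  echo "ec-key" ;;
        *)       echo "no-ec" ;;
    esac
}

# Hypothetical helper: run the openssl command from this page on a file.
check_cert_file() {
    openssl x509 -noout -text -in "$1" | classify_cert_text
}

# Constructed, abbreviated openssl text output (not a real certificate).
# $1 = signature algorithm name, $2 = "ec" or "rsa" public key
sample_text() {
    echo "        Signature Algorithm: $1"
    if [ "$2" = ec ]; then
        echo "            Public Key Algorithm: id-ecPublicKey"
        echo "                Public-Key: (256 bit)"
        echo "                ASN1 OID: prime256v1"
    else
        echo "            Public Key Algorithm: rsaEncryption"
        echo "                Public-Key: (2048 bit)"
    fi
    echo "    Signature Algorithm: $1"
}

# Demo on the constructed samples.
sample_text sha256WithRSAEncryption rsa | classify_cert_text  # no-ec
sample_text ecdsa-with-SHA256 rsa | classify_cert_text        # ec-signature
sample_text sha256WithRSAEncryption ec | classify_cert_text   # ec-key
sample_text ecdsa-with-SHA256 ec | classify_cert_text         # ec-signature+ec-key
```

Any result other than no-ec matches one of the conditions this article describes; to check a real file, call check_cert_file with the path to your certificate.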
