Skip to content

ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Key idea:

ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY — Chrome refused an HTTP/2 connection because the TLS setup does not meet RFC 7540 requirements: TLS 1.2 minimum, AEAD cipher (GCM, CCM, ChaCha20-Poly1305), ECDHE key exchange. Legacy ciphers (RC4, AES-CBC, 3DES) are forbidden in HTTP/2. Fix: nginx modern ssl_ciphers.

Below: causes, fixes, FAQ.

Check your site's SSL →

Common Causes

  • TLS 1.1 or lower used with HTTP/2
  • AES-CBC ciphers (non-AEAD) — forbidden for HTTP/2
  • No ECDHE ciphers — only RSA key exchange
  • Blocked cipher list RFC 7540 (long list)
  • nginx older than 1.13 with legacy cipher defaults

Step-by-Step Fix

  1. nginx modern: ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  2. TLS 1.3 cipher suites are HTTP/2-compliant automatically
  3. ssl_prefer_server_ciphers on; + modern config
  4. Enterno SSL Checker shows the cipher list
  5. Or temporarily disable HTTP/2: listen 443 ssl; without http2

Check SSL Certificate →

Related SSL Errors

TL;DR

The SSL error ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY indicates that your server is attempting to establish an HTTP/2 connection using a TLS version or cipher suite that is deemed insecure. To resolve this, ensure that your server supports TLS 1.2 or higher and only uses strong cipher suites, such as AES-GCM. Review your server configuration and update it accordingly to avoid this error.

Understanding ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

The ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error occurs when a client attempts to establish an HTTP/2 connection, but the server's configuration does not meet the security requirements of the protocol. HTTP/2 mandates the use of secure connections via TLS, and as security standards evolve, older versions of TLS (like TLS 1.0 and 1.1) and weak cipher suites are increasingly being deprecated.

Specifically, the HTTP/2 specification requires that a secure connection be established with TLS 1.2 or above. If the server is configured to use an outdated version of TLS or weak ciphers, clients will reject the connection, resulting in this error. This is particularly relevant as browsers and other clients continuously update their security policies, often dropping support for older, less secure protocols.

To ensure compliance, it is important to regularly audit your server's SSL/TLS configuration. You can utilize tools like Qualys SSL Labs' SSL Test, which provides a comprehensive analysis of your SSL configuration and highlights any areas of concern.

Additionally, many compliance frameworks and regulatory bodies (such as PCI DSS) require the use of strong encryption protocols, making it essential for websites handling sensitive information to adhere to these standards.

Practical Steps to Resolve the Error

To resolve the ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error, follow these steps to ensure your server is configured correctly:

  1. Check Your TLS Version: Ensure that your server supports TLS 1.2 or higher. You can check the supported protocols using the following command:
openssl s_client -connect yourdomain.com:443 -tls1_2

If you receive a successful connection response, your server supports TLS 1.2. If not, you will need to update your server configuration.

  1. Update Cipher Suites: Review the cipher suites enabled on your server. You should disable weak ciphers and only allow strong ciphers. For example, on an Nginx server, you can specify supported ciphers in your configuration file:
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';

This configuration enforces the use of secure ciphers for TLS connections. Make sure to restart the server after making changes.

  1. Enable HTTP/2: If your server is not already configured to support HTTP/2, you can enable it by adding the following directive to your Nginx configuration:
listen 443 ssl http2;

Ensure that this line is present in your server block configuration to allow HTTP/2 connections over SSL.

  1. Test Your Configuration: After making the necessary changes, test your server configuration again using the same SSL testing tool to ensure that it meets the required standards for HTTP/2.

By following these steps, you can mitigate the risk of encountering the ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY error and ensure that your server is compliant with modern security practices.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

Why strict HTTP/2 cipher requirements?

RFC 7540 prohibits vulnerable ciphers at the protocol level. Even if TLS accepted the cipher, HTTP/2 rejects it for defence-in-depth.

Does HTTP/3 have the same requirements?

Similar, through QUIC. TLS 1.3 only for QUIC.

Backwards compatibility?

HTTP/1.1 fallback works for old clients. But HTTP/2 — strict cipher requirements.

Mozilla SSL Config Generator?

Use for correct config: ssl-config.mozilla.org. Pick Modern or Intermediate.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.