#8671 SECP521R1 not supported for Hyperdrive
Confirmed Hyperdrive platform limitation (not workers-sdk bug). Maintainer confirmed secp521r1 unsupported, tracked internally as SQC-482. Workaround available (use prime256v1 curve).
No action needed - platform team tracking internally
Analysis Report
Issue #8671: SECP521R1 not supported for Hyperdrive
Summary
| Field | Value |
|---|---|
| State | OPEN |
| Created | 2025-03-25 |
| Updated | 2025-10-30 |
| Labels | bug, internal |
| Author | ktzug |
Problem Description
The reporter is unable to connect Hyperdrive to a PostgreSQL database whose SSL certificates use the SECP521R1 elliptic curve. The issue arises with Coolify's auto-generated SSL certificates, which hardcode the SECP521R1 curve.
Errors observed:
- Wrangler: `Failed to connect to the provided database: Internal error. [code: 2015]`
- PostgreSQL logs: `could not accept SSL connection: no suitable signature algorithm`
Analysis
Maintainer Response
A Cloudflare maintainer (@petebacondarwin) investigated and confirmed with the Hyperdrive team that ssl_ecdh_curve=secp521r1 is not currently supported. The feature has been added to their backlog for later in 2025.
Internal Tracking
The issue is being tracked internally at Jira ticket SQC-482.
Workaround Provided
@ReppCodes from the Hyperdrive team provided a workaround: users can generate their own SSL certificates using a supported curve (prime256v1) instead of relying on Coolify's auto-generated certificates that use the unsupported secp521r1 curve.
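The workaround above, as an added shell example (not taken from the issue thread or from Cloudflare): it uses the OpenSSL CLI to generate an EC key and self-signed server certificate on a chosen curve, and to report which curve an existing certificate uses. The function names, file names and host name are assumptions; only `prime256v1` and `secp521r1` are classified, because those are the two curves the issue names.

```shell
#!/bin/sh
# Added example. Function names, output file names and the host name are
# placeholders chosen for illustration, not values from the issue.

# Print the named curve of a certificate's public key, e.g. "prime256v1".
# Prints nothing for non-EC keys (RSA, Ed25519).
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Classify a certificate by the curves named in the issue:
#   0 = prime256v1 (the curve the workaround uses)
#   1 = secp521r1  (reported as unsupported by Hyperdrive)
#   2 = anything else (not covered by the issue; verify separately)
check_cert_curve() {
    case "$(cert_curve "$1")" in
        prime256v1) return 0 ;;
        secp521r1)  return 1 ;;
        *)          return 2 ;;
    esac
}

# Generate an EC private key on <curve> and a self-signed server certificate.
# usage: gen_server_cert <curve> <hostname> <outdir>
gen_server_cert() {
    curve=$1 host=$2 out=$3
    openssl ecparam -name "$curve" -genkey -noout -out "$out/server.key" || return 1
    # PostgreSQL refuses to load a key that is group- or world-readable.
    chmod 600 "$out/server.key"
    openssl req -new -x509 -key "$out/server.key" -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$out/server.crt"
}

# Typical use (paths are placeholders):
#   check_cert_curve /path/to/existing/server.crt; echo "status: $?"
#   gen_server_cert prime256v1 db.example.internal ./certs
```

Running `check_cert_curve` against the certificate the database currently serves confirms whether the curve is the cause before any certificate is replaced.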
Key Points
- This is a Hyperdrive platform limitation, not a workers-sdk bug
- The issue is labeled with "internal" - requires support from the Cloudflare Platform team
- The feature is on the Hyperdrive team's backlog
- A workaround exists (use custom certificates with the `prime256v1` curve)
Recommendation
KEEP OPEN - This is a valid feature request/limitation that is being tracked internally (SQC-482). The issue is appropriately labeled and serves as a reference for other users who may encounter the same problem. The Hyperdrive team has acknowledged the limitation and indicated plans to add support for secp521r1 in their roadmap.
Confidence
HIGH - Clear maintainer acknowledgment of the limitation, internal tracking ticket created, and explicit statement that the feature is planned for the backlog.