diff --git a/README.md b/README.md
index ee802416d..41c8bd47f 100644
--- a/README.md
+++ b/README.md
@@ -132,3 +132,16 @@ Devices and Firmware.
 
 For a Device to be considered eligible for a given Deployment, it must have
 *all* the tags in the Deployment's "tags" condition.
+
+### Potential SSL issues
+
+OTP > 24.2.2 switched to use TLS1.3 by default and made quite a few fixes/changes
+to how it is implemented in the `:ssl` module. This has affected the setup of
+client authentication in a few different ways depending on how you have your
+server and device configured:
+
+| Server | Client | Effect |
+| --- | --- | --- |
+|TLS1.3 | TLS1.3| `certificate_required` error (needs OTP 25.2 - see https://github.com/erlang/otp/issues/6106)  |
+|TLS1.3|TLS1.2|  `CLIENT ALERT: Fatal - Handshake Failure - :unacceptable_ecdsa_key` - Happens because the client is attempting to sign with `:she` as the signature algorithm. The workaround is to specify `ssl: [signature_algs: [{:sha256, :ecdsa},{:sha512, :ecdsa}]]`|
+|TLS1.2 | TLS1.3 or TLS1.2 | Successful|
diff --git a/apps/nerves_hub_device/config/release.exs b/apps/nerves_hub_device/config/release.exs
index f7138104f..bca4fa323 100644
--- a/apps/nerves_hub_device/config/release.exs
+++ b/apps/nerves_hub_device/config/release.exs
@@ -53,6 +53,7 @@ config :nerves_hub_device, NervesHubDeviceWeb.Endpoint,
     port: 443,
     otp_app: :nerves_hub_device,
     # Enable client SSL
+    versions: [:"tlsv1.2"],
     verify: :verify_peer,
     fail_if_no_peer_cert: true,
     keyfile: "/etc/ssl/#{host}-key.pem",
diff --git a/config/dev.exs b/config/dev.exs
index beecb61a3..697019fc9 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -43,6 +43,7 @@ config :nerves_hub_device, NervesHubDeviceWeb.Endpoint,
     port: 4001,
     otp_app: :nerves_hub_device,
     # Enable client SSL
+    versions: [:"tlsv1.2"],
     verify: :verify_peer,
     verify_fun: {&NervesHubDevice.SSL.verify_fun/3, nil},
     fail_if_no_peer_cert: true,