From 8177070673e2a234cd46f739d4850824828d8ae5 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sat, 25 Feb 2023 22:46:19 +0000
Subject: [PATCH] Set minimum TLS version to 1.2

---
 CHANGELOG.md | 1 +
 src/net/tls.rs | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba24f2c2df..e2d91b6756 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ### Changes
 - Make smeared timestamp generation non-async. #4075
+- Set minimum TLS version to 1.2. #4096
 ### Fixes
 - Do not block async task executor while decrypting the messages. #4079
diff --git a/src/net/tls.rs b/src/net/tls.rs
index 980504416d..7bb6badfed 100644
--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -1,7 +1,7 @@
 //! TLS support.
 use anyhow::Result;
-use async_native_tls::{Certificate, TlsConnector, TlsStream};
+use async_native_tls::{Certificate, Protocol, TlsConnector, TlsStream};
 use once_cell::sync::Lazy;
 use tokio::io::{AsyncRead, AsyncWrite};
@@ -15,7 +15,9 @@ static LETSENCRYPT_ROOT: Lazy = Lazy::new(|| {
 });
 pub fn build_tls(strict_tls: bool) -> TlsConnector {
- let tls_builder = TlsConnector::new().add_root_certificate(LETSENCRYPT_ROOT.clone());
+ let tls_builder = TlsConnector::new() .min_protocol_version(Some(Protocol::Tlsv12)) .add_root_certificate(LETSENCRYPT_ROOT.clone());
 if strict_tls {
 tls_builder