diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba24f2c2d..e2d91b675 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ### Changes
 - Make smeared timestamp generation non-async. #4075
+- Set minimum TLS version to 1.2. #4096
 ### Fixes
 - Do not block async task executor while decrypting the messages. #4079
diff --git a/src/net/tls.rs b/src/net/tls.rs
index 980504416..7bb6badfe 100644
--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -1,7 +1,7 @@
 //! TLS support.
 use anyhow::Result;
-use async_native_tls::{Certificate, TlsConnector, TlsStream};
+use async_native_tls::{Certificate, Protocol, TlsConnector, TlsStream};
 use once_cell::sync::Lazy;
 use tokio::io::{AsyncRead, AsyncWrite};
@@ -15,7 +15,9 @@ static LETSENCRYPT_ROOT: Lazy = Lazy::new(|| {
 });
 pub fn build_tls(strict_tls: bool) -> TlsConnector {
- let tls_builder = TlsConnector::new().add_root_certificate(LETSENCRYPT_ROOT.clone());
+ let tls_builder = TlsConnector::new()
+ .min_protocol_version(Some(Protocol::Tlsv12))
+ .add_root_certificate(LETSENCRYPT_ROOT.clone());
 if strict_tls {
 tls_builder
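Review bot: The module doc comment `//! TLS support.` in this hunk does not mention the protocol floor the same commit adds in `build_tls` (`min_protocol_version(Some(Protocol::Tlsv12))`), so the policy is only discoverable by reading the builder chain; consider `//! TLS support. Connectors built by build_tls refuse to negotiate anything below TLS 1.2.` The `Protocol` import added here appears to be used only by that call. The `build_tls` hunk is cut off after `if strict_tls {`, so whether the floor is kept on both the strict and non-strict paths cannot be confirmed from the diff; stating it as the intended policy in the module doc makes any later relaxation visible in review.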