From 377a9351957ae2e9a83269cf30775fc4c22c68d7 Mon Sep 17 00:00:00 2001
From: Lucas Alvares Gomes
Date: Tue, 10 Mar 2026 13:27:57 +0000
Subject: [PATCH] Enforce the minimum TLS version to 1.3

Based on the QPC analysis tool we should enforce the minimum version of TLS to 1.3 as older TLS versions are vulnerable to quantum attacks.
Signed-off-by: Lucas Alvares Gomes
---
 cmd/main.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index 1f71bf5e..8c0505d3 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -90,14 +90,14 @@ func main() {
 // Rapid Reset CVEs. For more information see:
 // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
 // - https://github.com/advisories/GHSA-4374-p667-p6c8
- disableHTTP2 := func(c *tls.Config) {
- setupLog.Info("disabling http/2")
- c.NextProtos = []string{"http/1.1"}
- }
-
- if !enableHTTP2 {
- tlsOpts = append(tlsOpts, disableHTTP2)
- }
+ tlsOpts = append(tlsOpts, func(c *tls.Config) {
+ setupLog.Info("enforcing minimum TLS version 1.3")
+ c.MinVersion = tls.VersionTLS13
+ if !enableHTTP2 {
+ setupLog.Info("disabling http/2")
+ c.NextProtos = []string{"http/1.1"}
+ }
+ })
 webhookServer := webhook.NewServer(webhook.Options{
 TLSOpts: tlsOpts,
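Review bot: The new closure sets `c.MinVersion = tls.VersionTLS13` unconditionally, but the only comment above it (the Rapid Reset CVE note, which survives from the old code) explains just the HTTP/2 branch, so a reader now finds a TLS-version decision with no stated rationale or compatibility caveat; I would put a line such as `// Require TLS 1.3 (no legacy cipher suites or RSA key transport); peers that cannot negotiate TLS 1.3 will fail the handshake.` directly above `c.MinVersion`, and I would also make the existing Rapid Reset comment sit on the `if !enableHTTP2` line it actually describes. Worth stating in that comment is that TLS 1.3 alone is not quantum-resistant — as I understand it, the concrete benefit is that TLS 1.3 is the prerequisite for the hybrid post-quantum key exchange Go's crypto/tls negotiates by default on recent toolchains — so the commit's "vulnerable to quantum attacks" wording should not be copied into the code. Two hedged points to confirm outside the hunk: whether `tlsOpts` is also handed to the metrics server (the usual scaffolding does), in which case this raises the floor for scrapers too, and whether any other option sets `c.CipherSuites`, which crypto/tls ignores once the minimum is TLS 1.3, so such a setting would silently stop having effect. main() continues outside the hunk.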