From b687f51840a855d3c08989799b27c503b670193a Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Sat, 27 Jan 2024 17:09:43 +0100
Subject: [PATCH] Set the minimum security protocol version for SecRemoteRules
---
 CHANGES | 2 ++
 apache2/msc_remote_rules.c | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 3a75c62c..517e76b7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 DD mmm YYYY - 2.9.x (to be released)
 -------------------
+ * Set the minimum security protocol version for SecRemoteRules
+ [Issue security/code-scanning/2 - @airween]
 * Allow lua version 5.4
 [Issue #2996 - @3eka, @martinhsv]
 * Configure: do not check for pcre1 if pcre2 requested
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 99968f04..37b88648 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -331,8 +331,8 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
 headers_chunk = curl_slist_append(headers_chunk, header_key);
 }
- /* Make it TLS 1.x only. */
- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ /* Make it TLS 1.2 at least. */
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
 #ifdef WIN32
 res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
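Review bot: The result of `curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)` in the msc_remote_rules.c hunk is discarded, so if libcurl or its TLS backend rejects the value, the handle keeps the library's default protocol range and the remote rules are fetched without the intended floor. Because this call is the whole control the commit adds, it should fail closed: `if (curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK)`, followed by whatever error path the rest of the function uses (not visible here). The constant needs libcurl 7.34.0 or newer at build time, and on older releases in that range it probably pins TLS 1.2 exactly rather than setting a minimum, so "at least" in the comment is worth checking against the supported libcurl versions. msc_remote_download_content starts and ends outside the hunk.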