From ec8e800a6a7a4e8addfa8d0be50cacf9009733bc Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Sat, 27 Jan 2024 17:27:00 +0100
Subject: [PATCH] Set the minimum security protocol version for SecRemoteRules
---
 CHANGES | 2 ++
 src/utils/https_client.cc | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 423571e6..8e49d571 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 v3.x.y - YYYY-MMM-DD (to be released)
 -------------------------------------
+ - Set the minimum security protocol version for SecRemoteRules
+ [Issue security/code-scanning/2 - @airween]
 v3.0.11 - 2023-Dec-06
 ---------------------
diff --git a/src/utils/https_client.cc b/src/utils/https_client.cc
index 1ba5fd86..9ee84b15 100644
--- a/src/utils/https_client.cc
+++ b/src/utils/https_client.cc
@@ -87,8 +87,8 @@ bool HttpsClient::download(const std::string &uri) {
 headers_chunk = curl_slist_append(headers_chunk, m_key.c_str());
 }
- /* Make it TLS 1.x only. */
- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ /* Make it TLS 1.2 at least. */
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
 /* those are the default options, but lets make sure */
 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
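Review bot: The result of the new `curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)` call in src/utils/https_client.cc is discarded, so if the linked libcurl or its TLS backend rejects the option, the transfer would presumably go ahead with libcurl's default protocol floor and the remote rules would be fetched without the minimum this commit intends. Consider failing closed instead, e.g. `if (curl_easy_setopt(curl, CURLOPT_SSLVERSION, (long)CURL_SSLVERSION_TLSv1_2) != CURLE_OK) { /* log and take the function's error path */ }`. The `(long)` cast is worth adding because curl_easy_setopt is variadic and reads this option as a long. The cleanup and return path of HttpsClient::download lie outside the hunk, so the exact error handling has to follow what the rest of the function does.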