diff --git a/osscluster_test.go b/osscluster_test.go
index 4c3ec6a5..a9ee373b 100644
--- a/osscluster_test.go
+++ b/osscluster_test.go
@@ -1637,7 +1637,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 }, {
 test: "ParseRedissURL",
 url: "rediss://localhost:123",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 }, {
 test: "MissingRedisPort",
 url: "redis://localhost",
@@ -1653,7 +1653,7 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 }, {
 test: "MultipleRedissURLs",
 url: "rediss://localhost:123?addr=localhost:1234&addr=localhost:12345",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 }, {
 test: "RedissTLSParams",
 url: "rediss://localhost:123?tls_server_name=abc&tls_min_version=771&tls_max_version=772&skip_verify=true",
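Review bot: The updated expectations pin the new MinVersion default on every rediss case (here and in the -1653 and -1661 hunks), but no table entry asserts the rejection side of the floor — a URL with `tls_min_version=769` (TLS 1.0) should now fail to parse rather than yield a config, and that path is untested. The ClusterOptions parser change itself is not in this chunk, so I am assuming it mirrors the sentinel.go change below; a case such as `{test: "RedissTLSMinVersionTooLow", url: "rediss://localhost:123?tls_min_version=769", ...}` using whatever error expectation the table supports would cover it. The RedissTLSParams entry (771/772) already covers the accepted side, so only the negative case is missing.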
@@ -1661,11 +1661,11 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 }, {
 test: "RedissTLSCert",
 url: "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", Certificates: []tls.Certificate{testCert}}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{testCert}}},
 }, {
 test: "RedissSkipVerify",
 url: "rediss://localhost:123?skip_verify=true",
- o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}},
+ o: &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},
 }, {
 test: "OnlyPassword",
 url: "redis://:bar@localhost:123",
diff --git a/sentinel.go b/sentinel.go
index 6ec7cad8..1f854c6c 100644
--- a/sentinel.go
+++ b/sentinel.go
@@ -439,15 +439,17 @@ func setupFailoverConnParams(u *url.URL, o *FailoverOptions) (*FailoverOptions,
 if minVer < 0 || minVer > 65535 {
 return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 }
- // Handle TLS version setting securely
+ // Always enforce TLS 1.2 as minimum
 if minVer == 0 {
- // Explicitly set MinVersion to TLS 1.2 for security
 o.TLSConfig.MinVersion = tls.VersionTLS12
 } else if minVer < int(tls.VersionTLS12) {
 return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
 } else {
 o.TLSConfig.MinVersion = uint16(minVer)
 }
+ } else {
+ // If not specified, always set minimum to TLS 1.2
+ o.TLSConfig.MinVersion = tls.VersionTLS12
 }
 if q.has("tls_max_version") {
 maxVer := q.int("tls_max_version")
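Review bot: The TLS 1.2 floor is now assigned in two places — inside the `minVer == 0` branch and in the new `else` — which is easy to let drift; assigning `o.TLSConfig.MinVersion = tls.VersionTLS12` once before the `tls_min_version` check and letting an explicit value only raise it removes the duplication (rewrite below; the `if q.has(...)` and `minVer :=` lines it shows sit above the hunk and are inferred from the visible `tls_max_version` lines, so verify them). The hunk does not show where `o.TLSConfig` is created, so confirm it is non-nil on every path that reaches this block. With the floor now forced, a `tls_max_version` below 771 produces a config that only fails at handshake time; a parse-time check after the max-version block, `if o.TLSConfig.MaxVersion != 0 && o.TLSConfig.MaxVersion < o.TLSConfig.MinVersion { return nil, fmt.Errorf(...) }`, would surface the contradiction at URL parse time — that block continues past the end of the hunk. The osscluster_test.go hunks above only cover ClusterOptions, so no visible test exercises this FailoverOptions path. setupFailoverConnParams begins and ends outside the hunk.
```go
// Floor is TLS 1.2 whether or not tls_min_version is present; an explicit value may only raise it.
o.TLSConfig.MinVersion = tls.VersionTLS12
if q.has("tls_min_version") {
	minVer := q.int("tls_min_version")
	// … unchanged: 0..65535 range check on minVer …
	switch {
	case minVer == 0:
		// explicit 0 keeps the default floor
	case minVer < int(tls.VersionTLS12):
		return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
	default:
		o.TLSConfig.MinVersion = uint16(minVer)
	}
}
// … unchanged: tls_max_version handling …
```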