diff --git a/options.go b/options.go
index fc380638..f6982c28 100644
--- a/options.go
+++ b/options.go
@@ -602,22 +602,28 @@ func setupConnParams(u *url.URL, o *Options) (*Options, error) {
 			if minVer < 0 || minVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 			}
-			// Enforce minimum TLS 1.2 for security
-			if minVer > 0 && minVer < int(tls.VersionTLS12) {
+			// Handle TLS version setting securely
+			if minVer == 0 {
+				// Don't set MinVersion, let Go use its secure default
+			} else if minVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
+			} else {
+				o.TLSConfig.MinVersion = uint16(minVer)
 			}
-			o.TLSConfig.MinVersion = uint16(minVer)
 		}
 		if q.has("tls_max_version") {
 			maxVer := q.int("tls_max_version")
 			if maxVer < 0 || maxVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_max_version: %d (must be between 0 and 65535)", maxVer)
 			}
-			// Ensure max version is not lower than TLS 1.2
-			if maxVer > 0 && maxVer < int(tls.VersionTLS12) {
+			// Handle TLS max version setting securely
+			if maxVer == 0 {
+				// Don't set MaxVersion, let Go use its secure default
+			} else if maxVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_max_version %d is insecure (minimum allowed is TLS 1.2: %d)", maxVer, tls.VersionTLS12)
+			} else {
+				o.TLSConfig.MaxVersion = uint16(maxVer)
 			}
-			o.TLSConfig.MaxVersion = uint16(maxVer)
 		}
 
 		tlsServerName := q.string("tls_server_name")
diff --git a/options_test.go b/options_test.go
index 97a8f700..5dff8205 100644
--- a/options_test.go
+++ b/options_test.go
@@ -77,6 +77,9 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		}, {
 			url: "rediss://localhost:123?tls_min_version=70000",
 			err: errors.New("redis: invalid tls_min_version: 70000 (must be between 0 and 65535)"),
+		}, {
+			url: "rediss://localhost:123?tls_min_version=0",
+			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 		}, {
 			url: "rediss://localhost:123/?skip_verify=true",
 			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},
diff --git a/osscluster.go b/osscluster.go
index c560d411..6e57bef8 100644
--- a/osscluster.go
+++ b/osscluster.go
@@ -329,22 +329,28 @@ func setupClusterQueryParams(u *url.URL, o *ClusterOptions) (*ClusterOptions, er
 			if minVer < 0 || minVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 			}
-			// Enforce minimum TLS 1.2 for security
-			if minVer > 0 && minVer < int(tls.VersionTLS12) {
+			// Handle TLS version setting securely
+			if minVer == 0 {
+				// Don't set MinVersion, let Go use its secure default
+			} else if minVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
+			} else {
+				o.TLSConfig.MinVersion = uint16(minVer)
 			}
-			o.TLSConfig.MinVersion = uint16(minVer)
 		}
 		if q.has("tls_max_version") {
 			maxVer := q.int("tls_max_version")
 			if maxVer < 0 || maxVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_max_version: %d (must be between 0 and 65535)", maxVer)
 			}
-			// Ensure max version is not lower than TLS 1.2
-			if maxVer > 0 && maxVer < int(tls.VersionTLS12) {
+			// Handle TLS max version setting securely
+			if maxVer == 0 {
+				// Don't set MaxVersion, let Go use its secure default
+			} else if maxVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_max_version %d is insecure (minimum allowed is TLS 1.2: %d)", maxVer, tls.VersionTLS12)
+			} else {
+				o.TLSConfig.MaxVersion = uint16(maxVer)
 			}
-			o.TLSConfig.MaxVersion = uint16(maxVer)
 		}
 
 		tlsServerName := q.string("tls_server_name")
diff --git a/sentinel.go b/sentinel.go
index e7005ded..e672d9c8 100644
--- a/sentinel.go
+++ b/sentinel.go
@@ -439,22 +439,28 @@ func setupFailoverConnParams(u *url.URL, o *FailoverOptions) (*FailoverOptions,
 			if minVer < 0 || minVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 			}
-			// Enforce minimum TLS 1.2 for security
-			if minVer > 0 && minVer < int(tls.VersionTLS12) {
+			// Handle TLS version setting securely
+			if minVer == 0 {
+				// Don't set MinVersion, let Go use its secure default
+			} else if minVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
+			} else {
+				o.TLSConfig.MinVersion = uint16(minVer)
 			}
-			o.TLSConfig.MinVersion = uint16(minVer)
 		}
 		if q.has("tls_max_version") {
 			maxVer := q.int("tls_max_version")
 			if maxVer < 0 || maxVer > 65535 {
 				return nil, fmt.Errorf("redis: invalid tls_max_version: %d (must be between 0 and 65535)", maxVer)
 			}
-			// Ensure max version is not lower than TLS 1.2
-			if maxVer > 0 && maxVer < int(tls.VersionTLS12) {
+			// Handle TLS max version setting securely
+			if maxVer == 0 {
+				// Don't set MaxVersion, let Go use its secure default
+			} else if maxVer < int(tls.VersionTLS12) {
 				return nil, fmt.Errorf("redis: tls_max_version %d is insecure (minimum allowed is TLS 1.2: %d)", maxVer, tls.VersionTLS12)
+			} else {
+				o.TLSConfig.MaxVersion = uint16(maxVer)
 			}
-			o.TLSConfig.MaxVersion = uint16(maxVer)
 		}
 
 		tlsServerName := q.string("tls_server_name")