From a4436229e3527c20fac32fcfb9b4c95a030fc6c5 Mon Sep 17 00:00:00 2001
From: ofekshenawa <104765379+ofekshenawa@users.noreply.github.com>
Date: Thu, 14 Aug 2025 11:37:53 +0300
Subject: [PATCH] Potential fix for code scanning alert no. 13: Insecure TLS configuration

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 options.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/options.go b/options.go
index f6982c28..c1bcba81 100644
--- a/options.go
+++ b/options.go
@@ -602,14 +602,17 @@ func setupConnParams(u *url.URL, o *Options) (*Options, error) {
 if minVer < 0 || minVer > 65535 {
 return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 }
- // Handle TLS version setting securely
+ // Always set MinVersion to at least TLS 1.2
 if minVer == 0 {
- // Don't set MinVersion, let Go use its secure default
+ o.TLSConfig.MinVersion = tls.VersionTLS12
 } else if minVer < int(tls.VersionTLS12) {
 return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
 } else {
 o.TLSConfig.MinVersion = uint16(minVer)
 }
+ } else {
+ // If not set, default to TLS 1.2
+ o.TLSConfig.MinVersion = tls.VersionTLS12
 }
 if q.has("tls_max_version") {
 maxVer := q.int("tls_max_version")
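Review bot: The added `else` branch writes `o.TLSConfig.MinVersion` for every URL that omits `tls_min_version`, so `o.TLSConfig` is now dereferenced on a path that previously never touched it. The guard around this block is outside the hunk; if it does not already guarantee a non-nil `o.TLSConfig`, a URL without TLS would panic here, and the branch should read `} else if o.TLSConfig != nil {`. Separately, the unchanged final branch still stores any value from `tls.VersionTLS12` up to 65535 as the floor, so a number that is not a defined TLS version would probably only surface later as a handshake failure; rejecting `minVer > int(tls.VersionTLS13)` at parse time would give a clearer error. setupConnParams starts and ends outside the hunk.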