diff --git a/core/host/proxy.go b/core/host/proxy.go
index 0714f4fb..81c1a005 100644
--- a/core/host/proxy.go
+++ b/core/host/proxy.go
@@ -22,7 +22,7 @@ import (
 // Look `ProxyHandlerRemote` too.
 func ProxyHandler(target *url.URL, config *tls.Config) *httputil.ReverseProxy {
 	if config == nil {
-		config = &tls.Config{}
+		config = &tls.Config{MinVersion: tls.VersionTLS11}
 	}
 
 	director := func(req *http.Request) {
@@ -89,7 +89,7 @@ func modifyProxiedRequest(req *http.Request, target *url.URL) {
 // Look `ProxyHandler` too.
 func ProxyHandlerRemote(target *url.URL, config *tls.Config) *httputil.ReverseProxy {
 	if config == nil {
-		config = &tls.Config{}
+		config = &tls.Config{MinVersion: tls.VersionTLS11}
 	}
 
 	director := func(req *http.Request) {
diff --git a/core/host/proxy_test.go b/core/host/proxy_test.go
index 96070219..9d5cfd0a 100644
--- a/core/host/proxy_test.go
+++ b/core/host/proxy_test.go
@@ -27,6 +27,7 @@ func TestProxy(t *testing.T) {
 
 	config := &tls.Config{
 		InsecureSkipVerify: true,
+		MinVersion:         tls.VersionTLS11,
 		MaxVersion:         tls.VersionTLS12,
 	}
 	proxy := host.NewProxy("", u, config)
diff --git a/core/host/supervisor_test.go b/core/host/supervisor_test.go
index 380b7a7f..a5f784be 100644
--- a/core/host/supervisor_test.go
+++ b/core/host/supervisor_test.go
@@ -25,7 +25,7 @@ func newTester(t *testing.T, baseURL string, handler http.Handler) *httpexpect.E
 
 	if strings.HasPrefix(baseURL, "http") { // means we are testing real serve time
 		transporter = &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS11},
 		}
 	} else { // means we are testing the handler itself
 		transporter = httpexpect.NewBinder(handler)
diff --git a/core/netutil/tcp.go b/core/netutil/tcp.go
index 05e6fe52..9f33ee81 100644
--- a/core/netutil/tcp.go
+++ b/core/netutil/tcp.go
@@ -145,7 +145,7 @@ func LETSENCRYPT(addr string, reuse bool, serverName string, cacheDirOptional ..
 	} else {
 		m.Cache = autocert.DirCache(cacheDir)
 	}
-	tlsConfig := &tls.Config{GetCertificate: m.GetCertificate}
+	tlsConfig := &tls.Config{GetCertificate: m.GetCertificate, MinVersion: tls.VersionTLS13}
 
 	// use InsecureSkipVerify or ServerName to a value
 	if serverName == "" {
diff --git a/httptest/httptest.go b/httptest/httptest.go
index 9467ca95..3db87c0d 100644
--- a/httptest/httptest.go
+++ b/httptest/httptest.go
@@ -153,7 +153,7 @@ func NewInsecure(t *testing.T, setters ...OptionSetter) *httpexpect.Expect {
 		setter.Set(conf)
 	}
 	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // lint:ignore
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS11}, // lint:ignore
 	}
 
 	testConfiguration := httpexpect.Config{