From 2e34cdfed3a849c38b324ec99e5af1c7d0a1f98d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=BA=90=E6=96=87=E9=9B=A8?= <41315874+fumiama@users.noreply.github.com>
Date: Mon, 6 Oct 2025 10:51:44 +0800
Subject: [PATCH] feat: limit tls minversion to 1.2
---
 dns/dns.go | 5 ++++-
 dns/dns_test.go | 5 ++++-
 http/http.go | 2 ++
 terasu_test.go | 2 ++
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/dns/dns.go b/dns/dns.go
index 1d19636..dd76dd2 100644
--- a/dns/dns.go
+++ b/dns/dns.go
@@ -179,7 +179,10 @@ func (ds *DNSList) DialContext(ctx context.Context, dialer *net.Dialer, firstFra
 }
 continue
 }
- tlsConn = tls.Client(conn, &tls.Config{ServerName: host})
+ tlsConn = tls.Client(conn, &tls.Config{
+ ServerName: host,
+ MinVersion: tls.VersionTLS12,
+ })
 if firstFragmentLen > 0 {
 err = terasu.Use(tlsConn).HandshakeContext(ctx, firstFragmentLen)
 } else {
diff --git a/dns/dns_test.go b/dns/dns_test.go
index 4edbefa..a1052a7 100644
--- a/dns/dns_test.go
+++ b/dns/dns_test.go
@@ -114,7 +114,10 @@ func (ds *DNSList) test() {
 if err != nil {
 continue
 }
- tlsConn := tls.Client(conn, &tls.Config{ServerName: host})
+ tlsConn := tls.Client(conn, &tls.Config{
+ ServerName: host,
+ MinVersion: tls.VersionTLS12,
+ })
 err = terasu.Use(tlsConn).Handshake(4)
 _ = tlsConn.Close()
 if err == nil {
diff --git a/http/http.go b/http/http.go
index 913031c..547f633 100644
--- a/http/http.go
+++ b/http/http.go
@@ -60,6 +60,7 @@ var DefaultClient = http.Client{
 }
 tlsConn = tls.Client(conn, &tls.Config{
 ServerName: host,
+ MinVersion: tls.VersionTLS12,
 })
 if terasu.DefaultFirstFragmentLen > 0 {
 err = terasu.Use(tlsConn).HandshakeContext(ctx, terasu.DefaultFirstFragmentLen)
@@ -77,6 +78,7 @@ var DefaultClient = http.Client{
 }
 tlsConn = tls.Client(conn, &tls.Config{
 ServerName: host,
+ MinVersion: tls.VersionTLS12,
 })
 err = tlsConn.HandshakeContext(ctx)
 if err == nil {
diff --git a/terasu_test.go b/terasu_test.go
index b282910..4c072db 100644
--- a/terasu_test.go
+++ b/terasu_test.go
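Review bot: The TLS floor in dns/dns.go's DialContext is written into an inline `tls.Config` literal, and the same literal is repeated at both dial sites of `DefaultClient` in http/http.go, so the version policy now lives in three production copies; a copy missed in a later edit would silently fall back to the toolchain default. Both packages already call into `terasu`, so one shared constructor there, for example `func ClientConfig(host string) *tls.Config { return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12} }`, would keep the floor in one place. crypto/tls already uses TLS 1.2 as the client minimum from Go 1.18 on, so whether this changes behaviour depends on the toolchain the module targets, which the patch does not show; a comment such as `// Pin the floor explicitly instead of relying on the crypto/tls default.` would record the intent. DialContext and the DefaultClient initializer both continue outside their hunks.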
@@ -19,6 +19,7 @@ func TestHTTPDialTLS13(t *testing.T) {
 t.Log("net.Dial succeeded")
 tlsConn := tls.Client(conn, &tls.Config{
 ServerName: "huggingface.co",
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: true,
 })
 err = Use(tlsConn).Handshake(4)
@@ -57,6 +58,7 @@ func TestHTTPDialTLS12(t *testing.T) {
 tlsConn := tls.Client(conn, &tls.Config{
 ServerName: "huggingface.co",
 InsecureSkipVerify: true,
+ MinVersion: tls.VersionTLS12,
 MaxVersion: tls.VersionTLS12,
 })
 err = Use(tlsConn).Handshake(4)
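Review bot: TestHTTPDialTLS13 now sets its floor to `tls.VersionTLS12`, so a handshake that settles on TLS 1.2 would still pass a test whose name promises 1.3, unless the negotiated version is asserted in the part of the body outside the hunk. TestHTTPDialTLS12 pins both MinVersion and MaxVersion to 1.2; the mirror for the 1.3 test is `MinVersion: tls.VersionTLS13,`, or a check after the handshake such as `if tlsConn.ConnectionState().Version != tls.VersionTLS13 { t.Fatal("expected TLS 1.3") }`. Both configs keep `InsecureSkipVerify: true`, so these tests cover the fragmented handshake only and not certificate validation; a comment like `// test only: verification is skipped, do not copy this config into dial code` would keep the literal from spreading.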