authorEmīls <emils@mullvad.net>2021-02-17 14:45:41 +0000
committerEmīls <emils@mullvad.net>2021-02-17 14:45:41 +0000
commitf71be4deb373eb29427a19478bf708a1a7eb5753 (patch)
tree4b01e06bff4fdedd0587ab997ed15505388105e8
parente0eb44ae9d5e518de7fec1b38c9bec2ea789dc81 (diff)
Use only TLS 1.3 when connecting to the API
-rw-r--r--CHANGELOG.md1
-rw-r--r--mullvad-rpc/src/https_client_with_sni.rs3
2 files changed, 3 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c89daa4b0e..e0714f35fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ Line wrap the file at 100 chars. Th
security patches.
- Allow provider constraint to specify multiple hosting providers.
- Only download a new relay list if it has been modified.
+- Connect to the API only via TLS 1.3
#### Android
- WireGuard key is now rotated sooner: every four days instead of seven.
diff --git a/mullvad-rpc/src/https_client_with_sni.rs b/mullvad-rpc/src/https_client_with_sni.rs
index b80b2db95b..c8ac8e833d 100644
--- a/mullvad-rpc/src/https_client_with_sni.rs
+++ b/mullvad-rpc/src/https_client_with_sni.rs
@@ -25,7 +25,7 @@ use std::{
};
use tokio::{net::TcpStream as TokioTcpStream, runtime::Handle, time::timeout};
-use tokio_rustls::rustls;
+use tokio_rustls::rustls::{self, ProtocolVersion};
use webpki::DNSNameRef;
// Old LetsEncrypt root certificate
@@ -65,6 +65,7 @@ impl HttpsConnectorWithSni {
let mut config = rustls::ClientConfig::new();
config.enable_sni = true;
config.root_store = Self::read_cert_store();
+ config.versions = vec![ProtocolVersion::TLSv1_3];
HttpsConnectorWithSni {
next_socket_id: 0,
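Review bot: The added `config.versions = vec![ProtocolVersion::TLSv1_3];` line has no comment saying that the restriction is deliberate and has no fallback, so a later refactor or rustls upgrade could loosen it unnoticed. I would put `// Offer only TLS 1.3 to the API: a peer or middlebox limited to TLS 1.2 must fail the handshake, never downgrade.` directly above it. The setting covers only the `ClientConfig` built in this constructor; whether other TLS clients in the crate build their own config cannot be seen from this hunk and is worth checking. If the built config is reachable from a test, an assertion that its `versions` equals exactly `[ProtocolVersion::TLSv1_3]` would pin the behaviour. The enclosing function starts and ends outside the hunk.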