diff --git a/command/meta.go b/command/meta.go
index 51e382268a..baf8aa20e3 100644
--- a/command/meta.go
+++ b/command/meta.go
@@ -67,6 +67,7 @@ func (m *Meta) Client() (*api.Client, error) {
 	if m.flagCACert != "" || m.flagCAPath != "" || m.flagInsecure {
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: m.flagInsecure,
+			MinVersion:         tls.VersionTLS12,
 		}
 
 		// TODO: Root CAs
diff --git a/command/server/listener.go b/command/server/listener.go
index 7d1de552fd..4772606216 100644
--- a/command/server/listener.go
+++ b/command/server/listener.go
@@ -53,6 +53,7 @@ func listenerWrapTLS(
 	tlsConf := &tls.Config{}
 	tlsConf.Certificates = []tls.Certificate{cert}
 	tlsConf.NextProtos = []string{"http/1.1"}
+	tlsConf.MinVersion = tls.VersionTLS12 // Minimum version is TLS 1.2
 
 	ln = tls.NewListener(ln, tlsConf)
 	props["tls"] = "enabled"