From 047ce723b068d292eb78f67a5409abf0d57b3e28 Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Sat, 30 May 2026 11:09:44 +0000
Subject: [PATCH] fix(registry): bump TLS MinVersion from 1.2 to 1.3 (PILOT-337)

Both the production cert-file path and the self-signed-cert path in accept.go still set MinVersion to tls.VersionTLS12. TLS 1.3 eliminates residual CBC-mode risk in some 1.2 cipher suites, though the cipher allowlist is already ECDHE+AEAD-only so practical risk is near-zero.

Closes PILOT-337
---
 accept/accept.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accept/accept.go b/accept/accept.go
index fe33491..3d13c20 100644
--- a/accept/accept.go
+++ b/accept/accept.go
@@ -529,7 +529,7 @@ func (a *Acceptor) SetTLS(certFile, keyFile string) error {
 }
 a.tlsConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS13,
 CipherSuites: []uint16{
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@@ -553,7 +553,7 @@ func (a *Acceptor) SetTLS(certFile, keyFile string) error {
 }
 a.tlsConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS13,
 CipherSuites: []uint16{
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
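Review bot: With `MinVersion: tls.VersionTLS13` the `CipherSuites` list that follows in both hunks (the cert-file block at -529 and the self-signed block at -553) no longer has any effect, because Go's crypto/tls applies `Config.CipherSuites` only to TLS 1.0–1.2 and does not let TLS 1.3 suites be configured. Either drop the list or mark it, e.g. `// CipherSuites is ignored at TLS 1.3; kept only as a guard if MinVersion is ever lowered.`, so a later reader does not take it for an active control. The change also means peers that can only negotiate TLS 1.2 will now fail the handshake; the commit message does not say whether all registry clients were checked, so that is worth confirming and covering with a handshake test. Both config literals continue past the end of their hunks, so the rest of each list is not visible here.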