diff --git a/ocis-pkg/service/grpc/client.go b/ocis-pkg/service/grpc/client.go
index 06b8649d33..f35ef2616d 100644
--- a/ocis-pkg/service/grpc/client.go
+++ b/ocis-pkg/service/grpc/client.go
@@ -81,7 +81,9 @@ func NewClient(opts ...ClientOption) (client.Client, error) {
 }
 cOpts = append(cOpts, mgrpcc.AuthTLS(tlsConfig))
 case "on":
- tlsConfig = &tls.Config{}
+ tlsConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 // Note: If caCert is empty we use the system's default set of trusted CAs
 if options.caCert != "" {
 certs := x509.NewCertPool()
diff --git a/ocis/pkg/command/benchmark.go b/ocis/pkg/command/benchmark.go
index 3439619c92..28c7ecde0d 100644
--- a/ocis/pkg/command/benchmark.go
+++ b/ocis/pkg/command/benchmark.go
@@ -207,7 +207,10 @@ func client(o clientOptions) error {
 for i := 0; i < o.jobs; i++ {
 go func(i int) {
 tr := &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: o.insecure},
+ TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ InsecureSkipVerify: o.insecure,
+ },
 }
 client := &http.Client{Transport: tr}
diff --git a/services/collaboration/pkg/connector/contentconnector.go b/services/collaboration/pkg/connector/contentconnector.go
index 273937561d..0332b09bfd 100644
--- a/services/collaboration/pkg/connector/contentconnector.go
+++ b/services/collaboration/pkg/connector/contentconnector.go
@@ -148,6 +148,7 @@ func (c *ContentConnector) GetFile(ctx context.Context, w http.ResponseWriter) e
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure,
 },
 },
@@ -312,6 +313,7 @@ func (c *ContentConnector) PutFile(ctx context.Context, stream io.Reader, stream
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure,
 },
 },
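Review bot: The `tls.Config` passed to `mgrpcc.AuthTLS(tlsConfig)` in the case just above `case "on":` in NewClient (ocis-pkg/service/grpc/client.go) is built outside this hunk, so it is not visible whether it got the same floor. If that branch constructs its own literal, it should carry `MinVersion: tls.VersionTLS12,` too, otherwise the gRPC client's TLS modes end up with different protocol floors. NewClient starts and ends outside the hunk, so this needs a look at the full switch.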
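Review bot: The literal `&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: …}` added in client() in ocis/pkg/command/benchmark.go is repeated in GetFile and PutFile (contentconnector.go), GetAppURLs (discovery.go) and fetchPublicKeys (proofkeys/handler.go), so the protocol floor now lives in five separate places. A small shared constructor, for example `func newTLSConfig(insecure bool) *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure} }`, would let a later move to TLS 1.3 happen in one spot and keep a future call site from omitting the field. The goroutine closure in client() continues past the end of the hunk.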
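Review bot: In GetFile and PutFile (contentconnector.go) the new `MinVersion` sits directly above `InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure`, and nothing at the call site says that the floor gives no protection once that flag is true. With verification off the peer certificate is not checked, so whatever these functions transfer (presumably file content to and from the data gateway) can be read or altered by whoever terminates the connection. I would add a comment above the field such as `// Insecure disables certificate verification; MinVersion only bounds the protocol version and does not authenticate the peer.` The same comment fits GetAppURLs in discovery.go. Both functions continue outside their hunks.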
diff --git a/services/collaboration/pkg/helpers/discovery.go b/services/collaboration/pkg/helpers/discovery.go
index 3f61aa2767..db7b51aee6 100644
--- a/services/collaboration/pkg/helpers/discovery.go
+++ b/services/collaboration/pkg/helpers/discovery.go
@@ -22,6 +22,7 @@ func GetAppURLs(cfg *config.Config, logger log.Logger) (map[string]map[string]st
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: cfg.App.Insecure,
 },
 },
diff --git a/services/collaboration/pkg/proofkeys/handler.go b/services/collaboration/pkg/proofkeys/handler.go
index 2ecbd6fe50..37d039bf19 100644
--- a/services/collaboration/pkg/proofkeys/handler.go
+++ b/services/collaboration/pkg/proofkeys/handler.go
@@ -198,6 +198,7 @@ func (vh *VerifyHandler) fetchPublicKeys(logger *zerolog.Logger) (*PubKeys, erro
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: vh.insecure,
 },
 },
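Review bot: fetchPublicKeys (proofkeys/handler.go) still passes `InsecureSkipVerify: vh.insecure`, and for this client the flag matters more than at the other call sites. Judging by the names, the keys fetched here are what VerifyHandler later trusts, so with verification off the key material comes from an unauthenticated peer and the TLS 1.2 floor does not change that. A visible signal when the flag is set would help operators, e.g. `if vh.insecure { logger.Warn().Msg("fetching proof keys without TLS certificate verification") }` before the client is built. Most of the function body lies outside the hunk, so such a warning may already exist elsewhere.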