diff --git a/src/main/java/io/asyncer/r2dbc/mysql/client/SslBridgeHandler.java b/src/main/java/io/asyncer/r2dbc/mysql/client/SslBridgeHandler.java
index 0ac8e0599..952be3917 100644
--- a/src/main/java/io/asyncer/r2dbc/mysql/client/SslBridgeHandler.java
+++ b/src/main/java/io/asyncer/r2dbc/mysql/client/SslBridgeHandler.java
@@ -220,11 +220,13 @@ static MySqlSslContextSpec forClient(MySqlSslConfiguration ssl, ConnectionContex
                 .applicationProtocolConfig(null);
             String[] tlsProtocols = ssl.getTlsVersion();
 
-            if (tlsProtocols.length > 0) {
-                builder.protocols(tlsProtocols);
-            } else if (ssl.getSslMode() != SslMode.TUNNEL && isTls13Enabled(context)) {
+            if (tlsProtocols.length > 0 || ssl.getSslMode() == SslMode.TUNNEL) {
+                if (tlsProtocols.length > 0) {
+                    builder.protocols(tlsProtocols);
+                }
+            } else if (isTls13Enabled(context)) {
                 builder.protocols(TLS_PROTOCOLS);
-            } else if (ssl.getSslMode() != SslMode.TUNNEL){
+            } else {
                 // Not sure if we need to check the JDK version, suggest not.
                 if (logger.isWarnEnabled()) {
                     logger.warn("{} {} does not support TLS1.2, TLS1.1 is disabled in latest JDKs",