diff --git a/ntpd/src/daemon/keyexchange.rs b/ntpd/src/daemon/keyexchange.rs
index e6f5f2b6b..ccae012a1 100644
--- a/ntpd/src/daemon/keyexchange.rs
+++ b/ntpd/src/daemon/keyexchange.rs
@@ -12,7 +12,10 @@ use libc::{ECONNABORTED, EMFILE, ENFILE, ENOBUFS, ENOMEM};
 use ntp_proto::{
 KeyExchangeClient, KeyExchangeError, KeyExchangeResult, KeyExchangeServer, KeySet,
 };
-use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::{
+ pki_types::{CertificateDer, PrivateKeyDer},
+ version::TLS13,
+};
 use tokio::{
 io::{AsyncRead, AsyncWrite, ReadBuf},
 net::TcpListener,
@@ -42,9 +45,11 @@ async fn build_client_config(
 .map_err(KeyExchangeError::Certificate)?;
 }
 
- Ok(rustls::ClientConfig::builder()
- .with_root_certificates(roots)
- .with_no_client_auth())
+ Ok(
+ rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13])
+ .with_root_certificates(roots)
+ .with_no_client_auth(),
+ )
 }
 
 pub(crate) async fn key_exchange_client(
@@ -149,7 +154,7 @@ fn build_server_config(
 certificate_chain: Vec>,
 private_key: PrivateKeyDer<'static>,
 ) -> std::io::Result> {
- let mut config = rustls::ServerConfig::builder()
+ let mut config = rustls::ServerConfig::builder_with_protocol_versions(&[&TLS13])
 .with_client_cert_verifier(Arc::new(
 #[cfg(not(feature = "unstable_nts-pool"))]
 rustls::server::NoClientAuth,
diff --git a/nts-pool-ke/src/lib.rs b/nts-pool-ke/src/lib.rs
index 6b688b60c..02d7a025e 100644
--- a/nts-pool-ke/src/lib.rs
+++ b/nts-pool-ke/src/lib.rs
@@ -12,7 +12,10 @@ use ntp_proto::{
 AeadAlgorithm, ClientToPoolData, KeyExchangeError, NtsRecord, PoolToServerData,
 PoolToServerDecoder, SupportedAlgorithmsDecoder,
 };
-use rustls::pki_types::{CertificateDer, ServerName};
+use rustls::{
+ pki_types::{CertificateDer, ServerName},
+ version::TLS13,
+};
 use tokio::{
 io::{AsyncReadExt, AsyncWriteExt},
 net::{TcpListener, ToSocketAddrs},
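Review bot: The version pin on the `rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13])` line in build_client_config is left unexplained in the code; a one-line comment such as `// NTS-KE requires TLS 1.3 (RFC 8915 §3); never negotiate older versions.` tells the next maintainer this is a protocol requirement rather than a preference. The same `&[&TLS13]` literal is repeated on the build_server_config line in the hunk below and on the pool_key_exchange_server and pool_to_server_connector lines in nts-pool-ke/src/lib.rs; a single shared `const NTS_TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&TLS13];` would keep the four sites from drifting if one is edited later. Nothing in this diff adds a test that a peer offering only TLS 1.2 is refused, so the downgrade protection rests on rustls behaviour alone; a handshake test against a 1.2-only ServerConfig would pin it. build_client_config starts before its hunk, and the enclosing functions of the other three hunks continue outside them.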
@@ -179,7 +182,7 @@ async fn pool_key_exchange_server(
 ) -> std::io::Result<()> {
 let listener = TcpListener::bind(address).await?;
 
- let mut config = rustls::ServerConfig::builder()
+ let mut config = rustls::ServerConfig::builder_with_protocol_versions(&[&TLS13])
 .with_no_client_auth()
 .with_single_cert(certificate_chain.clone(), private_key.clone_key())
 .map_err(|err| std::io::Error::new(std::io::ErrorKind::InvalidInput, err))?;
@@ -459,7 +462,7 @@ fn pool_to_server_connector(
 .map_err(KeyExchangeError::Certificate)?;
 }
 
- let config = rustls::ClientConfig::builder()
+ let config = rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13])
 .with_root_certificates(roots)
 .with_client_auth_cert(certificate_chain, private_key)
 .unwrap();