diff --git a/NEWS b/NEWS
index cbaee11..58383b8 100644
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,8 @@ they are flagged on the source side.
 Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u
 and Delete/--delete/-d to Gone/--gone/-g.
 
-Superseded SSLVersions option with TLSVersions.
+Superseded SSLVersions option with TLSVersions, and disabled TLS v1.0
+and v1.1 by default.
 
 Made the Channel side to expire with MaxMessages configurable.
 
diff --git a/src/drv_imap.c b/src/drv_imap.c
index da988f6..4a9c669 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3711,7 +3711,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 	server->sconf.timeout = 20000;
 #ifdef HAVE_LIBSSL
 	server->ssl_type = -1;
-	server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
+	server->sconf.ssl_versions = TLSv1_2 | TLSv1_3;
 	server->sconf.system_certs = 1;
 #endif
 	server->max_in_progress = INT_MAX;
diff --git a/src/mbsync.1 b/src/mbsync.1
index 11bda41..518f110 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -419,7 +419,7 @@ Add/remove the specified TLS versions to/from the set of acceptable choices.
 Use old versions only when the server has problems with newer ones.
 Note that new versions are automatically enabled as soon as OpenSSL supports
 them, even if \fBmbsync\fR does not recognize them yet.
-(Default: All starting with 1.0).
+(Default: All starting with 1.2).
 .
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR