diff --git a/Cargo.lock b/Cargo.lock
index 23e81e3..801a506 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -19,6 +19,7 @@ dependencies = [
 "tokio",
 "tokio-rustls",
 "url",
+ "webpki",
 ]
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 0a2c7f4..126f6d8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,6 +29,7 @@ configparser = "2.0"
 assert_cmd = "1.0"
 gemini-fetch = { version = "0.2.1", git = "https://github.com/Johann150/gemini-fetch.git" }
 anyhow = "1.0"
+webpki = "0.21.4"
 [profile.release]
 lto = true
diff --git a/tests/tests.rs b/tests/tests.rs
index 9606094..9f046bf 100644
--- a/tests/tests.rs
+++ b/tests/tests.rs
@@ -254,3 +254,25 @@ fn serve_secret() {
 assert_eq!(page.header.status, Status::Success);
 }
+
+#[test]
+#[should_panic(expected = "AlertReceived(ProtocolVersion)")]
+fn explicit_tls_version() {
+ use rustls::{ClientSession, ProtocolVersion};
+ use std::io::Read;
+ use std::net::TcpStream;
+
+ let _server = Server::new(&["--addr", "[::]:1976", "-3"]);
+
+ let mut config = rustls::ClientConfig::new();
+ // try to connect using only TLS 1.2
+ config.versions = vec![ProtocolVersion::TLSv1_2];
+
+ let dns_name = webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap();
+ let mut session = ClientSession::new(&std::sync::Arc::new(config), dns_name);
+ let mut tcp = TcpStream::connect(addr(1976)).unwrap();
+ let mut tls = rustls::Stream::new(&mut session, &mut tcp);
+
+ let mut buf = [0; 10];
+ tls.read(&mut buf).unwrap();
+}
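Review bot: The `#[should_panic(expected = "AlertReceived(ProtocolVersion)")]` attribute on `explicit_tls_version` passes on a panic from any statement in the body whose message contains that substring, so the version-rejection check is not tied to the handshake read itself. Dropping the attribute and ending the test with `let err = tls.read(&mut buf).unwrap_err();` followed by `assert!(format!("{:?}", err).contains("AlertReceived(ProtocolVersion)"));` keeps the same match but scopes it to the read, so a failure in server start-up or `TcpStream::connect` is reported as a setup failure. The hunk covers only the rejection side of `-3`; a companion test with `config.versions = vec![ProtocolVersion::TLSv1_3]` would show that the flag still lets a TLS 1.3 client through, which the visible lines do not establish. The server is also started on `[::]:1976`, which presumably follows the other tests in this file but exposes the test listener on every interface for the duration of the run; a loopback address would avoid that if `addr(1976)` permits it.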