Encrypting network traffic is low-hanging fruit when securing IT infrastructure. MinIO follows a pragmatic approach when it comes to TLS. It has to be secure, it has to be performant and it has to be simple.
If there is a network encryption issue, in at least 9 out of 10 cases it is caused by a suboptimal choice for one or more of those three goals. MinIO tries to make TLS a smooth experience, something that just works instead of causing headaches.
MinIO only supports TLS 1.2 and 1.3. Both are enabled by default. If the S3 client supports TLS 1.3, the connection will use TLS 1.3. Older TLS versions are not supported simply because they are not secure.
In a nutshell, TLS 1.3 is faster and more secure than TLS 1.2. For example, a TLS 1.3 handshake requires a single round-trip instead of two before application data can be transmitted. Further, TLS 1.3 cleaned up some design choices carried through previous TLS versions: it specifies only a small set of transport ciphers, all of which use well-understood and fast authenticated encryption constructions and provide forward secrecy.
During the TLS handshake, MinIO and the S3 client have to agree on a transport cipher. In the case of TLS 1.3, there are no "bad choices". MinIO and the S3 client will pick the cipher that performs best on the particular hardware. Case closed.
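The version policy described above, as an added example in Go (the language MinIO is written in) that is not MinIO's own code: a loopback server is configured with an explicit minimum of TLS 1.2 and a client capped at a chosen version, so one can watch TLS 1.3 being preferred, TLS 1.2 still accepted, and TLS 1.1 refused with a protocol-version alert. The function names `Negotiate` and `selfSignedCert`, the throwaway self-signed certificate and the loopback listener are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for this in-process demo;
// key-generation and encoding errors are ignored here for brevity only.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this certificate, nothing else
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Negotiate runs a real handshake over loopback between a server that accepts only TLS 1.2
// and 1.3 (explicit MinVersion) and a client whose highest version is clientMax.
func Negotiate(clientMax uint16) (tls.ConnectionState, error) {
	cert, pool := selfSignedCert()
	srvConf := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
	cliConf := &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: clientMax, RootCAs: pool, ServerName: "localhost"}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // server side: a rejected version surfaces on the client as an alert error
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliConf) // Dial completes the handshake
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}
```

The negotiated TLS 1.3 suite will be AES-GCM or ChaCha20-Poly1305 depending on whether the CPU has AES hardware support, which is the hardware-driven choice the text refers to.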