diff --git a/orderer/kafka/util.go b/orderer/kafka/util.go
index 03a0a15c9af..b4fb2471b74 100644
--- a/orderer/kafka/util.go
+++ b/orderer/kafka/util.go
@@ -48,7 +48,7 @@ func newBrokerConfig(kafkaVersion sarama.KafkaVersion, chosenStaticPartition int
 brokerConfig.Net.TLS.Config = &tls.Config{
 Certificates: []tls.Certificate{keyPair},
 RootCAs: rootCAs,
- MinVersion: 0, // TLS 1.0 (no SSL support)
+ MinVersion: tls.VersionTLS12,
 MaxVersion: 0, // Latest supported TLS version
 }
 }
diff --git a/orderer/kafka/util_test.go b/orderer/kafka/util_test.go
index 74ce0c3a264..5e211dcf73e 100644
--- a/orderer/kafka/util_test.go
+++ b/orderer/kafka/util_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package kafka
 import (
+ "crypto/tls"
 "testing"
 "github.com/Shopify/sarama"
@@ -132,7 +133,7 @@ func TestTLSConfigEnabled(t *testing.T) {
 assert.Len(t, config.Net.TLS.Config.Certificates, 1)
 assert.Len(t, config.Net.TLS.Config.RootCAs.Subjects(), 1)
 assert.Equal(t, uint16(0), config.Net.TLS.Config.MaxVersion)
- assert.Equal(t, uint16(0), config.Net.TLS.Config.MinVersion)
+ assert.Equal(t, uint16(tls.VersionTLS12), config.Net.TLS.Config.MinVersion)
 }
 func TestTLSConfigDisabled(t *testing.T) {
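Review bot: In orderer/kafka/util.go the new `MinVersion: tls.VersionTLS12,` line loses the inline comment its predecessor carried, while the adjacent `MaxVersion` line keeps one, so the reason for the floor is no longer recorded next to the value. I would write it as `MinVersion: tls.VersionTLS12, // refuse TLS 1.0/1.1 when connecting to Kafka brokers`. The floor is now fixed in code, so a broker that only offers TLS 1.0 or 1.1 will fail the handshake after this change; that is the intended hardening, but it deserves a line in the upgrade notes so operators can tell a protocol mismatch from a certificate problem. newBrokerConfig starts and ends outside the hunk.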