diff --git a/Dockerfile b/Dockerfile
index 80b4fcb..99d7a11 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,4 +41,3 @@ RUN chmod a+x /entrypoint.sh
 ENTRYPOINT ["/sbin/tini", "--", "/entrypoint.sh"]
 
 CMD ["--help"]
-
diff --git a/main.go b/main.go
index 0d70fa0..d77945e 100644
--- a/main.go
+++ b/main.go
@@ -141,7 +141,7 @@ func start_app(config Config) {
 	if config.Trusted_Root_Ca_File != "" {
 		content, err := ioutil.ReadFile(config.Trusted_Root_Ca_File)
 		if err != nil {
-			log.Fatalf("Failed to read file Trusted Root CA %s", config.Trusted_Root_Ca_File)
+			log.Fatalf("Failed to read file Trusted Root CA %s, %v", config.Trusted_Root_Ca_File, err)
 		}
 		ok := certp.AppendCertsFromPEM([]byte(content))
 		if !ok {
@@ -149,11 +149,26 @@ func start_app(config Config) {
 		}
 	}
 
-	mTlsConfig := &tls.Config{}
-	mTlsConfig.PreferServerCipherSuites = true
-	mTlsConfig.MinVersion = tls.VersionTLS10
-	mTlsConfig.MaxVersion = tls.VersionTLS12
-	mTlsConfig.RootCAs = certp
+	mTlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12, // minimum TLS 1.2
+		// P curve order does not matter, as breaking one means all others can be brute-forced as well:
+		// Golang developers prefer:
+		CurvePreferences:         []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521},
+		PreferServerCipherSuites: true, // Server chooses ciphersuite, order matters below:
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3
+			tls.TLS_AES_256_GCM_SHA384,       // TLS 1.3
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
+		},
+		RootCAs: certp,
+	}
 
 	tr := &http.Transport{
 		TLSClientConfig: mTlsConfig,