We had to go the other direction temporarily and allow older TLS versions to connect. We did this by creating a proxysql-specific openssl.cnf file and then setting the min protocol version there, and also passing this as an env variable in our systemd unit file.
# cat proxysql-ssl.cnf
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
and then
/etc/systemd/system/proxysql.service.d# cat override.conf
# This file is managed by the proxysql-formula.
# Manual changes will be lost!
# NO DEBCONF UPDATES
[Service]
Environment=
Environment="OPENSSL_CONF=/etc/ssl/proxysql-ssl.cnf"
ExecStart=
ExecStart=/usr/bin/proxysql --idle-threads -c /etc/proxysql.cnf
Wondering if you could do something similar for your case, but replace MinProtocol there with TLSv1.2? You'll also likely need to change CipherString as well.
Josh