diff --git a/Cargo.toml b/Cargo.toml
index 9e606cb2..a95c7fb3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,11 +16,12 @@ exclude = ["/cargo_deny.sh", "/deny.toml", "/test.sh"]
 rust-version = "1.67"
 
 [package.metadata.docs.rs]
-features = ["rustls", "native-tls", "socks-proxy", "cookies", "gzip", "brotli", "charset", "json", "_test"]
+features = ["rustls", "rustls-tls12", "native-tls", "socks-proxy", "cookies", "gzip", "brotli", "charset", "json", "_test"]
 
 [features]
-default = ["rustls", "gzip", "json"]
+default = ["rustls", "rustls-tls12", "gzip", "json"]
 rustls = ["dep:rustls", "_tls", "dep:rustls-platform-verifier", "dep:webpki-roots"]
+rustls-tls12 = ["rustls/tls12"]
 native-tls = ["dep:native-tls", "dep:der", "_tls", "dep:webpki-root-certs"]
 socks-proxy = ["dep:socks"]
 cookies = ["dep:cookie_store", "_url"]
@@ -52,7 +53,7 @@ webpki-roots = { version = "0.26.3", optional = true, default-features = false }
 webpki-root-certs = { version = "0.26.4", optional = true, default-features = false }
 
 # ring has a higher chance of compiling cleanly without additional developer environment
-rustls = { version = "0.23.11", optional = true, default-features = false, features = ["ring", "logging", "std", "tls12"] }
+rustls = { version = "0.23.11", optional = true, default-features = false, features = ["ring", "logging", "std"] }
 native-tls = { version = "0.2.12", optional = true, default-features = false }
 der = { version = "0.7.9", optional = true, default-features = false, features = ["pem", "std"] }
 
diff --git a/README.md b/README.md
index 0641216d..71750d26 100644
--- a/README.md
+++ b/README.md
@@ -144,10 +144,12 @@ You can control them when including ureq as a dependency.
 
 `ureq = { version = "3", features = ["socks-proxy", "charset"] }`
 
-The default enabled features are: **rustls**, **gzip** and **json**.
+The default enabled features are: **rustls**, **rustls-tls12**, **gzip** and **json**.
 
-* **rustls** enabled the rustls TLS implementation. This is the default for the the crate level
+* **rustls** enables the rustls TLS implementation. This is the default for the the crate level
   convenience calls (`ureq::get` etc).
+* **rustls-tls12** enables TLS1.2 compatibility for rustls (in addition to TLS1.3). This is
+  enabled by default to maximize compatibility.
 * **native-tls** enables the native tls backend for TLS. Due to the risk of diamond dependencies
   accidentally switching on an unwanted TLS implementation, `native-tls` is never picked up as
   a default or used by the crate level convenience calls (`ureq::get` etc) – it must be configured
@@ -344,4 +346,3 @@ let agent: Agent = Config {
 // This is proxied.
 let resp = agent.get("http://cool.server").call()?;
 ```
-
diff --git a/src/lib.rs b/src/lib.rs
index 28a3dd20..6509eb3d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -136,10 +136,12 @@
 //!
 //! `ureq = { version = "3", features = ["socks-proxy", "charset"] }`
 //!
-//! The default enabled features are: **rustls**, **gzip** and **json**.
+//! The default enabled features are: **rustls**, **rustls-tls12**, **gzip** and **json**.
 //!
-//! * **rustls** enabled the rustls TLS implementation. This is the default for the the crate level
+//! * **rustls** enables the rustls TLS implementation. This is the default for the the crate level
 //!   convenience calls (`ureq::get` etc).
+//! * **rustls-tls12** enables TLS1.2 compatibility for rustls (in addition to TLS1.3). This is
+//!   enabled by default to maximize compatibility.
 //! * **native-tls** enables the native tls backend for TLS. Due to the risk of diamond dependencies
 //!   accidentally switching on an unwanted TLS implementation, `native-tls` is never picked up as
 //!   a default or used by the crate level convenience calls (`ureq::get` etc) – it must be configured