diff --git a/client/client.go b/client/client.go
index 3217be68e..bedfe4c1c 100644
--- a/client/client.go
+++ b/client/client.go
@@ -26,6 +26,7 @@ import (
 "fmt"
 "net/http"
 "os"
+ "path/filepath"
 "strings"
 "connectrpc.com/connect"
@@ -718,18 +719,20 @@ func (c *Client) broadcast(ctx context.Context, doc *document.Document, topic st
 return nil
 }
-// NewClientTLSFromFile
+/**
+* newTLSConfigFromFile returns a new tls.Config from the given certFile.
+ */
 func newTLSConfigFromFile(certFile, serverNameOverride string) (*tls.Config, error) {
- b, err := os.ReadFile(certFile)
+ b, err := os.ReadFile(filepath.Clean(certFile))
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("credentials: failed to read TLS config file %q: %w", certFile, err)
 }
 cp := x509.NewCertPool()
 if !cp.AppendCertsFromPEM(b) {
 return nil, fmt.Errorf("credentials: failed to append certificates")
 }
- return &tls.Config{ServerName: serverNameOverride, RootCAs: cp}, nil
+ return &tls.Config{ServerName: serverNameOverride, RootCAs: cp, MinVersion: tls.VersionTLS13}, nil
 }
 /**
diff --git a/server/rpc/server.go b/server/rpc/server.go
index e9930ab95..c762538c0 100644
--- a/server/rpc/server.go
+++ b/server/rpc/server.go
@@ -123,12 +123,11 @@ func (s *Server) listenAndServe() error {
 logging.DefaultLogger().Errorf("HTTP server ListenAndServeTLS: %v", err)
 }
 return
- } else {
- if err := s.httpServer.ListenAndServe(); err != http.ErrServerClosed {
- logging.DefaultLogger().Errorf("HTTP server ListenAndServe: %v", err)
- }
- return
 }
+ if err := s.httpServer.ListenAndServe(); err != http.ErrServerClosed {
+ logging.DefaultLogger().Errorf("HTTP server ListenAndServe: %v", err)
+ }
+ return
 }()
 return nil
 }
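Review bot: `filepath.Clean(certFile)` in `newTLSConfigFromFile` only normalises the path lexically and does not confine the read to any directory, so it adds no validation beyond what `os.ReadFile(certFile)` already did. Where `certFile` comes from is not visible in this hunk; if it can ever be anything other than operator-controlled configuration, the caller has to enforce containment. The doc comment should state that contract, for example `* certFile is read as given and must come from trusted configuration; its PEM certificates become the only trusted roots.` The new `MinVersion: tls.VersionTLS13` also makes the client refuse servers that can only negotiate TLS 1.2, which is worth one line in the comment so the handshake failure is not a surprise during rollout.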
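Review bot: The `return` added as the last statement of the closure, just before `}()`, is redundant now that the `else` is gone and can simply be dropped. The new `if err := s.httpServer.ListenAndServe(); err != http.ErrServerClosed` would be more robust as `!errors.Is(err, http.ErrServerClosed)`, should the error ever be wrapped. A listen failure is only logged inside the closure while `listenAndServe` returns `nil`, so a caller apparently cannot tell that the listener never came up. That deserves a comment on the function, for example `// Serve errors are logged asynchronously; a nil return does not mean the listener is bound.` The start of `listenAndServe` and the TLS branch condition lie outside this hunk.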