diff --git a/DEPLOYMENT_GUIDE.md b/DEPLOYMENT_GUIDE.md
index fd597fe..36be06d 100644
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@@ -181,7 +181,7 @@ tls:
 ca_cert: "/etc/linux_patch_api/certs/ca.pem"
 server_cert: "/etc/linux_patch_api/certs/server.pem"
 server_key: "/etc/linux_patch_api/certs/server.key"
- min_tls_version: "1.3"
+ # TLS 1.3 is the only supported version (hardcoded, not configurable)
 
 jobs:
 max_concurrent: 5
diff --git a/README.md b/README.md
index 7b542c6..9e03ffb 100644
--- a/README.md
+++ b/README.md
@@ -395,7 +395,7 @@ tls:
 ca_cert: "/etc/linux_patch_api/certs/ca.pem"
 server_cert: "/etc/linux_patch_api/certs/server.pem"
 server_key: "/etc/linux_patch_api/certs/server.key"
- min_tls_version: "1.3"
+ # TLS 1.3 is the only supported version (hardcoded, not configurable)
 
 # Job Configuration
 jobs:
diff --git a/configs/config.yaml.example b/configs/config.yaml.example
index e09d5e8..583b3dc 100644
--- a/configs/config.yaml.example
+++ b/configs/config.yaml.example
@@ -14,7 +14,7 @@ tls:
 ca_cert: "/etc/linux_patch_api/certs/ca.pem"
 server_cert: "/etc/linux_patch_api/certs/server.pem"
 server_key: "/etc/linux_patch_api/certs/server.key"
- min_tls_version: "1.3"
+ # TLS 1.3 is the only supported version (hardcoded, not configurable)
 
 # Job Configuration
 jobs:
diff --git a/src/auth/mtls.rs b/src/auth/mtls.rs
index 38063b9..d9264c1 100644
--- a/src/auth/mtls.rs
+++ b/src/auth/mtls.rs
@@ -143,12 +143,14 @@ impl ClientCertVerifier for CrlAwareVerifier {
 }
 
 /// mTLS Configuration
+///
+/// TLS 1.3 is the only supported protocol version — this is hardcoded
+/// in `build_rustls_config()` and cannot be configured via this struct.
 #[derive(Debug, Clone)]
 pub struct MtlsConfig {
 pub ca_cert_path: String,
 pub server_cert_path: String,
 pub server_key_path: String,
- pub min_tls_version: String,
 }
 
 /// Build a rustls ServerConfig with client certificate verification.
diff --git a/src/config/loader.rs b/src/config/loader.rs
index 704ee7b..1d5be86 100644
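Review bot: The new doc comment on `MtlsConfig` asserts that TLS 1.3 is hardcoded in `build_rustls_config()`, but that function is outside this hunk and nothing in the change pins the invariant — the only test that mentioned a protocol version (`auth_test.rs`) simply loses its assertion. A test that builds the `ServerConfig` from the test certificates and checks that TLS 1.2 is not enabled (with rustls roughly `assert!(!cfg.versions.contains(ProtocolVersion::TLSv1_2));`, exact field and API depending on the rustls version in use) would keep the comment honest as `build_rustls_config()` evolves. It is also worth recording, in this doc comment or the changelog, whether `min_tls_version: "1.2"` in the old config was ever honoured: if it was, agents that cannot negotiate 1.3 will now fail the handshake, which operators need to know before upgrading. The struct is fully visible here, but its consumer is not.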
--- a/src/config/loader.rs
+++ b/src/config/loader.rs
@@ -33,8 +33,6 @@ pub struct TlsConfig {
 pub ca_cert: String,
 pub server_cert: String,
 pub server_key: String,
- #[serde(default = "default_tls_version")]
- pub min_tls_version: String,
 /// Path to persist the CRL fetched from the manager.
 /// Defaults to /etc/linux_patch_api/certs/crl.pem
 #[serde(default = "default_crl_path")]
@@ -49,10 +47,6 @@ fn default_true() -> bool {
 true
 }
 
-fn default_tls_version() -> String {
- "1.3".to_string()
-}
-
 /// Jobs configuration
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct JobsConfig {
@@ -501,6 +495,19 @@ impl AppConfig {
 let content = std::fs::read_to_string(path)
 .with_context(|| format!("Failed to read config file: {}", path))?;
 
+ // Check for deprecated fields before typed parsing
+ if let Ok(value) = serde_yaml::from_str::(&content) {
+ if let Some(tls) = value.get("tls") {
+ if tls.get("min_tls_version").is_some() {
+ tracing::warn!(
+ "Config contains deprecated 'tls.min_tls_version' field. \
+ This field is ignored — TLS 1.3 is the only supported version. \
+ Remove it from your config to silence this warning."
+ );
+ }
+ }
+ }
+
 let config: AppConfig = serde_yaml::from_str(&content)
 .with_context(|| format!("Failed to parse config file: {}", path))?;
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 38bb382..a0769ca 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -8,4 +8,5 @@
 pub mod loader;
 pub use loader::{validate_certs, AppConfig, CertStatus, EnrollmentConfig, RateLimitConfig};
 pub mod validator;
+pub use validator::validate_config_warnings;
 pub mod watcher;
diff --git a/src/config/validator.rs b/src/config/validator.rs
index de60a67..94926f9 100644
--- a/src/config/validator.rs
+++ b/src/config/validator.rs
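Review bot: The deprecation check inserted before the typed parse in the `@@ -501,6 +495,19` hunk duplicates `validate_config_warnings` from `validator.rs` line for line, warning text included, so the two copies will drift the next time a field is deprecated; the loader should call the shared function, `crate::config::validate_config_warnings(&content);`, which the `mod.rs` hunk already re-exports, instead of inlining the logic. The turbofish renders here as `serde_yaml::from_str::(&content)` — presumably `::<serde_yaml::Value>` lost in extraction, but worth confirming the committed source carries the type parameter. The `if let Ok(value)` silently skips the check on a YAML syntax error, which is acceptable only because the typed parse on the following line reports that error; a one-line comment such as `// parse errors are reported by the typed parse below` would make that dependency explicit. The enclosing `AppConfig` method starts outside the hunk.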
@@ -1,3 +1,25 @@
 //! Configuration Validator
 //!
-//! Placeholder - implementation in future phases
+//! Validates configuration values and warns about deprecated fields.
+
+use tracing::warn;
+
+/// Validate configuration for deprecated or unknown fields.
+///
+/// This is called after config loading to emit warnings for fields
+/// that are no longer functional but may still be present in operator
+/// config files.
+pub fn validate_config_warnings(config_yaml: &str) {
+ // Check for deprecated tls.min_tls_version field
+ if let Ok(value) = serde_yaml::from_str::(config_yaml) {
+ if let Some(tls) = value.get("tls") {
+ if tls.get("min_tls_version").is_some() {
+ warn!(
+ "Config contains deprecated 'tls.min_tls_version' field. \
+ This field is ignored — TLS 1.3 is the only supported version. \
+ Remove it from your config to silence this warning."
+ );
+ }
+ }
+ }
+}
diff --git a/src/main.rs b/src/main.rs
index 758c043..a646a5f 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -368,16 +368,15 @@ async fn main() -> Result<()> {
 ca_cert = %tls_config.ca_cert,
 server_cert = %tls_config.server_cert,
 server_key = %tls_config.server_key,
- min_tls_version = %tls_config.min_tls_version,
 crl_path = %tls_config.crl_path,
- "Initializing mTLS authentication with TLS binding"
+ "Initializing mTLS authentication with TLS 1.3 binding"
 );
 
+ // TLS 1.3 is the only supported version — hardcoded in build_rustls_config()
 let mtls_config = mtls::MtlsConfig {
 ca_cert_path: tls_config.ca_cert.clone(),
 server_cert_path: tls_config.server_cert.clone(),
 server_key_path: tls_config.server_key.clone(),
- min_tls_version: tls_config.min_tls_version.clone(),
 };
 
 // Load CRL from disk into the shared CRL state
diff --git a/tests/e2e/test_enrollment_e2e.rs b/tests/e2e/test_enrollment_e2e.rs
index 7387082..3716215 100644
--- a/tests/e2e/test_enrollment_e2e.rs
+++ b/tests/e2e/test_enrollment_e2e.rs
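Review bot: `validate_config_warnings` is defined and re-exported but, as far as this diff shows, never called — `loader.rs` inlines an identical copy of its body instead — so either the loader should be wired to call it or one of the two copies should go. Its doc comment says it "is called after config loading", which contradicts the loader's comment "before typed parsing"; pick one and state it, e.g. `/// Call this on the raw YAML text before (or alongside) the typed parse.`. Because the function swallows the `serde_yaml` parse error, it only makes sense where the typed parse surfaces that error anyway, and the docs should say so: `/// Parse errors are ignored here; the caller's typed parse reports them.`. If more keys are going to be retired this way, a small table such as `const DEPRECATED: &[(&str, &str)] = &[("tls", "min_tls_version")];` walked in one loop would keep the warning wording uniform. The `from_str::(` with no type parameter looks like extraction garbling of `::<serde_yaml::Value>` rather than a defect in the commit.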
@@ -77,7 +77,6 @@ fn build_tls_config(cert_dir: &std::path::Path) -> TlsConfig {
 .join("server.key.pem")
 .to_string_lossy()
 .to_string(),
- min_tls_version: "1.3".to_string(),
 crl_path: String::new(), // No CRL in E2E tests
 }
 }
diff --git a/tests/integration/auth_test.rs b/tests/integration/auth_test.rs
index c121111..3c41c56 100644
--- a/tests/integration/auth_test.rs
+++ b/tests/integration/auth_test.rs
@@ -15,7 +15,6 @@ mod mtls_tests {
 ca_cert_path: "/etc/linux_patch_api/certs/ca.pem".to_string(),
 server_cert_path: "/etc/linux_patch_api/certs/server.pem".to_string(),
 server_key_path: "/etc/linux_patch_api/certs/server.key".to_string(),
- min_tls_version: "1.3".to_string(),
 };
 
 assert_eq!(config.ca_cert_path, "/etc/linux_patch_api/certs/ca.pem");
@@ -27,7 +26,6 @@ mod mtls_tests {
 config.server_key_path,
 "/etc/linux_patch_api/certs/server.key"
 );
- assert_eq!(config.min_tls_version, "1.3");
 }
 
 #[test]