diff --git a/internal/envoy/v3/auth.go b/internal/envoy/v3/auth.go
index 2d7669500e2..411e9060462 100644
--- a/internal/envoy/v3/auth.go
+++ b/internal/envoy/v3/auth.go
@@ -34,25 +34,22 @@ func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni st
 }}
 }
 
- tlsParams := &envoy_v3_tls.TlsParameters{}
-
- if upstreamTLS != nil {
- tlsParams = &envoy_v3_tls.TlsParameters{
- TlsMinimumProtocolVersion: ParseTLSVersion(upstreamTLS.MinimumProtocolVersion),
- TlsMaximumProtocolVersion: ParseTLSVersion(upstreamTLS.MaximumProtocolVersion),
- CipherSuites: tlsParams.CipherSuites,
- }
- }
-
 context := &envoy_v3_tls.UpstreamTlsContext{
 CommonTlsContext: &envoy_v3_tls.CommonTlsContext{
- TlsParams: tlsParams,
 AlpnProtocols: alpnProtocols,
 TlsCertificateSdsSecretConfigs: clientSecretConfigs,
 },
 Sni: sni,
 }
 
+ if upstreamTLS != nil {
+ context.CommonTlsContext.TlsParams = &envoy_v3_tls.TlsParameters{
+ TlsMinimumProtocolVersion: ParseTLSVersion(upstreamTLS.MinimumProtocolVersion),
+ TlsMaximumProtocolVersion: ParseTLSVersion(upstreamTLS.MaximumProtocolVersion),
+ CipherSuites: upstreamTLS.CipherSuites,
+ }
+ }
+
 if peerValidationContext.GetCACertificate() != nil && len(peerValidationContext.GetSubjectName()) > 0 {
 // We have to explicitly assign the value from validationContext
 // to context.CommonTlsContext.ValidationContextType because the
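Review bot: Nothing in this hunk documents or pins the two behaviour changes in the added `if upstreamTLS != nil` block: `CipherSuites` now comes from `upstreamTLS.CipherSuites` (the removed code copied it from the empty `tlsParams`, so a configured upstream cipher list never reached the generated context), and `TlsParams` is now left nil rather than an empty struct when `upstreamTLS` is nil. Because a silently ignored cipher restriction is a security-relevant failure, I would add test cases for UpstreamTLSContext asserting that the configured suites and minimum/maximum versions appear in `CommonTlsContext.TlsParams`, plus one for the nil case. A short comment above the block would also help, for example `// TlsParams stays nil when no upstream TLS settings are configured, so Envoy's defaults apply.` ParseTLSVersion is not visible here; if it falls back to an automatic version for unrecognised strings, it is worth confirming that the version strings and the minimum-not-above-maximum relation are validated before they reach this function. The body of UpstreamTLSContext starts and ends outside the hunk.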