diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca8f961c43..843116caf6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,28 +1,31 @@ -## 2.35.0-rc1 / 2022-04-14 +## 2.35.0 / 2022-04-21 -* [ENHANCEMENT] Update package `uber.go/auomaxprocs` to support `cgroups2` #10584 -* [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false. #10592 -* [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments. #10587 -* [BUGFIX] Revoke storing target and metadata cache in context. This can fix a memory link introduced in `2.35.0-rc0` #10590 +This Prometheus release is built with go1.18, which contains two noticeable changes related to TLS: -## 2.35.0-rc0 / 2022-04-08 +* [TLS 1.0 and 1.1 disabled by default client-side](https://go.dev/doc/go1.18#tls10). +Prometheus users can override this with the `min_version` parameter of [tls_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config). +* [Certificates signed with the SHA-1 hash function are rejected](https://go.dev/doc/go1.18#sha1). This doesn't apply to self-signed root certificates. * [CHANGE] TSDB: Delete `*.tmp` WAL files when Prometheus starts. #10317 * [CHANGE] promtool: Add new flag `--lint` (enabled by default) for the commands `check rules` and `check config`, resulting in a new exit code (`3`) for linter errors. #10435 -* [FEATURE] Support for automatically setting the variable `GOMAXPROCS` to the container CPU limit. Enable with the flag `--enable-feature=auto-gomaxprocs` #10498 +* [FEATURE] Support for automatically setting the variable `GOMAXPROCS` to the container CPU limit. Enable with the flag `--enable-feature=auto-gomaxprocs`. #10498 * [FEATURE] PromQL: Extend statistics with total and peak number of samples in a query. Additionally, per-step statistics are available with --enable-feature=promql-per-step-stats and using `stats=all` in the query API. -Enable with the flag `--enable-feature=per-step-stats` #10369 +Enable with the flag `--enable-feature=per-step-stats`. #10369 * [ENHANCEMENT] Prometheus is built with Go 1.18. 
#10501 * [ENHANCEMENT] TSDB: more efficient sorting of postings read from WAL at startup. #10500 -* [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures #10476 +* [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures. #10476 * [ENHANCEMENT] Azure SD: Add an optional `resource_group` configuration. #10365 * [ENHANCEMENT] Kubernetes SD: Support `discovery.k8s.io/v1` `EndpointSlice` (previously only `discovery.k8s.io/v1beta1` `EndpointSlice` was supported). #9570 * [ENHANCEMENT] Kubernetes SD: Allow attaching node metadata to discovered pods. #10080 * [ENHANCEMENT] OAuth2: Support for using a proxy URL to fetch OAuth2 tokens. #10492 * [ENHANCEMENT] Configuration: Add the ability to disable HTTP2. #10492 +* [ENHANCEMENT] Config: Support overriding minimum TLS version. #10610 * [BUGFIX] Kubernetes SD: Explicitly include gcp auth from k8s.io. #10516 * [BUGFIX] Fix OpenMetrics parser to sort uppercase labels correctly. #10510 * [BUGFIX] UI: Fix scrape interval and duration tooltip not showing on target page. #10545 +* [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false. #10592 +* [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments. #10587 +* [BUGFIX] Remote-write: Fix a deadlock between Batch and flushing the queue. #10608 ## 2.34.0 / 2022-03-15 diff --git a/VERSION b/VERSION index 925692b07c..aa5388f637 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.35.0-rc1 +2.35.0 diff --git a/config/config_test.go b/config/config_test.go index 822185dbad..65a8110007 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -14,6 +14,7 @@ package config import ( + "crypto/tls" "encoding/json" "io/ioutil" "net/url" @@ -179,6 +180,9 @@ var expectedConf = &Config{ }, FollowRedirects: true, EnableHTTP2: true, + TLSConfig: config.TLSConfig{ + MinVersion: config.TLSVersion(tls.VersionTLS10), + }, }, ServiceDiscoveryConfigs: discovery.Configs{ 
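Review bot: The only `min_version` value this change exercises is the downgrade case, `MinVersion: config.TLSVersion(tls.VersionTLS10)` in the `@@ -179,6 +180,9 @@` hunk of config_test.go, matched by `min_version: TLS10` in conf.good.yml. Nothing visible here pins what happens when the string is not one of the four documented values. If parsing is not already covered elsewhere, a negative fixture that expects a load error would lock in fail-closed behaviour, so a mistyped `TLS13` cannot silently fall back to the default minimum. The `expectedConf` literal begins and ends outside this hunk, so existing bad-config cases may already cover part of this.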
diff --git a/config/testdata/conf.good.yml b/config/testdata/conf.good.yml index 33e9639d61..58ef791af7 100644 --- a/config/testdata/conf.good.yml +++ b/config/testdata/conf.good.yml @@ -91,6 +91,9 @@ scrape_configs: authorization: credentials_file: valid_token_file + tls_config: + min_version: TLS10 + - job_name: service-x basic_auth: diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index 4386a5cb5a..cde1a03b9d 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md @@ -369,6 +369,12 @@ A `tls_config` allows configuring TLS connections. # Disable validation of the server certificate. [ insecure_skip_verify: ] + +# Minimum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS +# 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3). +# If unset, Prometheus will use Go default minimum version, which is TLS 1.2. +# See MinVersion in https://pkg.go.dev/crypto/tls#Config. +[ min_version: ] ``` ### `` diff --git a/go.mod b/go.mod index 9fecc16ad5..cf9e9dbb3d 100644 --- a/go.mod +++ b/go.mod @@ -48,7 +48,7 @@ require ( github.com/prometheus/alertmanager v0.24.0 github.com/prometheus/client_golang v1.12.1 github.com/prometheus/client_model v0.2.0 - github.com/prometheus/common v0.33.0 + github.com/prometheus/common v0.34.0 github.com/prometheus/common/assets v0.1.0 github.com/prometheus/common/sigv4 v0.1.0 github.com/prometheus/exporter-toolkit v0.7.1 diff --git a/go.sum b/go.sum index 2e3f5a14ee..54e138a5d5 100644 --- a/go.sum +++ b/go.sum 
@@ -1063,8 +1063,8 @@ github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9 github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.33.0 h1:rHgav/0a6+uYgGdNt3jwz8FNSesO/Hsang3O0T9A5SE= -github.com/prometheus/common v0.33.0/go.mod h1:gB3sOl7P0TvJabZpLY5uQMpUqRCPPCyRLCZYc7JZTNE= +github.com/prometheus/common v0.34.0 h1:RBmGO9d/FVjqHT0yUGQwBJhkwKV+wPCn7KGpvfab0uE= +github.com/prometheus/common v0.34.0/go.mod h1:gB3sOl7P0TvJabZpLY5uQMpUqRCPPCyRLCZYc7JZTNE= github.com/prometheus/common/assets v0.1.0 h1:8WlWPDRjbfff4FWCBjaUF0NEIgDD2Mv2anoKfwG+Ums= github.com/prometheus/common/assets v0.1.0/go.mod h1:D17UVUE12bHbim7HzwUvtqm6gwBEaDQ0F+hIGbFbccI= github.com/prometheus/common/sigv4 v0.1.0 h1:qoVebwtwwEhS85Czm2dSROY5fTo2PAPEVdDeppTwGX4= diff --git a/storage/remote/queue_manager.go b/storage/remote/queue_manager.go index 215537e4f0..46bd7e1ff2 100644 --- a/storage/remote/queue_manager.go +++ b/storage/remote/queue_manager.go 
@@ -1116,21 +1116,35 @@ func (q *queue) ReturnForReuse(batch []sampleOrExemplar) {
 // FlushAndShutdown stops the queue and flushes any samples. No appends can be
 // made after this is called.
 func (q *queue) FlushAndShutdown(done <-chan struct{}) {
- q.batchMtx.Lock()
- defer q.batchMtx.Unlock()
-
- if len(q.batch) > 0 {
- select {
- case q.batchQueue <- q.batch:
- case <-done:
- // The shard has been hard shut down, so no more samples can be
- // sent. Drop everything left in the queue.
- }
+ for q.tryEnqueueingBatch(done) {
+ time.Sleep(time.Second)
 }
 q.batch = nil
 close(q.batchQueue)
 }
+// tryEnqueueingBatch tries to send a batch if necessary. If sending needs to
+// be retried it will return true.
+func (q *queue) tryEnqueueingBatch(done <-chan struct{}) bool {
+ q.batchMtx.Lock()
+ defer q.batchMtx.Unlock()
+ if len(q.batch) == 0 {
+ return false
+ }
+
+ select {
+ case q.batchQueue <- q.batch:
+ return false
+ case <-done:
+ // The shard has been hard shut down, so no more samples can be sent.
+ // No need to try again as we will drop everything left in the queue.
+ return false
+ default:
+ // The batchQueue is full, so we need to try again later.
+ return true
+ }
+}
+
 func (q *queue) newBatch(capacity int) []sampleOrExemplar {
 q.poolMtx.Lock()
 defer q.poolMtx.Unlock()
diff --git a/storage/remote/queue_manager_test.go b/storage/remote/queue_manager_test.go
index 0f8f9f4495..ff3f1aaf20 100644
--- a/storage/remote/queue_manager_test.go
+++ b/storage/remote/queue_manager_test.go
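Review bot: `q.batch = nil` and `close(q.batchQueue)` in FlushAndShutdown now run without `batchMtx`, which the removed `q.batchMtx.Lock()` / `defer q.batchMtx.Unlock()` held for the whole function. The new test calls `queue.Batch()` concurrently with FlushAndShutdown, so if Batch reads or replaces `q.batch` under that mutex (its body is outside this hunk), the unlocked write is a data race that `go test -race` should flag. Separately, `time.Sleep(time.Second)` in the retry loop cannot be interrupted by `done`, so a hard shutdown is noticed up to a second late. Taking the lock only for the two non-blocking teardown statements, and waiting on `done` alongside the timer, addresses both without reintroducing the deadlock.

```go
func (q *queue) FlushAndShutdown(done <-chan struct{}) {
	for q.tryEnqueueingBatch(done) {
		// Wake early on hard shutdown instead of sleeping the full second.
		select {
		case <-done:
		case <-time.After(time.Second):
		}
	}
	// Hold batchMtx only for the non-blocking teardown.
	q.batchMtx.Lock()
	q.batch = nil
	close(q.batchQueue)
	q.batchMtx.Unlock()
}
```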
@@ -1183,3 +1183,29 @@ func TestQueueManagerMetrics(t *testing.T) {
 err = client_testutil.GatherAndCompare(reg, strings.NewReader(""))
 require.NoError(t, err)
 }
+
+func TestQueue_FlushAndShutdownDoesNotDeadlock(t *testing.T) {
+ capacity := 100
+ batchSize := 10
+ queue := newQueue(batchSize, capacity)
+ for i := 0; i < capacity+batchSize; i++ {
+ queue.Append(sampleOrExemplar{})
+ }
+
+ done := make(chan struct{})
+ go queue.FlushAndShutdown(done)
+ go func() {
+ // Give enough time for FlushAndShutdown to acquire the lock. queue.Batch()
+ // should not block forever even if the lock is acquired.
+ time.Sleep(10 * time.Millisecond)
+ queue.Batch()
+ close(done)
+ }()
+ select {
+ case <-done:
+ case <-time.After(2 * time.Second):
+ t.Error("Deadlock in FlushAndShutdown detected")
+ pprof.Lookup("goroutine").WriteTo(os.Stdout, 1)
+ t.FailNow()
+ }
+}
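Review bot: The `done` channel in TestQueue_FlushAndShutdownDoesNotDeadlock is both the hard-shutdown signal passed to `FlushAndShutdown` and the test's own completion signal, so the final `select` only proves that `queue.Batch()` returned and never observes FlushAndShutdown finishing. The goroutine started by `go queue.FlushAndShutdown(done)` is never awaited either, and is likely still inside the retry sleep added in queue_manager.go when the test returns. A separate channel would cover both: `flushed := make(chan struct{})`, `go func() { queue.FlushAndShutdown(done); close(flushed) }()`, and a wait on `<-flushed` before the test passes. With the one-second retry sleep the 2-second timeout leaves little margin for that wait, so it may need to be raised.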