diff --git a/manifests/mod_ssl.pp b/manifests/mod_ssl.pp
index 73a6509966fffa014953ba5b777cb240180ad684..d7a0bb5ed850b4b1491df1a4169b2a30f55b10c9 100644
--- a/manifests/mod_ssl.pp
+++ b/manifests/mod_ssl.pp
@@ -21,8 +21,13 @@ class apache::mod_ssl($options={}, $directives=[])
 	'SSLRandomSeed startup'	 => 'file:/dev/urandom 256',
 	'SSLRandomSeed connect'	 => 'builtin',
 	'SSLCryptoDevice'	 => 'builtin',
-	# Both SSLv2 and SSLv3 are broken, security-wise
-	'SSLProtocol'		 => 'all -SSLv2 -SSLv3',
+	# Both SSLv2 and SSLv3 are broken, security-wise.  TLS 1 and 1.1
+	# also have security problems
+	'SSLProtocol'		 => 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',
+	# Default to only use reasonably secure ciphersuite.
+	# (But this list is likely to become obosolete in the future...)
+	'SSLCipherSuite' => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH',
+	'SSLHonorCipherOrder' => 'on',
     }
     package {
 	'mod_ssl':
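Review bot: The new `SSLCipherSuite` default is not AEAD-only: the trailing `AES256+EECDH:AES256+EDH` entries also select CBC-mode suites, and both `EDH` entries depend on the server's Diffie-Hellman group, which this hunk does not configure and which on older httpd releases may be a fixed 1024-bit group. If the CBC fallback is deliberate for clients without GCM, record that in the comment above the list, e.g. `# AES256+EECDH/AES256+EDH keep CBC suites as a fallback for non-GCM clients; EDH strength depends on the server's DH parameters.` Separately, `-TLSv1.1` in `SSLProtocol` is only understood by httpd builds linked against an OpenSSL with TLS 1.1/1.2 support, so hosts on older platforms may reject the directive; a note or a version guard would help if this module still targets them. The cipher-list comment also has a typo (`obosolete`). The defaults hash and the class start before this hunk and continue after it, so whether `$options` can override these values is not visible here.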