diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 8896988..2755f55 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -876,12 +876,62 @@ include 'filename'
       </indexterm>
       <listitem>
        <para>
-        Specifies a list of <acronym>SSL</> ciphers that are allowed to be
+        Specifies a list of <acronym>SSL</> cipher suites that are allowed to be
         used on secure connections.  See
         the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page
         in the <application>OpenSSL</> package for the syntax of this setting
-        and a list of supported values.  The default value is usually
-        reasonable, unless you have specific security requirements.
+        and a list of supported values.  The default value is
+        <literal>HIGH:MEDIUM:+3DES:!aNULL</>.  It is usually reasonable,
+        unless you have specific security requirements.
+       </para>
+       <para>
+        Explanation for default value:
+        <variablelist>
+         <varlistentry>
+          <term><literal>HIGH</literal></term>
+          <listitem>
+           <para>
+            Cipher suites that use ciphers from <literal>HIGH</> section.
+            (AES, Camellia, 3DES)
+           </para>
+          </listitem>
+         </varlistentry>
+         <varlistentry>
+          <term><literal>MEDIUM</literal></term>
+          <listitem>
+           <para>
+            Cipher suites that use ciphers from <literal>MEDIUM</> section.
+            (RC4, SEED)
+           </para>
+          </listitem>
+         </varlistentry>
+         <varlistentry>
+          <term><literal>+3DES</literal></term>
+          <listitem>
+           <para>
+            OpenSSL default order for <literal>HIGH</> is problematic as it orders 3DES
+            higher than AES128.  This is wrong as 3DES offers less security than AES128
+            and it is also much slower.  <literal>+3DES</> reorders it after all other
+            <literal>HIGH</> and <literal>MEDIUM</> ciphers.
+           </para>
+          </listitem>
+         </varlistentry>
+         <varlistentry>
+          <term><literal>!aNULL</literal></term>
+          <listitem>
+           <para>
+            Disables anonymous cipher suites that do no authentication.
+            Such cipher suites are vulnerable to a "man in the middle"
+            attack and so should not be used.
+           </para>
+          </listitem>
+         </varlistentry>
+        </variablelist>
+        Available cipher suite details will vary across OpenSSL versions, these values
+        are taken from <application>OpenSSL</> 1.0.1.  Use command
+        <literal>openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</literal>
+        to see actual details for currently installed <application>OpenSSL</> version.
+        Note that this list is filtered on runtime based on server key type.
        </para>
       </listitem>
      </varlistentry>
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index e69e132..0ad02e8 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -3156,7 +3156,7 @@ static struct config_string ConfigureNamesString[] =
 		},
 		&SSLCipherSuites,
 #ifdef USE_SSL
-		"DEFAULT:!LOW:!EXP:!MD5:@STRENGTH",
+		"HIGH:MEDIUM:+3DES:!aNULL",
 #else
 		"none",
 #endif
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index f8bdce3..aff9f84 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -79,7 +79,7 @@
 
 #authentication_timeout = 1min		# 1s-600s
 #ssl = off				# (change requires restart)
-#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 					# (change requires restart)
 #ssl_prefer_server_ciphers = on		# (change requires restart)
 #ssl_ecdh_curve = 'prime256v1'		# (change requires restart)