diff --git a/lib/constants.py b/lib/constants.py
index 5a57629f03196d78e27c92cbf167669cccc0d6a3..0a8f407cbe20282e6521aa7b04efc10345f72f84 100644
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -204,6 +204,14 @@ SOCAT_ESCAPE_CODE = "0x1d"
 # 2010 on.
 RSA_KEY_BITS = 2048
 
+# Ciphers allowed for SSL connections. For the format, see ciphers(1). A better
+# way to disable ciphers would be to use the exclamation mark (!), but socat
+# versions below 1.5 can't parse exclamation marks in options properly. When
+# modifying the ciphers, ensure to not accidentially add something after it's
+# been removed. Use the "openssl" utility to check the allowed ciphers, e.g.
+# "openssl ciphers -v HIGH:-DES".
+OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-ADH"
+
 # Digest used to sign certificates ("openssl x509" uses SHA1 by default)
 X509_CERT_SIGN_DIGEST = "SHA1"
 
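Review bot: In `OPENSSL_CIPHERS`, `-ADH` removes only the anonymous DH suites; per ciphers(1) it does not cover anonymous ECDH (`AECDH`), which some OpenSSL versions include in `HIGH`, so unauthenticated suites may remain negotiable. Using `-aNULL` instead covers both families and still avoids the exclamation mark, e.g. `OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-aNULL"`; this should be verified against the oldest OpenSSL the project supports. The comment's example command checks `HIGH:-DES` rather than the string actually set, so I would quote the full value there, `openssl ciphers -v 'HIGH:-DES:-3DES:-EXPORT:-ADH'`, and fix the spelling of "accidentally". The same constant feeds both the pyOpenSSL context in lib/http and the socat `cipher=` option in lib/impexpd, so the result applies to both.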
diff --git a/lib/http/__init__.py b/lib/http/__init__.py
index 2fc9cd20483b568924640e6b602dbdbfc75ee2e3..a42c496ef50024151d8da162e69e291dfaab9bdb 100644
--- a/lib/http/__init__.py
+++ b/lib/http/__init__.py
@@ -595,6 +595,7 @@ class HttpBase(object):
 
     ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
     ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2)
+    ctx.set_cipher_list(constants.OPENSSL_CIPHERS)
 
     ctx.use_privatekey(self._ssl_key)
     ctx.use_certificate(self._ssl_cert)
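Review bot: The context is created with `SSLv23_METHOD` and only `OP_NO_SSLv2` is set, so SSLv3 stays negotiable even after the cipher list is restricted, while the socat options in lib/impexpd pin `method=TLSv1`. If nothing depends on SSLv3 here, the options line could become `ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3)` so both transports agree on the protocol floor. A short comment above `set_cipher_list` saying that the list is shared with the import/export daemon would also help whoever edits `constants.OPENSSL_CIPHERS` later. The enclosing method starts and ends outside this hunk, so I cannot see whether the options are adjusted elsewhere.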
diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
index b405f1bc1e8386b5e9d3d3234b608485b7afc184..5b14adcb35b5c2904a07a33cff568783cef6bef7 100644
--- a/lib/impexpd/__init__.py
+++ b/lib/impexpd/__init__.py
@@ -77,7 +77,8 @@ BUFSIZE = 1024 * 1024
 
 # Common options for socat
 SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
-SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=HIGH", "method=TLSv1"]
+SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+                      "cipher=%s" % constants.OPENSSL_CIPHERS]
 
 SOCAT_OPTION_MAXLEN = 400