diff --git a/manifests/init.pp b/manifests/init.pp
index 054e979..4a14184 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -238,6 +238,14 @@
 # SSL Key location
 # default: /etc/ssl/private/ssl-cert-snakeoil.key
 #
+# [*gitlab_ssl_protocols*]
+# Nginx SSL enabled protocols
+# default: 'TLSv1.2 TLSv1.1 TLSv1'
+#
+# [*gitlab_ssl_ciphers*]
+# Nginx SSL enabled ciphers
+# default: 'AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF'
+#
 # [*gitlab_ssl_self_signed*]
 # Set true if your SSL Cert is self signed
 # default: false
@@ -511,6 +519,8 @@
 $gitlab_ssl = $gitlab::params::gitlab_ssl,
 $gitlab_ssl_cert = $gitlab::params::gitlab_ssl_cert,
 $gitlab_ssl_key = $gitlab::params::gitlab_ssl_key,
+ $gitlab_ssl_protocols = $gitlab::params::gitlab_ssl_protocols,
+ $gitlab_ssl_ciphers = $gitlab::params::gitlab_ssl_ciphers,
 $gitlab_ssl_self_signed = $gitlab::params::gitlab_ssl_self_signed,
 $gitlab_projects = $gitlab::params::gitlab_projects,
 $gitlab_username_change = $gitlab::params::gitlab_username_change,
diff --git a/manifests/params.pp b/manifests/params.pp
index a10497e..e8377ff 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -59,6 +59,8 @@
 $gitlab_email_display_name= 'GitLab'
 $gitlab_support_email = 'support@localhost'
 $gitlab_ssl = false
+ $gitlab_ssl_protocols = 'TLSv1.2 TLSv1.1 TLSv1'
+ $gitlab_ssl_ciphers = 'AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF'
 $gitlab_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
 $gitlab_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
 $gitlab_ssl_self_signed = false
diff --git a/spec/classes/gitlab_config_spec.rb b/spec/classes/gitlab_config_spec.rb
index e52b5a6..a09407f 100644
--- a/spec/classes/gitlab_config_spec.rb
+++ b/spec/classes/gitlab_config_spec.rb
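Review bot: The documented default cipher list `'AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF'` ends in `!MDF`, which I do not recognise as an OpenSSL cipher-list keyword and which looks like a typo for the `!MD5` already in the list; as far as I know OpenSSL ignores an unknown rule rather than failing, so the token does nothing, but the same string is the default in the params.pp hunk, is asserted verbatim in the spec hunk and survives in the commented-out template lines, so fixing it means updating all of them together. The default `'TLSv1.2 TLSv1.1 TLSv1'` keeps TLSv1.0 and TLSv1.1 enabled exactly as the old hard-coded template did, so it is not a regression, but since both values are now rendered unchanged into nginx's `ssl_protocols` and `ssl_ciphers` directives the comment should say so and point operators at the override, e.g. `# Passed verbatim to nginx ssl_protocols; restrict to 'TLSv1.2' where older clients need not be supported`. The header comment block this hunk sits in starts before the hunk.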
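Review bot: The two new parameters are accepted without any validation, and the template hunk interpolates them unchanged into the nginx `ssl_protocols` and `ssl_ciphers` directives, so a malformed value (an empty string, a misspelled protocol name) only surfaces when nginx refuses to load the generated config on the node. If the module already depends on puppetlabs-stdlib, a `validate_string($gitlab_ssl_protocols)` / `validate_string($gitlab_ssl_ciphers)` pair next to whatever parameter checks the class already does would at least reject non-string values; checking the protocol list against the names nginx actually accepts is worth considering on top of that. The class parameter list begins and ends outside this hunk.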
@@ -123,6 +123,8 @@
 it { is_expected.to contain_file('/etc/nginx/conf.d/gitlab.conf').with_content(/^\s*listen 443;$/)}
 it { is_expected.to contain_file('/etc/nginx/conf.d/gitlab.conf').with_content(/^\s*ssl_certificate \/etc\/ssl\/certs\/ssl-cert-snakeoil.pem;$/)}
 it { is_expected.to contain_file('/etc/nginx/conf.d/gitlab.conf').with_content(/^\s*ssl_certificate_key \/etc\/ssl\/private\/ssl-cert-snakeoil.key;$/)}
+ it { is_expected.to contain_file('/etc/nginx/conf.d/gitlab.conf').with_content(/^\s*ssl_protocols TLSv1.2 TLSv1.1 TLSv1;$/)}
+ it { is_expected.to contain_file('/etc/nginx/conf.d/gitlab.conf').with_content(/^\s*ssl_ciphers AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF;$/)}
 it { is_expected.to contain_file('/etc/nginx/conf.d/gitlab.conf').with_content(/^\s*proxy_set_header X-Forwarded-Ssl on;$/)}
 end
 ["hostname1", "hostname1 hostname2.example.com hostname3.example.org"].each do |domain_alias|
diff --git a/templates/nginx-gitlab.conf.erb b/templates/nginx-gitlab.conf.erb
index 0486748..58be709 100644
--- a/templates/nginx-gitlab.conf.erb
+++ b/templates/nginx-gitlab.conf.erb
@@ -49,9 +49,11 @@ server {
 ssl_certificate <%= @gitlab_ssl_cert %>;
 ssl_certificate_key <%= @gitlab_ssl_key %>;
 # please see https://github.com/sbadia/puppet-gitlab/pull/104
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_ciphers AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF;
+ # ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ # ssl_ciphers AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF;
 ssl_prefer_server_ciphers on;
+ ssl_protocols <%= @gitlab_ssl_protocols %>;
+ ssl_ciphers <%= @gitlab_ssl_ciphers %>;
 <% end %>
 # individual nginx logs for this gitlab vhost
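Review bot: The two added expectations leave the dots in `TLSv1.2 TLSv1.1` unescaped, so the pattern also matches any character in those positions; the neighbouring cert/key lines are equally loose (`snakeoil.pem`), but the new lines should not copy that, e.g. `with_content(/^\s*ssl_protocols TLSv1\.2 TLSv1\.1 TLSv1;$/)`. Both examples only check the defaults, so they would still pass if the template ignored the new parameters entirely; one further example that sets non-default `gitlab_ssl_protocols` and `gitlab_ssl_ciphers` in `let(:params)` and asserts those strings appear is what actually verifies this change. The enclosing context block starts before the hunk.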
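Review bot: The two removed directives come back as comments (`# ssl_protocols TLSv1.2 TLSv1.1 TLSv1;`, `# ssl_ciphers AES:HIGH:!aNULL:!RC4:!MD5:!ADH:!MDF;`) directly under the `# please see .../pull/104` note; commented-out config repeating the old defaults will silently drift from the real defaults in params.pp and is already preserved by git history, so drop those two lines and let the PR reference sit above the parameterised directives instead. The new `ssl_protocols`/`ssl_ciphers` lines are also placed after `ssl_prefer_server_ciphers on;` rather than where the hard-coded ones were; nginx does not care about the order, but keeping the three TLS-policy directives together reads better. The `<% end %>` closes a block that begins before the hunk, as does the `server {` context.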