geerlingguy · divialth · Feb 25, 2026
diff --git a/README.md b/README.md
@@ -101,6 +101,7 @@ Whether to print SSL-related task output to the console when running the playboo
 ```yaml
 apache_ssl_protocol: "All -SSLv2 -SSLv3"
 apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+apache_ssl_honor_cipher_order: "On"
 ```
 
 The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -40,6 +40,7 @@ apache_ignore_missing_ssl_certificate: true
 apache_ssl_no_log: true
 apache_ssl_protocol: "All -SSLv2 -SSLv3"
 apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+apache_ssl_honor_cipher_order: "On"
 
 # Only used on Debian/Ubuntu/Redhat.
 apache_mods_enabled:

diff --git a/templates/vhosts.conf.j2 b/templates/vhosts.conf.j2
@@ -48,7 +48,7 @@
   SSLEngine on
   SSLCipherSuite {{ apache_ssl_cipher_suite }}
   SSLProtocol {{ apache_ssl_protocol }}
-  SSLHonorCipherOrder On
+  SSLHonorCipherOrder {{ apache_ssl_honor_cipher_order }}
 {% if apache_vhosts_version == "2.4" %}
   SSLCompression off
 {% endif %}