diff --git a/defaults/main.yml b/defaults/main.yml
index b94112a..05a7c86 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -115,7 +115,7 @@ nginx_load_modules: []
 #
 nginx_dh: null
 nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
-nginx_dh_length: 2048
+nginx_dh_length: 4096
 #
 # acme.sh
diff --git a/templates/etc/nginx/helper/ssl-legacy.j2 b/templates/etc/nginx/helper/ssl-legacy.j2
index e0aab8b..5c324ad 100644
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@@ -3,12 +3,13 @@
 #
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
+ssl_protocols TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout is version('1.7.5', 'ge') %} always{% endif %};
+ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout is version('1.7.5', 'ge') %} always{% endif %};
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
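Review bot: The bump of `nginx_dh_length` to 4096 is undocumented, and generating 4096-bit parameters (presumably via `openssl dhparam` when `nginx_dh` is null — confirm against the task that consumes it) can take many minutes on a small host, which will look like a hung provisioning run. A comment above the key would set expectations, e.g. `# Generating 4096-bit parameters can take several minutes on first run; use 2048 for faster provisioning.`. Since the same file is written to `{{ nginx_dh_path }}` and loaded by both the legacy and strong helpers via `ssl_dhparam`, it is also worth checking that the older clients the legacy profile exists for still negotiate DHE with a 4096-bit group (some older Java runtimes reportedly capped the accepted size below that).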
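Review bot: `ssl_session_tickets off;` is added here without an accompanying `ssl_session_timeout`, while the same commit adds `ssl_session_timeout 10m;` to ssl-strong.j2; with tickets off, resumption depends entirely on the `shared:SSL:10m` cache, so the two helpers now silently differ in session lifetime (nginx's default is 5m). Adding `ssl_session_timeout 10m;` next to the cache line would keep the profiles aligned. Separately, the context `ssl_ciphers` string contains names that are not OpenSSL suites (e.g. `ECDHE-RSA-AES128-GCM-SHA384`, `AES128-SHA128`, `AES128-GCM-SHA384`); OpenSSL skips unknown entries rather than failing, so the effective list is largely whatever `HIGH` expands to, and a commit reshaping this policy is the place to either prune those names or note that they are inert. Finally, dropping only `TLSv1` while keeping `TLSv1.1` is a partial step given both are deprecated by RFC 8996; if 1.1 is retained deliberately for this "legacy" profile, a short comment above `ssl_protocols` saying so would stop the next reviewer from flagging it.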
diff --git a/templates/etc/nginx/helper/ssl-strong.j2 b/templates/etc/nginx/helper/ssl-strong.j2
index 3527fac..13fc97b 100644
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@@ -2,13 +2,16 @@
 # {{ ansible_managed }}
 #
-ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";
+ssl_protocols TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
+ssl_ecdh_curve secp384r1;
+ssl_session_timeout 10m;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout is version('1.7.5', 'ge') %} always{% endif %};
+ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout is version('1.7.5', 'ge') %} always{% endif %};
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
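Review bot: The new `ssl_ciphers` line lists `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which are not OpenSSL suite names (the TLS 1.2 AES-256-GCM suites use SHA384); OpenSSL drops unknown entries, so the effective list is just the three remaining suites and the first two names only mislead readers. The list is also RSA-only, so an ECDSA certificate (which acme.sh, referenced in defaults/main.yml, can issue) would fail with "no shared cipher"; I would write it as `ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";`. `ssl_ecdh_curve secp384r1;` pins key exchange to P-384 alone, excluding X25519 and P-256 that most current clients prefer; if the target OpenSSL is 1.1.0 or newer, `ssl_ecdh_curve X25519:secp384r1;` keeps the intent without that cost (otherwise leaving nginx's default `auto` is the safer choice). Note too that `ssl_ciphers` does not govern TLS 1.3 suites in nginx, so the TLS 1.3 branch still negotiates OpenSSL's defaults — worth a one-line comment above the directive.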