diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index a637616f0..93cdece7a 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md @@ -15,6 +15,18 @@ If you want a stable IRCd, download 6.0.4 or upgrade to it via `./unrealircd upg * [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC) API for UnrealIRCd. This is work in progress. +### Changes: +* SSL/TLS: By default we now require TLSv1.2 or later and a modern cipher + with forward secrecy. Otherwise the connection is refused. + * Since UnrealIRCd 4.2.2 (March 2019) users see an on-connect notice with + a warning when they use an outdated TLS protocol or cipher that does not + meet these requirements. + * This move also reflects the phase out of TLSv1.2 that happened in + browsers in 2020/2021. + * If you want to revert back to the previous less secure settings, then + look under ''Previous less secure setting'' in + [TLS Ciphers and protocols](https://www.unrealircd.org/docs/TLS_Ciphers_and_protocols). + UnrealIRCd 6.0.4.2 ------------------- Another small update to 6.0.4.x: diff --git a/include/config.h b/include/config.h index 9156eb781..486714453 100644 --- a/include/config.h +++ b/include/config.h @@ -275,7 +275,7 @@ /* Default TLS cipherlist (except for TLS1.3, see further down). * This can be changed via set::ssl::options::ciphers in the config file. */ -#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA" +#define UNREALIRCD_DEFAULT_CIPHERS "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES+SHA384 EECDH+AES+SHA256" /* Default TLS 1.3 ciphersuites. * This can be changed via set::ssl::options::ciphersuites in the config file. diff --git a/src/conf.c b/src/conf.c index 63a2f9968..b243f334a 100644 --- a/src/conf.c +++ b/src/conf.c 
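Review bot: The comment above `UNREALIRCD_DEFAULT_CIPHERS` in include/config.h only says where the list can be overridden and does not record the policy the new value encodes. As far as I can tell the new string keeps only ECDHE key exchange, with ChaCha20 and AES-GCM first and `EECDH+AES+SHA384` / `EECDH+AES+SHA256` admitting CBC suites with a SHA-2 MAC for older TLSv1.2 clients, and it drops RSA key exchange and the SHA-1 suites. I would add a comment line such as `* Policy: ECDHE only (forward secrecy), AEAD preferred, CBC only with a SHA-2 MAC; no RSA key exchange, no SHA-1.` so that a later edit does not reintroduce a non-forward-secret suite by accident. The removed `TLS13-*` names belong to the separate TLS 1.3 ciphersuites setting the comment already points to, so dropping them from this list looks right.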
@@ -1733,7 +1733,7 @@ void config_setdefaultsettings(Configuration *i) safe_strdup(i->tls_options->trusted_ca_file, tmp); safe_strdup(i->tls_options->ciphers, UNREALIRCD_DEFAULT_CIPHERS); safe_strdup(i->tls_options->ciphersuites, UNREALIRCD_DEFAULT_CIPHERSUITES); - i->tls_options->protocols = TLS_PROTOCOL_ALL; + i->tls_options->protocols = TLS_PROTOCOL_TLSV1_2|TLS_PROTOCOL_TLSV1_3; /* TLSv1.2 & TLSv1.3 */ #ifdef HAS_SSL_CTX_SET1_CURVES_LIST safe_strdup(i->tls_options->ecdh_curves, UNREALIRCD_DEFAULT_ECDH_CURVES); #endif diff --git a/src/tls.c b/src/tls.c index 6153e3c12..6d04507d5 100644 --- a/src/tls.c +++ b/src/tls.c @@ -215,7 +215,7 @@ void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions) if ((tlsoptions->protocols & TLS_PROTOCOL_TLSV1) || (tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1)) { - SSL_CTX_set_security_level(ctx, 1); + SSL_CTX_set_security_level(ctx, 0); } #endif
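Review bot: The trailing comment on the new `protocols` default in config_setdefaultsettings() restates the two flag names rather than the reason for the choice; something like `/* TLSv1.0/1.1 are refused by default; they must be enabled explicitly in the config */` tells the next reader this is a deliberate hardening default. Spacing the operator as `TLS_PROTOCOL_TLSV1_2 | TLS_PROTOCOL_TLSV1_3` would match the spaced operators used in the src/tls.c hunk. The release note in the same commit says the change reflects "the phase out of TLSv1.2" in browsers, while the default set here keeps TLSv1.2, so that bullet presumably means TLSv1.0 and TLSv1.1. The function body starts and ends outside the hunk.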
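Review bot: Dropping to security level 0 in disable_ssl_protocols() removes every OpenSSL security-level check for the whole context, not only for the legacy protocols, so an admin who re-enables TLSv1.0/1.1 also loses the minimum key-size and weak-algorithm checks on TLSv1.2 and TLSv1.3 handshakes. The motivation is presumably that OpenSSL 3.x no longer negotiates TLSv1.0/1.1 at level 1; if so, the call could stay at 1 on older OpenSSL and use 0 only where it is required, with a comment saying why. A warning emitted during config validation when this branch is taken would also make the trade-off visible to the operator. The enclosing function and the surrounding `#ifdef` start outside the hunk.

```c
	/* … unchanged: check for TLS_PROTOCOL_TLSV1 / TLS_PROTOCOL_TLSV1_1 … */
	{
		/* Legacy protocols were explicitly enabled by the admin.
		 * OpenSSL 3.x only negotiates TLSv1.0/1.1 at security level 0;
		 * older releases still accept them at level 1. The level applies
		 * to the whole context, including TLSv1.2+ handshakes.
		 */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
		SSL_CTX_set_security_level(ctx, 0);
#else
		SSL_CTX_set_security_level(ctx, 1);
#endif
```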