diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
new file mode 100644
index 0000000..40c5721
--- /dev/null
+++ b/roles/haproxy/defaults/main.yml
@@ -0,0 +1,2 @@
+haproxy_ssl_default_ciphers: '{{ haproxy_default_ssl_default_ciphers }}'
+haproxy_ssl_default_server_ciphers: '{{ haproxy_default_ssl_default_server_ciphers|d("") }}'
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index b195792..28ce10b 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,3 +1,9 @@
+- name: load distribution-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+    - '{{ ansible_distribution }}.yml'
+    - defaults.yml
+
 - name: ensure haproxy is installed
   package: name=haproxy
diff --git a/roles/haproxy/templates/global.cfg.j2 b/roles/haproxy/templates/global.cfg.j2
index 67ea847..f5f5bda 100644
--- a/roles/haproxy/templates/global.cfg.j2
+++ b/roles/haproxy/templates/global.cfg.j2
@@ -14,5 +14,10 @@ global
     stats socket /var/lib/haproxy/stats
     # utilize system-wide crypto-policies
-    ssl-default-bind-ciphers PROFILE=SYSTEM
-    ssl-default-server-ciphers PROFILE=SYSTEM
+    ssl-default-bind-ciphers {{ haproxy_ssl_default_ciphers }}
+{% if haproxy_ssl_default_server_ciphers|d %}
+    ssl-default-server-ciphers {{ haproxy_ssl_default_server_ciphers }}
+{% endif %}
+{% if haproxy_ssl_default_bind_options %}
+    ssl-default-bind-options {{ haproxy_ssl_default_bind_options }}
+{% endif %}
diff --git a/roles/haproxy/vars/Debian.yml b/roles/haproxy/vars/Debian.yml
new file mode 100644
index 0000000..75f7863
--- /dev/null
+++ b/roles/haproxy/vars/Debian.yml
@@ -0,0 +1,2 @@
+haproxy_ssl_default_bind_options: no-sslv3
+haproxy_default_ssl_default_ciphers: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
diff --git a/roles/haproxy/vars/defaults.yml b/roles/haproxy/vars/defaults.yml
new file mode 100644
index 0000000..bd3a06c
--- /dev/null
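Review bot: `haproxy_ssl_default_bind_options` gets no default in this file, yet the template hunk in roles/haproxy/templates/global.cfg.j2 tests it with a bare `{% if haproxy_ssl_default_bind_options %}`; on hosts that fall through to vars/defaults.yml, which does not define it either, the variable is undefined and Ansible's strict undefined handling will most likely fail the template render rather than skip the block, unless the inventory sets it elsewhere. Add `haproxy_ssl_default_bind_options: ''` here (or guard the template with `|d('')`) so the directive is simply omitted when no options are configured. The same asymmetry shows in the two lines above: the server-cipher default is protected with `|d("")` while the bind-options variable, which the template also treats as optional, is not declared at all.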
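Review bot: The first_found list keys only on `ansible_distribution`, so Debian derivatives such as Ubuntu never match `Debian.yml` and fall through to `defaults.yml`, whose `PROFILE=SYSTEM` value is, as far as I know, understood only by OpenSSL builds patched for system-wide crypto-policies (Fedora/RHEL); haproxy on such a host would likely reject its generated configuration. Adding `- '{{ ansible_os_family }}.yml'` between the two existing entries lets Debian.yml cover the whole family while still allowing per-distribution overrides. A short comment above the task naming the lookup order, `# distribution -> OS family -> PROFILE=SYSTEM fallback`, would document why the fallback file exists.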
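Review bot: The retained context comment `# utilize system-wide crypto-policies` is no longer accurate once the directives below are templated, because on Debian hosts the variables expand to an explicit cipher list rather than `PROFILE=SYSTEM`. Replace it with something like `# TLS defaults come from vars/<distribution>.yml: PROFILE=SYSTEM where crypto-policies exist, an explicit cipher list otherwise`, so a reader does not assume the system policy is always in force. The `global` section this hunk edits continues outside the hunk.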
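Review bot: Debian.yml sets only the bind-side cipher list; `haproxy_default_ssl_default_server_ciphers` is left undefined, so through the `|d("")` default in defaults/main.yml and the `{% if %}` in the template, Debian hosts emit no `ssl-default-server-ciphers` at all, and the TLS connections haproxy opens to its backends fall back to the library default instead of the policy that `PROFILE=SYSTEM` previously applied to both directions. Add `haproxy_default_ssl_default_server_ciphers` here with the same list so client-facing and backend-facing TLS are constrained alike. `no-sslv3` alone still leaves TLS 1.0 and 1.1 negotiable; whether `no-tlsv10 no-tlsv11` belongs in the Debian default depends on the clients this role must serve and is worth a comment either way. The cipher string parses fine as a plain YAML scalar, but quoting it would protect against a future edit introducing `: ` or ` #` into the value.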
+++ b/roles/haproxy/vars/defaults.yml
@@ -0,0 +1,2 @@
+haproxy_default_ssl_default_ciphers: PROFILE=SYSTEM
+haproxy_default_ssl_default_server_ciphers: PROFILE=SYSTEM