diff --git a/defaults/main.yml b/defaults/main.yml
index 01d1ca58..34bd82e9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -118,6 +118,35 @@ rabbitmq_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansib
 #rabbitmq_user_ssl_key:
 #rabbitmq_user_ssl_ca_cert:
+# These are highly recommended for TLSv1.2 but cannot be used
+# with TLSv1.3. If TLSv1.3 is enabled, these lines will not be
+# inserted into the config
+rabbitmq_ssl_client_renegotiation: false
+rabbitmq_ssl_secure_renegotiate: true
+
+# Supported TLS protocol versions
+rabbitmq_ssl_tls_versions:
+ - "tlsv1.2"
+
+# Mutual TLS control
+rabbitmq_ssl_verify: "verify_none"
+rabbitmq_ssl_fail_if_no_peer_cert: False
+
+# Recommended ciphers taken from https://www.rabbitmq.com/ssl.html
+rabbitmq_ssl_ciphers:
+ - "ECDHE-ECDSA-AES256-GCM-SHA384"
+ - "ECDHE-RSA-AES256-GCM-SHA384"
+ - "ECDH-ECDSA-AES256-GCM-SHA384"
+ - "ECDH-RSA-AES256-GCM-SHA384"
+ - "DHE-RSA-AES256-GCM-SHA384"
+ - "DHE-DSS-AES256-GCM-SHA384"
+ - "ECDHE-ECDSA-AES128-GCM-SHA256"
+ - "ECDHE-RSA-AES128-GCM-SHA256"
+ - "ECDH-ECDSA-AES128-GCM-SHA256"
+ - "ECDH-RSA-AES128-GCM-SHA256"
+ - "DHE-RSA-AES128-GCM-SHA256"
+ - "DHE-DSS-AES128-GCM-SHA256"
+
 # RabbitMQ erlang VM parameters
 rabbitmq_async_threads: 128
 rabbitmq_process_limit: 1048576
diff --git a/templates/rabbitmq.config.j2 b/templates/rabbitmq.config.j2
index 6bbc78de..3c3a322e 100644
--- a/templates/rabbitmq.config.j2
+++ b/templates/rabbitmq.config.j2
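Review bot: `rabbitmq_ssl_fail_if_no_peer_cert: False` is written with a capital while `rabbitmq_ssl_client_renegotiation: false` and `rabbitmq_ssl_secure_renegotiate: true` in the same hunk use the canonical lowercase form; the template's `| lower` filter hides the difference at render time, but yamllint's truthy check flags it and the mixed style invites a reader to treat it as a string, so change it to `rabbitmq_ssl_fail_if_no_peer_cert: false`. The "Mutual TLS control" comment should also spell out the dependency the template leaves implicit: `rabbitmq_ssl_verify: "verify_peer"` only enforces client certificates when the CA certificate variables just above are set, so a one-line `# verify_peer requires rabbitmq_user_ssl_ca_cert (and fail_if_no_peer_cert: true to reject clients without a cert)` would prevent a silently ineffective setting. Finally, `rabbitmq_ssl_ciphers` lists TLS 1.2 suite names only (and the static `ECDH-*` entries offer no forward secrecy) while nothing ties the list to `rabbitmq_ssl_tls_versions`; a comment that the list must be extended if `tlsv1.3` is added — how a 1.2-only list behaves under 1.3 depends on the Erlang ssl version, so I would not assert a failure — keeps the two settings from drifting apart.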
@@ -14,16 +14,33 @@
 { ssl_options, [
 { certfile, "{{ rabbitmq_ssl_cert }}" },
 { keyfile, "{{ rabbitmq_ssl_key }}" },
+ { honor_cipher_order, true},
+ { honor_ecc_order, true},
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+ { client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
+ { secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
+{% endif %}
 {% if rabbitmq_user_ssl_ca_cert is defined -%}
 { cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
 {% endif %}
 { versions, [
- 'tlsv1.2',
- 'tlsv1.1'
+{% for version in rabbitmq_ssl_tls_versions %}
+ '{{ version }}'{% if not loop.last -%},{%- endif %}
+
+{% endfor %}
 ] },
- { verify, verify_none },
- { fail_if_no_peer_cert, false }
+{% if rabbitmq_ssl_ciphers | length > 0 %}
+ { ciphers, [
+{% for cipher in rabbitmq_ssl_ciphers %}
+ "{{ cipher }}"{% if not loop.last -%},{%- endif %}
+
+{% endfor %}
+ ]
+ },
+{% endif %}
+ { verify, {{ rabbitmq_ssl_verify | lower }} },
+ { fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
 ] },
 { vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }
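Review bot: The new `{ ciphers, [...] }` block is rendered whenever `rabbitmq_ssl_ciphers` is non-empty regardless of `rabbitmq_ssl_tls_versions`, whereas the renegotiation options added just above are correctly guarded on `"tlsv1.3" not in rabbitmq_ssl_tls_versions`; since the default list contains only TLS 1.2 suite names, an operator who adds `tlsv1.3` to the versions list gets a cipher list with no 1.3 suites, and whether Erlang's ssl still negotiates 1.3 then depends on the OTP version, so this deserves a guard or at least a template comment such as `{# ciphers are TLS 1.2 suites only; extend rabbitmq_ssl_ciphers when enabling tlsv1.3 #}`. The `{ verify, ... }` and `{ fail_if_no_peer_cert, ... }` lines are now variable-driven, but `cacertfile` is still emitted only under `rabbitmq_user_ssl_ca_cert is defined`, so `verify_peer` with no CA configured renders a config that cannot validate any client; the role could reject that combination before templating, or the template could carry a comment stating the dependency. A minor style point: `{ honor_cipher_order, true}` and `{ honor_ecc_order, true}` omit the space before `}` that every other tuple in the list has. The `ssl_options` list is complete within the hunk, but the enclosing configuration term continues outside it.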