diff --git a/etc/openstack_deploy/user_variables.yml b/etc/openstack_deploy/user_variables.yml
index e174045155..05ed5e55a1 100644
--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@@ -38,3 +38,16 @@ glance_swift_store_endpoint_type: internalURL
 ## Swift
 # This will allow all users to create containers and upload to swift if set to True
 swift_allow_all_users: False
+
+## Apache SSL Settings
+# These do not need to be configured unless you're creating certificates for
+# services running behind Apache (currently, Horizon and Keystone).
+ssl_protocol: "ALL -SSLv2 -SSLv3"
+# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+# To override for Keystone only:
+# - keystone_ssl_protocol
+# - keystone_ssl_cipher_suite
+# To override for Horizon only:
+# - horizon_ssl_protocol
+# - horizon_ssl_cipher_suite
diff --git a/playbooks/roles/os_horizon/defaults/main.yml b/playbooks/roles/os_horizon/defaults/main.yml
index c85161f430..38a0ed62ca 100644
--- a/playbooks/roles/os_horizon/defaults/main.yml
+++ b/playbooks/roles/os_horizon/defaults/main.yml
@@ -60,6 +60,8 @@ horizon_enable_password_retrieve: False
 horizon_ssl_cert: /etc/ssl/certs/apache.cert
 horizon_ssl_key: /etc/ssl/private/apache.key
 horizon_ssl_cert_path: /etc/ssl/certs
+horizon_ssl_protocol: "{{ ssl_protocol }}"
+horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 
 ## Launch instance
 horizon_launch_instance_legacy: True
diff --git a/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2 b/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
index 6cb8187966..4a4dc9c5d0 100644
--- a/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
+++ b/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
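Review bot: The global `ssl_cipher_suite` added here admits 3DES (`ECDH+3DES`, `DH+3DES`, `RSA+3DES`) and carries none of the `!eNULL !LOW !EXP !RC4 !3DES` exclusions that the Horizon vhost string removed in the openstack_dashboard.conf.j2 hunk of this commit had, so once Horizon switches to this variable its cipher policy is looser than before, while Keystone keeps the same 3DES-capable string it already shipped. If 3DES was not deliberately retained for legacy clients, drop the three `+3DES` entries or append `:!3DES` to the string, and say so next to the `# Cipher suite string from …` comment. `ssl_protocol: "ALL -SSLv2 -SSLv3"` still permits TLSv1.0; presumably that is intended for client compatibility, but a comment stating it would prevent a future "hardening" change from silently breaking clients. The comment `# These do not need to be configured unless you're creating certificates for` reads as if the values only matter with custom certificates, whereas they are the defaults rendered into the SSL vhosts whenever those are enabled — consider rewording to `# These are the defaults used by the Apache SSL vhosts (currently Horizon and Keystone); override only if you need a different policy.`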
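Review bot: `horizon_ssl_protocol: "{{ ssl_protocol }}"` and `horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"` make the role's own defaults depend on variables that are defined only in etc/openstack_deploy/user_variables.yml, so a deployment whose user_variables.yml predates this change (or a standalone use of the role) now fails with an undefined variable where the previous hardcoded defaults rendered fine; the os_keystone defaults hunk in this commit has the same dependency. A fallback keeps each role self-contained: `horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"`, and likewise for the cipher suite with the string used in user_variables.yml. A short comment above the pair naming where `ssl_protocol` / `ssl_cipher_suite` are expected to be set would also help the next reader.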
@@ -22,9 +22,10 @@
 SSLCertificateKeyFile {{ horizon_ssl_key }}
 SSLCACertificatePath {{ horizon_ssl_cert_path }}
 SSLCARevocationPath {{ horizon_ssl_cert_path }}
+ SSLCompression Off
 SSLProtocol All -SSLv2 -SSLv3
 SSLHonorCipherOrder On
- SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+ SSLCipherSuite {{ horizon_ssl_cipher_suite }}
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 
 WSGIScriptAlias / {{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index 54cd18856d..6ac5e89ee6 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -111,9 +111,8 @@ keystone_ssl_enabled: false
 keystone_ssl_cert: /etc/ssl/certs/apache.cert
 keystone_ssl_key: /etc/ssl/private/apache.key
 keystone_ssl_cert_path: /etc/ssl/certs
-keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
-# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-keystone_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+keystone_ssl_protocol: "{{ ssl_protocol }}"
+keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
 
 ## Caching
 # If set this will enable dog pile cache for keystone.
diff --git a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2 b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
index 4597623e32..a5fc9ed4bf 100644
--- a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
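Review bot: `horizon_ssl_protocol` is introduced in the os_horizon defaults by this commit, yet the template keeps the hardcoded `SSLProtocol All -SSLv2 -SSLv3`, so the Horizon-only override the user_variables.yml comment advertises (`# - horizon_ssl_protocol`) has no effect, unlike Keystone's template which renders `{{ keystone_ssl_protocol }}`. Change the line to `SSLProtocol {{ horizon_ssl_protocol }}`. The new `SSLCipherSuite {{ horizon_ssl_cipher_suite }}` is also unquoted; the value it replaces was a space-separated list that relied on the quotes, so an operator restoring a list of that form would end up with a vhost Apache rejects — `SSLCipherSuite "{{ horizon_ssl_cipher_suite }}"` accepts both the colon-separated default and a space-separated override. The stanza these directives belong to begins and ends outside the hunk.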
@@ -18,6 +18,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 SSLCARevocationPath {{ keystone_ssl_cert_path }}
 SSLVerifyClient optional
 SSLVerifyDepth 10
+ SSLCompression Off
 SSLProtocol {{ keystone_ssl_protocol }}
 SSLHonorCipherOrder On
 SSLCipherSuite {{ keystone_ssl_cipher_suite }}
@@ -42,6 +43,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
 SSLCARevocationPath {{ keystone_ssl_cert_path }}
 SSLVerifyClient optional
 SSLVerifyDepth 10
+ SSLCompression Off
 SSLProtocol {{ keystone_ssl_protocol }}
 SSLHonorCipherOrder On
 SSLCipherSuite {{ keystone_ssl_cipher_suite }}
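Review bot: The same `SSLCompression Off` line now lives in two separate SSL stanzas (the hunks at @@ -18 and @@ -42) with nothing tying them together, so the next TLS hardening change has to be remembered in both places; the horizon template in this commit adds the directive in a third. If the two Keystone stanzas cannot be folded into one shared block, a comment at the first occurrence such as `# TLS hardening directives below are duplicated in the second SSL stanza; keep them in sync` at least makes the coupling visible. `SSLCompression` is, as far as I recall, only understood by mod_ssl in httpd 2.2.24+ / 2.4.3+, and an unrecognised directive is a configuration error at start-up, so if the role still targets an older httpd the line should be guarded rather than unconditional. The stanzas both begin before their hunk.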