--- lib/IO/Socket/SSL.pm
+++ lib/IO/Socket/SSL.pm
@@ -89,9 +89,7 @@ my %DEFAULT_SSL_ARGS = (
     SSL_verifycn_publicsuffix => undef,  # fallback default list verification
     #SSL_verifycn_name => undef,   # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults'
     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
-    SSL_cipher_list =>
-	'EECDH+AESGCM+ECDSA EECDH+AESGCM EECDH+ECDSA +AES256 EECDH EDH+AESGCM '.
-	'EDH ALL +SHA +3DES +RC4 !LOW !EXP !eNULL !aNULL !DES !MD5 !PSK !SRP',
+    SSL_cipher_list => 'DEFAULT',
 );
 
 my %DEFAULT_SSL_CLIENT_ARGS = (
@@ -101,42 +99,6 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
     SSL_ca_file => undef,
     SSL_ca_path => undef,
 
-    # older versions of F5 BIG-IP hang when getting SSL client hello >255 bytes
-    # http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13037.html
-    # http://guest:guest@rt.openssl.org/Ticket/Display.html?id=2771
-    # Debian works around this by disabling TLSv1_2 on the client side
-    # Chrome and IE11 use TLSv1_2 but use only a few ciphers, so that packet
-    # stays small enough
-    # The following list is taken from IE11, except that we don't do RC4-MD5,
-    # RC4-SHA is already bad enough. Also, we have a different sort order
-    # compared to IE11, because we put ciphers supporting forward secrecy on top
-
-    SSL_cipher_list => join(" ",
-	qw(
-	    ECDHE-ECDSA-AES128-GCM-SHA256
-	    ECDHE-ECDSA-AES128-SHA256
-	    ECDHE-ECDSA-AES256-GCM-SHA384
-	    ECDHE-ECDSA-AES256-SHA384
-	    ECDHE-ECDSA-AES128-SHA
-	    ECDHE-ECDSA-AES256-SHA
-	    ECDHE-RSA-AES128-SHA256
-	    ECDHE-RSA-AES128-SHA
-	    ECDHE-RSA-AES256-SHA
-	    DHE-DSS-AES128-SHA256
-	    DHE-DSS-AES128-SHA
-	    DHE-DSS-AES256-SHA256
-	    DHE-DSS-AES256-SHA
-	    AES128-SHA256
-	    AES128-SHA
-	    AES256-SHA256
-	    AES256-SHA
-	    EDH-DSS-DES-CBC3-SHA
-	    DES-CBC3-SHA
-	    RC4-SHA
-	),
-	# just to make sure, that we don't accidentely add bad ciphers above
-	"!EXP !LOW !eNULL !aNULL !DES !MD5 !PSK !SRP"
-    )
 );
 
 # set values inside _init to work with perlcc, RT#95452
--- lib/IO/Socket/SSL.pod
+++ lib/IO/Socket/SSL.pod
@@ -929,12 +929,8 @@ documentation (L<http://www.openssl.org/
 for more details.
 
 Unless you fail to contact your peer because of no shared ciphers it is
-recommended to leave this option at the default setting. The default setting
-prefers ciphers with forward secrecy, disables anonymous authentication and
-disables known insecure ciphers like MD5, DES etc. This gives a grade A result
-at the tests of SSL Labs.
-To use the less secure OpenSSL builtin default (whatever this is) set
-SSL_cipher_list to ''.
+recommended to leave this option at the default setting, which honors the
+system-wide DEFAULT cipher list.
 
 =item SSL_honor_cipher_order