diff --git a/templates/certbot/options-ssl-nginx.conf b/templates/certbot/options-ssl-nginx.conf
index 447ff32..d55891b 100644
--- a/templates/certbot/options-ssl-nginx.conf
+++ b/templates/certbot/options-ssl-nginx.conf
@@ -4,10 +4,11 @@
 # the up-to-date file that you will need to refer to when manually updating
 # this file.
-ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
+ssl_session_tickets off;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
 ssl_ciphers "{{ common__certbot__nginx_ssl_ciphers | join(':') }}";
diff --git a/vars/main.yml b/vars/main.yml
index a427281..958e977 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -21,34 +21,11 @@
 common__apache__enabled_dir: '{{ common__apache__conf_dir }}/sites-enabled'
 common__apache__snippets_dir: '{{ common__apache__conf_dir }}/snippets'
 common__certbot__nginx_ssl_ciphers:
- - 'ECDHE-ECDSA-CHACHA20-POLY1305'
- - 'ECDHE-RSA-CHACHA20-POLY1305'
 - 'ECDHE-ECDSA-AES128-GCM-SHA256'
 - 'ECDHE-RSA-AES128-GCM-SHA256'
 - 'ECDHE-ECDSA-AES256-GCM-SHA384'
 - 'ECDHE-RSA-AES256-GCM-SHA384'
+ - 'ECDHE-ECDSA-CHACHA20-POLY1305'
+ - 'ECDHE-RSA-CHACHA20-POLY1305'
 - 'DHE-RSA-AES128-GCM-SHA256'
 - 'DHE-RSA-AES256-GCM-SHA384'
- - 'ECDHE-ECDSA-AES128-SHA256'
- - 'ECDHE-RSA-AES128-SHA256'
- - 'ECDHE-ECDSA-AES128-SHA'
- - 'ECDHE-RSA-AES256-SHA384'
- - 'ECDHE-RSA-AES128-SHA'
- - 'ECDHE-ECDSA-AES256-SHA384'
- - 'ECDHE-ECDSA-AES256-SHA'
- - 'ECDHE-RSA-AES256-SHA'
- - 'DHE-RSA-AES128-SHA256'
- - 'DHE-RSA-AES128-SHA'
- - 'DHE-RSA-AES256-SHA256'
- - 'DHE-RSA-AES256-SHA'
- - 'ECDHE-ECDSA-DES-CBC3-SHA'
- - 'ECDHE-RSA-DES-CBC3-SHA'
- - 'EDH-RSA-DES-CBC3-SHA'
- - 'AES128-GCM-SHA256'
- - 'AES256-GCM-SHA384'
- - 'AES128-SHA256'
- - 'AES256-SHA256'
- - 'AES128-SHA'
- - 'AES256-SHA'
- - 'DES-CBC3-SHA'
- - '!DSS'
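Review bot: `ssl_protocols TLSv1.2 TLSv1.3;` is only understood by nginx 1.13.0 or newer built against OpenSSL 1.1.1 or newer; on an older target nginx rejects the unknown value at config test, so the role would break the whole TLS configuration rather than merely lose TLS 1.3, and nothing in the hunk records that requirement or which certbot release this copy of the snippet was synced from, even though the header comment tells maintainers to track the upstream file. I'd add above the directive `# TLSv1.3 needs nginx >= 1.13.0 with OpenSSL >= 1.1.1` and, at the top of the file (outside this hunk), a comment naming the upstream certbot version this copy matches so the next sync is a diff rather than a guess. Turning session tickets off while leaving the 24h `ssl_session_timeout` unchanged means resumption now rests solely on the shared server-side cache; that is the upstream default and fine to keep, but a one-line comment saying so would stop someone re-enabling tickets to "fix" resumption.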
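Review bot: The two DHE suites kept at the end of the list (`DHE-RSA-AES128-GCM-SHA256`, `DHE-RSA-AES256-GCM-SHA384`) are only offered by nginx when `ssl_dhparam` is configured, since nginx sets no DH parameters by default; this hunk does not add one and whether the role sets it elsewhere cannot be seen here. If it does not, those entries are dead and the list could be trimmed to the ECDHE suites; if it does, a comment on the list such as `# DHE suites are only negotiated when the nginx template sets ssl_dhparam` would document the dependency. Moving the CHACHA20 suites after the AES-GCM ones is cosmetic on the server side because the companion template in this commit now sets `ssl_prefer_server_ciphers off`, so the client's preference decides; a short comment to that effect, e.g. `# order is advisory: ssl_prefer_server_ciphers is off`, would keep anyone from reordering the list expecting an effect.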