diff --git a/server/opts.go b/server/opts.go
index cc5c08aca1..10b085492d 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -4342,6 +4342,7 @@ func overrideTLS(opts *Options) error {
 	tc.KeyFile = opts.TLSKey
 	tc.CaFile = opts.TLSCaCert
 	tc.Verify = opts.TLSVerify
+	tc.Ciphers = defaultCipherSuites()
 
 	var err error
 	opts.TLSConfig, err = GenTLSConfig(&tc)
diff --git a/server/opts_test.go b/server/opts_test.go
index 0c75b8e480..d79d001c2c 100644
--- a/server/opts_test.go
+++ b/server/opts_test.go
@@ -1522,6 +1522,10 @@ func TestConfigureOptions(t *testing.T) {
 	if opts.TLSConfig == nil || !opts.TLS {
 		t.Fatal("Expected TLSConfig to be set")
 	}
+	// Check that we use default TLS ciphers
+	if !reflect.DeepEqual(opts.TLSConfig.CipherSuites, defaultCipherSuites()) {
+		t.Fatalf("Default ciphers not set, expected %v, got %v", defaultCipherSuites(), opts.TLSConfig.CipherSuites)
+	}
 }
 
 func TestClusterPermissionsConfig(t *testing.T) {