diff -r 89aa669dcc61 Lib/ssl.py
--- a/Lib/ssl.py	Thu Mar 20 18:00:35 2014 -0500
+++ b/Lib/ssl.py	Thu Mar 20 20:32:39 2014 -0400
@@ -162,14 +162,43 @@
 
 # Disable weak or insecure ciphers by default
 # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
-_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'
+# Enable a better set of ciphers by default
+# This list has been explicitly chosen to:
+#   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+#   * Prefer ECDHE over DHE for better performance
+#   * Prefer any AES-GCM over any AES-CBC for better performance and security
+#   * Then Use HIGH cipher suites as a fallback
+#   * Then Use 3DES as fallback which is secure but slow
+#   * Finally use RC4 as a fallback which is problematic but needed for
+#   * compatability some times.
+#   * Disable NULL authentication, NULL encryption, MD5 MACs and DSS for
+#     security reasons
+_DEFAULT_CIPHERS = (
+    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+    'DH+HIGH:RSA+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:ECDH+RC4:'
+    'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5:!DSS'
+)
 
 # restricted and more secure ciphers
 # HIGH: high encryption cipher suites with key length >= 128 bits (no MD5)
 # !aNULL: only authenticated cipher suites (no anonymous DH)
 # !RC4: no RC4 streaming cipher, RC4 is broken
 # !DSS: RSA is preferred over DSA
-_RESTRICTED_CIPHERS = 'HIGH:!aNULL:!RC4:!DSS'
+# This list has been explicitly chosen to:
+#   * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+#   * Prefer ECDHE over DHE for better performance
+#   * Prefer any AES-GCM over any AES-CBC for better performance and security
+#   * Then Use HIGH cipher suites as a fallback
+#   * Then Use 3DES as fallback which is secure but slow
+#   * Disable RC4 as it's problematic, fragile, and the key stream bias
+#     a fairly serious security issue
+#   * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, and RC4 for
+#     security reasons
+_RESTRICTED_CIPHERS = (
+    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+    'DH+HIGH:RSA+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:'
+    '!eNULL:!MD5:!DSS:!RC4'
+)
 
 
 class CertificateError(ValueError):