diff --git a/gpdb-doc/dita/ref_guide/config_params/guc-list.xml b/gpdb-doc/dita/ref_guide/config_params/guc-list.xml
index 59e204cad1845b9b93f171933f3da4981711b471..4e37cfda9cb1c4ecb44c505e51cf9092ce6dd2d8 100644
--- a/gpdb-doc/dita/ref_guide/config_params/guc-list.xml
+++ b/gpdb-doc/dita/ref_guide/config_params/guc-list.xml
@@ -8410,8 +8410,16 @@
   <topic id="ssl_ciphers">
     <title>ssl_ciphers</title>
     <body>
-      <p>Specifies a list of SSL ciphers that are allowed to be used on secure connections. See the
-        openssl manual page for a list of supported ciphers. </p>
+      <p>Specifies a list of SSL ciphers that are allowed to be used on secure connections.
+          <codeph>ssl_ciphers</codeph>
+        <i>overrides</i> any ciphers string specified in <codeph>/etc/openssl.cnf</codeph>. The
+        default value <codeph>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</codeph> enables all ciphers except
+        for ADH, LOW, EXP, and MD5 ciphers, and prioritizes ciphers by their strength. </p>
+      <note>With TLS 1.2 some ciphers in MEDIUM and HIGH strength still use NULL encryption (no
+        encryption for transport), which the default <codeph>ssl_ciphers</codeph> string allows. To
+        bypass NULL ciphers with TLS 1.2 use a string such as
+        <codeph>TLSv1.2:!eNULL:!aNULL</codeph>.</note>
+      <p>See the openssl manual page for a list of supported ciphers.</p>
       <table id="ssl_ciphers_table">
         <tgroup cols="3">
           <colspec colnum="1" colname="col1" colwidth="1*"/>
@@ -8427,7 +8435,7 @@
           <tbody>
             <row>
               <entry colname="col1">string</entry>
-              <entry colname="col2">ALL</entry>
+              <entry colname="col2">ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</entry>
               <entry colname="col3">master<p>system</p><p>restart</p></entry>
             </row>
           </tbody>
diff --git a/gpdb-doc/dita/security-guide/topics/Authenticate.xml b/gpdb-doc/dita/security-guide/topics/Authenticate.xml
index b1264b161f7f95e0de5bc82ff1db76449f1ad15b..4db07b50e92fc6339c054ceaaa3042c15b54bb6a 100644
--- a/gpdb-doc/dita/security-guide/topics/Authenticate.xml
+++ b/gpdb-doc/dita/security-guide/topics/Authenticate.xml
@@ -532,7 +532,15 @@ Hostssl testdb all 192.168.0.0/16 cert map=gpuser
             <li><codeph>ssl_renegotiation_limit</codeph>
               <i>integer</i>. Specifies the data limit before key renegotiation.</li>
             <li><codeph>ssl_ciphers</codeph>
-              <i>string</i>. Lists SSL ciphers that are allowed.</li>
+              <i>string</i>. Configures the list SSL ciphers that are allowed.
+                <codeph>ssl_ciphers</codeph>
+              <i>overrides</i> any ciphers string specified in <codeph>/etc/openssl.cnf</codeph>.
+              The default value <codeph>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</codeph> enables all
+              ciphers except for ADH, LOW, EXP, and MD5 ciphers, and prioritizes ciphers by their
+                strength.<note>With TLS 1.2 some ciphers in MEDIUM and HIGH strength still use NULL
+                encryption (no encryption for transport), which the default
+                  <codeph>ssl_ciphers</codeph> string allows. To bypass NULL ciphers with TLS 1.2
+                use a string such as <codeph>TLSv1.2:!eNULL:!aNULL</codeph>.</note></li>
           </ul></p>
         <p>The following SSL server files can be found in the Master Data Directory: <ul
             id="ul_gzs_b22_jr">