diff --git a/defaults/main.yml b/defaults/main.yml
index 84786f58..a5900b95 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -192,6 +192,10 @@ consul_tls_verify_incoming_https: false
 consul_tls_verify_server_hostname: false
 consul_tls_files_remote_src: false
+consul_tls_min_version: "{{ lookup('env','CONSUL_TLS_MIN_VERSION') | default('tls12', true) }}"
+consul_tls_cipher_suites: ""
+consul_tls_prefer_server_cipher_suites: "{{ lookup('env','CONSUL_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
+
 ## DNS
 consul_delegate_datacenter_dns: "{{ lookup('env','CONSUL_DELEGATE_DATACENTER_DNS') | default(false, true) }}"
 consul_dnsmasq_enable: "{{ lookup('env','CONSUL_DNSMASQ_ENABLE') | default(false, true) }}"
diff --git a/templates/config.json.j2 b/templates/config.json.j2
index f4f83178..c41a066a 100644
--- a/templates/config.json.j2
+++ b/templates/config.json.j2
@@ -77,6 +77,11 @@ "verify_outgoing": {{ consul_tls_verify_outgoing | bool | to_json }},
 "verify_incoming_https": {{consul_tls_verify_incoming_https | bool| to_json }},
 "verify_server_hostname": {{ consul_tls_verify_server_hostname | bool | to_json }},
+ "tls_min_version": "{{ consul_tls_min_version }}",
+ {% if consul_tls_cipher_suites is defined and consul_tls_cipher_suites %}
+ "tls_cipher_suites": "{{ vault_tls_cipher_suites}}",
+ {% endif %}
+ "tls_prefer_server_cipher_suites": {{ vault_tls_prefer_server_cipher_suites | bool | to_json }},
 {% endif %}
 {## LAN Join ##}
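Review bot: `consul_tls_min_version` takes whatever `CONSUL_TLS_MIN_VERSION` holds in the controller's environment, and nothing visible in this commit rejects a value below `tls12`, so a stray or inherited variable can quietly lower the TLS floor on every agent the role configures. A comment above the three new variables would help, for example `# Minimum TLS version for Consul listeners; keep at tls12 or higher` and `# Comma-separated cipher suite names; empty leaves Consul's built-in list in place`. A check on the allowed values belongs in the role's validation tasks, which are outside this diff. As a style point, `default('false', true)` on the last added line passes a string where the neighbouring `consul_delegate_datacenter_dns` and `consul_dnsmasq_enable` lines pass the boolean `default(false, true)`. The template's `| bool` filter hides the difference, but matching the neighbours avoids a truthy non-empty string if the variable is ever used without that filter.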
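Review bot: Two of the added lines render `vault_tls_cipher_suites` and `vault_tls_prefer_server_cipher_suites`, although the guard tests `consul_tls_cipher_suites` and the defaults hunk in this commit defines only the `consul_`-prefixed names. Depending on what else is loaded in the play, rendering either fails on an undefined variable or silently picks up another role's values, so the operator's cipher settings for Consul are never the ones written to the config. The lines should read `"tls_cipher_suites": "{{ consul_tls_cipher_suites }}",` and `"tls_prefer_server_cipher_suites": {{ consul_tls_prefer_server_cipher_suites | bool | to_json }},`. The enclosing `{% if %}` block that the trailing `{% endif %}` closes opens above this hunk, so the condition under which these keys are emitted is not visible here.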