diff --git a/depends/packages/openssl.mk b/depends/packages/openssl.mk
index 5a2a70138..6f939f0fa 100644
--- a/depends/packages/openssl.mk
+++ b/depends/packages/openssl.mk
@@ -15,7 +15,7 @@ $(package)_config_opts+=no-blake2
 $(package)_config_opts+=no-camellia
 #$(package)_config_opts+=no-capieng
 $(package)_config_opts+=no-cast
-$(package)_config_opts+=no-chacha
+#$(package)_config_opts+=no-chacha
 $(package)_config_opts+=no-cmac
 $(package)_config_opts+=no-cms
 #$(package)_config_opts+=no-comp
@@ -45,7 +45,7 @@ $(package)_config_opts+=no-multiblock
 $(package)_config_opts+=no-nextprotoneg
 $(package)_config_opts+=no-ocb
 #$(package)_config_opts+=no-ocsp
-$(package)_config_opts+=no-poly1305
+#$(package)_config_opts+=no-poly1305
 #$(package)_config_opts+=no-posix-io
 $(package)_config_opts+=no-psk
 $(package)_config_opts+=no-rc2
diff --git a/src/hush/tlsmanager.cpp b/src/hush/tlsmanager.cpp
index 199b9e0ea..fb2edd523 100644
--- a/src/hush/tlsmanager.cpp
+++ b/src/hush/tlsmanager.cpp
@@ -205,6 +205,16 @@ SSL_CTX* TLSManager::initCtx(
 }
 }

+ SSL_CTX_set_cipher_list(tlsCtx, ""); // removes all <= TLS1.2 ciphers
+ SSL_CTX_set_ciphersuites(tlsCtx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"); // default is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+
+ STACK_OF(SSL_CIPHER) *sk = SSL_CTX_get_ciphers(tlsCtx);
+ for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
+ {
+ const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
+ LogPrintf("DEBUG TLS: AVAILABLE CIPHER %s\n", SSL_CIPHER_get_name(c));
+ }
+
 return tlsCtx;
 }
 /**
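Review bot: Both new calls in initCtx ignore their return values, so a failure of `SSL_CTX_set_ciphersuites` (for example against an OpenSSL build that still lacks ChaCha20 or Poly1305) would leave the library's default TLS 1.3 suites in place, including TLS_AES_128_GCM_SHA256, with nothing reported. I would check it, e.g. `if (SSL_CTX_set_ciphersuites(tlsCtx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") != 1)`, and fail context creation the way the rest of the function does; its body starts above the hunk, so the exact cleanup path is not visible here. `SSL_CTX_set_cipher_list(tlsCtx, "")` is expected to report failure because nothing matches, and it likely leaves an entry on the thread's OpenSSL error queue, so adding `ERR_clear_error();` right after it keeps a stale entry from confusing a later `SSL_get_error` call. If the minimum protocol version is not already pinned earlier in the function, `SSL_CTX_set_min_proto_version(tlsCtx, TLS1_3_VERSION);` states the TLS 1.3-only intent more directly than an empty cipher list. The cipher dump runs unconditionally through `LogPrintf` with a DEBUG prefix on every context creation; consider gating it behind the project's debug-category logging.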