diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 39b1a66236..34066587b6 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -289,7 +289,7 @@ be_tls_init(bool isServerStart)
 goto error;
 
 /* set up the allowed cipher list */
- if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+ if (SSL_CTX_set_cipher_list(context, SSLCipherLists) != 1)
 {
 ereport(isServerStart ? FATAL : LOG,
 (errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -297,6 +297,15 @@ be_tls_init(bool isServerStart)
 goto error;
 }
 
+ /* set up the allowed cipher suites */
+ if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not set the cipher suites (no valid ciphers available)")));
+ goto error;
+ }
+
 /* Let server choose order */
 if (SSLPreferServerCiphers)
 SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 1663f36b6b..aba0498d39 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -48,6 +48,7 @@ bool ssl_loaded_verify_locations = false;
 
 /* GUC variable controlling SSL cipher list */
 char *SSLCipherSuites = NULL;
+char *SSLCipherLists = NULL;
 
 /* GUC variable for default ECHD curve. */
 char *SSLECDHCurve;
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 46c258be28..5b959783d1 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -4575,11 +4575,11 @@ struct config_string ConfigureNamesString[] =
 
 {
 {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
- gettext_noop("Sets the list of allowed SSL ciphers."),
+ gettext_noop("Sets the list of allowed SSL ciphers for TLS1.2 and lower."),
 NULL,
 GUC_SUPERUSER_ONLY
 },
- &SSLCipherSuites,
+ &SSLCipherLists,
 #ifdef USE_OPENSSL
 "HIGH:MEDIUM:+3DES:!aNULL",
 #else
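Review bot: The new `SSL_CTX_set_ciphersuites()` call in the second be-secure-openssl.c hunk is unconditional, but that function only exists from OpenSSL 1.1.1 on; if this tree still builds against older OpenSSL or a LibreSSL that lacks it, the whole block needs a guard such as `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` (or a configure-detected macro), otherwise be_tls_init no longer compiles there. The `!= 1` check also deserves a comment on what an empty `ssl_cipher_suites` does: I believe OpenSSL accepts an empty suite list and simply ends up with no TLS 1.3 suites, which this check would not catch and which silently disables TLS 1.3, so something like `/* NB: an empty list passes this check and leaves no TLS 1.3 suites enabled */` keeps that visible; confirm against the OpenSSL version you target. be_tls_init starts and ends outside the hunk.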
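Review bot: In the be-secure.c hunk the comment `/* GUC variable controlling SSL cipher list */` now heads two variables whose names invert the GUC names (`ssl_ciphers` is backed by `SSLCipherLists`, `ssl_cipher_suites` by `SSLCipherSuites`), so a reader of this file cannot tell which is which. Give each its own comment, e.g. `/* GUC ssl_cipher_suites: TLS 1.3 cipher suites */` above `char *SSLCipherSuites = NULL;` and `/* GUC ssl_ciphers: cipher list for TLS 1.2 and lower */` above `char *SSLCipherLists = NULL;`. Repurposing the existing exported `SSLCipherSuites` symbol for the new GUC, instead of leaving it on `ssl_ciphers` and introducing a fresh name for the TLS 1.3 list, is also a silent meaning change that any out-of-tree code reading the symbol will not notice; the libpq.h hunk carries the same naming.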
@@ -4588,6 +4588,21 @@ struct config_string ConfigureNamesString[] =
 NULL, NULL, NULL
 },
 
+ {
+ {"ssl_cipher_suites", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the list of allowed SSL cipher suites for TLS1.3."),
+ NULL,
+ GUC_SUPERUSER_ONLY
+ },
+ &SSLCipherSuites,
+#ifdef USE_OPENSSL
+ "HIGH:MEDIUM:+3DES:!aNULL",
+#else
+ "none",
+#endif
+ NULL, NULL, NULL
+ },
+
 {
 {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL,
 gettext_noop("Sets the curve to use for ECDH."),
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 142c98462e..5e0d796972 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -118,6 +118,7 @@ extern ssize_t secure_open_gssapi(Port *port);
 
 /* GUCs */
 extern PGDLLIMPORT char *SSLCipherSuites;
+extern PGDLLIMPORT char *SSLCipherLists;
 extern PGDLLIMPORT char *SSLECDHCurve;
 extern PGDLLIMPORT bool SSLPreferServerCiphers;
 extern PGDLLIMPORT int ssl_min_protocol_version;
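Review bot: The default for the new `ssl_cipher_suites` entry, `"HIGH:MEDIUM:+3DES:!aNULL"`, is TLS 1.2 cipher-list syntax, but its consumer `SSL_CTX_set_ciphersuites()` (added in be-secure-openssl.c) takes only colon-separated TLS 1.3 suite names and, as far as I know, fails on any name it does not recognise, so an unmodified postgresql.conf would make be_tls_init report "could not set the cipher suites" and a server start would fail FATAL. Use OpenSSL's own TLS 1.3 default as the value, `"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"`, and note in the short_desc or a comment that the `HIGH`/`MEDIUM` keywords do not apply to TLS 1.3 suites, since operators will otherwise copy the `ssl_ciphers` syntax. The `"none"` fallback for non-OpenSSL builds mirrors the existing `ssl_ciphers` entry and is fine.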