diff --git a/main.go b/main.go
index 50c3411..1be99a1 100644
--- a/main.go
+++ b/main.go
@@ -29,6 +29,7 @@ type CLIArgs struct {
 	timeout time.Duration
 	cert, key, cafile string
 	list_ciphers bool
+	ciphers string
 }
 
 func list_ciphers() {
@@ -48,6 +49,7 @@ func parse_args() CLIArgs {
 	flag.StringVar(&args.key, "key", "", "key for TLS certificate")
 	flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates")
 	flag.BoolVar(&args.list_ciphers, "list-ciphers", false, "list ciphersuites")
+	flag.StringVar(&args.ciphers, "ciphers", "", "colon-separated list of enabled ciphers")
 	flag.Parse()
 	return args
 }
@@ -93,6 +95,7 @@ func run() int {
 		mainLogger.Critical("TLS config construction failed: %v", err)
 		return 3
 	}
+	cfg.CipherSuites = makeCipherList(args.ciphers)
 	server.TLSConfig = cfg
 	err = server.ListenAndServeTLS("", "")
 } else {
diff --git a/utils.go b/utils.go
index 9541b8d..c274165 100644
--- a/utils.go
+++ b/utils.go
@@ -8,8 +8,10 @@ import (
 	"errors"
 	"io"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 )
@@ -163,3 +165,27 @@ func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error)
 	}
 	return &cfg, nil
 }
+
+func makeCipherList(ciphers string) []uint16 {
+	if ciphers == "" {
+		return nil
+	}
+
+	cipherIDs := make(map[string]uint16)
+	for _, cipher := range tls.CipherSuites() {
+		cipherIDs[cipher.Name] = cipher.ID
+	}
+
+	cipherNameList := strings.Split(ciphers, ":")
+	cipherIDList := make([]uint16, 0, len(cipherNameList))
+
+	for _, name := range cipherNameList {
+		id, ok := cipherIDs[name]
+		if !ok {
+			log.Printf("WARNING: Unknown cipher \"%s\"", name)
+		}
+		cipherIDList = append(cipherIDList, id)
+	}
+
+	return cipherIDList
+}
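Review bot: The help text on the new `-ciphers` flag does not tell the operator which names are accepted or what the list governs, and both matter for getting the intended TLS posture. The names must be the Go/IANA suite names (the ones the existing `-list-ciphers` option appears to print, judging by the `list_ciphers` function in the same file), and since `tls.Config.CipherSuites` only constrains TLS 1.2 and earlier in Go, a TLS 1.3 client is unaffected by this list. Suggested wording: `"colon-separated list of enabled TLS 1.2 cipher suites, by name as shown by -list-ciphers"`.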
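Review bot: `cfg.CipherSuites = makeCipherList(args.ciphers)` cannot fail, so a misspelled or unsupported name in `-ciphers` only produces a log line and the server starts anyway with a list that is not what the operator configured; for a setting whose purpose is to restrict the handshake, startup should fail closed the way the `TLS config construction failed` branch just above does. If the helper is changed to return `([]uint16, error)`, this line becomes `suites, err := makeCipherList(args.ciphers); if err != nil { mainLogger.Critical("cipher list: %v", err); return 3 }; cfg.CipherSuites = suites`. That keeps the error handling consistent with the rest of run(), which starts and ends outside this hunk.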
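Review bot: In makeCipherList an unknown name is warned about but still appended: after `if !ok { log.Printf(...) }` the loop falls through to `cipherIDList = append(cipherIDList, id)` with `id` at its zero value, so every typo inserts suite ID 0 into the list handed to `tls.Config`. Whether or not crypto/tls discards an ID it does not recognise, the configured list should not carry junk; better still, return an error so the caller can refuse to start, since a cipher allow-list is a security control and an operator's typo should not silently downgrade to "whatever crypto/tls does with the rest". Two smaller points: the new code logs via `log.Printf` while main.go uses `mainLogger`, so the warning would go to a different sink than the rest of the program's diagnostics, and `\"%s\"` should be `%q`. Note also that `tls.CipherSuites()` deliberately excludes the suites in `tls.InsecureCipherSuites()`, so those names will be reported as unknown — probably the desired behaviour, but worth a comment on the function. A rewrite returning an error (and needing `fmt` in place of `log` in the import block) would look like this; the call site in main.go has to be adjusted to match.
```go
// makeCipherList resolves a colon-separated list of cipher suite names to
// their IDs. Only suites from tls.CipherSuites() are accepted, so the names in
// tls.InsecureCipherSuites() are rejected as unknown. An empty string yields
// nil, which leaves crypto/tls on its defaults. Note that tls.Config.CipherSuites
// only applies to TLS 1.2 and earlier.
func makeCipherList(ciphers string) ([]uint16, error) {
	if ciphers == "" {
		return nil, nil
	}
	// … unchanged: build cipherIDs from tls.CipherSuites() …
	cipherNameList := strings.Split(ciphers, ":")
	cipherIDList := make([]uint16, 0, len(cipherNameList))
	for _, name := range cipherNameList {
		id, ok := cipherIDs[name]
		if !ok {
			// Fail closed: a misspelled suite must not silently weaken the list.
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		cipherIDList = append(cipherIDList, id)
	}
	return cipherIDList, nil
}
```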