diff --git a/inventory/group_vars/all/ssl.yml b/inventory/group_vars/all/ssl.yml
index db40746fcb..c4c52e9052 100644
--- a/inventory/group_vars/all/ssl.yml
+++ b/inventory/group_vars/all/ssl.yml
@@ -18,7 +18,8 @@
 # services running behind Apache (currently, Horizon and Keystone).
 ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 
 #variables used in OSA roles which call the PKI role
 openstack_pki_dir: "/etc/openstack_deploy/pki"
@@ -63,4 +64,4 @@ openstack_pki_authorities:
 
 #install the root CA certificate on all hosts and containers
 openstack_pki_install_ca:
- - name: "ExampleCorpRoot"
\ No newline at end of file
+ - name: "ExampleCorpRoot"
diff --git a/releasenotes/notes/tls_variables-991aec792d58eeb9.yaml b/releasenotes/notes/tls_variables-991aec792d58eeb9.yaml
new file mode 100644
index 0000000000..57a5b6184c
--- /dev/null
+++ b/releasenotes/notes/tls_variables-991aec792d58eeb9.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    A new 'ssl_cipher_suite_tls13' variable is added for global control of
+    TLS v1.3 cipher suites.
+deprecations:
+  - |
+    The variable 'ssl_cipher_suite' is deprecated in favour of
+    'ssl_cipher_suite_tls12' which will continue to manage configuration of
+    ciphers for TLS v1.2 and earlier.