diff --git a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java index 1d516945ad6..f3f6025ecbd 100644 --- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java +++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java @@ -62,6 +62,7 @@ import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.util.Shell; +import org.apache.hadoop.util.StringUtils; import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceStability; import org.slf4j.Logger; @@ -197,6 +198,7 @@ public class HttpServer implements FilterContainer { private String usernameConfKey; private String keytabConfKey; private boolean needsClientAuth; + private String excludeCiphers; private String hostName; private String appDir = APP_DIR; @@ -374,6 +376,10 @@ public class HttpServer implements FilterContainer { return this; } + public void excludeCiphers(String excludeCiphers) { + this.excludeCiphers = excludeCiphers; + } + public HttpServer build() throws IOException { // Do we still need to assert this non null name if it is deprecated? @@ -433,8 +439,13 @@ public class HttpServer implements FilterContainer { sslCtxFactory.setTrustStorePath(trustStore); sslCtxFactory.setTrustStoreType(trustStoreType); sslCtxFactory.setTrustStorePassword(trustStorePassword); - } + + if (excludeCiphers != null && !excludeCiphers.trim().isEmpty()) { + sslCtxFactory.setExcludeCipherSuites(StringUtils.getTrimmedStrings(excludeCiphers)); + LOG.debug("Excluded SSL Cipher List:" + excludeCiphers); + } + listener = new ServerConnector(server.webServer, new SslConnectionFactory(sslCtxFactory, HttpVersion.HTTP_1_1.toString()), new HttpConnectionFactory(httpsConfig)); } else { 
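Review bot: In the `@@ -374,6 +376,10 @@` hunk, the new `excludeCiphers(String)` setter returns `void`, while the method just above it ends in `return this;`. This breaks the fluent style and is why InfoServer.java has to call it as a separate statement after the `.trustStore(...)` chain. I would return the builder type and end the body with `return this;`. The setter also has no Javadoc; a short one should say that the argument is a comma-separated list of cipher suite names (it is later split with `StringUtils.getTrimmedStrings`) and that null or blank means no exclusions are applied. The enclosing builder class starts and ends outside the hunk.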
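Review bot: In the `@@ -433,8 +439,13 @@` hunk, `sslCtxFactory.setExcludeCipherSuites(...)` replaces the exclusion list the factory already holds rather than extending it. An operator who sets the property to block one extra suite may therefore drop exclusions the Jetty `SslContextFactory` applies by default; whether that happens depends on the Jetty version, which the hunk does not show. If the intent is to add to the defaults, `sslCtxFactory.addExcludeCipherSuites(StringUtils.getTrimmedStrings(excludeCiphers));` is the safer call, and the chosen behaviour should be stated in a comment either way. The log line is better written as `LOG.info("Excluded SSL cipher suites: {}", excludeCiphers);`, which is parameterized and visible at the default level, so the effective TLS configuration can be audited from the logs. The enclosing `build()` method starts and ends outside the hunk.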
diff --git a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java index 3dd38773604..5ed380e4c35 100644 --- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java +++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java @@ -78,6 +78,7 @@ public class InfoServer { .trustStore(c.get("ssl.server.truststore.location"), HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null), c.get("ssl.server.truststore.type", "jks")); + builder.excludeCiphers(c.get("ssl.server.exclude.cipher.list")); } // Enable SPNEGO authentication if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null))) {
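Review bot: The new configuration key `"ssl.server.exclude.cipher.list"` is added as an undocumented string literal at the call site. A named constant with a one-line comment would make it easier to find, for example `// Comma-separated cipher suite names to exclude from the info server's TLS listener; unset means no extra exclusions.` The key should also be listed in the user-facing configuration documentation, since it changes the TLS posture of the web UI. A test that builds the server with the key set and checks that the excluded suite is not negotiated would guard against regressions. The enclosing method starts and ends outside the hunk.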