diff --git a/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc b/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc
index 86691ee83cc..a7d2f7c98a7 100644
--- a/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc
+++ b/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc
@@ -14,9 +14,10 @@ from Oracle's http://www.oracle.com/technetwork/java/javase/downloads/index.html
 The _JCE Unlimited Strength Jurisdiction Policy Files`_ are required for
 encryption with key lengths greater than 128 bits, such as 256-bit AES encryption.
 
-After installation, all cipher suites in the JCE are available for use. To enable
-the use of stronger cipher suites with {security}, configure the `cipher_suites`
-parameter. See the {ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL]
+After installation, all cipher suites in the JCE are available for use but requires
+configuration in order to use them. To enable the use of stronger cipher suites with
+{security}, configure the `cipher_suites` parameter. See the
+{ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL]
 section of this document for specific parameter information.
 
 NOTE: The _JCE Unlimited Strength Jurisdiction Policy Files_ must be installed
diff --git a/docs/en/settings/security-settings.asciidoc b/docs/en/settings/security-settings.asciidoc
index faa26b1945f..cd21cd8182f 100644
--- a/docs/en/settings/security-settings.asciidoc
+++ b/docs/en/settings/security-settings.asciidoc
@@ -598,7 +598,10 @@ Controls the verification of certificates. Valid values are `none`,
 Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
 Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
 `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
-`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. If the _Java Cryptography Extension (JCE) Unlimited Strength
+Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
+`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`.
 
 [float]
 [[tls-ssl-key-settings]]
diff --git a/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java b/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java
index b6467b29073..71d29147315 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java
@@ -13,6 +13,8 @@ import org.elasticsearch.xpack.ssl.SSLClientAuth;
 import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.ssl.VerificationMode;
 
+import javax.crypto.Cipher;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -84,10 +86,29 @@ public class XPackSettings {
      * SSL settings. These are the settings that are specifically registered for SSL. Many are private as we do not explicitly use them
      * but instead parse based on a prefix (eg *.ssl.*)
      */
-    public static final List<String> DEFAULT_CIPHERS =
-            Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-                    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
-                    "TLS_RSA_WITH_AES_128_CBC_SHA");
+    public static final List<String> DEFAULT_CIPHERS;
+
+    static {
+        List<String> ciphers = Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
+                "TLS_RSA_WITH_AES_128_CBC_SHA");
+        try {
+            final boolean use256Bit = Cipher.getMaxAllowedKeyLength("AES") > 128;
+            if (use256Bit) {
+                List<String> strongerCiphers = new ArrayList<>(ciphers.size() * 2);
+                strongerCiphers.addAll(Arrays.asList("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"));
+                strongerCiphers.addAll(ciphers);
+                ciphers = strongerCiphers;
+            }
+        } catch (NoSuchAlgorithmException e) {
+            // ignore it here - there will be issues elsewhere and its not nice to throw in a static initializer
+        }
+
+        DEFAULT_CIPHERS = ciphers;
+    }
+
     public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");
     public static final SSLClientAuth CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED;
     public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java b/plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java
new file mode 100644
index 00000000000..d968b65bf9f
--- /dev/null
+++ b/plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack;
+
+import org.elasticsearch.test.ESTestCase;
+
+import javax.crypto.Cipher;
+
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.not;
+
+public class XPackSettingsTests extends ESTestCase {
+
+    public void testDefaultSSLCiphers() throws Exception {
+        assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_128_CBC_SHA"));
+
+        final boolean useAES256 = Cipher.getMaxAllowedKeyLength("AES") > 128;
+        if (useAES256) {
+            logger.info("AES 256 is available");
+            assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_256_CBC_SHA"));
+        } else {
+            logger.info("AES 256 is not available");
+            assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_RSA_WITH_AES_256_CBC_SHA")));
+        }
+    }
+}