diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -99,6 +99,10 @@
 import traceback
 import errno
 
+# Disable weak or insecure ciphers by default
+_DEFAULT_CIPHERS = 'HIGH:!aNULL:!eNULL'
+
+
 class CertificateError(ValueError):
 pass
 
@@ -165,7 +169,9 @@ class SSLContext(_SSLContext):
 __slots__ = ('protocol',)
 
 def __new__(cls, protocol, *args, **kwargs):
-return _SSLContext.__new__(cls, protocol)
+self = _SSLContext.__new__(cls, protocol)
+self.set_ciphers(_DEFAULT_CIPHERS)
+return self
 
 def __init__(self, protocol):
 self.protocol = protocol
@@ -211,8 +217,8 @@ class SSLSocket(socket):
 self.context.load_verify_locations(ca_certs)
 if certfile:
 self.context.load_cert_chain(certfile, keyfile)
-if ciphers:
-self.context.set_ciphers(ciphers)
+ciphers = ciphers or _DEFAULT_CIPHERS
+self.context.set_ciphers(ciphers)
 self.keyfile = keyfile
 self.certfile = certfile
 self.cert_reqs = cert_reqs
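Review bot: The comment above `_DEFAULT_CIPHERS` promises that weak ciphers are disabled, but the string only delegates that judgement to OpenSSL's `HIGH` alias, whose membership is decided by the linked library and differs between releases (older OpenSSL versions still count 3DES as HIGH), while `!aNULL` and `!eNULL` are the only exclusions this line itself guarantees. The comment should state that dependency rather than the outcome, e.g. `# Default cipher string: OpenSSL's HIGH group with anonymous (!aNULL) and null-encryption (!eNULL) suites removed; what HIGH contains depends on the linked OpenSSL version.` Naming the two explicit exclusions also makes it clear to a later maintainer which guarantees are local to this file and which are inherited.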
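Review bot: `SSLContext.__new__` now calls `self.set_ciphers(_DEFAULT_CIPHERS)` as part of construction, so `SSLContext(protocol)` can raise `SSLError` (the error `set_ciphers` gives when no cipher matches) on an OpenSSL build where the default string matches nothing, which the previous one-line `__new__` could not do; the method has no docstring to say so. I would add one stating the new contract: `"""Create a context for *protocol* with _DEFAULT_CIPHERS already applied; raises SSLError if the linked OpenSSL matches none of those ciphers."""` The `*args, **kwargs` that `__new__` accepts and discards are unchanged by this commit and would be worth a short note in the same docstring. `__init__`, which starts in this hunk, continues outside it.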
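Review bot: The new `ciphers = ciphers or _DEFAULT_CIPHERS` followed by an unconditional `self.context.set_ciphers(ciphers)` looks redundant with the change in `SSLContext.__new__` earlier in this diff, which already applies `_DEFAULT_CIPHERS` to every freshly constructed context; if `self.context` in this branch is such a fresh context (its construction is above the hunk, so I am inferring), the original two lines `if ciphers:` / `self.context.set_ciphers(ciphers)` would now give the same result without setting the cipher list twice. The reassignment also shadows the `ciphers` parameter, so anything later in `__init__` that records the caller's value (the `self.keyfile`/`self.certfile` lines suggest the arguments are stored) would see the default string instead of the `None` the caller passed; whether that is intended should be stated in a comment either way. The enclosing `SSLSocket.__init__` starts and ends outside this hunk.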