diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e83b8b9..4ef521e4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
 * lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
 * packweb-apache: Don't turn on mod-evasive emails by default
+* haproxy: deport SSL tuning to Mozilla SSL generator
 * haproxy: chroot and socket path are configurable
 * haproxy: adapt backports installed package list to distibution
 * haproxy: split stats variables
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index f4ce3d79..04f08d39 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@@ -27,19 +27,6 @@
 - haproxy
 - config
 
-- name: 2048 bits DHparam file is present
- get_url:
- url: https://ssl-config.mozilla.org/ffdhe2048.txt
- dest: /etc/haproxy/dhparam2048.txt
- mode: '0600'
- owner: root
- group: root
- force: no
- notify: reload haproxy
- tags:
- - haproxy
- - config
-
 - name: HAProxy stats_access_ips are present
 blockinfile:
 dest: /etc/haproxy/stats_access_ips
diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2
index 5f1f4ed5..5e4c4b9f 100644
--- a/haproxy/templates/haproxy.default.cfg.j2
+++ b/haproxy/templates/haproxy.default.cfg.j2
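Review bot: Removing the get_url task leaves /etc/haproxy/dhparam2048.txt orphaned on hosts provisioned by earlier versions of the role, and nothing in this hunk or elsewhere in the diff either cleans it up or tells operators the file is no longer managed. The Mozilla generator's HAProxy profile, as far as I recall it, still emits an `ssl-dh-param-file` line that expects a locally fetched ffdhe2048.txt, so operators who follow the comment added in the template hunk now have to download that file themselves where the role previously did it as root with mode 0600. Consider either an explicit cleanup task (`file: path: /etc/haproxy/dhparam2048.txt, state: absent`, safe only once no haproxy.cfg references it) or, at minimum, a line in the CHANGELOG entry and template comment such as `# NOTE: the DH parameter file is no longer fetched by this role; provide ssl-dh-param-file yourself if your generated config references one`. Note also that until an operator pastes a generated configuration, the default template (the j2 hunk below, which runs past the end of this view) no longer sets ssl-default-bind-options or ciphers, so the protocol floor falls back to whatever the installed HAProxy/OpenSSL build allows.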
@@ -14,14 +14,7 @@ global
 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private
- # intermediate configuration https://ssl-config.mozilla.org/
- ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
- ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
- ssl-dh-param-file /etc/haproxy/dhparam2048.txt
+ # Go to https://ssl-config.mozilla.org/ and build your SSL configuration
 
 defaults
 log global