Index: java/org/apache/tomcat/util/net/AbstractEndpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/AbstractEndpoint.java (revision 1655482)
+++ java/org/apache/tomcat/util/net/AbstractEndpoint.java (working copy)
@@ -31,6 +31,8 @@
 import java.util.concurrent.TimeUnit;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
 import org.apache.juli.logging.Log;
 import org.apache.tomcat.util.IntrospectionUtils;
@@ -956,6 +958,10 @@
 */
 public abstract String[] getCiphersUsed();
+ private String useServerCipherSuitesOrder = "false";
+ public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
+ public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
+
 private String keyAlias = null;
 public String getKeyAlias() { return keyAlias;}
 public void setKeyAlias(String s ) { keyAlias = s;}
@@ -1057,7 +1063,23 @@
 protected final Set> waitingRequests = Collections
 .newSetFromMap(new ConcurrentHashMap, Boolean>());
+ /**
+ * Configures SSL engine to honor cipher suites order.
+ */
+ protected void configureUseServerCipherSuitesOrder(SSLEngine engine) {
+ String useServerCipherSuitesOrderStr = this
+ .getUseServerCipherSuitesOrder().trim();
+
+ SSLParameters sslParameters = engine.getSSLParameters();
+ boolean useServerCipherSuitesOrder =
+ ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
+ || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
+
+ sslParameters.setUseCipherSuitesOrder(useServerCipherSuitesOrder);
+ engine.setSSLParameters(sslParameters);
+ }
+
 /**
 * The async timeout thread.
 */
Index: java/org/apache/tomcat/util/net/Nio2Endpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/Nio2Endpoint.java (revision 1655482)
+++ java/org/apache/tomcat/util/net/Nio2Endpoint.java (working copy)
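Review bot: The new `useServerCipherSuitesOrder` property in the `@@ -956,6 +958,10 @@` hunk is a public, operator-configurable setting with no Javadoc, and its setter is written as `this.useServerCipherSuitesOrder = s;` while the neighbouring `setKeyAlias` assigns without `this.`; matching the sibling style keeps the accessor block uniform. Because the value is kept as a raw String and only interpreted later, the accepted spellings are not visible at the declaration. I would add above the field a Javadoc along the lines of `/** Connector attribute: "true" or "yes" (case-insensitive, trimmed) makes the server's cipher suite preference order win during negotiation; anything else, including the default "false", leaves the client's order in force. */` so the contract is documented where the property is declared rather than only in the helper that parses it.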
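Review bot: `configureUseServerCipherSuitesOrder` in the `@@ -1057,7 +1063,23 @@` hunk calls `.trim()` directly on `getUseServerCipherSuitesOrder()`, so a caller that passes `null` to the new setter (which stores the argument unchecked) would fail with a NullPointerException inside SSL engine creation rather than being treated as the documented "false". A null-tolerant parse keeps the behaviour for "true"/"yes" and degrades safely otherwise: `String value = getUseServerCipherSuitesOrder();` / `boolean honor = value != null && ("true".equalsIgnoreCase(value.trim()) || "yes".equalsIgnoreCase(value.trim()));` / `sslParameters.setUseCipherSuitesOrder(honor);`. The Javadoc "Configures SSL engine to honor cipher suites order." also reads as if the method always enables the preference, whereas it applies whichever value is configured, including disabling it; I would reword it to "Applies the useServerCipherSuitesOrder setting to the engine: when true/yes the server's preference order (the order passed to setEnabledCipherSuites) is used during negotiation, otherwise the client's order is honoured." Note that `SSLParameters.setUseCipherSuitesOrder` is a Java 8 addition, so if this branch still has to compile against an older JDK the call would need to be guarded or reflected; I cannot tell the target level from the patch.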
@@ -530,6 +530,8 @@
 engine.setEnabledCipherSuites(enabledCiphers);
 engine.setEnabledProtocols(enabledProtocols);
+ configureUseServerCipherSuitesOrder(engine);
+
 handler.onCreateSSLEngine(engine);
 return engine;
 }
Index: java/org/apache/tomcat/util/net/NioEndpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/NioEndpoint.java (revision 1655482)
+++ java/org/apache/tomcat/util/net/NioEndpoint.java (working copy)
@@ -560,6 +560,8 @@
 engine.setEnabledCipherSuites(enabledCiphers);
 engine.setEnabledProtocols(enabledProtocols);
+ configureUseServerCipherSuitesOrder(engine);
+
 handler.onCreateSSLEngine(engine);
 return engine;
 }
Index: webapps/docs/config/http.xml
===================================================================
--- webapps/docs/config/http.xml (revision 1655482)
+++ webapps/docs/config/http.xml (working copy)
@@ -1032,6 +1032,13 @@
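Review bot: The `configureUseServerCipherSuitesOrder(engine)` call added here in `Nio2Endpoint.createSSLEngine` (and identically in the `NioEndpoint` hunk `@@ -560,6 +560,8 @@` below) is the only place the new attribute takes effect, so the property is honoured solely by these two JSSE-based engines; if the tree contains other endpoint implementations that create TLS sockets or engines through a different path, they would accept the attribute via the inherited setter but silently ignore it, which is the kind of configuration gap an operator relying on server-side cipher ordering would not notice. I would either state in the attribute documentation which connector implementations honour it, or have those endpoints log a warning at init when the attribute is set to true/yes but cannot be applied. The placement itself is sound: the helper snapshots the engine's SSLParameters, so it must run after `setEnabledCipherSuites`/`setEnabledProtocols` and before `handler.onCreateSSLEngine`, which is what both hunks do; a one-line comment such as `// must follow setEnabledCipherSuites(): the server order applied is the one set above` would pin that ordering for future edits. The enclosing `createSSLEngine` methods begin outside both hunks.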

+ +

Set to true to enforce the server's cipher order + (from the ciphers setting) instead of allowing + the client to choose the cipher (which is the default). +

+
+

If specified and using ',' as a separator, only the ciphers that are listed and supported by the SSL implementation will be used.