diff --git a/kronosutil/certs.go b/kronosutil/certs.go
index a2882e25..6d9d13d5 100644
--- a/kronosutil/certs.go
+++ b/kronosutil/certs.go
@@ -29,6 +29,7 @@ const (
 var tls12CipherSuitesDefaultValue = []uint16{
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // required for http servers
 }
 
 // SSLCreds returns credentials by reading keys and certificates from
diff --git a/oracle/raft.go b/oracle/raft.go
index dfbf3dd2..636aa364 100644
--- a/oracle/raft.go
+++ b/oracle/raft.go
@@ -1228,7 +1228,7 @@ func (rc *raftNode) serveRaft(
 log.Fatalf(ctx, "Failed to get tls config: %v", err)
 }
 tlsConfig.MinVersion, tlsConfig.MaxVersion = kronosutil.GetTLSVersions()
- tlsConfig.CipherSuites = kronosutil.GetTls12CipherSuites()
+ tlsConfig.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} // kronosutil.GetTls12CipherSuitesForRaftServer()
 httpServer.TLSConfig = tlsConfig
 err = httpServer.ServeTLS(
 ln,
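Review bot: The trailing comment `// required for http servers` on the new entry in `tls12CipherSuitesDefaultValue` (kronosutil/certs.go) does not say what requires the suite, so a later hardening pass that trims AES-128 suites cannot tell what it would break. If the reason is Go's HTTP/2 server configuration, which returns an error when an explicit `CipherSuites` list contains neither `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` nor `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, the comment should say so, for example `// HTTP/2 (RFC 7540 §9.2.2) needs an ECDHE AES_128_GCM_SHA256 suite; Go's h2 setup fails without one`. Because this is the package default list, the change presumably widens what every consumer of the default offers, not only HTTP servers; that is worth confirming and stating in the comment.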
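Review bot: In oracle/raft.go the Raft listener's `tlsConfig.CipherSuites` is now a hard-coded one-element literal, so whatever `kronosutil.GetTls12CipherSuites()` returned (including any operator-configured list) no longer applies to this server, and the AES-256 suites are dropped for it. The single remaining suite is ECDSA-only, so a node whose certificate carries an RSA key would presumably have no TLS 1.2 suite in common with its peers; whether TLS 1.3 is allowed by `GetTLSVersions()` is not visible here. Since the certs.go hunk adds the same suite to the default list, restoring `tlsConfig.CipherSuites = kronosutil.GetTls12CipherSuites()` may already be enough. Otherwise, implement the helper named in the trailing comment and call it, `tlsConfig.CipherSuites = kronosutil.GetTls12CipherSuitesForRaftServer()`, rather than leaving it commented out beside a literal. `serveRaft` begins and ends outside this hunk.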