diff --git a/src/Servers/Kestrel/Core/src/CoreStrings.resx b/src/Servers/Kestrel/Core/src/CoreStrings.resx
index 1d270be8ee2d..7f9e97c266d9 100644
--- a/src/Servers/Kestrel/Core/src/CoreStrings.resx
+++ b/src/Servers/Kestrel/Core/src/CoreStrings.resx
@@ -602,4 +602,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
A value greater than or equal to zero is required.
+
+ Connection "{connectionId}" established using the following protocol: {protocol}
+
\ No newline at end of file
diff --git a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
index 92e80cc8d098..d801316b5f9c 100644
--- a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
+++ b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
@@ -24,7 +24,6 @@ public class HttpsConnectionAdapterOptions
public HttpsConnectionAdapterOptions()
{
ClientCertificateMode = ClientCertificateMode.NoCertificate;
- SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
HandshakeTimeout = TimeSpan.FromSeconds(10);
}
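Review bot: Deleting the `SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;` assignment leaves the property at the enum's zero value, so the new default is implicit rather than stated in the constructor. An explicit `SslProtocols = SslProtocols.None;` next to the other defaults would make the intent (defer to the operating system's TLS policy) visible to a reader of the constructor and would survive a later change that gives the property a non-zero initializer. That the zero value is `SslProtocols.None` is inferred from the removed line and the updated doc comment in the next hunk, not from anything visible here.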
@@ -61,7 +60,8 @@ public HttpsConnectionAdapterOptions()
public Func ClientCertificateValidation { get; set; }
///
- /// Specifies allowable SSL protocols. Defaults to and .
+ /// Specifies allowable SSL protocols. Defaults to which allows the operating system to choose the best protocol to use,
+ /// and to block protocols that are not secure. Unless your app has a specific reason not to, you should use this default.
///
public SslProtocols SslProtocols { get; set; }
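Review bot: The new doc comment promises the default will "block protocols that are not secure", but a default that lets the operating system choose only enforces whatever that OS's TLS policy permits, which on older or unpatched platforms can still include TLS 1.0 and 1.1; the renamed `Tls10CanBeDisabled` test in this same change has to set the protocol list explicitly for exactly that reason. The comment should say so and point operators at the real control, e.g. `/// Defaults to <see cref="SslProtocols.None"/>, which defers to the operating system's configured TLS policy. On platforms whose policy still permits TLS 1.0/1.1 this default will accept them; set this property explicitly when a specific minimum version is required.` The `<see cref>` targets in both the old and new comment appear to have been lost in extraction; confirm the new one names `SslProtocols.None`.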
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
index eef77ef82389..473579f2103a 100644
--- a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
+++ b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -252,6 +252,8 @@ public async Task OnConnectionAsync(ConnectionContext context)
KestrelEventSource.Log.TlsHandshakeStop(context, feature);
+ _logger.LogDebug(3, CoreStrings.HttpsConnectionEstablished, context.ConnectionId, sslStream.SslProtocol);
+
var originalTransport = context.Transport;
try
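Review bot: The added `_logger.LogDebug(3, ...)` uses a bare event id; the other log calls in this middleware are outside the hunk, so confirm `3` does not collide with an existing id and consider a named `EventId` so a collision is caught at review rather than in log output. Since the default protocol set is now OS-chosen, the negotiated `sslStream.SslProtocol` is the only signal an operator has that a connection was downgraded to TLS 1.0/1.1, and a debug-level line is easy to miss in production; a warning when the negotiated protocol is below `SslProtocols.Tls12` may be worth adding, though that is a policy choice for the maintainers. `OnConnectionAsync` starts before and continues past this hunk.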
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
index 43e557734e87..b32d151a9902 100644
--- a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
+++ b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
@@ -362,12 +362,13 @@ void ConfigureListenOptions(ListenOptions listenOptions)
}
[Fact]
- public async Task DoesNotSupportTls10()
+ public async Task Tls10CanBeDisabled()
{
void ConfigureListenOptions(ListenOptions listenOptions)
{
listenOptions.UseHttps(options =>
{
+ options.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
options.ServerCertificate = _x509Certificate2;
options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
options.AllowAnyClientCertificate();
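Review bot: Renaming `DoesNotSupportTls10` to `Tls10CanBeDisabled` and giving it an explicit `options.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;` means no test visible in this file exercises what the default (`SslProtocols.None`) actually negotiates, so a platform default that quietly re-enables TLS 1.0 would pass CI unnoticed. A companion test that leaves `SslProtocols` unset and asserts the negotiated protocol is at least `Tls12` would cover the default path; it would need to be conditional on the operating system, since the expected result depends on OS policy rather than on Kestrel. The body of `Tls10CanBeDisabled` continues past this hunk.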
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
index 17b5cae1e16a..f587f0956d63 100644
--- a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
+++ b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
@@ -366,7 +366,10 @@ public async Task ClientAttemptingToUseUnsupportedProtocolIsLoggedAsDebug()
new TestServiceContext(LoggerFactory),
listenOptions =>
{
- listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"));
+ listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"), httpsOptions =>
+ {
+ httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
+ });
}))
{
using (var connection = server.CreateConnection())