diff --git a/CHANGELOG b/CHANGELOG
index ae10c330a..fefa210b0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*-
+o Updated the default ciphers list for Ncat and the secure ciphers list for
+ Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
+ ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
+
o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16. [Andrew Orr]
diff --git a/ncat/docs/ncat.xml b/ncat/docs/ncat.xml
index ee159926a..1dd88ee00 100644
--- a/ncat/docs/ncat.xml
+++ b/ncat/docs/ncat.xml
@@ -392,7 +392,7 @@
when connecting to servers or when accepting SSL connections from
clients. The syntax is described in the OpenSSL ciphers(1) man
page, and defaults to
- ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+ ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH
diff --git a/ncat/docs/ncatguide.xml b/ncat/docs/ncatguide.xml
index ec5a3efb5..ec401a5fa 100644
--- a/ncat/docs/ncatguide.xml
+++ b/ncat/docs/ncatguide.xml
@@ -440,7 +440,7 @@ Content-Type: text/html; charset=UTF-8
client) or accept (as a server) is a matter of choice between the greatest
compatibility and the greatest security. The default set, expressed as an
OpenSSL cipherlist, is
- ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH, a reasonable balance
+ ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH, a reasonable balance
between the two ends of the spectrum. To set a different priority or
initial choice, use the option.
(Ncat option)
diff --git a/ncat/ncat_connect.c b/ncat/ncat_connect.c
index 6ab2e241c..51f061ee3 100644
--- a/ncat/ncat_connect.c
+++ b/ncat/ncat_connect.c
@@ -248,7 +248,7 @@ static void set_ssl_ctx_options(SSL_CTX *ctx)
bye("The --ssl-key and --ssl-cert options must be used together.");
}
if (o.sslciphers == NULL) {
- if (!SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
+ if (!SSL_CTX_set_cipher_list(ctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"))
bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
}
else {
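Review bot: The cipher string on the `+` line is now the third verbatim copy of the same list, with the identical edit repeated in ncat_ssl.c's setup_ssl_listen() and in nsock_ssl.c's CIPHERS_SECURE define; the comment in ncat_ssl.c already says the list was "taken from Nsock", so the next hardening change has to be found and applied in three places again. A single shared definition, e.g. `#define NCAT_DEFAULT_CIPHERS "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"` in a header both ncat files include (or reusing the Nsock constant where that is exported), would keep the client and listen defaults from drifting. The substance of the change looks right: `!aNULL` drops every anonymous key-exchange suite, which covers the anonymous ECDH suites that `!ADH` alone let through, and `!eNULL` is a harmless belt-and-braces exclusion since OpenSSL's `ALL` keyword already omits NULL-encryption suites. set_ssl_ctx_options() starts before the hunk, and the else branch applying o.sslciphers continues after it.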
diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index 2b1516044..dbebef957 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -197,7 +197,7 @@ SSL_CTX *setup_ssl_listen(void)
/* Secure ciphers list taken from Nsock. */
if (o.sslciphers == NULL) {
- if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"))
+ if (!SSL_CTX_set_cipher_list(sslctx, "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"))
bye("Unable to set OpenSSL cipher list: %s", ERR_error_string(ERR_get_error(), NULL));
}
else {
diff --git a/nsock/src/nsock_ssl.c b/nsock/src/nsock_ssl.c
index 5dae25d4f..ba7b2dd77 100644
--- a/nsock/src/nsock_ssl.c
+++ b/nsock/src/nsock_ssl.c
@@ -71,7 +71,7 @@
* OpenSSL. To see exactly what ciphers are enabled, use the command
* openssl ciphers -v '...'
* where ... is the string below. */
-#define CIPHERS_SECURE "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
+#define CIPHERS_SECURE "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"
/* This list of ciphers is for speed and compatibility, not security. Any cipher
* is accepted, and the list is sorted by speed based on Brian Hatch's