diff --git a/cipher_suites.go b/cipher_suites.go
index f2527a5..f7a89c9 100644
--- a/cipher_suites.go
+++ b/cipher_suites.go
@@ -16,6 +16,7 @@ import (
 	"fmt"
 	"hash"
 	"runtime"
+	"slices"
 
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/sys/cpu"
@@ -345,21 +346,20 @@ var rsaKexCiphers = map[uint16]bool{
 	TLS_RSA_WITH_AES_256_GCM_SHA384: true,
 }
 
-var defaultCipherSuites []uint16
-var defaultCipherSuitesWithRSAKex []uint16
+// tdesCiphers contains 3DES ciphers,
+// which we also disable by default unless a GODEBUG is set.
+var tdesCiphers = map[uint16]bool{
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA:       true,
+}
 
-func init() {
-	defaultCipherSuites = make([]uint16, 0, len(cipherSuitesPreferenceOrder))
-	defaultCipherSuitesWithRSAKex = make([]uint16, 0, len(cipherSuitesPreferenceOrder))
-	for _, c := range cipherSuitesPreferenceOrder {
-		if disabledCipherSuites[c] {
-			continue
-		}
-		if !rsaKexCiphers[c] {
-			defaultCipherSuites = append(defaultCipherSuites, c)
-		}
-		defaultCipherSuitesWithRSAKex = append(defaultCipherSuitesWithRSAKex, c)
-	}
+func defaultCipherSuites() []uint16 {
+	suites := slices.Clone(cipherSuitesPreferenceOrder)
+	return slices.DeleteFunc(suites, func(c uint16) bool {
+		return disabledCipherSuites[c] ||
+			rsaKexCiphers[c] ||
+			tdesCiphers[c]
+	})
 }
 
 // defaultCipherSuitesTLS13 is also the preference order, since there are no
diff --git a/common.go b/common.go
index 9f7cb64..5c5495f 100644
--- a/common.go
+++ b/common.go
@@ -700,7 +700,9 @@ type Config struct {
 	// If CipherSuites is nil, a safe default list is used. The default cipher
 	// suites might change over time. In Go 1.22 RSA key exchange based cipher
 	// suites were removed from the default list, but can be re-added with the
-	// GODEBUG setting tlsrsakex=1.
+	// GODEBUG setting tlsrsakex=1. In Go 1.23 3DES cipher suites were removed
+	// from the default list, but can be re-added with the GODEBUG setting
+	// tls3des=1.
 	CipherSuites []uint16
 
 	// PreferServerCipherSuites is a legacy field and has no effect.
@@ -1056,7 +1058,7 @@ func (c *Config) cipherSuites() []uint16 {
 	if c.CipherSuites != nil {
 		return c.CipherSuites
 	}
-	return defaultCipherSuites
+	return defaultCipherSuites()
 }
 
 var supportedVersions = []uint16{