diff --git a/doc/sample.config b/doc/sample.config
index 6250acf4..592c7e44 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -143,7 +143,8 @@ server-key = ../tests/server-key.pem
 # as there are no openconnect (and possibly anyconnect clients) using
 # that protocol. The default string below enforces perfect forward secrecy (PFS)
 # on the main channel.
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 # More combinations in priority strings are available, check
 # http://gnutls.org/manual/html_node/Priority-Strings.html
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 94c20404..dc422fc7 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
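Review bot: The context comment kept above the new default in doc/sample.config still reads `# that protocol. The default string below enforces perfect forward secrecy (PFS)` / `# on the main channel.`, but the new `tls-priorities` value drops `-RSA`, so the shipped default no longer enforces PFS and the comment now misstates the security property an operator reads before deploying. The src/ocserv-args.def hunk in this same commit rewords its copy of that comment; the sample config should match it, e.g. `# that protocol. The string below does not enforce perfect forward` / `# secrecy, in order to be compatible with legacy clients.`, and the newly added commented-out line should carry its own label such as `# Use the string below instead to enforce PFS (drops static RSA key exchange):` rather than sitting unexplained under the active value. Because a default without forward secrecy means a later compromise of the server key exposes previously recorded sessions, the comment should also say that the PFS variant is preferred wherever legacy clients are not required.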
@@ -226,15 +226,15 @@ server-key = /path/to/key.pem
 # GnuTLS priority string; note that SSL 3.0 is disabled by default
 # as there are no openconnect (and possibly anyconnect clients) using
-# that protocol. The default string below enforces perfect forward secrecy (PFS)
-# on the main channel.
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+# that protocol. The string below does not enforce perfect forward
+# secrecy, in order to be compatible with legacy clients.
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
 # More combinations in priority strings are available, check
 # http://gnutls.org/manual/html_node/Priority-Strings.html
-# E.g., to old default without perfect forward secrecy (PFS)
-# on the main channel:
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
+# E.g., the string below enforces perfect forward secrecy (PFS)
+# on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication