diff --git a/include/common/defaults.h b/include/common/defaults.h
index db7c07763..cd5edeb4f 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -247,6 +247,17 @@
 #define SSL_DEFAULT_DH_PARAM 0
 #endif
 
+/* max memory cost per SSL session */
+#ifndef SSL_SESSION_MAX_COST
+#define SSL_SESSION_MAX_COST (16*1024) // measured
+#endif
+
+/* max memory cost per SSL handshake (on top of session) */
+#ifndef SSL_HANDSHAKE_MAX_COST
+#define SSL_HANDSHAKE_MAX_COST (76*1024) // measured
+#endif
+#endif
+
 /* Number of samples used to compute the times reported in stats. A power of
  * two is highly recommended, and this value multiplied by the largest response
  * time must not overflow and unsigned int. See freq_ctr.h for more information.
diff --git a/include/types/global.h b/include/types/global.h
index ab80c72e0..afd7aef11 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -84,6 +84,8 @@ struct global {
 	int nbproc;
 	int maxconn, hardmaxconn;
 	int maxsslconn;
+	int ssl_session_max_cost; /* how many bytes an SSL session may cost */
+	int ssl_handshake_max_cost; /* how many bytes an SSL handshake may use */
 	int ssl_used_frontend; /* non-zero if SSL is used in a frontend */
 	int ssl_used_backend; /* non-zero if SSL is used in a backend */
 #ifdef USE_OPENSSL
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3bf71cf35..67422dc75 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4720,6 +4720,9 @@ static void __ssl_sock_init(void)
 	bind_register_keywords(&bind_kws);
 	srv_register_keywords(&srv_kws);
 	cfg_register_keywords(&cfg_kws);
+	global.ssl_session_max_cost = SSL_SESSION_MAX_COST;
+	global.ssl_handshake_max_cost = SSL_HANDSHAKE_MAX_COST;
 }
 
 /*
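Review bot: The second `+#endif` after the SSL_HANDSHAKE_MAX_COST block closes nothing visible in this hunk: each new `#ifndef` already has its own `#endif`, and the old-side context shows the SSL_DEFAULT_DH_PARAM block followed directly by a blank line rather than by an enclosing conditional. Unless an `#ifdef` was opened above line 247 that this hunk does not show, the preprocessor will reject the unmatched `#endif`, so either drop that line or confirm the enclosing guard. The `// measured` tags on both constants also do not say what was measured (library, version, cipher configuration), which matters because the global.h and ssl_sock.c hunks turn these numbers into per-session and per-handshake byte budgets; a comment such as `/* measured with <library/version placeholder>; re-measure on library upgrade */` would tell maintainers when the figures need revisiting.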
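Review bot: The comment on the new `ssl_handshake_max_cost` field says only "how many bytes an SSL handshake may use", while the defaults.h definition it is initialized from describes the figure as "on top of session"; the field comments should state whether the handshake cost is additional to or inclusive of the session cost, because a consumer summing the two will compute the wrong budget otherwise. Suggest `int ssl_handshake_max_cost; /* bytes an SSL handshake may use, on top of ssl_session_max_cost */`. struct global begins and ends outside this hunk.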
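Review bot: The two defaults are applied only inside `__ssl_sock_init`, so in a build where this SSL backend is not compiled in the fields presumably keep the zero value of the statically initialized `global`; any code that sizes or divides by these fields should treat 0 as "unknown" rather than as a real cost. If that is the intended contract it deserves a comment at the assignment, e.g. `/* defaults from defaults.h; remain 0 when the SSL backend is not built in */`, otherwise the initialization belongs next to global's other defaults so it does not depend on this file being linked. The body of __ssl_sock_init starts outside the hunk.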