diff --git a/tls.go b/tls.go
index ac24a7c8807b0cdc47f4a8b3b671663f8200eed0..d8ce2e76fb65a412c0c233556343b58fdd540168 100644
--- a/tls.go
+++ b/tls.go
@@ -7,11 +7,8 @@ import (
 	"log"
 )
 
-// Create a tls.Config enforcing CA-based client authentication. The
-// resulting Config can be used by clients and servers alike. It
-// forces some strict connection parameters since we control both
-// endpoints and don't have to worry about wide compatibility.
-func TLSClientAuthConfig(caFile string) *tls.Config {
+// Load a CA from file (PEM encoded).
+func loadCA(caFile string) *x509.CertPool {
 	data, err := ioutil.ReadFile(caFile)
 	if err != nil {
 		log.Fatal(err)
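Review bot: The new doc comment on `loadCA` does not say that the helper terminates the process. Both failure paths (the read error here and the PEM check in the next hunk) call `log.Fatal`, so a missing or malformed CA file exits the program instead of returning an error the caller could handle. I would state that in the comment, e.g. `// loadCA reads the PEM-encoded CA certificates in caFile into a new pool. It calls log.Fatal if the file cannot be read or holds no certificate.` The function body continues past the end of this hunk.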
@@ -20,14 +17,20 @@ func TLSClientAuthConfig(caFile string) *tls.Config {
 	if !pool.AppendCertsFromPEM(data) {
 		log.Fatal("Could not load CA certificate")
 	}
+	return pool
+}
 
+// Create a tls.Config enforcing CA-based client authentication. The
+// resulting Config can be used by clients and servers alike. It
+// forces some strict connection parameters since we control both
+// endpoints and don't have to worry about wide compatibility.
+func TLSClientAuthConfig(caFile string) *tls.Config {
 	return &tls.Config{
-		RootCAs:    pool,
-		ClientCAs:  pool,
+		ClientCAs:  loadCA(caFile),
 		ClientAuth: tls.RequireAndVerifyClientCert,
 		CipherSuites: []uint16{
 			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 		},
 		PreferServerCipherSuites: true,
 		MinVersion:               tls.VersionTLS12,
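Review bot: The doc comment re-added above `TLSClientAuthConfig` still says the Config "can be used by clients and servers alike", but this hunk drops `RootCAs` and keeps only `ClientCAs` and `ClientAuth`, which are server-side settings. With `RootCAs` left nil, crypto/tls verifies a server certificate against the host's system root set, so a client that kept using this Config would no longer be restricted to the private CA. I would reword the comment to `// TLSClientAuthConfig returns a server-side tls.Config that requires client certificates signed by the CA in caFile.` and point client callers at `TLSClientAuthConfigWithCerts`. The struct literal continues past the end of the hunk.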
@@ -36,7 +39,15 @@ func TLSClientAuthConfig(caFile string) *tls.Config {
 
 // Same as TLSClientAuthConfig, but load client certificates too.
 func TLSClientAuthConfigWithCerts(caFile, certFile, keyFile string) *tls.Config {
-	config := TLSClientAuthConfig(caFile)
+	config := &tls.Config{
+		RootCAs: loadCA(caFile),
+		ServerName: "desktop.m.investici.org",
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+	}
 
 	var err error
 	config.Certificates = make([]tls.Certificate, 1)
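Review bot: `ServerName: "desktop.m.investici.org"` is hard-coded in the client Config, so every connection made with it is verified against that single name regardless of the address dialed, and nothing in the signature or comment tells callers so. At minimum document it on the function, e.g. `// The server certificate must be valid for desktop.m.investici.org and chain to the CA in caFile.`; a package-level constant would also make the pinned name easier to audit. The existing comment "Same as TLSClientAuthConfig" is no longer accurate either, since this Config now sets `RootCAs` and no `ClientCAs`/`ClientAuth`. The cipher-suite list is duplicated from `TLSClientAuthConfig` and could drift. The function body continues past the hunk.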