diff --git a/wangle/ssl/SSLContextConfig.h b/wangle/ssl/SSLContextConfig.h
index a7e9066a0..a278d08b6 100644
--- a/wangle/ssl/SSLContextConfig.h
+++ b/wangle/ssl/SSLContextConfig.h
@@ -92,6 +92,8 @@ struct SSLContextConfig {
 std::string eccCurveName{"prime256v1"};
 // Ciphers to negotiate if TLS version >= 1.1
 std::string tls11Ciphers{""};
+ // Knobs to tune ciphersuite picking probability for TLS >= 1.1
+ std::vector> tls11AltCipherlist;
 // Weighted lists of NPN strings to advertise
 std::list nextProtocols;
diff --git a/wangle/ssl/SSLContextManager.cpp b/wangle/ssl/SSLContextManager.cpp
index fce1d96ce..73698e433 100644
--- a/wangle/ssl/SSLContextManager.cpp
+++ b/wangle/ssl/SSLContextManager.cpp
@@ -492,15 +492,20 @@ SSLContextManager::ctxSetupByOpensslFeature(
 #endif
 // Specify cipher(s) to be used for TLS1.1 client
- if (!ctxConfig.tls11Ciphers.empty()) {
+ if (!ctxConfig.tls11Ciphers.empty() ||
+ !ctxConfig.tls11AltCipherlist.empty()) {
 #ifdef PROXYGEN_HAVE_SERVERNAMECALLBACK
 // Specified TLS1.1 ciphers are valid
+ // XXX: this callback will be called for every new (TLS 1.1 or greater)
+ // handshake, so it relies on ctxConfig.tls11Ciphers and
+ // ctxConfig.tls11AltCipherlist not changing.
 sslCtx->addClientHelloCallback(
 std::bind(
 &SSLContext::switchCiphersIfTLS11,
 sslCtx.get(),
 std::placeholders::_1,
- ctxConfig.tls11Ciphers
+ ctxConfig.tls11Ciphers,
+ ctxConfig.tls11AltCipherlist
 )
 );
 #else
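Review bot: The comment on the new `tls11AltCipherlist` member says only "knobs to tune ciphersuite picking probability" and leaves the contract of each entry undocumented: what the element's parts mean (a cipher string and a weight, presumably, though the template arguments are not legible on this page), whether the weights are relative or absolute, and how the list combines with `tls11Ciphers` when both are set. Since the .cpp hunk below installs the ClientHello callback whenever either field is non-empty, the header should also state whether `tls11Ciphers` may be left empty when the alternative list is used. I would expand the comment to something like `// Alternative TLS>=1.1 cipher lists with selection weights; every entry must be a cipher string acceptable on its own, since the handshake may negotiate any of them. See tls11Ciphers for the default list.` The element type should be spelled out in the comment as well if the vector's contents are not self-describing.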
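Review bot: The added "XXX" comment states that the callback relies on `ctxConfig.tls11Ciphers` and `ctxConfig.tls11AltCipherlist` not changing, but the `std::bind` on the lines below stores its own copies of both bound arguments (they are not wrapped in `std::ref`), so the callback keeps the values captured at setup time and later changes to `ctxConfig` cannot reach it. The comment should say that instead, e.g. `// std::bind copies tls11Ciphers and tls11AltCipherlist into the callback, so this reflects the config at setup time; reconfiguring ctxConfig later does not update an existing context.` Separately, the widened condition now installs the callback when only `tls11AltCipherlist` is set, passing an empty `tls11Ciphers` to `switchCiphersIfTLS11`; it is worth confirming that function tolerates an empty primary cipher string, and that the `#else` branch (outside this hunk, presumably the no-callback fallback) reports the alternative list as unsupported too. The enclosing `ctxSetupByOpensslFeature` starts and ends outside the hunk.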