diff --git a/roles/xmpp_server/molecule/default/tests/test_mandatory.py b/roles/xmpp_server/molecule/default/tests/test_mandatory.py index 839cc95527f9a1219623b9ff7efb9b066e1629ba..b8cf083d3bb140fe603701f65bfe3719f4998f44 100644 --- a/roles/xmpp_server/molecule/default/tests/test_mandatory.py +++ b/roles/xmpp_server/molecule/default/tests/test_mandatory.py @@ -83,3 +83,45 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port): assert tls_versions == expected_tls_versions assert tls_ciphers == expected_tls_ciphers + + +def test_xmpp_s2s_tls_version_and_ciphers(host): + """ + Tests if the correct TLS version and ciphers have been enabled for + XMPP S2S port. + """ + + expected_tls_versions = ["TLSv1.2", "TLSv1.3"] + # Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default. + expected_tls_ciphers = [ + "TLS_AKE_WITH_AES_128_GCM_SHA256", + "TLS_AKE_WITH_AES_256_GCM_SHA384", + "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + ] + + # Run the nmap scanner against the server, and fetch the results. + nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 5269 domain1 -oX /tmp/report.xml") + assert nmap.rc == 0 + report_content = host.file('/tmp/report.xml').content_string + + report_root = ElementTree.fromstring(report_content) + + tls_versions = [] + tls_ciphers = set() + + for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"): + tls_versions.append(child.attrib['key']) + + for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"): + tls_ciphers.add(child.text) + + tls_versions.sort() + tls_ciphers = sorted(list(tls_ciphers)) + + assert tls_versions == expected_tls_versions + assert tls_ciphers == expected_tls_ciphers 
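Review bot: The new `test_xmpp_s2s_tls_version_and_ciphers` pins cipher-suite names only, so a weak key exchange behind one of the accepted names — for instance a small DH group under the `TLS_DHE_RSA_*` suites it expects — would still pass; nmap's ssl-enum-ciphers also reports a per-cipher `kex_info`/`strength` and an overall `least strength` grade (as far as I recall its XML output; worth confirming against the report), and none of that is asserted here. I would add, after the cipher collection, `least = report_root.find(".//script[@id='ssl-enum-ciphers']/elem[@key='least strength']")` and `assert least is not None and least.text == "A"`, so a DH-parameter regression fails the test even when the suite list is unchanged. The comment `# Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default.` is vague for a pinned policy; say where the default comes from (e.g. `# Prosody's default cipher string omits DHE+CHACHA20 — confirm before adding it here`) or drop it. The context lines at the top of the hunk belong to `test_xmpp_c2s_tls_version_and_ciphers`, which starts outside the hunk.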
diff --git a/roles/xmpp_server/molecule/default/tests/test_optional.py b/roles/xmpp_server/molecule/default/tests/test_optional.py index 3199a6bc11e863630140a3a34fe1a03d77b41e3a..c5587ad5e6690d0e1ac916e37798d2725a8d089e 100644 --- a/roles/xmpp_server/molecule/default/tests/test_optional.py +++ b/roles/xmpp_server/molecule/default/tests/test_optional.py @@ -83,3 +83,45 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port): assert tls_versions == expected_tls_versions assert tls_ciphers == expected_tls_ciphers + + +def test_xmpp_s2s_tls_version_and_ciphers(host): + """ + Tests if the correct TLS version and ciphers have been enabled for + XMPP S2S port. + """ + + expected_tls_versions = ["TLSv1.2", "TLSv1.3"] + # Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default. + expected_tls_ciphers = [ + "TLS_AKE_WITH_AES_128_GCM_SHA256", + "TLS_AKE_WITH_AES_256_GCM_SHA384", + "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + ] + + # Run the nmap scanner against the server, and fetch the results. + nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 5269 domain2 -oX /tmp/report.xml") + assert nmap.rc == 0 + report_content = host.file('/tmp/report.xml').content_string + + report_root = ElementTree.fromstring(report_content) + + tls_versions = [] + tls_ciphers = set() + + for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"): + tls_versions.append(child.attrib['key']) + + for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"): + tls_ciphers.add(child.text) + + tls_versions.sort() + tls_ciphers = sorted(list(tls_ciphers)) + + assert tls_versions == expected_tls_versions + assert tls_ciphers == expected_tls_ciphers
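Review bot: This S2S test is a line-for-line copy of the one added to test_mandatory.py with only the target changed to `domain2`, and both appear to be copies of the existing `test_xmpp_c2s_tls_version_and_ciphers(host, port)` with `port` replaced by a literal 5269 — so the TLS policy (version list and cipher list) now lives in at least four places and must be edited in lockstep. Since the c2s test already takes `port` as a parameter (visible in the hunk header), I would either extend its parametrization to cover 5269 or factor the body into a shared helper such as `_assert_tls_policy(host, target, port)` and have both tests call it. Two small points in the body: `sorted(list(tls_ciphers))` is just `sorted(tls_ciphers)`, and the `.//table[@key='ciphers']` XPath is not anchored under the `ssl-enum-ciphers` script element, so it would silently pick up cipher tables from any other script if the nmap invocation ever gains one — anchoring it as `./host/ports/port/script[@id='ssl-enum-ciphers']//table[@key='ciphers']/table/elem[@key='name']` matches the first loop. The context lines belong to the c2s test, whose body starts outside the hunk.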