diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 23831697ffb639cc3aee97f10f722ab415d2973d..5d699a4cbd9b4a8f43b07b40fc3de2c4236c4155 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1003,6 +1003,7 @@ Distribution compatibility
 Role is compatible with the following distributions:
 - Debian 11 (Bullseye)
+- Debian 12 (Bookworm)
 Examples
diff --git a/roles/xmpp_server/meta/main.yml b/roles/xmpp_server/meta/main.yml
index 3ea41c50efcd2d0ef82ce7b207866015e8102fbe..944c460d479e8485aa193b35d0964983d4d326cf 100644
--- a/roles/xmpp_server/meta/main.yml
+++ b/roles/xmpp_server/meta/main.yml
@@ -17,3 +17,4 @@ galaxy_info:
 - name: Debian
 versions:
 - 11
+ - 12
diff --git a/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml b/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
index e12030b01e8a9a88cccf3b855085bbb4aa36871d..26869dfbbed00d79229ea49313ba8c8a60554edc 100644
--- a/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
+++ b/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
@@ -42,3 +42,6 @@ backup_clients:
 - server: parameters-optional-bullseye
 ip: 192.168.56.52
 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
+ - server: parameters-optional-bookworm
+ ip: 192.168.56.32
+ public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
diff --git a/roles/xmpp_server/molecule/default/molecule.yml b/roles/xmpp_server/molecule/default/molecule.yml
index 6c33bd67c05b3a9356977fa83dcac98a0f886b9a..b800f059efef57644141854c4884723ffd9a4093 100644
--- a/roles/xmpp_server/molecule/default/molecule.yml
+++ b/roles/xmpp_server/molecule/default/molecule.yml
@@ -19,7 +19,7 @@ platforms:
 # =======
 - name: ldap-server
- box: debian/bullseye64
+ box: debian/bookworm64
 memory: 512
 cpus: 1
 provider_raw_config_args:
@@ -79,6 +79,56 @@ platforms:
 network_name: private_network
 type: static
+
+ # Debian 11 Bookworm
+ # ==================
+
+ - name: client-bookworm
+ groups:
+ - clients
+ - bookworm
+ box: debian/bookworm64
+ memory: 256
+ cpus: 1
+ provider_raw_config_args:
+ - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
+ interfaces:
+ - auto_config: true
+ ip: 192.168.56.21
+ network_name: private_network
+ type: static
+
+ - name: parameters-mandatory-bookworm
+ groups:
+ - parameters-mandatory
+ - bookworm
+ box: debian/bookworm64
+ memory: 512
+ cpus: 1
+ provider_raw_config_args:
+ - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
+ interfaces:
+ - auto_config: true
+ ip: 192.168.56.31
+ network_name: private_network
+ type: static
+
+ - name: parameters-optional-bookworm
+ groups:
+ - parameters-optional
+ - bookworm
+ box: debian/bookworm64
+ memory: 512
+ cpus: 1
+ provider_raw_config_args:
+ - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
+ interfaces:
+ - auto_config: true
+ ip: 192.168.56.32
+ network_name: private_network
+ type: static
+
+
 provisioner:
 name: ansible
 playbooks:
diff --git a/roles/xmpp_server/molecule/default/prepare.yml b/roles/xmpp_server/molecule/default/prepare.yml
index fbe74a73026197074a34eb4eeb31cc6e80930d40..cddfe31b7ecbbd8f820eba30cee0bd60a8f4996a 100644
--- a/roles/xmpp_server/molecule/default/prepare.yml
+++ b/roles/xmpp_server/molecule/default/prepare.yml
@@ -38,6 +38,21 @@
 - domain3
 - proxy.domain3
 - conference.domain3
+ - name: parameters-mandatory-bookworm_xmpp
+ fqdn:
+ - parameters-mandatory
+ - domain1
+ - proxy.domain1
+ - conference.domain1
+ - name: parameters-optional-bookworm_xmpp
+ fqdn:
+ - parameters-optional
+ - domain2
+ - proxy.domain2
+ - conference.domain2
+ - domain3
+ - proxy.domain3
+ - conference.domain3
 - name: Set-up link to generated X.509 material
 file:
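Review bot: The new platform section header in molecule.yml reads `# Debian 11 Bookworm`, but Bookworm is Debian 12 — the docs hunk in this same commit adds `Debian 12 (Bookworm)` — so the comment should be `# Debian 12 Bookworm` with the underline kept the same length. The three bookworm hosts otherwise mirror the bullseye ones, and their 192.168.56.21/.31/.32 addresses agree with the entries added to prepare.yml and host_vars/ldap-server.yml, so the only thing to fix here is the label.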
@@ -105,6 +120,43 @@
 192.168.56.51: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 192.168.56.52: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
+- hosts: bookworm
+ become: true
+ tasks:
+
+ - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
+ blockinfile:
+ path: "/etc/ssl/openssl.cnf"
+ block: |
+ [openssl_init]
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+ system_default = system_default_sect
+
+ [system_default_sect]
+ MinProtocol = TLSv1.1
+ CipherString = DEFAULT@SECLEVEL=0
+ owner: root
+ group: root
+ mode: 0644
+ state: present
+
+ - name: Set-up the hosts file
+ lineinfile:
+ path: /etc/hosts
+ regexp: "^{{ item.key }}"
+ line: "{{ item.key }} {{ item.value }}"
+ owner: root
+ group: root
+ mode: 0644
+ state: present
+ with_dict:
+ 192.168.56.11: "ldap-server backup-server"
+ 192.168.56.21: "client-bookworm"
+ 192.168.56.31: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
+ 192.168.56.32: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
+
 - hosts: clients
 become: true
 tasks:
diff --git a/roles/xmpp_server/molecule/default/tests/test_mandatory.py b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
index 6ad6196ad88ca3816f2a6e2ce8d9dd42acbe9d57..46bafe8176aa88321de5c52c1c08772becebcdd5 100644
--- a/roles/xmpp_server/molecule/default/tests/test_mandatory.py
+++ b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
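Review bot: The task name says it enables TLSv1.0+, but the block sets `MinProtocol = TLSv1.1`, while test_optional.py in this same commit expects TLSv1.0 to be offered on the bookworm host; one of the two is off, and if Prosody's own `protocol` setting is what actually governs the minimum version on the socket then the line is merely misleading rather than wrong — worth confirming on the VM rather than assuming. Because the stock Debian 12 openssl.cnf presumably already defines an `[openssl_init]` section, appending a second one relies on OpenSSL merging the two, so I would add a comment above the block stating that it deliberately lowers the security level for the whole test VM (`SECLEVEL=0` affects every OpenSSL consumer, not just Prosody) so legacy protocols can be exercised, and that it must never be copied into the role's own tasks. The `Set-up the hosts file` task is a verbatim copy of the bullseye play's task apart from the address map; moving the map into a variable keyed by group would avoid keeping two copies in sync.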
@@ -49,16 +49,31 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 XMPP C2S ports.
 """
- expected_tls_versions = ["TLSv1.2"]
-
- expected_tls_ciphers = [
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- ]
+ distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
+
+ if distribution_release == "bullseye":
+ expected_tls_versions = ["TLSv1.2"]
+ expected_tls_ciphers = [
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ ]
+ else:
+ expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
+ expected_tls_ciphers = [
+ "TLS_AKE_WITH_AES_128_GCM_SHA256",
+ "TLS_AKE_WITH_AES_256_GCM_SHA384",
+ "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ ]
 # Run the nmap scanner against the server, and fetch the results.
 nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))
diff --git a/roles/xmpp_server/molecule/default/tests/test_optional.py b/roles/xmpp_server/molecule/default/tests/test_optional.py
index 58784a4939d5b1acc8adc4ea1ec39b24a5b7cb31..39ab5b8fa1beae0e9b413cad52e2f1facecfbf98 100644
--- a/roles/xmpp_server/molecule/default/tests/test_optional.py
+++ b/roles/xmpp_server/molecule/default/tests/test_optional.py
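Review bot: The `else` branch treats every release that is not bullseye as bookworm, so a run against an unsupported or future release would be checked against the bookworm protocol and cipher lists instead of failing with a clear message; the test_optional.py hunk in this commit has the same structure. I would make the second branch explicit and reject anything else, `elif distribution_release == "bookworm":` … `else:` / `raise AssertionError("unsupported distribution release: %s" % distribution_release)`. The function's docstring, which starts outside the hunk, should also say that the expected TLS versions and cipher suites now depend on the target's distribution release, since that is the main thing this test encodes after the change.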
@@ -55,19 +55,37 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 XMPP C2S ports.
 """
- expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
-
- expected_tls_ciphers = [
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- ]
+ distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
+
+ if distribution_release == "bullseye":
+ expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+ expected_tls_ciphers = [
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ ]
+ else:
+ expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ expected_tls_ciphers = [
+ "TLS_AKE_WITH_AES_128_GCM_SHA256",
+ "TLS_AKE_WITH_AES_256_GCM_SHA384",
+ "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ ]
 # Run the nmap scanner against the server, and fetch the results.
 nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
diff --git a/roles/xmpp_server/templates/prosody.cfg.lua.j2 b/roles/xmpp_server/templates/prosody.cfg.lua.j2
index ba312efa3b16d6e0408057c02608bdd6f231d0b3..86bbcd26e2cf35923ff57cfe3a87e5a243a365fc 100644
--- a/roles/xmpp_server/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp_server/templates/prosody.cfg.lua.j2
@@ -55,13 +55,31 @@ c2s_ssl = {
 -- Configure TLS protocol and ciphers for client-to-server
 -- connections (direct TLS).
+{% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ssl = {
 protocol = "{{ xmpp_server_tls_protocol }}";
 ciphers = "{{ xmpp_server_tls_ciphers }}";
 }
+{% else %}
+c2s_direct_tls_ssl = {
+ protocol = "{{ xmpp_server_tls_protocol }}";
+ ciphers = "{{ xmpp_server_tls_ciphers }}";
+ -- @WORKAROUND: No DHE ciphers because dhparam is getting reset
+ --
+ -- There is a bug in Prosody 0.12.3 resulting in dhparam value
+ -- from from global config getting ignored when domain SNI
+ -- context is initalised on TCP port 5223. Define the parameter
+ -- in within this configuration context as well to fix the issue.
+ dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
+}
+{% endif %}
 -- Ports on which to have direct TLS/SSL.
+{% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ports = { 5223 }
+{% else %}
+c2s_direct_tls_ports = { 5223 }
+{% endif %}
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true
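Review bot: The first line of the workaround comment, `-- @WORKAROUND: No DHE ciphers because dhparam is getting reset`, reads as if DHE suites were being disabled, while the code does the opposite and sets `dhparam` so that the DHE suites the tests expect keep being offered; I would reword it to `-- @WORKAROUND: set dhparam in this context too, otherwise DHE suites are silently dropped` and fix the typos `from from`, `initalised` and `in within` in the lines below. The comment pins the behaviour to Prosody 0.12.3 without a reference; adding the upstream bug link (placeholder: `[prosody issue URL]`) would let the workaround be retired once a fixed version reaches the supported releases. Branching on `ansible_distribution_release == "bullseye"` means every other release gets the `c2s_direct_tls_*` option names; that matches the supported list today, but the real dependency is presumably the Prosody version shipped by each release, so a one-line comment saying so would help whoever adds the next one.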