diff --git a/docs/rolereference.rst b/docs/rolereference.rst index c614e686157d7a6b62785ed9e140008c57a82d85..d91e408a5ebc7113646e2803351f4de28eb64bda 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -845,6 +845,8 @@ Prosody is configured as follows: * Client-to-server communication requires encryption (TLS). * Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for incoming connections. +* Configures TLS versions and ciphers supported by Prosody (for + *c2s*/client connections only). * Authentication is done via LDAP. For setting the LDAP TLS truststore, see :ref:`LDAP Client `. * Internal storage is used. @@ -853,12 +855,6 @@ Prosody is configured as follows: * For each domain specified, a dedicated file proxy service will be set-up, with FQDN set to ``proxy.DOMAIN``. -.. warning:: - Since it is not possible to set-up separate TLS configuration for *c2s* and - *s2s* connections in Prosody 0.9.x, no hardening of TLS is performed in order - to improve interoperability. This will be changed in Prosody 0.10.x, at which - point hardening can be revisited. - Prosody expects a specific directory structure in LDAP when doing look-ups: * Prosody will log-in to LDAP as user 
@@ -927,8 +923,26 @@ Parameters **xmpp_prosody_package** (string, optional, ``prosody-0.10``) Name of Prosody package from the Prosody repositories to install. This makes it possible to easily test the latest Prosody or - to switch to a different nightly builds. It should be noted that - only the default version is getting properly tested. + to switch to a different nightly build. It should be noted that + only the default version is getting properly tested. Prosody + versions lower than ``0.10.x`` are not supported. + +**xmpp_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``) + TLS ciphers to enable on the XMPP server. This should be an + OpenSSL-compatible cipher specification. Value should be compatible + with Prosody's option ``ciphers`` normally defined within the + ``ssl`` section of configuration file (see `official documentation + `_ for details). + Default value allows only TLSv1.2 and strong PFS ciphers with RSA + private keys. + +**xmpp_server_tls_protocol** (string, optional, ``tlsv1_2+``) + Protocol version the XMPP server should support for client + connections. The value specified should be compatible with Prosody's + ``protocol`` option normally defined within the ``ssl`` section of + configuration file (see `official documentation + `_ for + details). **xmpp_tls_certificate** (string, mandatory) X.509 certificate used for TLS for XMPP service. The file will be stored in
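Review bot: In the first hunk, dropping the 0.9.x warning also drops the only explicit statement that *s2s* connections are left unhardened; the new bullet "(for *c2s*/client connections only)" implies it but no longer says what happens to server-to-server TLS. Suggest extending the bullet so the reader is not left guessing, e.g. "(for *c2s*/client connections only; *s2s* connections keep Prosody's default TLS settings)".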
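Review bot: In the second hunk, the signature line for ``xmpp_server_tls_ciphers`` is missing the comma between "optional" and the default value: `(string, optional ``DHE-RSA-AES128-GCM-SHA256:...``)` should read `(string, optional, ``DHE-RSA-AES128-GCM-SHA256:...``)`, matching the `(string, optional, ``tlsv1_2+``)` form used for ``xmpp_server_tls_protocol`` directly below. The sentence "Default value allows only TLSv1.2 and strong PFS ciphers with RSA private keys" also attributes the protocol-version restriction to the cipher list, whereas in this patch the version is governed by ``xmpp_server_tls_protocol`` (default ``tlsv1_2+``); suggest rewording to "Default value allows only strong PFS (AEAD) ciphers usable with RSA private keys; the protocol version is controlled by ``xmpp_server_tls_protocol``." Both new parameters should also state that they apply to *c2s* connections only, consistent with the bullet added in the first hunk.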