diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 331a8057ab6e325457065ddec285319467be0bda..849428221239c2ec198c043236eabfb2a4e9048a 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -1167,7 +1167,7 @@ The role implements the following: * Installs and configures nginx with a single, default vhost with a small static index page. * Deploys the HTTPS TLS private key and certificate (for default vhost). -* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. +* Configures TLS versions and ciphers supported by Nginx. * Configures firewall to allow incoming connections to the web server. * Installs and configures virtualenv and virtualenvwrapper as a common base for Python apps. @@ -1206,6 +1206,16 @@ Parameters Message for the default web page shown to users (if no other vhosts were matched). +**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``) + List of TLS protocols the web server should support. Each value specified + should be compatible with Nginx configuration option ``ssl_protocols``. + +**web_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT``) + TLS ciphers to enable on the web server. This should be an OpenSSL-compatible + cipher specification. Value should be compatible with Nginx configuration + option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS + ciphers. + Examples ~~~~~~~~
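Review bot: In the first hunk (the "role implements" list, around line 1167), the replacement bullet "Configures TLS versions and ciphers supported by Nginx." drops the statement of the secure default that the old bullet carried. Since the second hunk documents that the defaults still allow only TLSv1.2 and PFS ciphers, keep that fact visible in the summary, e.g. "Configures the TLS protocols and ciphers accepted by nginx (by default only TLSv1.2 with PFS ciphers)." so a reader skimming the role list still sees the hardening posture and knows it is now tunable.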
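Review bot: In the second hunk (Parameters, around line 1206), the two new entries use inconsistent signatures: ``**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)`` has a comma after "optional" while ``**web_server_tls_ciphers** (string, optional ``DHE-RSA-...``)`` does not; add the missing comma. The protocols entry should also state the consequence of overriding the default, since the parameter now makes it possible to enable protocol versions older than TLSv1.2 and the cipher default was chosen for a TLSv1.2-only configuration; a sentence such as "Adding older protocol versions weakens the role's default hardening; review ``web_server_tls_ciphers`` together with this setting." would keep the two options documented as a pair.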