diff --git a/roles/ldap_server/molecule/default/tests/test_mandatory.py b/roles/ldap_server/molecule/default/tests/test_mandatory.py
index 51efd6cd9cfce0361c962aaebb822b70802ec914..8bdafacc5c7f210c5cdf966babd6a5983c17155c 100644
--- a/roles/ldap_server/molecule/default/tests/test_mandatory.py
+++ b/roles/ldap_server/molecule/default/tests/test_mandatory.py
@@ -1,11 +1,9 @@
 import os
-import pytest
+import defusedxml.ElementTree as ElementTree
 import testinfra.utils.ansible_runner
-from tls_ciphers import ALL_CIPHERS
-
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
@@ -55,9 +53,10 @@ def test_certificate_validity_check_configuration(host):
 assert config.content_string == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname
-def test_tls_configuration(host):
+def test_tls_connectivity(host):
 """
- Tests if the TLS has been configured correctly and works.
+ Tests if it is possible to connect to the LDAP server using
+ STARTTLS/TLS.
 """
 starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')
@@ -68,54 +67,50 @@ def test_tls_configuration(host):
 assert tls.rc == 0
 assert tls.stdout == 'anonymous\n'
- old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory.local:636")
- assert old_tls_versions_disabled.rc != 0
- assert "CONNECTED" in old_tls_versions_disabled.stdout
-
-# @TODO: Under Debian Stretch, the DHE ciphers are not usable due to a
-# bug present in OpenLDAP 2.4.44. See
-# https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979 for
-# details. It should be possible to fix this problem once switch to
-# buster is made.
-ENABLED_CIPHERS = [
- # "DHE-RSA-AES128-GCM-SHA256",
- # "DHE-RSA-AES256-GCM-SHA384",
- # "DHE-RSA-CHACHA20-POLY1305",
- "ECDHE-RSA-AES128-GCM-SHA256",
- "ECDHE-RSA-AES256-GCM-SHA384",
- "ECDHE-RSA-CHACHA20-POLY1305",
-]
+def test_tls_version_and_ciphers(host):
+ """
+ Tests if the correct TLS version and ciphers have been enabled.
+ """
-DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
+ expected_tls_versions = ["TLSv1.2"]
+ # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
+ # to a bug present in OpenLDAP 2.4.44. See
+ # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
+ # for details. It should be possible to fix this problem once
+ # switch to buster is mad.e
+ expected_tls_ciphers = [
+ # "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ # "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ ]
-@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
-def test_enabled_tls_ciphers(host, cipher):
- """
- Tests available TLS ciphers on the server.
- """
+ # Run the nmap scanner against the LDAP server, and fetch the
+ # results.
+ nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 636 localhost -oX /tmp/report.xml")
+ assert nmap.rc == 0
+ report_content = host.file('/tmp/report.xml').content_string
- hostname = host.run('hostname').stdout.strip()
- fqdn = hostname
+ report_root = ElementTree.fromstring(report_content)
- client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:636", cipher, fqdn)
- assert client.rc == 0
- assert cipher in client.stdout
+ tls_versions = []
+ tls_ciphers = set()
+ for child in report_root.findall("./host/ports/port/script/table"):
+ tls_versions.append(child.attrib['key'])
-@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
-def test_disabled_tls_ciphers(host, cipher):
- """
- Tests available TLS ciphers on the server.
- """
+ for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
+ tls_ciphers.add(child.text)
- hostname = host.run('hostname').stdout.strip()
- fqdn = hostname
+ tls_versions.sort()
+ tls_ciphers = sorted(list(tls_ciphers))
- client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:636", cipher, fqdn)
- assert client.rc != 0
- assert cipher not in client.stdout
+ assert tls_versions == expected_tls_versions
+ assert tls_ciphers == expected_tls_ciphers
 def test_ssf_configuration(host):
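Review bot: The version list in test_tls_version_and_ciphers is built from `./host/ports/port/script/table`, which is not restricted to the ssl-enum-ciphers script; since the scan also passes `-sV`, nmap may run version-category scripts, and any of them emitting a `table` under port 636 would land in `tls_versions` and break the exact comparison with `["TLSv1.2"]`. Qualify the path as `script[@id='ssl-enum-ciphers']/table` (the cipher query can be anchored under the same script element). The detour through `/tmp/report.xml` is also unnecessary: `-oX -` writes the XML report to stdout, which removes the `host.file` round-trip and the fixed report path on the target. Two minor points: `sorted(list(tls_ciphers))` is just `sorted(tls_ciphers)`, and the new comment reads `switch to buster is mad.e` where `made.` is meant.
```python
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 636 localhost -oX -")
    assert nmap.rc == 0
    report_root = ElementTree.fromstring(nmap.stdout)

    # … unchanged: tls_versions / tls_ciphers initialisation …
    for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
        tls_versions.append(child.attrib['key'])

    # … unchanged: cipher collection, sorting and assertions …
```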