diff --git a/roles/ldap_server/molecule/default/tests/test_optional.py b/roles/ldap_server/molecule/default/tests/test_optional.py
index a5fe69286b8a9f4cc1452c69061c4463bce34a2a..a3d5ae759900d1d26b29794e9b18d35d5dc46c05 100644
--- a/roles/ldap_server/molecule/default/tests/test_optional.py
+++ b/roles/ldap_server/molecule/default/tests/test_optional.py
@@ -1,9 +1,13 @@
 import os
+import pytest
+
 import testinfra.utils.ansible_runner
 from helpers import parse_ldif
+from tls_ciphers import ALL_CIPHERS
+
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
@@ -70,13 +74,55 @@ def test_tls_configuration(host):
 assert old_tls_versions_disabled.rc == 0
 assert "CONNECTED" in old_tls_versions_disabled.stdout
- cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636")
- assert cipher.rc == 0
- assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
- cipher = host.run("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636")
- assert cipher.rc == 0
- assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
+# @TODO: Under Debian Stretch, the DHE ciphers are not usable due to a
+# bug present in OpenLDAP 2.4.44. See
+# https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979 for
+# details. It should be possible to fix this problem once switch to
+# buster is made.
+ENABLED_CIPHERS = [
+ # "DHE-RSA-AES128-GCM-SHA256",
+ # "DHE-RSA-AES256-GCM-SHA384",
+ # "DHE-RSA-CHACHA20-POLY1305",
+ "ECDHE-RSA-AES128-SHA256",
+ "ECDHE-RSA-AES128-SHA",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES128-SHA",
+ "ECDHE-RSA-AES128-SHA256",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-AES256-SHA",
+ "ECDHE-RSA-AES256-SHA384",
+]
+
+DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
+
+
+@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
+def test_enabled_tls_ciphers(host, cipher):
+ """
+ Tests available TLS ciphers on the server.
+ """
+
+ hostname = host.run('hostname').stdout.strip()
+ fqdn = hostname
+
+ client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:636", cipher, fqdn)
+ assert client.rc == 0
+ assert cipher in client.stdout
+
+
+@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
+def test_disabled_tls_ciphers(host, cipher):
+ """
+ Tests available TLS ciphers on the server.
+ """
+
+ hostname = host.run('hostname').stdout.strip()
+ fqdn = hostname
+
+ client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:636", cipher, fqdn)
+ assert client.rc != 0
+ assert cipher not in client.stdout
 def test_ssf_configuration(host):
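Review bot: `ENABLED_CIPHERS` lists `ECDHE-RSA-AES128-SHA` and `ECDHE-RSA-AES128-SHA256` twice, so `test_enabled_tls_ciphers` runs those two cases twice under suffixed parametrize ids; drop the second occurrences (and `DISABLED_CIPHERS` can simply be `sorted(set(ALL_CIPHERS) - set(ENABLED_CIPHERS))`). In `test_disabled_tls_ciphers`, `client.rc != 0` also holds when the local `openssl s_client` does not recognise the cipher name at all, so any entry of `ALL_CIPHERS` that the client build lacks passes without the server ever rejecting it; guard the case with `assert host.run("openssl ciphers %s", cipher).rc == 0, "cipher unknown to client openssl"` (or skip it) so the negative assertion only counts when the cipher was actually offered. The docstring of `test_disabled_tls_ciphers` is copied from the enabled test; `"""Tests that ciphers outside ENABLED_CIPHERS are rejected by the server."""` states what it asserts. The removed `-tls1_1` case is not carried over, so cipher availability is now only exercised under the client's default protocol version, which may be intended but narrows the check. The trailing `def test_ssf_configuration(host):` is only the next function's signature; its body lies outside the hunk.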