diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml
index a8650ecab1b70da82c519c60059908d5355bcfba..ecf1e1f316f00d156fb2f549524a67a42ecee6a1 100644
--- a/roles/web_server/defaults/main.yml
+++ b/roles/web_server/defaults/main.yml
@@ -6,6 +6,10 @@ web_default_title: "Welcome"
 web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 web_server_tls_protocols:
 - "TLSv1.2"
+ - "TLSv1.3"
+
+# TLS_* ciphers are mandated by the TLSv1.3-related standards and
+# cannot be disabled when TLSv1.3 is enabled on the server.
 web_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -13,6 +17,9 @@ DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"

 # Internal parameters
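Review bot: The comment added above `web_server_tls_ciphers` says the TLS_* suites "cannot be disabled", which is stronger than the standard and does not tell a maintainer what editing the list will actually do. RFC 8446 makes only TLS_AES_128_GCM_SHA256 mandatory to implement; the other two are recommended, and TLS libraries generally select TLSv1.3 suites through a setting separate from the TLSv1.2 cipher list. I would reword it along the lines of `# TLS_* entries are TLSv1.3 suites; most TLS libraries select them separately from this list, so editing them here may not change what the server negotiates.` The `web_server_tls_ciphers` value continues outside this hunk.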
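Review bot: The three `TLS_*` names are appended to a string that otherwise uses OpenSSL cipher-list syntax (`ECDHE-RSA-...`, `!aNULL:!MD5:!EXPORT`), and in OpenSSL that list does not control TLSv1.3 suites, which are set through a separate ciphersuites option. The template that consumes `web_server_tls_ciphers` is not part of this diff, so this is inferred, but if the value lands in an OpenSSL-backed directive the new entries are probably ignored and the effective TLSv1.3 policy is the library default rather than what this file shows. I would either drop the three lines or move them to a dedicated variable (a suggested name: `web_server_tls13_ciphersuites`) wired to the server's TLSv1.3 setting. Either way, confirm the negotiated protocol and suite with a handshake check against a deployed host before relying on this default.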