diff --git a/roles/web_server/molecule/default/tests/test_mandatory.py b/roles/web_server/molecule/default/tests/test_mandatory.py index c09ed9f14607d3c0648d1ec8664578be2dce26df..403de252876735d3445ec27ed3debecfe8135ab6 100644 --- a/roles/web_server/molecule/default/tests/test_mandatory.py +++ b/roles/web_server/molecule/default/tests/test_mandatory.py @@ -23,17 +23,33 @@ def test_certificate_validity_check_configuration(host): assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname -def test_tls_configuration(host): +def test_tls_enabled(host): """ - Tests if the TLS has been configured correctly and works. + Tests if TLS has been enabled. """ tls = host.run('wget -q -O - https://parameters-mandatory/') assert tls.rc == 0 + +def test_tls_version(host): + """ + Tests if only the configured TLS protocol versions are allowed by + the server. + """ + old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443") - assert old_tls_versions_disabled.rc != 0 + + # Avoid false negatives by ensuring the client had actually + # established the TCP connection. assert "CONNECTED" in old_tls_versions_disabled.stdout + assert old_tls_versions_disabled.rc != 0 + + +def test_tls_ciphers(host): + """ + Tests available TLS ciphers on the server. + """ cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443") assert cipher.rc == 0
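Review bot: `-no_tls1_2` in test_tls_version does not pin the probe to a legacy protocol: the client still offers TLS 1.0/1.1 and, on OpenSSL 1.1.1 or newer, TLS 1.3, so the `rc != 0` assertion fails against a server that correctly allows 1.2 and 1.3, and on an older toolchain it passes only because nothing but 1.0/1.1 was left to offer. A negative test should force one legacy version at a time, e.g. `openssl s_client -tls1_1 -connect parameters-mandatory:443` (and likewise `-tls1`), keeping the `CONNECTED` pre-check and the `rc != 0` assertion. The same TLS 1.3 caveat applies to test_tls_ciphers: `-cipher` only governs TLS 1.2 and older suites, so a TLS 1.3 handshake succeeds regardless of the list; add `-tls1_2` to that command and assert on the negotiated suite, `assert "Cipher is ECDHE-RSA-AES128-SHA256" in cipher.stdout`, rather than on rc alone. Which protocol versions and ciphers the role actually configures is not visible in this hunk, so the expected set should be taken from the role defaults rather than hard-coded here.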