diff --git a/roles/xmpp_server/defaults/main.yml b/roles/xmpp_server/defaults/main.yml
index ec4073bfb6a983c04fc44fb0c68043aed1ff728c..aecf13a40ea3f59b1b389d451a0903f6fea8bfa0 100644
--- a/roles/xmpp_server/defaults/main.yml
+++ b/roles/xmpp_server/defaults/main.yml
@@ -3,6 +3,9 @@
 enable_backup: false
 xmpp_server_archive_expiration: "never"
 xmpp_server_tls_protocol: "tlsv1_2+"
+
+# TLS_* ciphers are mandated by the TLSv1.3-related standards and
+# cannot be disabled when TLSv1.3 is enabled on the server.
 xmpp_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -10,4 +13,7 @@ DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
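Review bot: The three `TLS_*` entries added in the second hunk sit in a string that otherwise uses OpenSSL cipher-list syntax (`!aNULL:!MD5:!EXPORT`), and OpenSSL selects TLSv1.3 suites through a separate ciphersuites setting rather than through the cipher list, so if the value reaches OpenSSL unchanged these names probably do not influence what the server negotiates; the template that consumes the variable is not visible here. If that is the case, the comment added in the first hunk should say so, so that nobody assumes deleting an entry disables the suite, for example `# TLS_* entries list the TLSv1.3 suites the server offers; removing one here does not disable it.` The comment also overstates the standard: RFC 8446 makes only TLS_AES_128_GCM_SHA256 mandatory to implement, while the other two are recommended, so "cannot be disabled" describes this software stack rather than TLSv1.3 itself. A deployment check that compares this list with the suites the server actually offers would catch drift between the two.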