diff --git a/roles/xmpp_server/templates/prosody.cfg.lua.j2 b/roles/xmpp_server/templates/prosody.cfg.lua.j2
index ba312efa3b16d6e0408057c02608bdd6f231d0b3..86bbcd26e2cf35923ff57cfe3a87e5a243a365fc 100644
--- a/roles/xmpp_server/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp_server/templates/prosody.cfg.lua.j2
@@ -55,13 +55,31 @@ c2s_ssl = {
 
 -- Configure TLS protocol and ciphers for client-to-server
 -- connections (direct TLS).
+{% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ssl = {
     protocol = "{{ xmpp_server_tls_protocol }}";
     ciphers = "{{ xmpp_server_tls_ciphers }}";
 }
+{% else %}
+c2s_direct_tls_ssl = {
+    protocol = "{{ xmpp_server_tls_protocol }}";
+    ciphers = "{{ xmpp_server_tls_ciphers }}";
+    -- @WORKAROUND: No DHE ciphers because dhparam is getting reset
+    --
+    -- There is a bug in Prosody 0.12.3 resulting in dhparam value
+    -- from from global config getting ignored when domain SNI
+    -- context is initalised on TCP port 5223. Define the parameter
+    -- in within this configuration context as well to fix the issue.
+    dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
+}
+{% endif %}
 
 -- Ports on which to have direct TLS/SSL.
+{% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ports = { 5223 }
+{% else %}
+c2s_direct_tls_ports = { 5223 }
+{% endif %}
 
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true
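Review bot: The @WORKAROUND comment in the new c2s_direct_tls_ssl block is misleading and has typos ("from from", "initalised", "in within"): its first line says there are no DHE ciphers, while the block's purpose is the opposite, restoring them on port 5223 by setting dhparam explicitly. Suggest `-- @WORKAROUND: Set dhparam here too, otherwise the global value is lost and DHE ciphers are silently dropped on port 5223` and fixing the spelling on the following lines. The choice between the legacy_ssl_* and c2s_direct_tls_* option names is keyed to ansible_distribution_release rather than to the Prosody version the comment itself cites, so a backported or upgraded Prosody on bullseye would silently render the old names; a one-line comment stating that the release test stands in for "Prosody older than 0.12" would make the assumption visible. The same release test is repeated for the ports block; folding both into one conditional would keep the ssl and ports settings from drifting apart.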