diff --git a/roles/xmpp_server/templates/prosody.cfg.lua.j2 b/roles/xmpp_server/templates/prosody.cfg.lua.j2
index 4a044a8ed9202764d6c8b557588c53e690cf9b78..0553b12cdb2b1b4b2fd6fe4239f74cee252ab559 100644
--- a/roles/xmpp_server/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp_server/templates/prosody.cfg.lua.j2
@@ -44,6 +44,8 @@ allow_registration = false;
 ssl = {
 key = "/etc/ssl/private/{{ xmpp_tls_key | basename }}";
 certificate = "/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}";
+ prosody = "tlsv1_2";
+ ciphers = "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!EXPORT;"
 }
 -- Ports on which to have direct TLS/SSL.
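Review bot: The added key `prosody = "tlsv1_2";` inside the `ssl` block looks like a typo for `protocol`, the option Prosody's `ssl` table uses to select the TLS version. As written the key is most likely ignored, so the intended TLS 1.2 restriction would not take effect and older protocol versions would stay negotiable; suggest `protocol = "tlsv1_2";`. On the `ciphers` line the trailing `;` sits inside the quoted string (`...:!EXPORT;"`) rather than after the closing quote, so it becomes part of the cipher list instead of terminating the field; moving it out (`...:!EXPORT";`) matches the `key` and `certificate` lines. Once corrected, check against a deployed server that handshakes below TLS 1.2 are refused, since a misspelled option fails silently here.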