diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2a3a3672..d9c33ca9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,14 @@ matrix_riot_web_integrations_widgets_urls: "https://dimension.t2bot.io/widgets"
 matrix_riot_web_integrations_jitsi_widget_url: "https://dimension.t2bot.io/widgets/jitsi"
 ```
 
+## SSL protocols used to serve Riot and Synapse
+
+There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. Its default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse.
+
+You may wish to reenable TLSv1 if you need to access Riot in older browsers.
+
+Note: Currently the dockerized nginx doesn't support TLSv1.3. See https://github.com/nginxinc/docker-nginx/issues/190 for more details.
+
 
 # 2018-11-01
 
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 982c3df5..59a21336 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -302,6 +302,11 @@ matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008"
 # a new SSL certificate could go into effect.
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
 
+# Specifies which SSL protocols to use when serving Riot and Synapse
+# Note TLSv1.3 is not yet available in dockerized nginx
+# See: https://github.com/nginxinc/docker-nginx/issues/190
+matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
+
 
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
index 9347f02e..eaa87440 100644
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
@@ -35,7 +35,7 @@ server {
 
 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 
diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
index 03ec51a1..096249e0 100644
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
@@ -35,7 +35,7 @@ server {
 
 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";