diff --git a/rebar.config b/rebar.config
index b40192da0..61748af56 100644
--- a/rebar.config
+++ b/rebar.config
@@ -57,7 +57,7 @@
 {stringprep, ".*", {git, "https://github.com/processone/stringprep", {tag, "1.0.23"}}},
 {if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.39"}}}},
- {xmpp, ".*", {git, "https://github.com/processone/xmpp", {tag, "1.4.10"}}},
+ {xmpp, ".*", {git, "https://github.com/processone/xmpp", "e21de94967c9d6b632058b1f5d34614e0dc9bfe8"}},
 {yconf, ".*", {git, "https://github.com/processone/yconf", {tag, "1.0.8"}}}
 ]}.
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index a77f81ab2..56410ed82 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -373,7 +373,7 @@ unauthenticated_stream_features(#{lserver := LServer}) ->
 authenticated_stream_features(#{lserver := LServer}) ->
 ejabberd_hooks:run_fold(c2s_post_auth_features, LServer, [], [LServer]).
-sasl_mechanisms(Mechs, #{lserver := LServer} = State) ->
+sasl_mechanisms(Mechs, #{lserver := LServer, stream_encrypted := Encrypted} = State) ->
 Type = ejabberd_auth:store_type(LServer),
 Mechs1 = ejabberd_option:disable_sasl_mechanisms(LServer),
 %% I re-created it from cyrsasl ets magic, but I think it's wrong
@@ -383,6 +383,11 @@ sasl_mechanisms(Mechs, #{lserver := LServer} = State) ->
 ejabberd_auth_anonymous:is_sasl_anonymous_enabled(LServer);
 (<<"DIGEST-MD5">>) -> Type == plain;
 (<<"SCRAM-SHA-1">>) -> Type /= external;
+ (<<"SCRAM-SHA-1-PLUS">>) -> Type /= external andalso Encrypted;
+ (<<"SCRAM-SHA-256">>) -> Type == plain;
+ (<<"SCRAM-SHA-256-PLUS">>) -> Type == plain andalso Encrypted;
+ (<<"SCRAM-SHA-512">>) -> Type == plain;
+ (<<"SCRAM-SHA-512-PLUS">>) -> Type == plain andalso Encrypted;
 (<<"PLAIN">>) -> true;
 (<<"X-OAUTH2">>) -> [ejabberd_auth_anonymous] /= ejabberd_auth:auth_modules(LServer);
 (<<"EXTERNAL">>) -> maps:get(tls_verify, State, false);
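Review bot: In rebar.config the xmpp dependency now points at a bare commit hash, and nothing records why it left the `1.4.10` tag. The full 40-character hash is an immutable pin, so integrity is not the concern; the risk is that an untagged revision is easy to leave in place when a release is cut. I would add a comment on the line above, e.g. `%% xmpp: pinned to an untagged commit (presumably for the new SCRAM mechanisms); return to {tag, ...} once released`.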
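Review bot: The new head of sasl_mechanisms/2 in src/ejabberd_c2s.erl matches `stream_encrypted := Encrypted`, so a state map without that key now fails with function_clause. The `EXTERNAL` clause further down reads its flag tolerantly with `maps:get(tls_verify, State, false)`. Whether every c2s state carries `stream_encrypted` is not visible in this diff. If that is not guaranteed, keep the old head and bind `Encrypted = maps:get(stream_encrypted, State, false),` in the body, so a missing key just means the -PLUS mechanisms are not offered. The function body continues outside the hunk.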
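Review bot: In the second ejabberd_c2s.erl hunk, SCRAM-SHA-256 and SCRAM-SHA-512 (and their -PLUS forms) are gated on `Type == plain` while SCRAM-SHA-1 uses `Type /= external`, and nothing explains the difference. Presumably stored SCRAM credentials are tied to one hash function, so only plaintext storage can serve the newer hashes. A comment above these clauses would help, such as `%% SHA-256/512 need the plaintext password; stored SCRAM verifiers are hash-specific`, because operators on non-plain storage will otherwise see only SCRAM-SHA-1 offered. The same comment should state that the -PLUS variants are advertised only when `Encrypted` is true while the non-PLUS variants and PLAIN stay advertised alongside them, so protection against mechanism downgrade depends on the client's channel-binding policy. The enclosing fun starts before the hunk and continues after it.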