[exim-cvs] TLS: add variables for the IETF standard name for…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] TLS: add variables for the IETF standard name for the connection ciphersuite
Gitweb: https://git.exim.org/exim.git/commitdiff/f1be21cf0b8b97a64dfe17f2ca05bb4b9efe8d32
Commit:     f1be21cf0b8b97a64dfe17f2ca05bb4b9efe8d32
Parent:     826cb8c29cb1947cfc8f0e1b4e96c97e10a0e18a
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Feb 3 22:12:48 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Feb 11 00:16:46 2019 +0000


    TLS: add variables for the IETF standard name for the connection ciphersuite


    (cherry picked from commit ffc3d145e3819e1a3762caa1bbe8b07e723fbaf2)
---
 doc/doc-docbook/spec.xfpt      |  29 ++-
 doc/doc-txt/ChangeLog          |   2 +
 doc/doc-txt/NewStuff           |   3 +
 src/OS/Makefile-Base           |   3 +-
 src/scripts/MakeLinks          |   3 +-
 src/src/expand.c               |   2 +
 src/src/globals.c              |  12 +-
 src/src/globals.h              |   2 +
 src/src/tls-cipher-stdname.c   | 393 +++++++++++++++++++++++++++++++++++++++++
 src/src/tls-gnu.c              |  56 ++++--
 src/src/tls-openssl.c          |  57 ++++--
 test/log/2102.openssl_1_1_1    |   8 +-
 test/runtest                   |  13 +-
 test/stderr/0402               |  40 +++--
 test/stderr/0544               |  40 +++--
 test/stderr/5410               | 120 +++++++++----
 test/stderr/5420               | 120 +++++++++----
 test/stdout/2114.openssl_1_1_1 |  18 +-
 test/stdout/2124.openssl_1_1_1 |   2 +-
 test/stdout/2132.openssl_1_1_1 |   8 +-
 20 files changed, 784 insertions(+), 147 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 22f06e3..bb486d6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13347,6 +13347,12 @@ The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during m
but in the context of an outward SMTP delivery taking place via the &(smtp)& transport
becomes the same as &$tls_out_cipher$&.

+.new
+.vitem &$tls_in_cipher_std$&
+.vindex "&$tls_in_cipher_std$&"
+As above, but returning the RFC standard name for the cipher suite.
+.wen
+
.vitem &$tls_out_cipher$&
.vindex "&$tls_out_cipher$&"
This variable is
@@ -13355,6 +13361,12 @@ and then set to the outgoing cipher suite if one is negotiated. See chapter
&<<CHAPTLS>>& for details of TLS support and chapter &<<CHAPsmtptrans>>& for
details of the &(smtp)& transport.

+,new
+.vitem &$tls_out_cipher_std$&
+.vindex "&$tls_out_cipher_std$&"
+As above, but returning the RFC standard name for the cipher suite.
+.wen
+
.vitem &$tls_out_dane$&
.vindex &$tls_out_dane$&
DANE active status. See section &<<SECDANE>>&.
@@ -16585,23 +16597,26 @@ on at the end (preceded by a semicolon). The string is expanded each time it is
used. If the expansion yields an empty string, no &'Received:'& header line is
added to the message. Otherwise, the string should start with the text
&"Received:"& and conform to the RFC 2822 specification for &'Received:'&
-header lines. The default setting is:
+header lines.
+.new
+The default setting is:

 .code
 received_header_text = Received: \
   ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
-  {${if def:sender_ident \
-  {from ${quote_local_part:$sender_ident} }}\
-  ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
+    {${if def:sender_ident \
+      {from ${quote_local_part:$sender_ident} }}\
+        ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
   by $primary_hostname \
-  ${if def:received_protocol {with $received_protocol}} \
-  ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\
+  ${if def:received_protocol {with $received_protocol }}\
+  ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\
   (Exim $version_number)\n\t\
   ${if def:sender_address \
   {(envelope-from <$sender_address>)\n\t}}\
   id $message_exim_id\
   ${if def:received_for {\n\tfor $received_for}}
 .endd
+.wen


The reference to the TLS cipher is omitted when Exim is built without TLS
support. The use of conditional expansions ensures that this works for both
@@ -27476,7 +27491,7 @@ but is a full SMTP SASL authenticator
rather than being implicit for TLS-connection carried
client certificates only.

-The examples and discussion in this chapter assume that
+The examples and discussion in this chapter assume that
client-certificate authentication is being done.

 The client must present a certificate,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c8f3c58..bc739ae 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -18,6 +18,8 @@ JH/02 OpenSSL: suppress the sending of (stateful) TLS1.3 session tickets.
 JH/03 Debug output for ACL now gives the config file name and line number for
       each verb.


+JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
+

Exim version 4.92
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 3b5cda1..ad238f4 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -13,6 +13,9 @@ Version 4.93

2. A JSON lookup type, and JSON variants of the forall/any expansion conditions.

+ 3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names
+    for ciphersuites.
+
 Version 4.92
 --------------


diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index 79bec06..b99cb9f 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -816,7 +816,8 @@ store.o:         $(HDRS) store.c
 string.o:        $(HDRS) string.c
 tls.o:           $(HDRS) tls.c \
          tls-gnu.c tlscert-gnu.c \
-         tls-openssl.c tlscert-openssl.c
+         tls-openssl.c tlscert-openssl.c \
+         tls-cipher-stdname.c
 tod.o:           $(HDRS) tod.c
 transport.o:     $(HDRS) transport.c
 tree.o:          $(HDRS) tree.c
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index b717367..8d8345c 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -106,7 +106,8 @@ for f in blob.h dbfunctions.h dbstuff.h exim.h functions.h globals.h \
   rda.c readconf.c receive.c retry.c rewrite.c rfc2047.c route.c search.c \
   setenv.c environment.c \
   sieve.c smtp_in.c smtp_out.c spool_in.c spool_out.c std-crypto.c store.c \
-  string.c tls.c tlscert-gnu.c tlscert-openssl.c tls-gnu.c tls-openssl.c \
+  string.c tls.c tlscert-gnu.c tlscert-openssl.c tls-cipher-stdname.c \
+  tls-gnu.c tls-openssl.c \
   tod.c transport.c tree.c verify.c version.c \
   dkim.c dkim.h dkim_transport.c dmarc.c dmarc.h \
   valgrind.h memcheck.h \
diff --git a/src/src/expand.c b/src/src/expand.c
index dc0912d..e3615cd 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -749,6 +749,7 @@ static var_entry var_table[] = {
   { "tls_in_bits",         vtype_int,         &tls_in.bits },
   { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
   { "tls_in_cipher",       vtype_stringptr,   &tls_in.cipher },
+  { "tls_in_cipher_std",   vtype_stringptr,   &tls_in.cipher_stdname },
   { "tls_in_ocsp",         vtype_int,         &tls_in.ocsp },
   { "tls_in_ourcert",      vtype_cert,        &tls_in.ourcert },
   { "tls_in_peercert",     vtype_cert,        &tls_in.peercert },
@@ -759,6 +760,7 @@ static var_entry var_table[] = {
   { "tls_out_bits",        vtype_int,         &tls_out.bits },
   { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
   { "tls_out_cipher",      vtype_stringptr,   &tls_out.cipher },
+  { "tls_out_cipher_std",  vtype_stringptr,   &tls_out.cipher_stdname },
 #ifdef SUPPORT_DANE
   { "tls_out_dane",        vtype_bool,        &tls_out.dane_verified },
 #endif
diff --git a/src/src/globals.c b/src/src/globals.c
index b3362a3..df71025 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1246,13 +1246,13 @@ date  will be automatically added on the end. */
 uschar *received_header_text   = US
      "Received: "
      "${if def:sender_rcvhost {from $sender_rcvhost\n\t}"
-     "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}"
-     "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
+       "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}"
+         "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
      "by $primary_hostname "
-     "${if def:received_protocol {with $received_protocol}} "
-     #ifdef SUPPORT_TLS
-     "${if def:tls_cipher {($tls_cipher)\n\t}}"
-     #endif
+     "${if def:received_protocol {with $received_protocol }}"
+#ifdef SUPPORT_TLS
+     "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
+#endif
      "(Exim $version_number)\n\t"
      "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}"
      "id $message_exim_id"
diff --git a/src/src/globals.h b/src/src/globals.h
index f71f104..12cc1af 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -88,6 +88,8 @@ typedef struct {
   int     tlsa_usage;         /* TLSA record(s) usage */
 #endif
   uschar *cipher;             /* Cipher used */
+  const uschar *cipher_stdname; /* Cipher used, RFC version */
+  
   BOOL    on_connect;         /* For older MTAs that don't STARTTLS */
   uschar *on_connect_ports;   /* Ports always tls-on-connect */
   void   *ourcert;            /* Certificate we presented, binary */
diff --git a/src/src/tls-cipher-stdname.c b/src/src/tls-cipher-stdname.c
new file mode 100644
index 0000000..ab973af
--- /dev/null
+++ b/src/src/tls-cipher-stdname.c
@@ -0,0 +1,393 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2019 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Translate an IETF TLS ciphersuite code to an IETF ciphersuite name,
+for use when the TLS library do not provide such names.
+This file is #included by the tls-<library>.c file.
+
+Values for these tables pulled on 2019/02/03 from
+https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
+
+
+
+static const uschar * ctb_00[] = {
+[0x00] = US "TLS_NULL_WITH_NULL_NULL",
+[0x01] = US "TLS_RSA_WITH_NULL_MD5",
+[0x02] = US "TLS_RSA_WITH_NULL_SHA",
+[0x03] = US "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+[0x04] = US "TLS_RSA_WITH_RC4_128_MD5",
+[0x05] = US "TLS_RSA_WITH_RC4_128_SHA",
+[0x06] = US "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+[0x07] = US "TLS_RSA_WITH_IDEA_CBC_SHA",
+[0x08] = US "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x09] = US "TLS_RSA_WITH_DES_CBC_SHA",
+[0x0A] = US "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x0B] = US "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+[0x0C] = US "TLS_DH_DSS_WITH_DES_CBC_SHA",
+[0x0D] = US "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x0E] = US "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x0F] = US "TLS_DH_RSA_WITH_DES_CBC_SHA",
+[0x10] = US "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x11] = US "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+[0x12] = US "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+[0x13] = US "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x14] = US "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x15] = US "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+[0x16] = US "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x17] = US "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
+[0x18] = US "TLS_DH_anon_WITH_RC4_128_MD5",
+[0x19] = US "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+[0x1A] = US "TLS_DH_anon_WITH_DES_CBC_SHA",
+[0x1B] = US "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+[0x1E] = US "TLS_KRB5_WITH_DES_CBC_SHA",
+[0x1F] = US "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+[0x20] = US "TLS_KRB5_WITH_RC4_128_SHA",
+[0x21] = US "TLS_KRB5_WITH_IDEA_CBC_SHA",
+[0x22] = US "TLS_KRB5_WITH_DES_CBC_MD5",
+[0x23] = US "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+[0x24] = US "TLS_KRB5_WITH_RC4_128_MD5",
+[0x25] = US "TLS_KRB5_WITH_IDEA_CBC_MD5",
+[0x26] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+[0x27] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+[0x28] = US "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+[0x29] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+[0x2A] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+[0x2B] = US "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+[0x2C] = US "TLS_PSK_WITH_NULL_SHA",
+[0x2D] = US "TLS_DHE_PSK_WITH_NULL_SHA",
+[0x2E] = US "TLS_RSA_PSK_WITH_NULL_SHA",
+[0x2F] = US "TLS_RSA_WITH_AES_128_CBC_SHA",
+[0x30] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+[0x31] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+[0x32] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+[0x33] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+[0x34] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+[0x35] = US "TLS_RSA_WITH_AES_256_CBC_SHA",
+[0x36] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+[0x37] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+[0x38] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+[0x39] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+[0x3A] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+[0x3B] = US "TLS_RSA_WITH_NULL_SHA256",
+[0x3C] = US "TLS_RSA_WITH_AES_128_CBC_SHA256",
+[0x3D] = US "TLS_RSA_WITH_AES_256_CBC_SHA256",
+[0x3E] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+[0x3F] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+[0x40] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+[0x41] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x42] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+[0x43] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x44] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+[0x45] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x46] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
+
+[0x67] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+[0x68] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+[0x69] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+[0x6A] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+[0x6B] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+[0x6C] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+[0x6D] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+
+[0x84] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x85] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+[0x86] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x87] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+[0x88] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x89] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+[0x8A] = US "TLS_PSK_WITH_RC4_128_SHA",
+[0x8B] = US "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x8C] = US "TLS_PSK_WITH_AES_128_CBC_SHA",
+[0x8D] = US "TLS_PSK_WITH_AES_256_CBC_SHA",
+[0x8E] = US "TLS_DHE_PSK_WITH_RC4_128_SHA",
+[0x8F] = US "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x90] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+[0x91] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+[0x92] = US "TLS_RSA_PSK_WITH_RC4_128_SHA",
+[0x93] = US "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x94] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+[0x95] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+[0x96] = US "TLS_RSA_WITH_SEED_CBC_SHA",
+[0x97] = US "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+[0x98] = US "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+[0x99] = US "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+[0x9A] = US "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+[0x9B] = US "TLS_DH_anon_WITH_SEED_CBC_SHA",
+[0x9C] = US "TLS_RSA_WITH_AES_128_GCM_SHA256",
+[0x9D] = US "TLS_RSA_WITH_AES_256_GCM_SHA384",
+[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+[0xA0] = US "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+[0xA1] = US "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+[0xA2] = US "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+[0xA3] = US "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+[0xA4] = US "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+[0xA5] = US "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+[0xA6] = US "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+[0xA7] = US "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+[0xA8] = US "TLS_PSK_WITH_AES_128_GCM_SHA256",
+[0xA9] = US "TLS_PSK_WITH_AES_256_GCM_SHA384",
+[0xAA] = US "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+[0xAB] = US "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+[0xAC] = US "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+[0xAD] = US "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+[0xAE] = US "TLS_PSK_WITH_AES_128_CBC_SHA256",
+[0xAF] = US "TLS_PSK_WITH_AES_256_CBC_SHA384",
+[0xB0] = US "TLS_PSK_WITH_NULL_SHA256",
+[0xB1] = US "TLS_PSK_WITH_NULL_SHA384",
+[0xB2] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+[0xB3] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+[0xB4] = US "TLS_DHE_PSK_WITH_NULL_SHA256",
+[0xB5] = US "TLS_DHE_PSK_WITH_NULL_SHA384",
+[0xB6] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+[0xB7] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+[0xB8] = US "TLS_RSA_PSK_WITH_NULL_SHA256",
+[0xB9] = US "TLS_RSA_PSK_WITH_NULL_SHA384",
+[0xBA] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBB] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBC] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBD] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBE] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBF] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
+[0xC0] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC1] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC2] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC3] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC4] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC5] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
+};
+static const uschar * ctb_13[] = {
+[0x01] = US "TLS_AES_128_GCM_SHA256",
+[0x02] = US "TLS_AES_256_GCM_SHA384",
+[0x03] = US "TLS_CHACHA20_POLY1305_SHA256",
+[0x04] = US "TLS_AES_128_CCM_SHA256",
+[0x05] = US "TLS_AES_128_CCM_8_SHA256",
+};
+static const uschar * ctb_c0[] = {
+[0x01] = US "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+[0x02] = US "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+[0x03] = US "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+[0x04] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+[0x05] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+[0x06] = US "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+[0x07] = US "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+[0x08] = US "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+[0x09] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+[0x0A] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+[0x0B] = US "TLS_ECDH_RSA_WITH_NULL_SHA",
+[0x0C] = US "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+[0x0D] = US "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x0E] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+[0x0F] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+[0x10] = US "TLS_ECDHE_RSA_WITH_NULL_SHA",
+[0x11] = US "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+[0x12] = US "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x13] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+[0x14] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+[0x15] = US "TLS_ECDH_anon_WITH_NULL_SHA",
+[0x16] = US "TLS_ECDH_anon_WITH_RC4_128_SHA",
+[0x17] = US "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+[0x18] = US "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+[0x19] = US "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+[0x1A] = US "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+[0x1B] = US "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x1C] = US "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x1D] = US "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+[0x1E] = US "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+[0x1F] = US "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+[0x20] = US "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+[0x21] = US "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+[0x22] = US "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+[0x23] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+[0x24] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+[0x25] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+[0x26] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+[0x27] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+[0x28] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+[0x29] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+[0x2A] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+[0x2B] = US "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+[0x2C] = US "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+[0x2D] = US "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+[0x2E] = US "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+[0x2F] = US "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+[0x30] = US "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+[0x31] = US "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+[0x32] = US "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+[0x33] = US "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+[0x34] = US "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x35] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+[0x36] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+[0x37] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+[0x38] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+[0x39] = US "TLS_ECDHE_PSK_WITH_NULL_SHA",
+[0x3A] = US "TLS_ECDHE_PSK_WITH_NULL_SHA256",
+[0x3B] = US "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+[0x3C] = US "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x3D] = US "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x3E] = US "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
+[0x3F] = US "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
+[0x40] = US "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x41] = US "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x42] = US "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
+[0x43] = US "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
+[0x44] = US "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x45] = US "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x46] = US "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",
+[0x47] = US "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",
+[0x48] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
+[0x49] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
+[0x4A] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
+[0x4B] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
+[0x4C] = US "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x4D] = US "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x4E] = US "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x4F] = US "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x50] = US "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x51] = US "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x52] = US "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x53] = US "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x54] = US "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x55] = US "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x56] = US "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
+[0x57] = US "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
+[0x58] = US "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
+[0x59] = US "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
+[0x5A] = US "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",
+[0x5B] = US "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",
+[0x5C] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
+[0x5D] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
+[0x5E] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
+[0x5F] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
+[0x60] = US "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x61] = US "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x62] = US "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x63] = US "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x64] = US "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x65] = US "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x66] = US "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x67] = US "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x68] = US "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x69] = US "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x6A] = US "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6B] = US "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x6C] = US "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6D] = US "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x6E] = US "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6F] = US "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x70] = US "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x71] = US "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x72] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x73] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x74] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x75] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x76] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x77] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x78] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x79] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x7A] = US "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7B] = US "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x7C] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7D] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x7E] = US "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7F] = US "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x80] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+[0x81] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+[0x82] = US "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+[0x83] = US "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+[0x84] = US "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
+[0x85] = US "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",
+[0x86] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x87] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x88] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x89] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8A] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8B] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8C] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8D] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8E] = US "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8F] = US "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x90] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x91] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x92] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x93] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x94] = US "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x95] = US "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x96] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x97] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x98] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x99] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x9A] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x9B] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x9C] = US "TLS_RSA_WITH_AES_128_CCM",
+[0x9D] = US "TLS_RSA_WITH_AES_256_CCM",
+[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_CCM",
+[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_CCM",
+[0xA0] = US "TLS_RSA_WITH_AES_128_CCM_8",
+[0xA1] = US "TLS_RSA_WITH_AES_256_CCM_8",
+[0xA2] = US "TLS_DHE_RSA_WITH_AES_128_CCM_8",
+[0xA3] = US "TLS_DHE_RSA_WITH_AES_256_CCM_8",
+[0xA4] = US "TLS_PSK_WITH_AES_128_CCM",
+[0xA5] = US "TLS_PSK_WITH_AES_256_CCM",
+[0xA6] = US "TLS_DHE_PSK_WITH_AES_128_CCM",
+[0xA7] = US "TLS_DHE_PSK_WITH_AES_256_CCM",
+[0xA8] = US "TLS_PSK_WITH_AES_128_CCM_8",
+[0xA9] = US "TLS_PSK_WITH_AES_256_CCM_8",
+[0xAA] = US "TLS_PSK_DHE_WITH_AES_128_CCM_8",
+[0xAB] = US "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+[0xAC] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+[0xAD] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
+[0xAE] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
+[0xAF] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
+[0xB0] = US "TLS_ECCPWD_WITH_AES_128_GCM_SHA256",
+[0xB1] = US "TLS_ECCPWD_WITH_AES_256_GCM_SHA384",
+[0xB2] = US "TLS_ECCPWD_WITH_AES_128_CCM_SHA256",
+[0xB3] = US "TLS_ECCPWD_WITH_AES_256_CCM_SHA384",
+[0xB4] = US "TLS_SHA256_SHA256",
+[0xB5] = US "TLS_SHA384_SHA384",
+};
+static const uschar * ctb_cc[] = {
+[0xA8] = US "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xA9] = US "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xAA] = US "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xAB] = US "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAC] = US "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAD] = US "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAE] = US "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
+};
+static const uschar * ctb_d0[] = {
+[0x01] = US "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
+[0x02] = US "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
+[0x03] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
+
+[0x05] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
+};
+
+static const uschar *
+cipher_stdname_tb(uschar idx, const uschar ** tb, int lim)
+{
+return idx >= lim ? NULL : tb[idx];
+}
+
+static const uschar *
+cipher_stdname(uschar id0, uschar id1)
+{
+switch (id0)
+  {
+  case 0x00:    return cipher_stdname_tb(id1, ctb_00, nelem(ctb_00));
+  case 0x13:    return cipher_stdname_tb(id1, ctb_13, nelem(ctb_00));
+  case 0xc0:    return cipher_stdname_tb(id1, ctb_c0, nelem(ctb_c0));
+  case 0xcc:    return cipher_stdname_tb(id1, ctb_cc, nelem(ctb_cc));
+  case 0xd0:    return cipher_stdname_tb(id1, ctb_d0, nelem(ctb_d0));
+  default:    return NULL;
+  }
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of tls-cipher-stdname.c */
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c6a695c..d9efe8c 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -96,6 +96,9 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # include <gnutls/dane.h>
 #endif


+#include "tls-cipher-stdname.c"
+
+
/* GnuTLS 2 vs 3

 GnuTLS 3 only:
@@ -1451,6 +1454,25 @@ return OK;
 *            Extract peer information            *
 *************************************************/


+static const uschar *
+cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
+  gnutls_mac_algorithm_t mac)
+{
+uschar cs_id[2];
+gnutls_kx_algorithm_t kx_i;
+gnutls_cipher_algorithm_t cipher_i;
+gnutls_mac_algorithm_t mac_i;
+
+for (size_t i = 0;
+     gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
+     i++)
+  if (kx_i == kx && cipher_i == cipher && mac_i == mac)
+    return cipher_stdname(cs_id[0], cs_id[1]);
+return NULL;
+}
+
+
+
 /* Called from both server and client code.
 Only this is allowed to set state->peerdn and state->have_set_peerdn
 and we use that to detect double-calls.
@@ -1479,7 +1501,6 @@ Returns:          OK/DEFER/FAIL
 static int
 peer_status(exim_gnutls_state_st *state, uschar ** errstr)
 {
-uschar cipherbuf[256];
 const gnutls_datum_t *cert_list;
 int old_pool, rc;
 unsigned int cert_list_size = 0;
@@ -1504,28 +1525,29 @@ protocol = gnutls_protocol_get_version(state->session);
 mac = gnutls_mac_get(state->session);
 kx = gnutls_kx_get(state->session);


-string_format(cipherbuf, sizeof(cipherbuf),
-    "%s:%s:%d",
-    gnutls_protocol_get_name(protocol),
-    gnutls_cipher_suite_get_name(kx, cipher, mac),
-    (int) gnutls_cipher_get_key_size(cipher) * 8);
-
-/* I don't see a way that spaces could occur, in the current GnuTLS
-code base, but it was a concern in the old code and perhaps older GnuTLS
-releases did return "TLS 1.0"; play it safe, just in case. */
-for (uschar * p = cipherbuf; *p != '\0'; ++p)
-  if (isspace(*p))
-    *p = '-';
 old_pool = store_pool;
-store_pool = POOL_PERM;
-state->ciphersuite = string_copy(cipherbuf);
+  {
+  store_pool = POOL_PERM;
+  state->ciphersuite = string_sprintf("%s:%s:%d",
+      gnutls_protocol_get_name(protocol),
+      gnutls_cipher_suite_get_name(kx, cipher, mac),
+      (int) gnutls_cipher_get_key_size(cipher) * 8);
+
+  /* I don't see a way that spaces could occur, in the current GnuTLS
+  code base, but it was a concern in the old code and perhaps older GnuTLS
+  releases did return "TLS 1.0"; play it safe, just in case. */
+
+  for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+  state->tlsp->cipher = state->ciphersuite;
+
+  state->tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
+  }
 store_pool = old_pool;
-state->tlsp->cipher = state->ciphersuite;


/* tls_peerdn */
cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);

-if (cert_list == NULL || cert_list_size == 0)
+if (!cert_list || cert_list_size == 0)
   {
   DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
       cert_list, cert_list_size);
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index aa24c33..ba9e7da 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -71,6 +71,7 @@ change this guard and punt the issue for a while longer. */
 #  define EXIM_HAVE_OPENSSL_DH_BITS
 #  define EXIM_HAVE_OPENSSL_TLS_METHOD
 #  define EXIM_HAVE_OPENSSL_KEYLOG
+#  define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
 # else
 #  define EXIM_NEED_OPENSSL_INIT
 # endif
@@ -96,6 +97,7 @@ change this guard and punt the issue for a while longer. */
 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
 #  define OPENSSL_HAVE_KEYLOG_CB
 #  define OPENSSL_HAVE_NUM_TICKETS
+#  define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
 # endif
 #endif


@@ -108,6 +110,13 @@ change this guard and punt the issue for a while longer. */
# include <openssl/x509v3.h>
#endif

+#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+#  define SSL_CIPHER_get_id(c) (c->id)
+# endif
+# include "tls-cipher-stdname.c"
+#endif
+
 /*************************************************
 *        OpenSSL option parse                    *
 *************************************************/
@@ -1911,28 +1920,46 @@ return OK;


 /*
 Argument:   pointer to an SSL structure for the connection
-            buffer to use for answer
-            size of buffer
         pointer to number of bits for cipher
-Returns:    nothing
+Returns:    pointer to allocated string in perm-pool
 */


-static void
-construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
+static uschar *
+construct_cipher_name(SSL * ssl, int * bits)
{
+int pool = store_pool;
/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */

const uschar * ver = CUS SSL_get_version(ssl);
const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
+uschar * s;

SSL_CIPHER_get_bits(c, bits);

-string_format(cipherbuf, bsize, "%s:%s:%u", ver,
- SSL_CIPHER_get_name(c), *bits);
+store_pool = POOL_PERM;
+s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
+store_pool = pool;
+DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
+return s;
+}
+

-DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
+/* Get IETF-standard name for ciphersuite.
+Argument:   pointer to an SSL structure for the connection
+Returns:    pointer to string
+*/
+
+static const uschar *
+cipher_stdname_ssl(SSL * ssl)
+{
+#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
+#else
+ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
+return cipher_stdname(id >> 8, id & 0xff);
+#endif
 }



@@ -2179,7 +2206,6 @@ int rc;
uschar * expciphers;
tls_ext_ctx_cb * cbinfo;
static uschar peerdn[256];
-static uschar cipherbuf[256];

/* Check for previous activation */

@@ -2307,10 +2333,13 @@ and initialize things. */

peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));

+tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
+tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
+
 DEBUG(D_tls)
   {
   uschar buf[2048];
-  if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
+  if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
     debug_printf("Shared ciphers: %s\n", buf);


#ifdef EXIM_HAVE_OPENSSL_KEYLOG
@@ -2326,9 +2355,6 @@ DEBUG(D_tls)
#endif
}

-construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
-tls_in.cipher = cipherbuf;
-
/* Record the certificate we presented */
{
X509 * crt = SSL_get_certificate(server_ssl);
@@ -2491,7 +2517,6 @@ exim_openssl_client_tls_ctx * exim_client_ctx;
static uschar peerdn[256];
uschar * expciphers;
int rc;
-static uschar cipherbuf[256];

#ifndef DISABLE_OCSP
BOOL request_ocsp = FALSE;
@@ -2713,8 +2738,8 @@ DEBUG(D_tls)

peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));

-construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
-tlsp->cipher = cipherbuf;
+tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
+tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);

/* Record the certificate we presented */
{
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
index d5efeef..51f739b 100644
--- a/test/log/2102.openssl_1_1_1
+++ b/test/log/2102.openssl_1_1_1
@@ -13,10 +13,10 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer cert:
@@ -39,8 +39,8 @@
1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088
1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss
diff --git a/test/runtest b/test/runtest
index e941804..729f88a 100755
--- a/test/runtest
+++ b/test/runtest
@@ -544,6 +544,15 @@ RESET_AFTER_EXTRA_LINE_READ:
s/(could not connect to .*: Connection) reset by peer$/$1 refused/;

   # ======== TLS certificate algorithms ========
+  #
+  # In Received: headers, convert RFC 8314 style ciphersuite to
+  # the older (comment) style, keeping only the Auth element
+  # (discarding kex, cipher, mac).  For TLS 1.3 there is no kex
+  # element (and no _WITH); insert a spurious "RSA".
+
+  s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-\1-AES256-SHAnnn:xxx)/;
+  s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
+
   # Test machines might have various different TLS library versions supporting
   # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
   # treat the standard algorithms the same.
@@ -1630,7 +1639,9 @@ $munges =
               s! DN="[^,"]*\K,!/!;
              ',
       'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
-      'mail'      => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/',
+      'mail'      => 's/^\s+by .+ with .+ \K tls TLS_.+$/(TLS_proto_and_cipher)/;
+              s/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/;
+             ',
     },


     'debug_pid' =>
diff --git a/test/stderr/0402 b/test/stderr/0402
index 6c2e922..9f7ad28 100644
--- a/test/stderr/0402
+++ b/test/stderr/0402
@@ -41,7 +41,8 @@ Data file written for message 10HmaX-0005vi-00
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -49,7 +50,8 @@ Data file written for message 10HmaX-0005vi-00
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -59,19 +61,22 @@ Data file written for message 10HmaX-0005vi-00

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -82,7 +87,8 @@ Data file written for message 10HmaX-0005vi-00
   ├──condition: def:sender_helo_name
   ├─────result: false
    ┌───scanning: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -96,12 +102,25 @@ Data file written for message 10HmaX-0005vi-00
   └─────result: from CALLER 
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local
+  ├──expanding: with $received_protocol 
+  └─────result: with local 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -122,7 +141,8 @@ Data file written for message 10HmaX-0005vi-00
   └───skipping: result is not used
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
diff --git a/test/stderr/0544 b/test/stderr/0544
index e45faa1..a8a961e 100644
--- a/test/stderr/0544
+++ b/test/stderr/0544
@@ -6,7 +6,8 @@ admin user
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -14,7 +15,8 @@ admin user
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -24,19 +26,22 @@ admin user

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -47,7 +52,8 @@ admin user
   ├──condition: def:sender_helo_name
   ├─────result: false
    ┌───scanning: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -61,12 +67,25 @@ admin user
   └─────result: from CALLER 
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local
+  ├──expanding: with $received_protocol 
+  └─────result: with local 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -87,7 +106,8 @@ admin user
   └───skipping: result is not used
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
diff --git a/test/stderr/5410 b/test/stderr/5410
index e4ef02c..8e6e7bb 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -136,7 +136,8 @@ end of inline ACL: ACCEPT
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -144,7 +145,8 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -154,19 +156,22 @@ end of inline ACL: ACCEPT

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -177,7 +182,8 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ┌considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -191,12 +197,25 @@ end of inline ACL: ACCEPT

    
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local-esmtp
+  ├──expanding: with $received_protocol 
+  └─────result: with local-esmtp 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -216,7 +235,8 @@ end of inline ACL: ACCEPT
       for userx@???
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -352,7 +372,8 @@ end of inline ACL: ACCEPT
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -360,7 +381,8 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -370,19 +392,22 @@ end of inline ACL: ACCEPT

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -393,7 +418,8 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ┌considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -407,12 +433,25 @@ end of inline ACL: ACCEPT

    
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding: with $received_protocol 
+  └─────result: with local-esmtp 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local-esmtp
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -432,7 +471,8 @@ end of inline ACL: ACCEPT
       for usery@???
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -568,7 +608,8 @@ end of inline ACL: ACCEPT
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -576,7 +617,8 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -586,19 +628,22 @@ end of inline ACL: ACCEPT

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -609,7 +654,8 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ┌considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -623,12 +669,25 @@ end of inline ACL: ACCEPT

    
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding: with $received_protocol 
+  └─────result: with local-esmtp 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local-esmtp
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -648,7 +707,8 @@ end of inline ACL: ACCEPT
       for usery@???
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
diff --git a/test/stderr/5420 b/test/stderr/5420
index 2596332..5bc80bb 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -137,7 +137,8 @@ end of inline ACL: ACCEPT
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -145,7 +146,8 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -155,19 +157,22 @@ end of inline ACL: ACCEPT

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -178,7 +183,8 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ┌considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -192,12 +198,25 @@ end of inline ACL: ACCEPT

    
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local-esmtp
+  ├──expanding: with $received_protocol 
+  └─────result: with local-esmtp 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -217,7 +236,8 @@ end of inline ACL: ACCEPT
       for userx@???
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -353,7 +373,8 @@ end of inline ACL: ACCEPT
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -361,7 +382,8 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -371,19 +393,22 @@ end of inline ACL: ACCEPT

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -394,7 +419,8 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ┌considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -408,12 +434,25 @@ end of inline ACL: ACCEPT

    
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding: with $received_protocol 
+  └─────result: with local-esmtp 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local-esmtp
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -433,7 +472,8 @@ end of inline ACL: ACCEPT
       for usery@???
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -569,7 +609,8 @@ end of inline ACL: ACCEPT
  └─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
@@ -577,7 +618,8 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ┌───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
@@ -587,19 +629,22 @@ end of inline ACL: ACCEPT

    
   └───skipping: result is not used
   ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──condition: def:sender_ident
   ├─────result: true
    ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
    ╎    for $received_for}}
@@ -610,7 +655,8 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ┌considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
@@ -624,12 +670,25 @@ end of inline ACL: ACCEPT

    
  ├──condition: def:received_protocol
  ├─────result: true
-  ┌considering: with $received_protocol}} (Exim $version_number)
+  ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding: with $received_protocol 
+  └─────result: with local-esmtp 
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+  ┌───scanning:  tls $tls_in_cipher_std
+      }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
-  ├──expanding: with $received_protocol
-  └─────result: with local-esmtp
+  ├──expanding:  tls $tls_in_cipher_std
+      
+  ├─────result:  tls 
+      
+  └───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ┌considering: (envelope-from <$sender_address>)
@@ -649,7 +708,8 @@ end of inline ACL: ACCEPT
       for usery@???
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
      for $received_for}}
diff --git a/test/stdout/2114.openssl_1_1_1 b/test/stdout/2114.openssl_1_1_1
index 744d0e2..ee0af95 100644
--- a/test/stdout/2114.openssl_1_1_1
+++ b/test/stdout/2114.openssl_1_1_1
@@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
 Succeeded in starting TLS

>>> noop

????554 Security failure
@@ -55,7 +55,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> helo rhu.barb

??? 250
@@ -93,7 +93,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>

??? 250
@@ -128,7 +128,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>

??? 250
@@ -163,7 +163,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop

????554 Security failure
@@ -196,7 +196,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>

??? 250
@@ -231,7 +231,7 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop

????554 Security failure
@@ -264,7 +264,7 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>

??? 250
@@ -299,7 +299,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>

??? 250
diff --git a/test/stdout/2124.openssl_1_1_1 b/test/stdout/2124.openssl_1_1_1
index e7777a1..d40f58a 100644
--- a/test/stdout/2124.openssl_1_1_1
+++ b/test/stdout/2124.openssl_1_1_1
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop

????554 Security failure
diff --git a/test/stdout/2132.openssl_1_1_1 b/test/stdout/2132.openssl_1_1_1
index 179a9ef..a3a8ec5 100644
--- a/test/stdout/2132.openssl_1_1_1
+++ b/test/stdout/2132.openssl_1_1_1
@@ -19,7 +19,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<CALLER@???>

??? 250
@@ -59,7 +59,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<"name with spaces"@???>

??? 250
@@ -99,7 +99,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop

????554
@@ -132,7 +132,7 @@ Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.e
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<CALLER@???>

??? 250