[exim-cvs] TLS: restore TLS protocol version to default Rece…

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] TLS: restore TLS protocol version to default Received: header
Gitweb: https://git.exim.org/exim.git/commitdiff/da40b1ec6b91ccd3faa4def9e5cff05ec51ca573
Commit:     da40b1ec6b91ccd3faa4def9e5cff05ec51ca573
Parent:     84b1b2779773e86c221ac0641b9d7c107c5594a5
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Nov 18 11:03:15 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Nov 18 11:04:19 2019 +0000


    TLS: restore TLS protocol version to default Received: header


    Broken-by: f1be21cf0b
---
 doc/doc-docbook/spec.xfpt   | 14 ++++++++
 doc/doc-txt/NewStuff        |  2 ++
 src/src/deliver.c           |  8 +++--
 src/src/expand.c            |  2 ++
 src/src/globals.c           |  1 +
 src/src/globals.h           |  1 +
 src/src/smtp_in.c           |  2 +-
 src/src/spool_in.c          | 19 +++++------
 src/src/spool_out.c         |  1 +
 src/src/structs.h           |  1 +
 src/src/tls-gnu.c           | 11 ++++++-
 src/src/tls-openssl.c       | 28 ++++++++++++----
 src/src/transports/smtp.c   |  3 ++
 test/confs/2002             |  3 ++
 test/confs/2102             |  3 ++
 test/confs/5710             |  2 ++
 test/confs/5720             |  2 ++
 test/log/2002               |  3 ++
 test/log/2102               |  3 ++
 test/log/2102.openssl_1_1_1 |  3 ++
 test/log/5710               |  8 +++++
 test/log/5720               |  8 +++++
 test/log/5821               |  4 +--
 test/mail/3700.smtps        |  2 +-
 test/mail/3700.x            |  2 +-
 test/runtest                | 23 ++++++++-----
 test/stderr/0402            | 26 ++++++++++-----
 test/stderr/0544            | 26 ++++++++++-----
 test/stderr/5410            | 78 +++++++++++++++++++++++++++++++--------------
 test/stderr/5420            | 78 +++++++++++++++++++++++++++++++--------------
 30 files changed, 272 insertions(+), 95 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ceb377b..24ed4fb 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13522,6 +13522,19 @@ the transport.
.vindex &$tls_out_tlsa_usage$&
Bitfield of TLSA record types found. See section &<<SECDANE>>&.

+.new
+.vitem &$tls_in_ver$&
+.vindex "&$tls_in_ver$&"
+When a message is received from a remote host over an encrypted SMTP connection
+this variable is set to the protocol version, eg &'TLS1.2'&.
+
+.vitem &$tls_out_ver$&
+.vindex "&$tls_out_ver$&"
+When a message is being delivered to a remote host over an encrypted SMTP connection
+this variable is set to the protocol version.
+.wen
+
+
 .vitem &$tod_bsdinbox$&
 .vindex "&$tod_bsdinbox$&"
 The time of day and the date, in the format required for BSD-style mailbox
@@ -16756,6 +16769,7 @@ received_header_text = Received: \
         ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
   by $primary_hostname \
   ${if def:received_protocol {with $received_protocol }}\
+  ${if def:tls_ver           { ($tls_ver)}}\
   ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\
   (Exim $version_number)\n\t\
   ${if def:sender_address \
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 5d0c8bd..fc307a3 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -50,6 +50,8 @@ Version 4.93


16: Command-line option to move messages from one named queue to another.

+17. Variables $tls_in_ver, $tls_out_ver.
+

Version 4.92
--------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 34990b7..94bc9a8 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -1610,6 +1610,7 @@ if (result == OK)
tls_out.peercert = addr->peercert;
addr->peercert = NULL;

+  tls_out.ver = addr->tlsver;
   tls_out.cipher = addr->cipher;
   tls_out.peerdn = addr->peerdn;
   tls_out.ocsp = addr->ocsp;
@@ -1623,6 +1624,7 @@ if (result == OK)
 #ifndef DISABLE_TLS
   tls_free_cert(&tls_out.ourcert);
   tls_free_cert(&tls_out.peercert);
+  tls_out.ver = NULL;
   tls_out.cipher = NULL;
   tls_out.peerdn = NULL;
   tls_out.ocsp = OCSP_NOT_REQ;
@@ -3480,11 +3482,13 @@ while (!done)
       switch (*subid)
     {
     case '1':
-      addr->cipher = NULL;
-      addr->peerdn = NULL;
+      addr->tlsver = addr->cipher = addr->peerdn = NULL;


       if (*ptr)
+        {
         addr->cipher = string_copy(ptr);
+        addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr);
+        }
       while (*ptr++);
       if (*ptr)
         addr->peerdn = string_copy(ptr);
diff --git a/src/src/expand.c b/src/src/expand.c
index 9706f2a..21686e9 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -760,6 +760,7 @@ static var_entry var_table[] = {
 #ifndef DISABLE_TLS
   { "tls_in_sni",          vtype_stringptr,   &tls_in.sni },
 #endif
+  { "tls_in_ver",          vtype_stringptr,   &tls_in.ver },
   { "tls_out_bits",        vtype_int,         &tls_out.bits },
   { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
   { "tls_out_cipher",      vtype_stringptr,   &tls_out.cipher },
@@ -780,6 +781,7 @@ static var_entry var_table[] = {
 #ifdef SUPPORT_DANE
   { "tls_out_tlsa_usage",  vtype_int,         &tls_out.tlsa_usage },
 #endif
+  { "tls_out_ver",         vtype_stringptr,   &tls_out.ver },


   { "tls_peerdn",          vtype_stringptr,   &tls_in.peerdn },    /* mind the alphabetical order! */
 #ifndef DISABLE_TLS
diff --git a/src/src/globals.c b/src/src/globals.c
index 07665bf..358c380 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1233,6 +1233,7 @@ uschar *received_header_text   = US
      "by $primary_hostname "
      "${if def:received_protocol {with $received_protocol }}"
 #ifndef DISABLE_TLS
+     "${if def:tls_in_ver        { ($tls_in_ver)}}"
      "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
 #endif
      "(Exim $version_number)\n\t"
diff --git a/src/src/globals.h b/src/src/globals.h
index 0466da5..ca342ac 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -89,6 +89,7 @@ typedef struct {
 #endif
   uschar *cipher;             /* Cipher used */
   const uschar *cipher_stdname; /* Cipher used, RFC version */
+  const uschar *ver;          /* TLS version */


   BOOL    on_connect;         /* For older MTAs that don't STARTTLS */
   uschar *on_connect_ports;   /* Ports always tls-on-connect */
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 6717986..18e04dc 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2466,7 +2466,7 @@ if (!host_checking && !f.sender_host_notsocket)
 authenticated_by = NULL;


 #ifndef DISABLE_TLS
-tls_in.cipher = tls_in.peerdn = NULL;
+tls_in.ver = tls_in.cipher = tls_in.peerdn = NULL;
 tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 7c60a12..8d5f5a7 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -278,7 +278,7 @@ tls_in.certificate_verified = FALSE;
 # ifdef SUPPORT_DANE
 tls_in.dane_verified = FALSE;
 # endif
-tls_in.cipher = NULL;
+tls_in.ver = tls_in.cipher = NULL;
 # ifndef COMPILE_UTILITY    /* tls support fns not built in */
 tls_free_cert(&tls_in.ourcert);
 tls_free_cert(&tls_in.peercert);
@@ -669,24 +669,25 @@ for (;;)
       if (Ustrncmp(q, "certificate_verified", 20) == 0)
     tls_in.certificate_verified = TRUE;
       else if (Ustrncmp(q, "cipher", 6) == 0)
-    tls_in.cipher = string_copy_taint(var + 11, tainted);
+    tls_in.cipher = string_copy_taint(q+7, tainted);
 # ifndef COMPILE_UTILITY    /* tls support fns not built in */
       else if (Ustrncmp(q, "ourcert", 7) == 0)
-    (void) tls_import_cert(var + 12, &tls_in.ourcert);
+    (void) tls_import_cert(q+8, &tls_in.ourcert);
       else if (Ustrncmp(q, "peercert", 8) == 0)
-    (void) tls_import_cert(var + 13, &tls_in.peercert);
+    (void) tls_import_cert(q+9, &tls_in.peercert);
 # endif
       else if (Ustrncmp(q, "peerdn", 6) == 0)
-    tls_in.peerdn = string_unprinting(string_copy_taint(var + 11, tainted));
+    tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted));
       else if (Ustrncmp(q, "sni", 3) == 0)
-    tls_in.sni = string_unprinting(string_copy_taint(var + 8, tainted));
+    tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
       else if (Ustrncmp(q, "ocsp", 4) == 0)
-    tls_in.ocsp = var[9] - '0';
+    tls_in.ocsp = q[5] - '0';
 # ifdef EXPERIMENTAL_TLS_RESUME
       else if (Ustrncmp(q, "resumption", 10) == 0)
-    tls_in.resumption = var[15] - 'A';
+    tls_in.resumption = q[11] - 'A';
 # endif
-
+      else if (Ustrncmp(q, "ver", 3) == 0)
+    tls_in.ver = string_copy_taint(q+4, tainted);
       }
     break;
 #endif
diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index 00361ab..892ea2f 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -263,6 +263,7 @@ if (tls_in.ocsp)     fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
 # ifdef EXPERIMENTAL_TLS_RESUME
 fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption);
 # endif
+if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver);
 #endif


 #ifdef SUPPORT_I18N
diff --git a/src/src/structs.h b/src/src/structs.h
index 338dccb..3b5818d 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -570,6 +570,7 @@ typedef struct address_item {
   uschar *shadow_message;         /* info about shadow transporting */


 #ifndef DISABLE_TLS
+  const uschar *tlsver;           /* version used for transport */
   uschar *cipher;                 /* Cipher used for transport */
   void   *ourcert;                /* Certificate offered to peer, binary */
   void   *peercert;               /* Certificate from peer, binary */
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index f18c244..fc426a2 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -480,6 +480,7 @@ Sets:
   tls_bits                  strength indicator
   tls_certificate_verified  bool indicator
   tls_channelbinding_b64    for some SASL mechanisms
+  tls_ver                   a string
   tls_cipher                a string
   tls_peercert              pointer to library internal
   tls_peerdn                a string
@@ -1766,11 +1767,17 @@ old_pool = store_pool;
     /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */


     for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
+
+    tlsp->ver = string_copyn(g->s, g->ptr);
+    for (uschar * p = US tlsp->ver; *p; p++)
+      if (*p == '-') { *p = '\0'; break; }    /* TLS1.0-PKIX -> TLS1.0 */
+
     g = string_catn(g, US":", 1);
     if (*s) s++;        /* now on _ between groups */
     while ((c = *s))
       {
-      for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
+      for (*++s && ++s; (c = *s) && c != ')'; s++)
+    g = string_catn(g, c == '-' ? US"_" : s, 1);
       /* now on ) closing group */
       if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
       /* now on _ between groups */
@@ -1790,6 +1797,8 @@ old_pool = store_pool;
   releases did return "TLS 1.0"; play it safe, just in case. */


   for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+  tlsp->ver = string_copyn(state->ciphersuite,
+            Ustrchr(state->ciphersuite, ':') - state->ciphersuite);
 #endif


 /* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bef3fb4..063c23d 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2281,14 +2281,13 @@ Returns:    pointer to allocated string in perm-pool
 */


static uschar *
-construct_cipher_name(SSL * ssl, int * bits)
+construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
{
int pool = store_pool;
/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */

-const uschar * ver = CUS SSL_get_version(ssl);
const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
uschar * s;

@@ -2319,6 +2318,21 @@ return cipher_stdname(id >> 8, id & 0xff);
}


+static const uschar *
+tlsver_name(SSL * ssl)
+{
+uschar * s, * p;
+int pool = store_pool;
+
+store_pool = POOL_PERM;
+s = string_copy(US SSL_get_version(ssl));
+store_pool = pool;
+if ((p = Ustrchr(s, 'v')))    /* TLSv1.2 -> TLS1.2 */
+  for (;; p++) if (!(*p = p[1])) break;
+return CUS s;
+}
+
+
 static void
 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
 {
@@ -2767,12 +2781,13 @@ if (SSL_session_reused(server_ssl))
   }
 #endif


-/* TLS has been set up. Adjust the input functions to read via TLS,
-and initialize things. */
+/* TLS has been set up. Record data for the connection,
+adjust the input functions to read via TLS, and initialize things. */

peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));

-tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
+tls_in.ver = tlsver_name(server_ssl);
+tls_in.cipher = construct_cipher_name(server_ssl, tls_in.ver, &tls_in.bits);
tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);

DEBUG(D_tls)
@@ -3357,7 +3372,8 @@ tls_client_resume_posthandshake(exim_client_ctx, tlsp);

peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));

-tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
+tlsp->ver = tlsver_name(exim_client_ctx->ssl);
+tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);

/* Record the certificate we presented */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 9f86033..3fd94a1 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1968,6 +1968,7 @@ tls_out.ocsp = OCSP_NOT_REQ;
#ifdef EXPERIMENTAL_TLS_RESUME
tls_out.resumption = 0;
#endif
+tls_out.ver = NULL;

 /* Flip the legacy TLS-related variables over to the outbound set in case
 they're used in the context of the transport.  Don't bother resetting
@@ -2488,6 +2489,7 @@ if (  smtp_peer_options & OPTION_TLS
         addr->peercert = tls_out.peercert;
         addr->peerdn = tls_out.peerdn;
     addr->ocsp = tls_out.ocsp;
+        addr->tlsver = tls_out.ver;
         }
     }
   }
@@ -4440,6 +4442,7 @@ for (address_item * addr = addrlist; addr; addr = addr->next)
     addr->peercert = NULL;
     addr->peerdn = NULL;
     addr->ocsp = OCSP_NOT_REQ;
+    addr->tlsver = NULL;
 #endif
 #ifdef EXPERIMENTAL_DSN_INFO
     addr->smtp_greeting = NULL;
diff --git a/test/confs/2002 b/test/confs/2002
index dfeb172..6475fb7 100644
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -62,6 +62,9 @@ check_recipient:
       logwrite =  sha1   fingerprint ${sha1:$tls_in_peercert}
       logwrite =  sha256 fingerprint ${sha256:$tls_in_peercert}
       logwrite =  der_b64 ${base64:$tls_in_peercert}
+      logwrite = cipher: $tls_in_cipher
+      logwrite = cipher_ $tls_in_cipher_std
+      logwrite = ver:    $tls_in_ver



 # ----- Routers -----
diff --git a/test/confs/2102 b/test/confs/2102
index 99f659f..5e156d4 100644
--- a/test/confs/2102
+++ b/test/confs/2102
@@ -72,6 +72,9 @@ check_recipient:
       logwrite =  sha1   fingerprint ${sha1:$tls_in_peercert}
       logwrite =  sha256 fingerprint ${sha256:$tls_in_peercert}
       logwrite =  der_b64 ${base64:$tls_in_peercert}
+      logwrite = cipher: $tls_in_cipher
+      logwrite = cipher_ $tls_in_cipher_std
+      logwrite = ver:    $tls_in_ver



 # ----- Routers -----
diff --git a/test/confs/5710 b/test/confs/5710
index 6ab64f4..85293a5 100644
--- a/test/confs/5710
+++ b/test/confs/5710
@@ -71,6 +71,8 @@ logger:
      message =   ${acl {ev_tls}}
   accept condition = ${if eq {smtp:ehlo}{$event_name}}
      logwrite =  $tls_out_cipher smtp:ehlo $event_data
+     logwrite =  cipher_ $tls_out_cipher_std
+     logwrite =  ver:    $tls_out_ver
   accept


 # ----- Routers -----
diff --git a/test/confs/5720 b/test/confs/5720
index 0304349..9062662 100644
--- a/test/confs/5720
+++ b/test/confs/5720
@@ -71,6 +71,8 @@ logger:
      message =   ${acl {ev_tls}}
   accept condition = ${if eq {smtp:ehlo}{$event_name}}
      logwrite =  $tls_out_cipher smtp:ehlo $event_data
+     logwrite =  cipher_ $tls_out_cipher_std
+     logwrite =  ver:    $tls_out_ver
   accept


 # ----- Routers -----
diff --git a/test/log/2002 b/test/log/2002
index 825c0df..36ea6c1 100644
--- a/test/log/2002
+++ b/test/log/2002
@@ -41,6 +41,9 @@
 1999-03-02 09:44:33 sha1   fingerprint E75D537E478758010505D4F339B00DFD73728088
 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
+1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 ver:    TLS1.x
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server2.example.com" S=sss
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
 1999-03-02 09:44:33 Peer did not present a cert
diff --git a/test/log/2102 b/test/log/2102
index 215bbe2..bddb8e9 100644
--- a/test/log/2102
+++ b/test/log/2102
@@ -39,6 +39,9 @@
 1999-03-02 09:44:33 sha1   fingerprint E75D537E478758010505D4F339B00DFD73728088
 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
+1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 ver:    TLSv1.x
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
index 3e2e65f..951caaf 100644
--- a/test/log/2102.openssl_1_1_1
+++ b/test/log/2102.openssl_1_1_1
@@ -39,6 +39,9 @@
 1999-03-02 09:44:33 sha1   fingerprint E75D537E478758010505D4F339B00DFD73728088
 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY=
+1999-03-02 09:44:33 cipher: TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 ver:    TLS1.x
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
diff --git a/test/log/5710 b/test/log/5710
index 72bba14..4a3a180 100644
--- a/test/log/5710
+++ b/test/log/5710
@@ -2,6 +2,8 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ 
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:    
 1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
@@ -19,14 +21,20 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>
 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:    
 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ 
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver:    
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS1.x:ke-RSA-AES256-SHAnnn:xxx smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver:    TLS1.x
 1999-03-02 09:44:33 10HmaY-0005vi-00 => good@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good
 1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
diff --git a/test/log/5720 b/test/log/5720
index 066f7fb..4f6254f 100644
--- a/test/log/5720
+++ b/test/log/5720
@@ -2,6 +2,8 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ 
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:    
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA rsa
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
@@ -20,16 +22,22 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)
 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ 
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver:    
 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ 
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver:    
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=2 <CN=clica CA rsa,O=example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=1 <CN=clica Signing Cert rsa,O=example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS1.x:ke-RSA-AES256-SHAnnn:xxx smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP
+1999-03-02 09:44:33 10HmaY-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver:    TLS1.x
 1999-03-02 09:44:33 10HmaY-0005vi-00 => good@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery good
 1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
diff --git a/test/log/5821 b/test/log/5821
index 98282ec..c1da057 100644
--- a/test/log/5821
+++ b/test/log/5821
@@ -8,7 +8,7 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@??? R=client T=send_to_server H=localhost.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_CAMELLIA_256_GCM-SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:RSA__CAMELLIA_256_GCM:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed


 ******** SERVER ********
@@ -26,6 +26,6 @@
 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_CAMELLIA_256_GCM-SHAnnn:256 CV=no S=sss id=E10HmbD-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:RSA__CAMELLIA_256_GCM:256 CV=no S=sss id=E10HmbD-0005vi-00@??? for CALLER@???
 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@???> R=server
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
diff --git a/test/mail/3700.smtps b/test/mail/3700.smtps
index 700d681..66d2afe 100644
--- a/test/mail/3700.smtps
+++ b/test/mail/3700.smtps
@@ -3,7 +3,7 @@ Authentication-Results: myhost.test.ex;
     iprev=pass (localhost) smtp.remote-ip=127.0.0.1;
     auth=pass (tls) x509.auth="Phil Pennock"
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-    by myhost.test.ex with esmtpsa (TLS_proto_and_cipher)
+    by myhost.test.ex with esmtpsa (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
     (Exim x.yz)
     (envelope-from <ok@???>)
     id 10HmbA-0005vi-00
diff --git a/test/mail/3700.x b/test/mail/3700.x
index 8b589be..d520cfe 100644
--- a/test/mail/3700.x
+++ b/test/mail/3700.x
@@ -3,7 +3,7 @@ Authentication-Results: myhost.test.ex;
     iprev=pass (localhost) smtp.remote-ip=127.0.0.1;
     auth=pass (tls) x509.auth="Phil Pennock"
 Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-    by myhost.test.ex with esmtpsa (TLS_proto_and_cipher)
+    by myhost.test.ex with esmtpsa (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
     (Exim x.yz)
     (envelope-from <ok@???>)
     id 10HmaZ-0005vi-00
diff --git a/test/runtest b/test/runtest
index 8ef5d64..1ec546e 100755
--- a/test/runtest
+++ b/test/runtest
@@ -552,15 +552,19 @@ RESET_AFTER_EXTRA_LINE_READ:
   # the older (comment) style, keeping only the Auth element
   # (discarding kex, cipher, mac).  For TLS 1.3 there is no kex
   # element (and no _WITH); insert a spurious "RSA".
+  # Also in $tls_X_cipher_std reporting.


- s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-$1-AES256-SHAnnn:xxx)/;
- s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
+ s/^\s+by \S+ with .+ \K \(TLS1(?:\.[0-3])?\) tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-$1-AES256-SHAnnn:xxx)/;
+ s/^\s+by \S+ with .+ \K \(TLS1(?:\.[0-3])?\) tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
+
+ s/ cipher_ TLS_.*?([^_]+)_WITH.+$/ cipher_ TLS1.x:ke_$1_WITH_ci_mac/;
+ s/ cipher_ TLS_.*$/ cipher_ TLS1.x:ke_RSA_WITH_ci_mac/;

# Test machines might have various different TLS library versions supporting
# different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
# treat the standard algorithms the same.
#
- # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ???
+ # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : bits
#
# So far, have seen:
# TLSv1:AES128-GCM-SHA256:128
@@ -578,7 +582,7 @@ RESET_AFTER_EXTRA_LINE_READ:
#
# Retain the authentication algorith field as we want to test that.

- s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1(\.[123])?:/$1TLS1.x:/xg;
+ s/( (?: (?:\b|\s) [\(=] ) | \s )TLS1(\.[123])?:/$1TLS1.x:/xg;
s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA)(?!:)/ke-$3-AES256-SHAnnn/g;
s/(?<!ke-)((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHAnnn:xxx/g;

@@ -633,10 +637,11 @@ RESET_AFTER_EXTRA_LINE_READ:
   #   DHE-RSA-AES256-SHA
   # picking latter as canonical simply because regex easier that way.
   s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA-AES256-SHA1:256/g;
-  s/TLS1.[0123](-PKIX)?:                        # TLS version
+  s/TLS1.[x0123](-PKIX)?:                        # TLS version
     ((EC)?DHE(_((?<psk>PSK)_)?((?<auth>RSA|ECDSA)_)?
                 (SECP(256|521)R1|X25519))?__?)?        # key-exchange
     ((?<auth>RSA|ECDSA)((_PSS_RSAE)?_SHA(512|256))?__?)?        # authentication
+    (?<with>WITH_)?                            # stdname-with
     AES_(256|128)_(CBC|GCM)                        # cipher
     (__?AEAD)?                                # pseudo-MAC
     (__?SHA(1|256|384))?                        # PRF
@@ -644,10 +649,15 @@ RESET_AFTER_EXTRA_LINE_READ:
     /"TLS1.x:ke-"
     . (defined($+{psk}) ? $+{psk} : "")
     . (defined($+{auth}) ? $+{auth} : "")
+    . (defined($+{with}) ? $+{with} : "")
     . "-AES256-SHAnnn:xxx"/gex;
   s/TLS1.2:RSA__CAMELLIA_256_GCM(_SHA384)?:256/TLS1.2:RSA_CAMELLIA_256_GCM-SHAnnn:256/g;
   s/\b(ECDHE-(RSA|ECDSA)-AES256-SHA|DHE-RSA-AES256-SHA256)\b/ke-$2-AES256-SHAnnn/g;


+  # Separate reporting of TLS version
+  s/ver:    TLS1(\.[0-3])?$/ver:    TLS1.x/;
+  s/ \(TLS1(\.[0-3])?\) / (TLS1.x) /;
+
   # GnuTLS library error message changes
   s/(No certificate was found|Certificate is required)/The peer did not send any certificate/g;
 #(dodgy test?)  s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
@@ -1758,9 +1768,6 @@ $munges =
               s! DN="[^,"]*\K,!/!;
              ',
       'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
-      'mail'      => 's/^\s+by .+ with .+ \K tls TLS_.+$/(TLS_proto_and_cipher)/;
-              s/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/;
-             ',
     },


     'debug_pid' =>
diff --git a/test/stderr/0402 b/test/stderr/0402
index 5826221..a469f8a 100644
--- a/test/stderr/0402
+++ b/test/stderr/0402
@@ -42,7 +42,7 @@ Data file written for message 10HmaX-0005vi-00
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -51,7 +51,7 @@ Data file written for message 10HmaX-0005vi-00
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -62,7 +62,7 @@ Data file written for message 10HmaX-0005vi-00

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -70,13 +70,13 @@ Data file written for message 10HmaX-0005vi-00
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -88,7 +88,7 @@ Data file written for message 10HmaX-0005vi-00
   ├──condition: def:sender_helo_name
   ├─────result: false
    ╭───scanning: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -103,13 +103,23 @@ Data file written for message 10HmaX-0005vi-00
   ╰─────result: from CALLER 
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -130,7 +140,7 @@ Data file written for message 10HmaX-0005vi-00
   ╰───skipping: result is not used
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
diff --git a/test/stderr/0544 b/test/stderr/0544
index 94d65fc..4f4e07b 100644
--- a/test/stderr/0544
+++ b/test/stderr/0544
@@ -7,7 +7,7 @@ admin user
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -16,7 +16,7 @@ admin user
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -27,7 +27,7 @@ admin user

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -35,13 +35,13 @@ admin user
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -53,7 +53,7 @@ admin user
   ├──condition: def:sender_helo_name
   ├─────result: false
    ╭───scanning: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -68,13 +68,23 @@ admin user
   ╰─────result: from CALLER 
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -95,7 +105,7 @@ admin user
   ╰───skipping: result is not used
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
diff --git a/test/stderr/5410 b/test/stderr/5410
index e808be9..0461d84 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -141,7 +141,7 @@ end of inline ACL: ACCEPT
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -150,7 +150,7 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -161,7 +161,7 @@ end of inline ACL: ACCEPT

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -169,13 +169,13 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -187,7 +187,7 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ╭considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -204,13 +204,23 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local-esmtp 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -231,7 +241,7 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -373,7 +383,7 @@ end of inline ACL: ACCEPT
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -382,7 +392,7 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -393,7 +403,7 @@ end of inline ACL: ACCEPT

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -401,13 +411,13 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -419,7 +429,7 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ╭considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -436,13 +446,23 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local-esmtp 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -463,7 +483,7 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -605,7 +625,7 @@ end of inline ACL: ACCEPT
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -614,7 +634,7 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -625,7 +645,7 @@ end of inline ACL: ACCEPT

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -633,13 +653,13 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -651,7 +671,7 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ╭considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -668,13 +688,23 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local-esmtp 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -695,7 +725,7 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
diff --git a/test/stderr/5420 b/test/stderr/5420
index c335c9e..b0f1f0a 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -142,7 +142,7 @@ end of inline ACL: ACCEPT
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -151,7 +151,7 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -162,7 +162,7 @@ end of inline ACL: ACCEPT

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -170,13 +170,13 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -188,7 +188,7 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ╭considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -205,13 +205,23 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local-esmtp 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -232,7 +242,7 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -374,7 +384,7 @@ end of inline ACL: ACCEPT
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -383,7 +393,7 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -394,7 +404,7 @@ end of inline ACL: ACCEPT

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -402,13 +412,13 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -420,7 +430,7 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ╭considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -437,13 +447,23 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local-esmtp 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -464,7 +484,7 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -606,7 +626,7 @@ end of inline ACL: ACCEPT
  ╰─────result: Tue, 2 Mar 1999 09:44:33 +0000
  ╭considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {
@@ -615,7 +635,7 @@ end of inline ACL: ACCEPT
  ├─────result: false
   ╭───scanning: from $sender_rcvhost
       }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -626,7 +646,7 @@ end of inline ACL: ACCEPT

    
   ╰───skipping: result is not used
   ╭considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
@@ -634,13 +654,13 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_ident
   ├─────result: true
    ╭considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
        for $received_for}}
    ╎╭considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+   ╎    }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
    ╎    }}(Exim $version_number)
    ╎    ${if def:sender_address {(envelope-from <$sender_address>)
    ╎    }}id $message_exim_id${if def:received_for {
@@ -652,7 +672,7 @@ end of inline ACL: ACCEPT
   ├──condition: def:sender_helo_name
   ├─────result: true
    ╭considering: (helo=$sender_helo_name)
-       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+       }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
        }}(Exim $version_number)
        ${if def:sender_address {(envelope-from <$sender_address>)
        }}id $message_exim_id${if def:received_for {
@@ -669,13 +689,23 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──condition: def:received_protocol
  ├─────result: true
-  ╭considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+  ╭considering: with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
       }}(Exim $version_number)
       ${if def:sender_address {(envelope-from <$sender_address>)
       }}id $message_exim_id${if def:received_for {
       for $received_for}}
   ├──expanding: with $received_protocol 
   ╰─────result: with local-esmtp 
+ ├──condition: def:tls_in_ver
+ ├─────result: false
+  ╭───scanning:  ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+      }}(Exim $version_number)
+      ${if def:sender_address {(envelope-from <$sender_address>)
+      }}id $message_exim_id${if def:received_for {
+      for $received_for}}
+  ├──expanding:  ($tls_in_ver)
+  ├─────result:  ()
+  ╰───skipping: result is not used
  ├──condition: def:sender_address
  ├─────result: true
   ╭considering: (envelope-from <$sender_address>)
@@ -696,7 +726,7 @@ end of inline ACL: ACCEPT
              ╰──(tainted)
  ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
      }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
-     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+     }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_ver        { ($tls_in_ver)}}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
      }}(Exim $version_number)
      ${if def:sender_address {(envelope-from <$sender_address>)
      }}id $message_exim_id${if def:received_for {