[exim-cvs] TLS: fix resumption for TLS-on-connect

Góra strony
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Dla: exim-cvs
Temat: [exim-cvs] TLS: fix resumption for TLS-on-connect
Gitweb: https://git.exim.org/exim.git/commitdiff/5d5ad9fb16a2511ff2e0e7d4528d399f06f608da
Commit:     5d5ad9fb16a2511ff2e0e7d4528d399f06f608da
Parent:     4f780c09d2ab95bd9562ebe307a01043933adcd9
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Nov 13 18:12:31 2023 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Nov 13 18:12:31 2023 +0000


    TLS: fix resumption for TLS-on-connect
---
 doc/doc-docbook/spec.xfpt                    |  11 +-
 doc/doc-txt/ChangeLog                        |   7 +
 src/src/macros.h                             |  24 +-
 src/src/tls-gnu.c                            |  27 +-
 src/src/transports/smtp.c                    |  31 ++-
 src/src/transports/smtp.h                    |   1 +
 test/confs/5890                              |  54 ++--
 test/confs/5892                              |  52 ++--
 test/confs/5894                              |  54 ++--
 test/log/5890                                | 378 +++++++++++++++++++--------
 test/log/5892                                | 100 +++++--
 test/log/5894                                |  88 +++++--
 test/scripts/5890-Resume-GnuTLS/5890         |  20 +-
 test/scripts/5892-Resume-OpenSSL/5892        |   8 +-
 test/scripts/5894-Resume-OpenSSL-TLS1.3/5894 |  11 +-
 test/stdout/5892                             |   1 +
 16 files changed, 625 insertions(+), 242 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5a757c4ed..add3a532e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25549,15 +25549,24 @@ load-balancer, matching the session stored in the client's cache.

 Exim can pull out a server name, if there is one, from the response to the
 client's SMTP EHLO command.
-The default value of this option:
+For normal STARTTLS use, the default value of this option:
 .code
     ${if and { {match {$host} {.outlook.com\$}} \
                {match {$item} {\N^250-([\w.]+)\s\N}} \
          } {$1}}
 .endd
 suffices for one known case.
+
 During the expansion of this option the &$item$& variable will have the
 server's EHLO response.
+
+.new
+For TLS-on-connect connections we do not have an EHLO
+response to use. Because of this the default value of this option is
+set to a static string for those cases, meaning that resumption will
+always be attempted if permitted by the &%tls_resumption_hosts%& option.
+.wen
+
 The result of the option expansion is included in the key used to store and
 retrieve the TLS session, for session resumption.


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c74c0c0c6..9d23e8db2 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -24,6 +24,13 @@ JH/04 Bug 3039: Fix handling of of an empty log_reject_target, with
       a connection_reject log_selector, under tls_on_connect.  Previously
       with this combination, when the connect ACL rejected, a spurious
       paniclog entry was made.
+JH/04 Fix TLS resumption for TLS-on-connect.  This was broken by the advent
+      of loadbalancer-detection for resumption, in 4.96 - which tries to
+      use the EHLO response. SMTPS does not have one at the time it is starting
+      TLS.  Change the default for the smtp transport host_name_extract option
+      to be a static string, for TLS-on-connect cases; meaning that resumption
+      will always be attempted (unless deliberately overriden).
+



 Exim version 4.97
diff --git a/src/src/macros.h b/src/src/macros.h
index 969393561..e2c1d0f94 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -1103,14 +1103,22 @@ should not be one active. */
 #define RESUME_USED        BIT(4)


 #define RESUME_DECODE_STRING \
-      US"not requested or offered : 0x02 :client requested, no server ticket" \
-    ": 0x04 : 0x05 : 0x06 :client offered session, no server action" \
-    ": 0x08 :no client request: 0x0A :client requested new ticket, server provided" \
-    ": 0x0C :client offered session, not used: 0x0E :client offered session, server only provided new ticket" \
-    ": 0x10 :session resumed unasked: 0x12 :session resumed unasked" \
-    ": 0x14 : 0x15 : 0x16 :session resumed" \
-    ": 0x18 :session resumed unasked: 0x1A :session resumed unasked" \
-    ": 0x1C :session resumed: 0x1E :session resumed, also new ticket"
+  US"not requested or offered" \
+    ": 0x02 :client requested, no server ticket" \
+    ": 0x04 : 0x05 " \
+    ": 0x06 :client offered session, no server action" \
+    ": 0x08 :no client request" \
+    ": 0x0A :client requested new ticket, server provided" \
+    ": 0x0C :client offered session, not used" \
+    ": 0x0E :client offered session, server only provided new ticket" \
+    ": 0x10 :session resumed unasked" \
+    ": 0x12 :session resumed unasked" \
+    ": 0x14 : 0x15" \
+    ": 0x16 :session resumed" \
+    ": 0x18 :session resumed unasked" \
+    ": 0x1A :session resumed unasked" \
+    ": 0x1C :session resumed" \
+    ": 0x1E :session resumed, also new ticket"


 /* Flags for string_vformat */
 #define SVFMT_EXTEND        BIT(0)
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index a17597e8b..56ea93935 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2851,7 +2851,7 @@ static int
 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
   unsigned incoming, const gnutls_datum_t * msg)
 {
-DEBUG(D_tls) debug_printf("newticket cb\n");
+DEBUG(D_tls) debug_printf("newticket cb (on server)\n");
 tls_in.resumption |= RESUME_CLIENT_REQUESTED;
 return 0;
 }
@@ -2888,9 +2888,12 @@ tls_server_resume_posthandshake(exim_gnutls_state_st * state)
 {
 if (gnutls_session_resumption_requested(state->session))
   {
-  /* This tells us the client sent a full ticket.  We use a
+  /* This tells us the client sent a full (?) ticket.  We use a
   callback on session-ticket request, elsewhere, to tell
-  if a client asked for a ticket. */
+  if a client asked for a ticket.
+  XXX As of GnuTLS 3.0.1 it seems to be returning true even for
+  a pure ticket-req (a zero-length Session Ticket extension
+  in the Client Hello, for 1.2) which mucks up our logic. */


tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
DEBUG(D_tls) debug_printf("client requested resumption\n");
@@ -3319,7 +3322,8 @@ tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
tlsp->resumption = RESUME_SUPPORTED;

 if (!conn_args->have_lbserver)
-  { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+  { DEBUG(D_tls) debug_printf(
+      "resumption not supported: no LB detection done (continued-conn?)\n"); }
 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
   {
   dbdata_tls_session * dt;
@@ -3347,6 +3351,7 @@ else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host
     dbfn_close(dbm_file);
     }
   }
+else DEBUG(D_tls) debug_printf("no resumption for this host\n");
 }



@@ -3374,7 +3379,7 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
       int dlen = sizeof(dbdata_tls_session) + tkt.size;
       dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);


-      DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
+      DEBUG(D_tls) debug_printf(" session data size %u\n", (unsigned)tkt.size);
       memcpy(dt->session, tkt.data, tkt.size);
       gnutls_free(tkt.data);


@@ -3385,11 +3390,15 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
     dbfn_close(dbm_file);


     DEBUG(D_tls)
-      debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
+      debug_printf(" wrote session db (len %u)\n", (unsigned)dlen);
     }
       }
-    else DEBUG(D_tls)
-      debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
+    else
+      { DEBUG(D_tls)
+      debug_printf(" extract session data: %s\n", US gnutls_strerror(rc));
+      }
+  else DEBUG(D_tls)
+      debug_printf(" host not resmable; not saving ticket\n");
   }
 }


@@ -3406,7 +3415,7 @@ tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
tls_support * tlsp = state->tlsp;

-DEBUG(D_tls) debug_printf("newticket cb\n");
+DEBUG(D_tls) debug_printf("newticket cb (on client)\n");

 if (!tlsp->ticket_received)
   tls_save_session(tlsp, sess, state->host);
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index af2e1f2dd..8c00a1ef2 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -203,9 +203,6 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .tls_tempfail_tryclear =    TRUE,
   .tls_try_verify_hosts =    US"*",
   .tls_verify_cert_hostnames =    US"*",
-# ifndef DISABLE_TLS_RESUME
-  .host_name_extract =        US"${if and {{match{$host}{.outlook.com\\$}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}",
-# endif
 #endif
 #ifdef SUPPORT_I18N
   .utf8_downconvert =        US"-1",
@@ -352,7 +349,7 @@ Returns:    nothing
 void
 smtp_transport_init(transport_instance *tblock)
 {
-smtp_transport_options_block *ob = SOB tblock->options_block;
+smtp_transport_options_block * ob = SOB tblock->options_block;
 int old_pool = store_pool;


/* Retry_use_local_part defaults FALSE if unset */
@@ -769,7 +766,7 @@ return TRUE;
resumption when such servers do not share a session-cache */

static void
-ehlo_response_lbserver(smtp_context * sx, smtp_transport_options_block * ob)
+ehlo_response_lbserver(smtp_context * sx, const uschar * name_extract)
{
#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
const uschar * s;
@@ -778,7 +775,7 @@ uschar * save_item = iterate_item;
if (sx->conn_args.have_lbserver)
return;
iterate_item = sx->buffer;
-s = expand_cstring(ob->host_name_extract);
+s = expand_cstring(name_extract);
iterate_item = save_item;
sx->conn_args.host_lbserver = s && !*s ? NULL : s;
sx->conn_args.have_lbserver = TRUE;
@@ -1067,6 +1064,8 @@ sx->pending_EHLO = FALSE;

 if (pending_BANNER)
   {
+  const uschar * s;
+
   DEBUG(D_transport) debug_printf("%s expect banner\n", __FUNCTION__);
   (*countp)--;
   if (!smtp_reap_banner(sx))
@@ -1076,7 +1075,10 @@ if (pending_BANNER)
     goto fail;
     }
   /*XXX EXPERIMENTAL_ESMTP_LIMITS ? */
-  ehlo_response_lbserver(sx, sx->conn_args.ob);
+
+  s = ((smtp_transport_options_block *)sx->conn_args.ob)->host_name_extract;
+  if (!s) s = HNE_DEFAULT;
+  ehlo_response_lbserver(sx, s);
   }


 if (pending_EHLO)
@@ -2474,10 +2476,20 @@ goto SEND_QUIT;
 #ifndef DISABLE_TLS
   if (sx->smtps)
     {
+    const uschar * s;
+
     smtp_peer_options |= OPTION_TLS;
     suppress_tls = FALSE;
     ob->tls_tempfail_tryclear = FALSE;
     smtp_command = US"SSL-on-connect";
+
+    /* Having no EHLO response yet, cannot peek there for a servername to detect
+    an LB.  Call this anyway, so that a dummy host_name_extract option value can
+    force resumption attempts. */
+
+    if (!(s = ob->host_name_extract)) s = US"never-LB";
+    ehlo_response_lbserver(sx, s);
+
     goto TLS_NEGOTIATE;
     }
 #endif
@@ -2565,6 +2577,8 @@ goto SEND_QUIT;
     if (!sx->early_pipe_active)
 #endif
       {
+      const uschar * s;
+
       sx->peer_offered = ehlo_response(sx->buffer,
     OPTION_TLS    /* others checked later */
 #ifndef DISABLE_PIPE_CONNECT
@@ -2600,7 +2614,8 @@ goto SEND_QUIT;
       }
     }
 #endif
-      ehlo_response_lbserver(sx, ob);
+      if (!(s = ob->host_name_extract)) s = HNE_DEFAULT;
+      ehlo_response_lbserver(sx, s);
       }


   /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index cb1d72625..0d15b9626 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -109,6 +109,7 @@ typedef struct {
   uschar    *tls_privatekey;
   uschar    *tls_require_ciphers;
 # ifndef DISABLE_TLS_RESUME
+#  define HNE_DEFAULT US"${if and {{match{$host}{.outlook.com\\$}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}"
   uschar    *host_name_extract;
   uschar    *tls_resumption_hosts;
 # endif
diff --git a/test/confs/5890 b/test/confs/5890
index 88743cfd0..ff5adb90f 100644
--- a/test/confs/5890
+++ b/test/confs/5890
@@ -13,9 +13,10 @@ domainlist local_domains = test.ex : *.test.ex


acl_smtp_helo = check_helo
acl_smtp_rcpt = check_recipient
-log_selector = +received_recipients +tls_resumption +tls_peerdn
+log_selector = +received_recipients +tls_resumption +tls_peerdn +outgoing_port

 tls_advertise_hosts = *
+tls_on_connect_ports =    PORT_D2


# Set certificate only if server

@@ -33,30 +34,32 @@ tls_resumption_hosts = 127.0.0.1
begin acl

 check_helo:
-  accept  condition =    ${if def:tls_in_cipher}
-      logwrite =    tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
-      logwrite =    our cert subject\t${certextract {subject}{$tls_in_ourcert}}
-      logwrite =    peer cert subject\t${certextract {subject}{$tls_in_peercert}}
-      logwrite =    peer cert verified\t${tls_in_certificate_verified}
-      logwrite =    peer dn\t${tls_in_peerdn}
-      logwrite =    cipher\t${tls_in_cipher}
-      logwrite =    bits\t${tls_in_bits}
+  accept condition =    ${if def:tls_in_cipher}
+     logwrite =    tls_in_ver\t$tls_in_ver
+     logwrite =    tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
+     logwrite =    our cert subject\t${certextract {subject}{$tls_in_ourcert}}
+     logwrite =    peer cert subject\t${certextract {subject}{$tls_in_peercert}}
+     logwrite =    peer cert verified\t${tls_in_certificate_verified}
+     logwrite =    peer dn\t${tls_in_peerdn}
+     logwrite =    cipher\t${tls_in_cipher}
+     logwrite =    bits\t${tls_in_bits}
   accept


 check_recipient:
-  accept  domains =    +local_domains
-  deny    message =    relay not permitted
+  accept domains =    +local_domains
+  deny   message =    relay not permitted


 log_resumption:
   accept condition =    ${if def:tls_out_cipher}
      condition =    ${if eq {$event_name}{tcp:close}}
+     logwrite =    tls_out_ver\t$tls_out_ver
      logwrite =    tls_out_resumption ${listextract {$tls_out_resumption} {_RESUME_DECODE}}
-      logwrite =    our cert subject\t${certextract {subject}{$tls_out_ourcert}}
-      logwrite =    peer cert subject\t${certextract {subject}{$tls_out_peercert}}
-      logwrite =    peer cert verified\t${tls_out_certificate_verified}
-      logwrite =    peer dn\t${tls_out_peerdn}
-      logwrite =    cipher\t${tls_out_cipher}
-      logwrite =    bits\t${tls_out_bits}
+     logwrite =    our cert subject\t${certextract {subject}{$tls_out_ourcert}}
+     logwrite =    peer cert subject\t${certextract {subject}{$tls_out_peercert}}
+     logwrite =    peer cert verified\t${tls_out_certificate_verified}
+     logwrite =    peer dn\t${tls_out_peerdn}
+     logwrite =    cipher\t${tls_out_cipher}
+     logwrite =    bits\t${tls_out_bits}



 # ----- Routers -----
@@ -66,7 +69,7 @@ begin routers
 client:
   driver =    accept
   condition =    ${if eq {SERVER}{server}{no}{yes}}
-  transport =    send_to_server${if eq{$local_part}{abcd}{2}{1}}
+  transport =    send_to_server${if eq{$local_part}{hostnotresume}{2}{1}}


 server:
   driver = redirect
@@ -80,7 +83,14 @@ send_to_server1:
   driver =            smtp
   allow_localhost
   hosts =            127.0.0.1
+.ifdef SELECTOR
+  port =            PORT_D2
+  protocol =            smtps
+  # Use HELO purely to get a P= different on the server <= line
+  hosts_avoid_esmtp =        *
+.else
   port =            PORT_D
+.endif
   helo_data =            helo.data.changed
 .ifdef HELO_MSG
   host_name_extract =        HELO_MSG
@@ -96,11 +106,11 @@ send_to_server1:
   event_action =        ${acl {log_resumption}}


 send_to_server2:
-  driver = smtp
+  driver =            smtp
   allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
-  hosts_try_fastopen =    :
+  hosts =            HOSTIPV4
+  port =            PORT_D
+  hosts_try_fastopen =        :
   tls_verify_certificates =    CDIR/CA/CA.pem
   tls_verify_cert_hostnames =    :
   event_action =        ${acl {log_resumption}}
diff --git a/test/confs/5892 b/test/confs/5892
index 15b09fcff..571cb8e7e 100644
--- a/test/confs/5892
+++ b/test/confs/5892
@@ -13,7 +13,7 @@ domainlist local_domains = test.ex : *.test.ex


acl_smtp_helo = check_helo
acl_smtp_rcpt = check_recipient
-log_selector = +received_recipients +tls_resumption +tls_peerdn
+log_selector = +received_recipients +tls_resumption +tls_peerdn +outgoing_port

 .ifdef _OPT_OPENSSL_NO_TLSV1_3_X
 openssl_options = +no_sslv2 +no_sslv3 +single_dh_use OPTION
@@ -21,6 +21,7 @@ openssl_options = +no_sslv2 +no_sslv3 +single_dh_use OPTION
 openssl_options = +no_sslv2 +no_sslv3 +single_dh_use
 .endif
 tls_advertise_hosts = *
+tls_on_connect_ports =    PORT_D2


# Set certificate only if server

@@ -38,30 +39,32 @@ remote_max_parallel = 1
begin acl

 check_helo:
-  accept  condition =    ${if def:tls_in_cipher}
-      logwrite =    tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
-      logwrite =    our cert subject\t${certextract {subject}{$tls_in_ourcert}}
-      logwrite =    peer cert subject\t${certextract {subject}{$tls_in_peercert}}
-      logwrite =    peer cert verified\t${tls_in_certificate_verified}
-      logwrite =    peer dn\t${tls_in_peerdn}
-      logwrite =    cipher\t${tls_in_cipher}
-      logwrite =    bits\t${tls_in_bits}
+  accept condition =    ${if def:tls_in_cipher}
+     logwrite =    tls_in_ver\t$tls_in_ver
+     logwrite =    tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
+     logwrite =    our cert subject\t${certextract {subject}{$tls_in_ourcert}}
+     logwrite =    peer cert subject\t${certextract {subject}{$tls_in_peercert}}
+     logwrite =    peer cert verified\t${tls_in_certificate_verified}
+     logwrite =    peer dn\t${tls_in_peerdn}
+     logwrite =    cipher\t${tls_in_cipher}
+     logwrite =    bits\t${tls_in_bits}
   accept


 check_recipient:
-  accept  domains =    +local_domains
-  deny    message =    relay not permitted
+  accept domains =    +local_domains
+  deny   message =    relay not permitted


 log_resumption:
   accept condition =    ${if def:tls_out_cipher}
      condition =    ${if eq {$event_name}{tcp:close}}
+     logwrite =    tls_out_ver\t$tls_out_ver
      logwrite =    tls_out_resumption ${listextract {$tls_out_resumption} {_RESUME_DECODE}}
-      logwrite =    our cert subject\t${certextract {subject}{$tls_out_ourcert}}
-      logwrite =    peer cert subject\t${certextract {subject}{$tls_out_peercert}}
-      logwrite =    peer cert verified\t${tls_out_certificate_verified}
-      logwrite =    peer dn\t${tls_out_peerdn}
-      logwrite =    cipher\t${tls_out_cipher}
-      logwrite =    bits\t${tls_out_bits}
+     logwrite =    our cert subject\t${certextract {subject}{$tls_out_ourcert}}
+     logwrite =    peer cert subject\t${certextract {subject}{$tls_out_peercert}}
+     logwrite =    peer cert verified\t${tls_out_certificate_verified}
+     logwrite =    peer dn\t${tls_out_peerdn}
+     logwrite =    cipher\t${tls_out_cipher}
+     logwrite =    bits\t${tls_out_bits}



 # ----- Routers -----
@@ -85,7 +88,14 @@ send_to_server1:
   driver =            smtp
   allow_localhost
   hosts =            127.0.0.1
+.ifdef SELECTOR
+  port =            PORT_D2
+  protocol =            smtps
+  # Use HELO purely to get a P= different on the server <= line
+  hosts_avoid_esmtp =        *
+.else
   port =            PORT_D
+.endif
   helo_data =            helo.data.changed
 .ifdef HELO_MSG
   host_name_extract =        HELO_MSG
@@ -101,11 +111,11 @@ send_to_server1:
   event_action =        ${acl {log_resumption}}


 send_to_server2:
-  driver = smtp
+  driver =            smtp
   allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
-  hosts_try_fastopen =    :
+  hosts =            HOSTIPV4
+  port =            PORT_D
+  hosts_try_fastopen =        :
   tls_verify_certificates =    CDIR/CA/CA.pem
   tls_verify_cert_hostnames =    :
   event_action =        ${acl {log_resumption}}
diff --git a/test/confs/5894 b/test/confs/5894
index da347178e..4b34c75ae 100644
--- a/test/confs/5894
+++ b/test/confs/5894
@@ -12,10 +12,11 @@ domainlist local_domains = test.ex : *.test.ex


acl_smtp_helo = check_helo
acl_smtp_rcpt = check_recipient
-log_selector = +received_recipients +tls_resumption +tls_peerdn
+log_selector = +received_recipients +tls_resumption +tls_peerdn +outgoing_port

 openssl_options = +no_sslv2 +no_sslv3 +single_dh_use
 tls_advertise_hosts = *
+tls_on_connect_ports =    PORT_D2


# Set certificate only if server

@@ -32,30 +33,32 @@ tls_resumption_hosts = 127.0.0.1
begin acl

 check_helo:
-  accept  condition =    ${if def:tls_in_cipher}
-      logwrite =    tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
-      logwrite =    our cert subject\t${certextract {subject}{$tls_in_ourcert}}
-      logwrite =    peer cert subject\t${certextract {subject}{$tls_in_peercert}}
-      logwrite =    peer cert verified\t${tls_in_certificate_verified}
-      logwrite =    peer dn\t${tls_in_peerdn}
-      logwrite =    cipher\t${tls_in_cipher}
-      logwrite =    bits\t${tls_in_bits}
+  accept condition =    ${if def:tls_in_cipher}
+     logwrite =    tls_in_ver\t$tls_in_ver
+     logwrite =    tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
+     logwrite =    our cert subject\t${certextract {subject}{$tls_in_ourcert}}
+     logwrite =    peer cert subject\t${certextract {subject}{$tls_in_peercert}}
+     logwrite =    peer cert verified\t${tls_in_certificate_verified}
+     logwrite =    peer dn\t${tls_in_peerdn}
+     logwrite =    cipher\t${tls_in_cipher}
+     logwrite =    bits\t${tls_in_bits}
   accept


 check_recipient:
-  accept  domains =    +local_domains
-  deny    message =    relay not permitted
+  accept domains =    +local_domains
+  deny   message =    relay not permitted


 log_resumption:
   accept condition =    ${if def:tls_out_cipher}
      condition =    ${if eq {$event_name}{tcp:close}}
+     logwrite =    tls_out_ver\t$tls_out_ver
      logwrite =    tls_out_resumption ${listextract {$tls_out_resumption} {_RESUME_DECODE}}
-      logwrite =    our cert subject\t${certextract {subject}{$tls_out_ourcert}}
-      logwrite =    peer cert subject\t${certextract {subject}{$tls_out_peercert}}
-      logwrite =    peer cert verified\t${tls_out_certificate_verified}
-      logwrite =    peer dn\t${tls_out_peerdn}
-      logwrite =    cipher\t${tls_out_cipher}
-      logwrite =    bits\t${tls_out_bits}
+     logwrite =    our cert subject\t${certextract {subject}{$tls_out_ourcert}}
+     logwrite =    peer cert subject\t${certextract {subject}{$tls_out_peercert}}
+     logwrite =    peer cert verified\t${tls_out_certificate_verified}
+     logwrite =    peer dn\t${tls_out_peerdn}
+     logwrite =    cipher\t${tls_out_cipher}
+     logwrite =    bits\t${tls_out_bits}



 # ----- Routers -----
@@ -65,7 +68,7 @@ begin routers
 client:
   driver =    accept
   condition =    ${if eq {SERVER}{server}{no}{yes}}
-  transport =    send_to_server${if eq{$local_part}{abcd}{2}{1}}
+  transport =    send_to_server${if eq{$local_part}{hostnotresume}{2}{1}}


 server:
   driver = redirect
@@ -79,7 +82,14 @@ send_to_server1:
   driver =            smtp
   allow_localhost
   hosts =            127.0.0.1
+.ifdef SELECTOR
+  port =            PORT_D2
+  protocol =            smtps
+  # Use HELO purely to get a P= different on the server <= line
+  hosts_avoid_esmtp =        *
+.else
   port =            PORT_D
+.endif
   helo_data =            helo.data.changed
 .ifdef VALUE
   tls_resumption_hosts =    *
@@ -92,11 +102,11 @@ send_to_server1:
   event_action =        ${acl {log_resumption}}


 send_to_server2:
-  driver = smtp
+  driver =            smtp
   allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
-  hosts_try_fastopen =    :
+  hosts =            HOSTIPV4
+  port =            PORT_D
+  hosts_try_fastopen =        :
   tls_verify_certificates =    CDIR/CA/CA.pem
   tls_verify_cert_hostnames =    :
   event_action =        ${acl {log_resumption}}
diff --git a/test/log/5890 b/test/log/5890
index 065e31b7f..d77b85f92 100644
--- a/test/log/5890
+++ b/test/log/5890
@@ -1,4 +1,5 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -6,9 +7,10 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaX-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-000000005vi-0000"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-000000005vi-0000"
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? abcd@??? xyz@???
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? hostnotresume@??? xyz@???
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -16,6 +18,7 @@
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_resumption not requested or offered
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -23,11 +26,12 @@
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => hostnotresume@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-000000005vi-0000"
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for renewal@???
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -35,9 +39,10 @@
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbC-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-000000005vi-0000"
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-000000005vi-0000"
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for postrenewal@???
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -45,9 +50,10 @@
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbE-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbF-000000005vi-0000"
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbF-000000005vi-0000"
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for timeout@???
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_resumption client offered session, server only provided new ticket
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -55,9 +61,10 @@
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbG-000000005vi-0000 => timeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-000000005vi-0000"
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 => timeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-000000005vi-0000"
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for notreq@???
+1999-03-02 09:44:33 10HmbI-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 tls_out_resumption no client request
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -65,9 +72,10 @@
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbI-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbJ-000000005vi-0000"
+1999-03-02 09:44:33 10HmbI-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbJ-000000005vi-0000"
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noverify_getticket@???
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -75,9 +83,10 @@
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbK-000000005vi-0000 => noverify_getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbL-000000005vi-0000"
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 => noverify_getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbL-000000005vi-0000"
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noverify_resume@???
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -85,120 +94,187 @@
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbM-000000005vi-0000 => noverify_resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no DN="CN=server1.example.com" C="250 OK id=10HmbN-000000005vi-0000"
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 => noverify_resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no DN="CN=server1.example.com" C="250 OK id=10HmbN-000000005vi-0000"
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmbO-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
-1999-03-02 09:44:33 10HmbO-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 tls_out_ver    TLS1.2
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmbO-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbO-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbP-000000005vi-0000"
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbP-000000005vi-0000"
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? abcd@??? xyz@???
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 tls_out_resumption session resumed, also new ticket
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 our cert subject    
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer cert subject    CN=server1.example.com
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer cert verified    1
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 tls_out_resumption not requested or offered
+1999-03-02 09:44:33 10HmbQ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmbQ-000000005vi-0000 tls_out_ver    TLS1.2
+1999-03-02 09:44:33 10HmbQ-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-000000005vi-0000"
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-000000005vi-0000"
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbS-000000005vi-0000"
+1999-03-02 09:44:33 10HmbQ-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-000000005vi-0000"
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for renewal@???
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 tls_out_resumption session resumed, also new ticket
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 our cert subject    
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 peer cert subject    CN=server1.example.com
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 peer cert verified    1
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-000000005vi-0000"
-1999-03-02 09:44:33 10HmbT-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for postrenewal@???
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 tls_out_resumption session resumed
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 our cert subject    
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 peer cert subject    CN=server1.example.com
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 peer cert verified    1
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbW-000000005vi-0000"
-1999-03-02 09:44:33 10HmbV-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for timeout@???
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 tls_out_resumption client offered session, server only provided new ticket
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 our cert subject    
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 peer cert subject    CN=server1.example.com
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 peer cert verified    1
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 => timeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbY-000000005vi-0000"
-1999-03-02 09:44:33 10HmbX-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmbZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for notreq@???
-1999-03-02 09:44:33 10HmbZ-000000005vi-0000 tls_out_resumption no client request
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 tls_out_ver    TLS1.2
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 tls_out_resumption session resumed
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbT-000000005vi-0000"
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbV-000000005vi-0000"
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? hostnotresume@??? xyz@???
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 tls_out_resumption not requested or offered
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbX-000000005vi-0000"
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbX-000000005vi-0000"
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 => hostnotresume@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbY-000000005vi-0000"
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for renewal@???
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 tls_out_resumption session resumed, also new ticket
 1999-03-02 09:44:33 10HmbZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbZ-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmbZ-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmbZ-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmbZ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbZ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbZ-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcA-000000005vi-0000"
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcA-000000005vi-0000"
 1999-03-02 09:44:33 10HmbZ-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmcB-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
-1999-03-02 09:44:33 10HmcB-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmcB-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for postrenewal@???
+1999-03-02 09:44:33 10HmcB-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcB-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmcB-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmcB-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmcB-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmcB-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmcB-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcB-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmcB-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmcB-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcC-000000005vi-0000"
+1999-03-02 09:44:33 10HmcB-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcC-000000005vi-0000"
 1999-03-02 09:44:33 10HmcB-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmcD-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noresume@???
-1999-03-02 09:44:33 10HmcD-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmcD-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for timeout@???
+1999-03-02 09:44:33 10HmcD-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcD-000000005vi-0000 tls_out_resumption client offered session, server only provided new ticket
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 peer dn    CN=server1.example.com
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmcD-000000005vi-0000 => noresume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcE-000000005vi-0000"
+1999-03-02 09:44:33 10HmcD-000000005vi-0000 => timeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcE-000000005vi-0000"
 1999-03-02 09:44:33 10HmcD-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmcF-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
-1999-03-02 09:44:33 10HmcF-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcF-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for notreq@???
+1999-03-02 09:44:33 10HmcF-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcF-000000005vi-0000 tls_out_resumption no client request
 1999-03-02 09:44:33 10HmcF-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmcF-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmcF-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmcF-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmcF-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcF-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmcF-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmcF-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcG-000000005vi-0000"
+1999-03-02 09:44:33 10HmcF-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcG-000000005vi-0000"
 1999-03-02 09:44:33 10HmcF-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmcH-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
-1999-03-02 09:44:33 10HmcH-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcH-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmcH-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcH-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmcH-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmcH-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmcH-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmcH-000000005vi-0000 peer dn    CN=server1.example.com
-1999-03-02 09:44:33 10HmcH-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcH-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmcH-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmcH-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcI-000000005vi-0000"
+1999-03-02 09:44:33 10HmcH-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcI-000000005vi-0000"
 1999-03-02 09:44:33 10HmcH-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noresume@???
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 => noresume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcK-000000005vi-0000"
+1999-03-02 09:44:33 10HmcJ-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcM-000000005vi-0000"
+1999-03-02 09:44:33 10HmcL-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcO-000000005vi-0000"
+1999-03-02 09:44:33 10HmcN-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcQ-000000005vi-0000"
+1999-03-02 09:44:33 10HmcP-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 peer dn    CN=server1.example.com
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcS-000000005vi-0000"
+1999-03-02 09:44:33 10HmcR-000000005vi-0000 Completed


 ******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D and for SMTPS on port PORT_D2
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -209,6 +285,7 @@
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-000000005vi-0000@??? for getticket@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 => :blackhole: <getticket@???> R=server
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -220,6 +297,7 @@
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 => :blackhole: <xyz@???> R=server
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 => :blackhole: <resume@???> R=server
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    not requested or offered
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -227,9 +305,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-000000005vi-0000@??? for abcd@???
-1999-03-02 09:44:33 10HmbB-000000005vi-0000 => :blackhole: <abcd@???> R=server
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-000000005vi-0000@??? for hostnotresume@???
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 => :blackhole: <hostnotresume@???> R=server
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -240,6 +319,7 @@
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbC-000000005vi-0000@??? for renewal@???
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 => :blackhole: <renewal@???> R=server
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -250,6 +330,7 @@
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-000000005vi-0000@??? for postrenewal@???
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 => :blackhole: <postrenewal@???> R=server
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client offered session, server only provided new ticket
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -260,6 +341,7 @@
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-000000005vi-0000@??? for timeout@???
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 => :blackhole: <timeout@???> R=server
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -270,6 +352,7 @@
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-000000005vi-0000@??? for notreq@???
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 => :blackhole: <notreq@???> R=server
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -280,6 +363,7 @@
 1999-03-02 09:44:33 10HmbL-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbK-000000005vi-0000@??? for noverify_getticket@???
 1999-03-02 09:44:33 10HmbL-000000005vi-0000 => :blackhole: <noverify_getticket@???> R=server
 1999-03-02 09:44:33 10HmbL-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -290,7 +374,41 @@
 1999-03-02 09:44:33 10HmbN-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-000000005vi-0000@??? for noverify_resume@???
 1999-03-02 09:44:33 10HmbN-000000005vi-0000 => :blackhole: <noverify_resume@???> R=server
 1999-03-02 09:44:33 10HmbN-000000005vi-0000 Completed
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
+1999-03-02 09:44:33 tls_in_resumption    session resumed
+1999-03-02 09:44:33 our cert subject    
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbP-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbO-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmbP-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmbP-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
+1999-03-02 09:44:33 tls_in_resumption    client offered session, server only provided new ticket
+1999-03-02 09:44:33 our cert subject    CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbR-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-000000005vi-0000@??? for getticket@???
+1999-03-02 09:44:33 10HmbR-000000005vi-0000 => :blackhole: <getticket@???> R=server
+1999-03-02 09:44:33 10HmbR-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
+1999-03-02 09:44:33 tls_in_resumption    session resumed
+1999-03-02 09:44:33 our cert subject    
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke--AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbT-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbS-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmbT-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmbT-000000005vi-0000 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D and for SMTPS on port PORT_D2
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -298,9 +416,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbP-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-000000005vi-0000@??? for getticket@???
-1999-03-02 09:44:33 10HmbP-000000005vi-0000 => :blackhole: <getticket@???> R=server
-1999-03-02 09:44:33 10HmbP-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbV-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbU-000000005vi-0000@??? for getticket@???
+1999-03-02 09:44:33 10HmbV-000000005vi-0000 => :blackhole: <getticket@???> R=server
+1999-03-02 09:44:33 10HmbV-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -308,10 +427,11 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbR-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbQ-000000005vi-0000@??? for resume@??? xyz@???
-1999-03-02 09:44:33 10HmbR-000000005vi-0000 => :blackhole: <xyz@???> R=server
-1999-03-02 09:44:33 10HmbR-000000005vi-0000 => :blackhole: <resume@???> R=server
-1999-03-02 09:44:33 10HmbR-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbW-000000005vi-0000@??? for resume@??? xyz@???
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 => :blackhole: <xyz@???> R=server
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    not requested or offered
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -319,9 +439,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbS-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-000000005vi-0000@??? for abcd@???
-1999-03-02 09:44:33 10HmbS-000000005vi-0000 => :blackhole: <abcd@???> R=server
-1999-03-02 09:44:33 10HmbS-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbW-000000005vi-0000@??? for hostnotresume@???
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 => :blackhole: <hostnotresume@???> R=server
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -329,9 +450,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbU-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbT-000000005vi-0000@??? for renewal@???
-1999-03-02 09:44:33 10HmbU-000000005vi-0000 => :blackhole: <renewal@???> R=server
-1999-03-02 09:44:33 10HmbU-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcA-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbZ-000000005vi-0000@??? for renewal@???
+1999-03-02 09:44:33 10HmcA-000000005vi-0000 => :blackhole: <renewal@???> R=server
+1999-03-02 09:44:33 10HmcA-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -339,9 +461,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbW-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbV-000000005vi-0000@??? for postrenewal@???
-1999-03-02 09:44:33 10HmbW-000000005vi-0000 => :blackhole: <postrenewal@???> R=server
-1999-03-02 09:44:33 10HmbW-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcC-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcB-000000005vi-0000@??? for postrenewal@???
+1999-03-02 09:44:33 10HmcC-000000005vi-0000 => :blackhole: <postrenewal@???> R=server
+1999-03-02 09:44:33 10HmcC-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -349,9 +472,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbY-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbX-000000005vi-0000@??? for timeout@???
-1999-03-02 09:44:33 10HmbY-000000005vi-0000 => :blackhole: <timeout@???> R=server
-1999-03-02 09:44:33 10HmbY-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcE-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcD-000000005vi-0000@??? for timeout@???
+1999-03-02 09:44:33 10HmcE-000000005vi-0000 => :blackhole: <timeout@???> R=server
+1999-03-02 09:44:33 10HmcE-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -359,9 +483,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmcA-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-000000005vi-0000@??? for notreq@???
-1999-03-02 09:44:33 10HmcA-000000005vi-0000 => :blackhole: <notreq@???> R=server
-1999-03-02 09:44:33 10HmcA-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcG-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcF-000000005vi-0000@??? for notreq@???
+1999-03-02 09:44:33 10HmcG-000000005vi-0000 => :blackhole: <notreq@???> R=server
+1999-03-02 09:44:33 10HmcG-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -369,9 +494,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmcC-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-000000005vi-0000@??? for getticket@???
-1999-03-02 09:44:33 10HmcC-000000005vi-0000 => :blackhole: <getticket@???> R=server
-1999-03-02 09:44:33 10HmcC-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcI-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcH-000000005vi-0000@??? for getticket@???
+1999-03-02 09:44:33 10HmcI-000000005vi-0000 => :blackhole: <getticket@???> R=server
+1999-03-02 09:44:33 10HmcI-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -379,9 +505,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmcE-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcD-000000005vi-0000@??? for noresume@???
-1999-03-02 09:44:33 10HmcE-000000005vi-0000 => :blackhole: <noresume@???> R=server
-1999-03-02 09:44:33 10HmcE-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcK-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcJ-000000005vi-0000@??? for noresume@???
+1999-03-02 09:44:33 10HmcK-000000005vi-0000 => :blackhole: <noresume@???> R=server
+1999-03-02 09:44:33 10HmcK-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -389,9 +516,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmcG-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcF-000000005vi-0000@??? for resume@???
-1999-03-02 09:44:33 10HmcG-000000005vi-0000 => :blackhole: <resume@???> R=server
-1999-03-02 09:44:33 10HmcG-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcM-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcL-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmcM-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmcM-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    
 1999-03-02 09:44:33 peer cert subject    
@@ -399,6 +527,28 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmcI-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcH-000000005vi-0000@??? for resume@???
-1999-03-02 09:44:33 10HmcI-000000005vi-0000 => :blackhole: <resume@???> R=server
-1999-03-02 09:44:33 10HmcI-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmcO-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcN-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmcO-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmcO-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
+1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject    CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmcQ-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcP-000000005vi-0000@??? for getticket@???
+1999-03-02 09:44:33 10HmcQ-000000005vi-0000 => :blackhole: <getticket@???> R=server
+1999-03-02 09:44:33 10HmcQ-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
+1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
+1999-03-02 09:44:33 our cert subject    
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmcS-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcR-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmcS-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmcS-000000005vi-0000 Completed
diff --git a/test/log/5892 b/test/log/5892
index aeaae546a..21b6cc597 100644
--- a/test/log/5892
+++ b/test/log/5892
@@ -1,4 +1,5 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -6,9 +7,10 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaX-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-000000005vi-0000"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-000000005vi-0000"
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? hostnotresume@??? xyz@???
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -16,8 +18,9 @@
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_resumption not requested or offered
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -25,9 +28,10 @@
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => hostnotresume@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => hostnotresume@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-000000005vi-0000"
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for renewal@???
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -35,9 +39,10 @@
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbC-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-000000005vi-0000"
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-000000005vi-0000"
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for postrenewal@???
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -45,9 +50,10 @@
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbE-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-000000005vi-0000"
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-000000005vi-0000"
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for aftertimeout@???
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -55,9 +61,10 @@
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbG-000000005vi-0000 => aftertimeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-000000005vi-0000"
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 => aftertimeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-000000005vi-0000"
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for notreq@???
+1999-03-02 09:44:33 10HmbI-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 tls_out_resumption not requested or offered
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -65,10 +72,11 @@
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbI-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbJ-000000005vi-0000"
+1999-03-02 09:44:33 10HmbI-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbJ-000000005vi-0000"
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noverify_getticket@???
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="127.0.0.1"
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -76,9 +84,10 @@
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbK-000000005vi-0000 => noverify_getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbL-000000005vi-0000"
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 => noverify_getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbL-000000005vi-0000"
 1999-03-02 09:44:33 10HmbK-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noverify_resume@???
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -86,9 +95,10 @@
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbM-000000005vi-0000 => noverify_resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbN-000000005vi-0000"
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 => noverify_resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbN-000000005vi-0000"
 1999-03-02 09:44:33 10HmbM-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -96,9 +106,10 @@
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbO-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbP-000000005vi-0000"
+1999-03-02 09:44:33 10HmbO-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbP-000000005vi-0000"
 1999-03-02 09:44:33 10HmbO-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for noresume@???
+1999-03-02 09:44:33 10HmbQ-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -106,9 +117,10 @@
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbQ-000000005vi-0000 => noresume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbR-000000005vi-0000"
+1999-03-02 09:44:33 10HmbQ-000000005vi-0000 => noresume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbR-000000005vi-0000"
 1999-03-02 09:44:33 10HmbQ-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -116,9 +128,10 @@
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbS-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-000000005vi-0000"
+1999-03-02 09:44:33 10HmbS-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-000000005vi-0000"
 1999-03-02 09:44:33 10HmbS-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 tls_out_ver    TLS1.2
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -126,11 +139,34 @@
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbU-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbV-000000005vi-0000"
+1999-03-02 09:44:33 10HmbU-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbV-000000005vi-0000"
 1999-03-02 09:44:33 10HmbU-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 tls_out_ver    TLS1.2
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 peer dn    /CN=server1.example.com
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbX-000000005vi-0000"
+1999-03-02 09:44:33 10HmbW-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 tls_out_ver    TLS1.2
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 tls_out_resumption session resumed
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 peer dn    /CN=server1.example.com
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbZ-000000005vi-0000"
+1999-03-02 09:44:33 10HmbY-000000005vi-0000 Completed


 ******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D and for SMTPS on port PORT_D2
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -141,6 +177,7 @@
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-000000005vi-0000@??? for getticket@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 => :blackhole: <getticket@???> R=server
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -152,6 +189,7 @@
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 => :blackhole: <xyz@???> R=server
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 => :blackhole: <resume@???> R=server
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    not requested or offered
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -162,6 +200,7 @@
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-000000005vi-0000@??? for hostnotresume@???
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 => :blackhole: <hostnotresume@???> R=server
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -172,6 +211,7 @@
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbC-000000005vi-0000@??? for renewal@???
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 => :blackhole: <renewal@???> R=server
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -182,6 +222,7 @@
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-000000005vi-0000@??? for postrenewal@???
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 => :blackhole: <postrenewal@???> R=server
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -192,6 +233,7 @@
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-000000005vi-0000@??? for aftertimeout@???
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 => :blackhole: <aftertimeout@???> R=server
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    no client request
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -202,6 +244,7 @@
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-000000005vi-0000@??? for notreq@???
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 => :blackhole: <notreq@???> R=server
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -212,6 +255,7 @@
 1999-03-02 09:44:33 10HmbL-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbK-000000005vi-0000@??? for noverify_getticket@???
 1999-03-02 09:44:33 10HmbL-000000005vi-0000 => :blackhole: <noverify_getticket@???> R=server
 1999-03-02 09:44:33 10HmbL-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -222,6 +266,7 @@
 1999-03-02 09:44:33 10HmbN-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-000000005vi-0000@??? for noverify_resume@???
 1999-03-02 09:44:33 10HmbN-000000005vi-0000 => :blackhole: <noverify_resume@???> R=server
 1999-03-02 09:44:33 10HmbN-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -232,6 +277,7 @@
 1999-03-02 09:44:33 10HmbP-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-000000005vi-0000@??? for getticket@???
 1999-03-02 09:44:33 10HmbP-000000005vi-0000 => :blackhole: <getticket@???> R=server
 1999-03-02 09:44:33 10HmbP-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -242,6 +288,7 @@
 1999-03-02 09:44:33 10HmbR-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-000000005vi-0000@??? for noresume@???
 1999-03-02 09:44:33 10HmbR-000000005vi-0000 => :blackhole: <noresume@???> R=server
 1999-03-02 09:44:33 10HmbR-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -252,6 +299,7 @@
 1999-03-02 09:44:33 10HmbT-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbS-000000005vi-0000@??? for resume@???
 1999-03-02 09:44:33 10HmbT-000000005vi-0000 => :blackhole: <resume@???> R=server
 1999-03-02 09:44:33 10HmbT-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -262,3 +310,25 @@
 1999-03-02 09:44:33 10HmbV-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbU-000000005vi-0000@??? for resume@???
 1999-03-02 09:44:33 10HmbV-000000005vi-0000 => :blackhole: <resume@???> R=server
 1999-03-02 09:44:33 10HmbV-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
+1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject    CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbW-000000005vi-0000@??? for getticket@???
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 => :blackhole: <getticket@???> R=server
+1999-03-02 09:44:33 10HmbX-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.2
+1999-03-02 09:44:33 tls_in_resumption    session resumed
+1999-03-02 09:44:33 our cert subject    CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbY-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmbZ-000000005vi-0000 Completed
diff --git a/test/log/5894 b/test/log/5894
index ab0d53703..f3d447c2a 100644
--- a/test/log/5894
+++ b/test/log/5894
@@ -1,4 +1,5 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 tls_out_ver    TLS1.3
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -6,9 +7,10 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaX-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-000000005vi-0000"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-000000005vi-0000"
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? abcd@??? xyz@???
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@??? hostnotresume@??? xyz@???
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_ver    TLS1.3
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -16,6 +18,7 @@
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_ver    TLS1.3
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 tls_out_resumption not requested or offered
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -23,41 +26,45 @@
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
-1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-000000005vi-0000"
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 => hostnotresume@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-000000005vi-0000"
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for renewal@???
-1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbC-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-000000005vi-0000"
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 => renewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-000000005vi-0000"
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for postrenewal@???
-1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_resumption session resumed
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 tls_out_resumption session resumed, also new ticket
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbE-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-000000005vi-0000"
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-000000005vi-0000"
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for timeout@???
-1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 tls_out_resumption session resumed
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer cert subject    CN=server1.example.com
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer cert verified    1
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbG-000000005vi-0000 => timeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-000000005vi-0000"
+1999-03-02 09:44:33 10HmbG-000000005vi-0000 => timeout@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-000000005vi-0000"
 1999-03-02 09:44:33 10HmbG-000000005vi-0000 Completed
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for notreq@???
+1999-03-02 09:44:33 10HmbI-000000005vi-0000 tls_out_ver    TLS1.3
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 tls_out_resumption not requested or offered
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 our cert subject    
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 peer cert subject    CN=server1.example.com
@@ -65,11 +72,34 @@
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 peer dn    /CN=server1.example.com
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 bits    256
-1999-03-02 09:44:33 10HmbI-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbJ-000000005vi-0000"
+1999-03-02 09:44:33 10HmbI-000000005vi-0000 => notreq@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbJ-000000005vi-0000"
 1999-03-02 09:44:33 10HmbI-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for getticket@???
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 peer dn    /CN=server1.example.com
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 => getticket@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbL-000000005vi-0000"
+1999-03-02 09:44:33 10HmbK-000000005vi-0000 Completed
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 <= CALLER@??? U=CALLER P=local S=sss for resume@???
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 tls_out_ver    TLS1.3
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 our cert subject    
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer cert subject    CN=server1.example.com
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer cert verified    1
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 peer dn    /CN=server1.example.com
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 bits    256
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 => resume@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1]:PORT_D2 X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbN-000000005vi-0000"
+1999-03-02 09:44:33 10HmbM-000000005vi-0000 Completed


 ******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D and for SMTPS on port PORT_D2
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -80,6 +110,7 @@
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-000000005vi-0000@??? for getticket@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 => :blackhole: <getticket@???> R=server
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -91,6 +122,7 @@
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 => :blackhole: <xyz@???> R=server
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 => :blackhole: <resume@???> R=server
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    not requested or offered
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -98,9 +130,10 @@
 1999-03-02 09:44:33 peer dn    
 1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits    256
-1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-000000005vi-0000@??? for abcd@???
-1999-03-02 09:44:33 10HmbB-000000005vi-0000 => :blackhole: <abcd@???> R=server
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-000000005vi-0000@??? for hostnotresume@???
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 => :blackhole: <hostnotresume@???> R=server
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -111,6 +144,7 @@
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbC-000000005vi-0000@??? for renewal@???
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 => :blackhole: <renewal@???> R=server
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -121,6 +155,7 @@
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-000000005vi-0000@??? for postrenewal@???
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 => :blackhole: <postrenewal@???> R=server
 1999-03-02 09:44:33 10HmbF-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -131,6 +166,7 @@
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbG-000000005vi-0000@??? for timeout@???
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 => :blackhole: <timeout@???> R=server
 1999-03-02 09:44:33 10HmbH-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
 1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject    CN=server1.example.com
 1999-03-02 09:44:33 peer cert subject    
@@ -141,3 +177,25 @@
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-000000005vi-0000@??? for notreq@???
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 => :blackhole: <notreq@???> R=server
 1999-03-02 09:44:33 10HmbJ-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
+1999-03-02 09:44:33 tls_in_resumption    client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject    CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbL-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbK-000000005vi-0000@??? for getticket@???
+1999-03-02 09:44:33 10HmbL-000000005vi-0000 => :blackhole: <getticket@???> R=server
+1999-03-02 09:44:33 10HmbL-000000005vi-0000 Completed
+1999-03-02 09:44:33 tls_in_ver    TLS1.3
+1999-03-02 09:44:33 tls_in_resumption    session resumed, also new ticket
+1999-03-02 09:44:33 our cert subject    CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject    
+1999-03-02 09:44:33 peer cert verified    0
+1999-03-02 09:44:33 peer dn    
+1999-03-02 09:44:33 cipher    TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits    256
+1999-03-02 09:44:33 10HmbN-000000005vi-0000 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] TFO* P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-000000005vi-0000@??? for resume@???
+1999-03-02 09:44:33 10HmbN-000000005vi-0000 => :blackhole: <resume@???> R=server
+1999-03-02 09:44:33 10HmbN-000000005vi-0000 Completed
diff --git a/test/scripts/5890-Resume-GnuTLS/5890 b/test/scripts/5890-Resume-GnuTLS/5890
index d129da2db..3395218fa 100644
--- a/test/scripts/5890-Resume-GnuTLS/5890
+++ b/test/scripts/5890-Resume-GnuTLS/5890
@@ -6,12 +6,12 @@ gnutls
 # SSLKEYLOGFILE=/home/jgh/git/exim/test/foo sudo exim -DSERVER=server -bd -oX PORT_D
 #
 ### TLS1.2
-exim -DSERVER=server -DOPTION=NORMAL:!VERS-TLS1.3 -bd -oX PORT_D
+exim -DSERVER=server -DOPTION=NORMAL:!VERS-TLS1.3 -bd -oX PORT_D:PORT_D2
 ****
 exim -DVALUE=resume -odf getticket@???
 ****
-exim -DVALUE=resume -odf resume@??? abcd@??? xyz@???
+exim -DVALUE=resume -odf resume@??? hostnotresume@??? xyz@???
 Test message to two different hosts, one does not support resume
 ****
 # allow time for ticket to hit renewal time
@@ -36,18 +36,25 @@ Dest on this means the server cert will not verify (but try_verify will permit i
 exim -odf -DVALUE=resume noverify_resume@???
 Dest on this means the server cert will not verify (but try_verify will permit it)
 ****
+# Test TLS-on-connect
+exim -DVALUE=resume -odf resume@???
+****
+exim -DVALUE=resume -DSELECTOR=smtps -odf getticket@???
+****
+exim -DVALUE=resume -DSELECTOR=smtps -odf resume@???
+****
 killdaemon
 sleep 1
 sudo rm -f DIR/spool/db/tls
 #
 #
 ### TLS1.3
-exim -DSERVER=server -DOPTION=NORMAL -bd -oX PORT_D
+exim -DSERVER=server -DOPTION=NORMAL -bd -oX PORT_D:PORT_D2
 ****
 exim -DVALUE=resume -odf getticket@???
 ****
-exim -DVALUE=resume -odf resume@??? abcd@??? xyz@???
+exim -DVALUE=resume -odf resume@??? hostnotresume@??? xyz@???
 Test message to two different hosts, one does not support resume
 ****
 # allow time for ticket to hit renewal time
@@ -78,6 +85,11 @@ exim -DVALUE=resume -DHELO_MSG=differenthost -odf resume@???
 ****
 exim -DVALUE=resume -odf resume@???
 ****
+# Test TLS-on-connect
+exim -DVALUE=resume -DSELECTOR=smtps -odf getticket@???
+****
+exim -DVALUE=resume -DSELECTOR=smtps -odf resume@???
+****
 #
 killdaemon
 no_msglog_check
diff --git a/test/scripts/5892-Resume-OpenSSL/5892 b/test/scripts/5892-Resume-OpenSSL/5892
index 77b93704b..92eed04d2 100644
--- a/test/scripts/5892-Resume-OpenSSL/5892
+++ b/test/scripts/5892-Resume-OpenSSL/5892
@@ -1,7 +1,7 @@
 # TLSv1.2 session resumption
 #
 ### TLS1.2
-exim -DSERVER=server -DOPTION=+no_tlsv1_3 -bd -oX PORT_D
+exim -DSERVER=server -DOPTION=+no_tlsv1_3 -bd -oX PORT_D:PORT_D2
 ****
 exim -DVALUE=resume -odf getticket@???
 Test message.
@@ -46,6 +46,12 @@ exim -DVALUE=resume -DHELO_MSG=differenthost -odf resume@???
 exim -DVALUE=resume -odf resume@???
 ****
 #
+# Test TLS-on-connect
+exim -DVALUE=resume -DSELECTOR=smtps -odf getticket@???
+****
+exim -DVALUE=resume -DSELECTOR=smtps -odf resume@???
+****
+#
 # Check the -k (key only) option on dumpdb
 perl
 system 'DIR/eximdir/exim_dumpdb -k DIR/spool tls';
diff --git a/test/scripts/5894-Resume-OpenSSL-TLS1.3/5894 b/test/scripts/5894-Resume-OpenSSL-TLS1.3/5894
index 722bc9b08..b85351bd5 100644
--- a/test/scripts/5894-Resume-OpenSSL-TLS1.3/5894
+++ b/test/scripts/5894-Resume-OpenSSL-TLS1.3/5894
@@ -1,12 +1,12 @@
 # TLSv1.3 session resumption
 #
 ### TLS1.3
-exim -DSERVER=server -bd -oX PORT_D
+exim -DSERVER=server -DOPTION=+no_tlsv1_3 -bd -oX PORT_D:PORT_D2
 ****
 exim -DVALUE=resume -odf getticket@???
 ****
-exim -DVALUE=resume -odf resume@??? abcd@??? xyz@???
+exim -DVALUE=resume -odf resume@??? hostnotresume@??? xyz@???
 Test message to two different hosts, one does not support resume
 ****
 # allow time for ticket to hit renewal time
@@ -24,5 +24,12 @@ Test message.
 exim -odf notreq@???
 Test message, not requesting resumption.
 ****
+#
+# Test TLS-on-connect
+exim -DVALUE=resume -DSELECTOR=smtps -odf getticket@???
+****
+exim -DVALUE=resume -DSELECTOR=smtps -odf resume@???
+****
+#
 killdaemon
 no_msglog_check
diff --git a/test/stdout/5892 b/test/stdout/5892
index 23a7bcf3e..077a3dd0e 100644
--- a/test/stdout/5892
+++ b/test/stdout/5892
@@ -1,5 +1,6 @@
 ### TLS1.2
   4686560d7a1d9becb8fd0c62406eaaf169b2ea1b889244342653024281bca106
+  8ff2965550bd60d7e4496ad508a8cff91ac5de6fbec4806e8c9c3d6959300e3e
   b90422e57483069e0b7dbcebbdf1be3504bae64df49ea1f699cc773acc8a76d5


******** SERVER ********

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/