- s/TLS1.[0123]: # TLS version
- ((EC)?DHE(_((?<psk>PSK)_)?((?<auth>RSA|ECDSA)_)?(SECP256R1|X25519))?__?)? # key-exchange
- ((?<auth>RSA|ECDSA)((_PSS_RSAE)?_SHA(512|256))?__?)? # authentication
- AES_(256|128)_(CBC|GCM) # cipher
- (__?SHA(1|256|384))?: # PRF
- (256|128) # cipher strength
+ s/TLS1.[0123](-PKIX)?: # TLS version
+ ((EC)?DHE(_((?<psk>PSK)_)?((?<auth>RSA|ECDSA)_)?
+ (SECP(256|521)R1|X25519))?__?)? # key-exchange
+ ((?<auth>RSA|ECDSA)((_PSS_RSAE)?_SHA(512|256))?__?)? # authentication
+ AES_(256|128)_(CBC|GCM) # cipher
+ (__?AEAD)? # pseudo-MAC
+ (__?SHA(1|256|384))? # PRF
+ :(256|128) # cipher strength