diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 196973857234..9f22a429c037 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1779,21 +1779,19 @@ static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
     mbedtls_ssl_mode_t base_mode,
     int encrypt_then_mac )
 {
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
     if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
         base_mode == MBEDTLS_SSL_MODE_CBC )
     {
         return( MBEDTLS_SSL_MODE_CBC_ETM );
     }
-#else
-    (void) encrypt_then_mac;
-#endif
     return( base_mode );
 }
+#endif
 
 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
                     const mbedtls_ssl_transform *transform )
@@ -1806,11 +1804,12 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
 #endif
         );
 
-    int encrypt_then_mac = 0;
 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-    encrypt_then_mac = transform->encrypt_then_mac;
-#endif
+    int encrypt_then_mac = transform->encrypt_then_mac;
     return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) );
+#else
+    return( base_mode );
+#endif
 }
 
 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
@@ -1840,10 +1839,11 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
     }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
-#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-    int encrypt_then_mac = 0;
-#endif
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
     return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) );
+#else
+    return( base_mode );
+#endif
 }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -7103,14 +7103,12 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
     mbedtls_ssl_mode_t ssl_mode;
 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
     const mbedtls_cipher_info_t *cipher_info;
-    const mbedtls_md_info_t *md_info;
 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_key_type_t key_type;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_algorithm_t alg;
-    psa_algorithm_t mac_alg = 0;
     size_t key_bits;
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 #endif
@@ -7156,27 +7154,19 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
-    ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-                                        encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
-                                        ciphersuite_info );
-
-    if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
-        transform->taglen =
-            ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
-
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     if( ( status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher,
-                                 transform->taglen,
+                                 0,
                                  &alg,
                                  &key_type,
                                  &key_bits ) ) != PSA_SUCCESS )
     {
         ret = psa_ssl_status_to_mbedtls( status );
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret );
-        goto end;
+        return( ret );
     }
+
+    ssl_mode = mbedtls_ssl_get_base_mode( alg );
 #else
     cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
     if( cipher_info == NULL )
@@ -7185,25 +7175,24 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
                                     ciphersuite_info->cipher ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
+
+    ssl_mode = mbedtls_ssl_get_base_mode(
+                   mbedtls_cipher_info_get_mode( cipher_info ) );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    mac_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
-    if( mac_alg == 0 )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_psa_translate_md for %u not found",
-                            (unsigned) ciphersuite_info->mac ) );
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    }
-#else
-    md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
-    if( md_info == NULL )
+    if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
-                            (unsigned) ciphersuite_info->mac ) );
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    }
+        transform->taglen =
+            ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, transform->taglen,
+                                   &alg, &key_type, &key_bits );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
+    }
+    else
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+        ssl_mode = mbedtls_ssl_get_actual_mode( ssl_mode, encrypt_then_mac );
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     /* Copy own and peer's CID if the use of the CID
@@ -7291,9 +7280,25 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
         ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
     {
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-        size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type );
+        psa_algorithm_t mac_alg;
+        mac_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
+        if( mac_alg == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_psa_translate_md for %u not found",
+                                (unsigned) ciphersuite_info->mac ) );
+            ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+            goto end;
+        }
 #else
-        size_t block_size = cipher_info->block_size;
+        const mbedtls_md_info_t *md_info;
+        md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
+        if( md_info == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
+                                (unsigned) ciphersuite_info->mac ) );
+            ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+            goto end;
+        }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -7331,6 +7336,11 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
              *    otherwise: * first multiple of blocklen greater than maclen
              * 2. IV
              */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+            size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type );
+#else
+            size_t block_size = cipher_info->block_size;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
             if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
             {
@@ -7361,7 +7371,8 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto end;
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",