diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example
index dbe97c2b..6c19c8e4 100644
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@@ -625,6 +625,7 @@ general {
 away_interval = 30;
 certfp_method = spki_sha256;
 hide_opers_in_whois = no;
+ tls_ciphers_oper_only = no;
 };
 modules {
diff --git a/doc/reference.conf b/doc/reference.conf
index 72af5182..22438ff5 100644
--- a/doc/reference.conf
+++ b/doc/reference.conf
@@ -1436,6 +1436,9 @@ general {
 /* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */
 hide_opers_in_whois = no;
+
+ /* tls_ciphers_oper_only: show the TLS cipher string in /WHOIS only to opers and self */
+ tls_ciphers_oper_only = no;
 };
 modules {
diff --git a/include/s_conf.h b/include/s_conf.h
index fec5c8a8..a192a615 100644
--- a/include/s_conf.h
+++ b/include/s_conf.h
@@ -232,6 +232,7 @@ struct config_file_entry
 int use_propagated_bans;
 int max_ratelimit_tokens;
 int away_interval;
+ int tls_ciphers_oper_only;
 int client_flood_max_lines;
 int client_flood_burst_rate;
diff --git a/ircd/newconf.c b/ircd/newconf.c
index b69c3bfc..a7e4b48e 100644
--- a/ircd/newconf.c
+++ b/ircd/newconf.c
@@ -2802,6 +2802,7 @@ static struct ConfEntry conf_general_table[] =
 { "hide_opers", CF_YESNO, NULL, 0, &ConfigFileEntry.hide_opers },
 { "certfp_method", CF_STRING, conf_set_general_certfp_method, 0, NULL },
 { "drain_reason", CF_QSTRING, NULL, BUFSIZE, &ConfigFileEntry.drain_reason },
+ { "tls_ciphers_oper_only", CF_YESNO, NULL, 0, &ConfigFileEntry.tls_ciphers_oper_only },
 { "\0", 0, NULL, 0, NULL }
 };
diff --git a/ircd/s_conf.c b/ircd/s_conf.c
index 20211851..c2ee0164 100644
--- a/ircd/s_conf.c
+++ b/ircd/s_conf.c
@@ -772,6 +772,7 @@ set_default_conf(void)
 ConfigFileEntry.use_propagated_bans = true;
 ConfigFileEntry.max_ratelimit_tokens = 30;
 ConfigFileEntry.away_interval = 30;
+ ConfigFileEntry.tls_ciphers_oper_only = false;
 #ifdef HAVE_LIBZ
 ConfigFileEntry.compression_level = 4;
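Review bot: In the ircd/s_conf.c hunk the new setting defaults to `false`, so a server that does not set it keeps showing the negotiated cipher string of local TLS clients to anyone who can WHOIS them; the restriction only exists on networks that opt in. If that default is deliberate for compatibility with existing WHOIS output, it deserves a comment next to the assignment, for example `/* off by default to preserve existing WHOIS output; yes limits the cipher string to opers and the user */`. The same reasoning is not given in the reference.conf comment, which only says what the option does. set_default_conf() starts and ends outside the hunk.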
diff --git a/modules/m_info.c b/modules/m_info.c
index d3c8e8c0..f7deda17 100644
--- a/modules/m_info.c
+++ b/modules/m_info.c
@@ -524,6 +524,12 @@ static struct InfoStruct info_table[] = {
 &ConfigFileEntry.away_interval,
 "The minimum time between aways",
 },
+ {
+ "tls_ciphers_oper_only",
+ OUTPUT_BOOLEAN_YN,
+ &ConfigFileEntry.tls_ciphers_oper_only,
+ "TLS cipher strings are hidden in whois for non-opers",
+ },
 {
 "default_split_server_count",
 OUTPUT_DECIMAL,
diff --git a/modules/m_whois.c b/modules/m_whois.c
index 0fc0f4f7..796d3084 100644
--- a/modules/m_whois.c
+++ b/modules/m_whois.c
@@ -334,7 +334,8 @@ single_whois(struct Client *source_p, struct Client *target_p, int operspy)
 {
 char cbuf[256] = "is using a secure connection";
- if (MyClient(target_p) && target_p->localClient->cipher_string != NULL)
+ if (MyClient(target_p) && target_p->localClient->cipher_string != NULL &&
+ (!ConfigFileEntry.tls_ciphers_oper_only || source_p == target_p || IsOper(source_p)))
 rb_snprintf_append(cbuf, sizeof(cbuf), " [%s]", target_p->localClient->cipher_string);
 sendto_one_numeric(source_p, RPL_WHOISSECURE, form_str(RPL_WHOISSECURE),
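Review bot: The description string in the new info_table entry of modules/m_info.c does not match the check added in m_whois.c, which also lets a user see their own cipher string through `source_p == target_p`. An operator reading /INFO would conclude that non-opers never see it. Wording such as `"TLS cipher strings are shown in whois only to opers and the user themselves"` would agree with both the code and the reference.conf comment. The info_table initializer continues outside the hunk.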
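Review bot: In the modules/m_whois.c hunk the disclosure policy is folded into one three-clause condition with no comment, and its oper clause, `IsOper(source_p)`, appears to admit every oper alike. As far as the hunk shows, `source_p` is not required to be local and no specific privilege is checked, so an oper elsewhere on the network would presumably see the cipher string too; if the project has a finer-grained privilege check, it is worth considering whether this information should sit behind it. At minimum I would put a comment above the `if`, such as `/* cipher string is only known for local clients; with tls_ciphers_oper_only it is shown to opers and the target only */`. The body of single_whois() starts and ends outside the hunk, so any earlier filtering of `source_p` is not visible here.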