# Authentication
{

my $auth = $db->get_prop($key,'Authentication') || 'TLS';
my $checkcrt = $db->get_prop($key,'CheckCertificateUsage') || 'disabled';
my $tlsremote = $db->get_prop($key,'RemoteCommonName') || '';

#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
# need to be changed on both side
my $HMAC = ( $db->get_prop($key,'HMAC') ) ?  $db->get_prop($key,'HMAC') : undef;
# cipher default to BF if empty,  we really want higher on new setup, but keep empty for default on existing one...
# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher')  : undef;

## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
my $tlsVmin = (  $db->get_prop($key,'tlsVmin') && ( $db->get_prop($key,'tlsVmin') =~ /^1\.[0-9]{1}$/  ) ) ? $db->get_prop($key,'tlsVmin')  : "1.2";
# TLS 1.3 encryption settings
my $tlsCipherSuites13 = (  $db->get_prop($key,'tlsCipherSuites13') ) ?  $db->get_prop($key,'tlsCipherSuites13') : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
# # TLS 1.2 encryption settings
my $tlsCipher12 = (  $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";




 


if ($auth eq 'SharedKey'){
    $OUT .= "secret priv/$key"."_sharedkey.pem\n";
}
elsif ($auth eq 'TLS'){
    if ($type eq 'server'){
        $OUT .= "tls-server\n";
	$OUT .= "tls-version-min $tlsVmin\n";
        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
        $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
        $OUT .= "ca pub/$key" . "_cacert.pem\n";
        $OUT .= "cert pub/$key" . "_cert.pem\n";
        $OUT .= "key priv/$key" . "_key.pem\n";
        $OUT .= "dh pub/$key" . "_dh.pem\n";
	$OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
        $OUT .= "ecdh-curve secp384r1\n";
        $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
           if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
              ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
        $OUT .= "crl-verify pub/$key" . "_cacrl.pem\n"
           if ( -e "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' ) &&
              ( ! -z "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' );
        $OUT .= "ns-cert-type client\n" if ($checkcrt eq 'enabled');
        $OUT .= "verify-x509-name $tlsremote name\n" if ($tlsremote ne '');
    }
    else{
        $OUT .= "tls-client\n";
        $OUT .= "tls-version-min $tlsVmin\n";
        $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
        $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;
        $OUT .= "ca pub/$key" . "_cacert.pem\n";
        $OUT .= "cert pub/$key" . "_cert.pem\n";
        $OUT .= "key priv/$key" . "_key.pem\n";
        $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
        $OUT .= "ecdh-curve secp384r1\n";
        $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
           if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
              ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
                $OUT .= "crl-verify pub/$key" . "_cacrl.pem\n"
           if ( -e "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' ) &&
              ( ! -z "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' );
        $OUT .= "ns-cert-type server\n" if ($checkcrt eq 'enabled');
        $OUT .= "verify-x509-name $tlsremote name\n" if ($tlsremote ne '');
    }
}

     # available for both sharedkey and tls
     # data channel
     $OUT .= "#securing data channel\n";
     $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
     #auth SHA512
     $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
#
}

