{
    # Template fragment: emits the control-channel (TLS) and data-channel
    # hardening lines of the openvpn-bridge server configuration. Every
    # setting is read from the 'openvpn-bridge' configuration record and the
    # generated text is appended to $OUT, which the template engine provides.
    my $conf = \%{'openvpn-bridge'};

    # Data-channel HMAC ('auth'). Left undefined when the record is empty so
    # OpenVPN falls back to its own default (SHA1) and existing deployments
    # keep working; a stronger value must be set on BOTH peers at once.
    my $hmac = $conf->{'HMAC'} || undef;

    # Data-channel cipher. Empty or 'auto' means "emit no cipher line" and
    # OpenVPN falls back to its default (Blowfish). OpenVPN applies
    # encrypt-then-MAC, so a CBC cipher is acceptable here; GCM data-channel
    # ciphers only exist from OpenVPN 2.4 onwards.
    my $cipher = $conf->{'Cipher'};
    undef $cipher unless $cipher && $cipher ne 'auto';

    # Minimum TLS version. Defaults to 1.2, which refuses TLS 1.0/1.1; a
    # record value of the form 1.x is honoured verbatim, so lowering it is a
    # deliberate choice made for very old clients, not something this
    # fragment does on its own.
    my $tls_min       = "1.2";
    my $requested_min = $conf->{'tlsVmin'};
    $tls_min = $requested_min
        if $requested_min && $requested_min =~ /^1\.[0-9]$/;

    # Control-channel cipher lists: TLS 1.3 ('tls-ciphersuites') and
    # TLS 1.2 ('tls-cipher'). Both always resolve to a non-empty string, so
    # both directives are always written.
    my $tls13_suites = $conf->{'tlsCipherSuites13'}
        || "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
    my $tls12_ciphers = $conf->{'tlsCipher12'}
        || "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";

    my @control_channel = (
        "#securing control channel\n",
        "tls-version-min $tls_min\n",
        "tls-cipher $tls12_ciphers\n",
        "tls-ciphersuites $tls13_suites\n",
    );
    # Not emitted: pinning 'ecdh-curve secp384r1' (might allow dropping the
    # DH parameters); kept out of the generated config for now.

    # When a setting is missing, a config comment documents the insecure
    # default that OpenVPN will use instead, so the weakness is visible in
    # the rendered file.
    my @data_channel = (
        "#securing data channel\n",
        defined $cipher
            ? "cipher $cipher\n"
            : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n",
        defined $hmac
            ? "auth $hmac\n"
            : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n",
    );

    $OUT .= join '', @control_channel, @data_channel;
}
