From 1fbdea09ba3481095203751fdebdf4d0d9d21966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Thu, 22 Apr 2021 15:27:11 +0300
Subject: [PATCH] Prepare for TLS 1.3

---
 pinecrypt/client/cli.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pinecrypt/client/cli.py b/pinecrypt/client/cli.py
index 62eb1d2..a4e5f33 100644
--- a/pinecrypt/client/cli.py
+++ b/pinecrypt/client/cli.py
@@ -383,8 +383,14 @@ def certidude_enroll(fork, no_wait, kerberos):
         fh.write("nobind\n")
         fh.write("remote %s 1194 udp\n" % endpoint)
         fh.write("remote %s 443 tcp\n" % endpoint)
-        fh.write("tls-version-min 1.2\n")
-        fh.write("tls-cipher %s\n" % bootstrap["openvpn"]["tls_cipher"])
+        fh.write("tls-version-min %s\n" % bootstrap["openvpn"]["tls_version_min"])
+        if bootstrap["openvpn"]["tls_version_min"] == "1.3":
+            fh.write("tls-ciphersuites %s\n" % bootstrap["openvpn"]["tls_ciphersuites"])
+        elif bootstrap["openvpn"]["tls_version_min"] == "1.2":
+            fh.write("tls-cipher %s\n" % bootstrap["openvpn"]["tls_cipher"])
+        else:
+            raise NotImplementedError("Unsupported TLS version")
+        fh.write("ncp-disable\n")
         fh.write("cipher %s\n" % bootstrap["openvpn"]["cipher"])
         fh.write("auth %s\n" % bootstrap["openvpn"]["auth"])
         fh.write("mute-replay-warnings\n")
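Review bot: The `else` branch raises only after `tls-version-min %s` has already been written, so an unsupported `tls_version_min` value leaves a half-written client config on disk; read the value into a local, validate it against `("1.2", "1.3")` first, and only then start the writes. With a minimum of `1.2` the peers may still negotiate TLS 1.3, to which `tls-cipher` does not apply, so a `tls_ciphersuites` entry should be emitted in that branch as well when the bootstrap carries one, rather than leaving the 1.3 suites at the TLS library's default. The unconditionally added `ncp-disable` is, as far as I recall, deprecated since OpenVPN 2.5 and removed in 2.6, so a client on a current release would reject this config; `data-ciphers` with the pinned `cipher` value is the documented replacement and is worth confirming against the target client versions. The enclosing function `certidude_enroll` starts and ends outside the hunk.
```python
        tls_version_min = bootstrap["openvpn"]["tls_version_min"]
        if tls_version_min not in ("1.2", "1.3"):
            # Validate before writing so a bad value never leaves a partial config behind.
            raise NotImplementedError("Unsupported TLS version")
        fh.write("tls-version-min %s\n" % tls_version_min)
        if tls_version_min == "1.2":
            fh.write("tls-cipher %s\n" % bootstrap["openvpn"]["tls_cipher"])
        # TLS 1.3 suites apply whenever 1.3 can be negotiated, i.e. for either minimum.
        if tls_version_min == "1.3" or "tls_ciphersuites" in bootstrap["openvpn"]:
            fh.write("tls-ciphersuites %s\n" % bootstrap["openvpn"]["tls_ciphersuites"])
        # … unchanged: ncp-disable, cipher, auth, mute-replay-warnings …
```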