--- rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch 2021/03/30 06:52:58 1.6
+++ rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch 2021/03/31 20:54:54 1.7
@@ -173,9 +173,9 @@ diff -Nur --no-dereference smeserver-ope
 +my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
 +
 +
-+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
-+# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
-+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
++
++
++
 +
 +
 + if ($auth eq 'SharedKey'){
@@ -186,7 +186,7 @@ diff -Nur --no-dereference smeserver-ope
  $OUT .= "tls-server\n";
 + $OUT .= "tls-version-min $tlsVmin\n";
 + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
-+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
++ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined tlsCipherSuites13;
  $OUT .= "ca pub/$key" . "_cacert.pem\n";
  $OUT .= "cert pub/$key" . "_cert.pem\n";
  $OUT .= "key priv/$key" . "_key.pem\n";
@@ -202,7 +202,7 @@ diff -Nur --no-dereference smeserver-ope
  $OUT .= "tls-client\n";
 + $OUT .= "tls-version-min $tlsVmin\n";
 + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
-+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
++ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined tlsCipherSuites13;
  $OUT .= "ca pub/$key" . "_cacert.pem\n";
  $OUT .= "cert pub/$key" . "_cert.pem\n";
  $OUT .= "key priv/$key" . "_key.pem\n";
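Review bot: The `my $cipher = ...` derivation and its rationale comment are removed and replaced by three blank lines, but nothing in this hunk removes the place where `$cipher` is consumed; if a `cipher $cipher` line still exists further down the template (outside this hunk), it now refers to an undeclared variable, which is a compile error under strict and an empty `cipher` directive otherwise. The removed comment itself records that an empty Cipher property means OpenVPN's built-in default, i.e. Blowfish, so whichever way the data-channel cipher is now chosen, that fallback should be stated rather than left implicit, especially for the static-key (`SharedKey`) branch where no cipher negotiation happens. If the intent is to leave the data channel to the daemon, replace the blank lines with a comment saying so, e.g. `# data-channel cipher intentionally not set here: OpenVPN default/NCP applies; note BF-CBC fallback on static-key links`. The enclosing template fragment starts before and continues after this hunk.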
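Review bot: The corrected tls-server line still guards on a bareword, `if defined tlsCipherSuites13`, rather than on the variable it interpolates, so the guard does not do what it says: under `use strict` it is a compile error, and without strict the bareword is a non-empty string, `defined` is always true, and a `tls-ciphersuites ` directive with an empty value is written whenever `$tlsCipherSuites13` is unset, which OpenVPN will reject at startup. The line should read `$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;`. Since `tls-ciphersuites` is only recognised by OpenVPN 2.5+ built against OpenSSL 1.1.1 and an older daemon refuses the whole config on an unknown option, a one-line comment stating that version requirement next to the guard would help; where `$tlsCipherSuites13` is assigned is outside this hunk, so I cannot tell whether that is already handled there.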
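Review bot: The `if defined tlsCipherSuites13` guard in the tls-client branch still tests a bareword, so the `tls-ciphersuites` line is emitted unconditionally (with an empty value when `$tlsCipherSuites13` is unset) or fails to compile under strict, exactly as in the server branch. Change it to `$OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13;` so client and server stay in step. The enclosing conditional on `$auth` opens outside this hunk and its closing brace is not visible here.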