2 files changed, 18 insertions, 0 deletions

diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 84e7975d..fd30ea5a 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {
 
             if (mUseLegacyProvider)
                 cfg.append("provider legacy:default\n");
+
+            if (!TextUtils.isEmpty(mTlSCertProfile))
+                cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
         } else {
             cfg.append("# Config for OpenVPN 3 C++\n");
         }
diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index a1b1bcb6..4126f65c 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -546,6 +546,21 @@ public class ConfigParser {
         {
             np.mDataCiphers = ncp_ciphers.get(1);
         }
+        Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
+        if (tls_cert_profile != null)
+        {
+            String profile = tls_cert_profile.get(1);
+            for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
+                if (choice.equals(profile)) {
+                    np.mTlSCertProfile = profile;
+                    break;
+                }
+            }
+            if (!profile.equals(np.mTlSCertProfile))
+            {
+                throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
+            }
+        }
 
 
         Vector<String> compatmode = getOption("compat-mode", 1, 1);