diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..fb9f1a6
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-01-09 - Hardcoded Cipher Suite
+**Vulnerability:** The `entrypoint.sh` script hardcoded `DHE-RSA-AES256-SHA` as the only allowed cipher suite using `ServerCipherSet`.
+**Learning:** This restriction prevents users from utilizing modern, stronger ciphers like `AES256-GCM-SHA384` (TLS 1.2) unless they modify the entrypoint script. Hardcoding security configurations limits adaptability and improvements.
+**Prevention:** Always expose security parameters (like cipher suites, protocols, key lengths) as configuration variables (env vars) with secure defaults.
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 0d224a0..927c007 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -63,9 +63,10 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 # while-loop to wait until server comes up
 # switch cipher
+ : ${CIPHER_SUITES:='DHE-RSA-AES256-SHA'}
 while :; do
 set +e
- vpncmd_server ServerCipherSet DHE-RSA-AES256-SHA 2>&1 >/dev/null
+ vpncmd_server ServerCipherSet "${CIPHER_SUITES}" 2>&1 >/dev/null
 [[ $? -eq 0 ]] && break
 set -e
 sleep 1