diff --git a/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift b/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
index 364763e..41d7478 100644
--- a/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Authenticator.swift
@@ -86,7 +86,7 @@ extension SessionProxy {
 // MARK: Authentication request
 
 // Ruby: on_tls_connect
- func putAuth(into: TLSBox) throws {
+ func putAuth(into: TLSBox, options: SessionProxy.Configuration) throws {
 let raw = Z(ProtocolMacros.tlsPrefix)
 
 // local keys
@@ -94,8 +94,37 @@ extension SessionProxy {
 raw.append(random1)
 raw.append(random2)
 
- // opts (empty string)
- raw.appendSized(Z(UInt8(0)))
+ // options string
+ var opts = [
+ "V4",
+ "cipher \(options.fallbackCipher.rawValue)",
+ "auth \(options.fallbackDigest.rawValue)",
+ "keysize \(options.fallbackCipher.keySize)"
+ ]
+ if let comp = options.compressionFraming {
+ switch comp {
+ case .compLZO:
+ opts.append("comp-lzo")
+
+ case .compress:
+ opts.append("compress")
+
+ default:
+ break
+ }
+ }
+ if let strategy = options.tlsWrap?.strategy {
+ switch strategy {
+ case .auth:
+ opts.append("tls-auth")
+
+ case .crypt:
+ opts.append("tls-crypt")
+ }
+ }
+ let optsString = opts.joined(separator: ",")
+ log.debug("TLS.auth: Local options: \(optsString)")
+ raw.appendSized(Z(optsString, nullTerminated: true))
 
 // credentials
 if let username = username, let password = password {
diff --git a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
index 68d2482..de1419a 100644
--- a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
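Review bot: The options string in the second hunk advertises `auth \(options.fallbackDigest.rawValue)` unconditionally, yet this same change documents on the cipher enum (`embedsDigest`) that the digest is ignored for GCM ciphers, so for an AEAD cipher the string announces a digest the session will never use; a peer that checks peer options strictly may then see a field that does not match what the reference client would send for that cipher (it reports the digest differently for AEAD ciphers — worth confirming against it before changing the literal), e.g. `"auth \(options.fallbackCipher.embedsDigest ? "[null-digest]" : options.fallbackDigest.rawValue)"`. The `default: break` in the `compressionFraming` switch hides any compression-framing case the compiler could otherwise flag; if that enum is owned by this module, naming its remaining case(s) explicitly keeps the switch exhaustive, as the `tlsWrap?.strategy` switch just below already is. The `log.debug` line emits only option names and the configured cipher/digest, no credentials, which is fine. `putAuth` continues past the hunk (the credentials block starts at its last lines).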
@@ -85,6 +85,20 @@ extension SessionProxy {
 /// AES encryption with 256-bit key size and GCM.
 case aes256gcm = "AES-256-GCM"
 
+ /// Returns the key size for this cipher.
+ public var keySize: Int {
+ switch self {
+ case .aes128cbc, .aes128gcm:
+ return 128
+
+ case .aes192cbc, .aes192gcm:
+ return 192
+
+ case .aes256cbc, .aes256gcm:
+ return 256
+ }
+ }
+
 /// Digest should be ignored when this is `true`.
 public var embedsDigest: Bool {
 return rawValue.hasSuffix("-GCM")
diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift
index 5f278ce..b09b812 100644
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@@ -671,7 +671,7 @@ public class SessionProxy {
 do {
 authenticator = try Authenticator(credentials?.username, pushReply?.options.authToken ?? credentials?.password)
- try authenticator?.putAuth(into: negotiationKey.tls)
+ try authenticator?.putAuth(into: negotiationKey.tls, options: configuration)
 } catch let e {
 deferStop(.shutdown, e)
 return
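Review bot: The doc comment on the new `keySize` property does not state its unit, and the value is interpolated straight into the `keysize` field of the options string built in SessionProxy+Authenticator.swift, where the peer reads it as a bit count; `/// Returns the key size for this cipher, in bits.` makes that contract explicit at the definition. The explicit switch is the right shape here even though `rawValue` already encodes the size: a future cipher case fails to compile instead of being silently mis-parsed from the string. The values 128/192/256 agree with the visible case names.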