From 96a18b2d8de3996a558dc5b5553734d75bac0b0f Mon Sep 17 00:00:00 2001
From: bol-van <k@vodka.home.kg>
Date: Sat, 11 Dec 2021 11:52:53 +0300
Subject: [PATCH] blockcheck: test for tls-max option present (curl 7.54+)

---
 blockcheck.sh | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/blockcheck.sh b/blockcheck.sh
index f5d32be..359caa1 100755
--- a/blockcheck.sh
+++ b/blockcheck.sh
@@ -141,6 +141,13 @@ curl_supports_tls13()
 	curl --tlsv1.3 -Is -o /dev/null https://w3.org 2>/dev/null
 	[ $? != 4 ]
 }
+curl_supports_tlsmax()
+{
+	# supported since curl 7.54
+	curl --tls-max 1.2 -Is -o /dev/null http://$LOCALHOST_IPT:65535 2>/dev/null
+	# return code 2 = init failed. likely bad command line options
+	[ $? != 2 ]
+}
 
 hdrfile_http_code()
 {
@@ -184,7 +191,7 @@ curl_test_https_tls12()
 
 	# prevent using QUIC if available in curl
 	# do not use tls 1.3 to make sure server certificate is not encrypted
-	curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tls-max 1.2 "https://$2" -o /dev/null 2>&1 
+	curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 $TLSMAX12 "https://$2" -o /dev/null 2>&1 
 }
 curl_test_https_tls13()
 {
@@ -193,7 +200,7 @@ curl_test_https_tls13()
 
 	# prevent using QUIC if available in curl
 	# force TLS1.3 mode
-	curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tlsv1.3 --tls-max 1.3 "https://$2" -o /dev/null 2>&1 
+	curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1 
 }
 
 nfqws_ipt_prepare()
@@ -484,6 +491,17 @@ configure_ip_version()
 		LOCALHOST_IPT=127.0.0.1
 	fi
 }
+configure_curl_opt()
+{
+	TLSMAX12=
+	TLSMAX13=
+	curl_supports_tlsmax && {
+		TLSMAX12="--tls-max 1.2"
+		TLSMAX13="--tls-max 1.3"
+	}
+	TLS13=
+	curl_supports_tls13 && TLS13=1
+}
 
 ask_params()
 {
@@ -503,6 +521,7 @@ ask_params()
 		exitp 1
 	}
 	configure_ip_version
+	configure_curl_opt
 
 	ENABLE_HTTP=1
 	ask_yes_no_var ENABLE_HTTP "check http"
@@ -512,7 +531,7 @@ ask_params()
 
 	ENABLE_HTTPS_TLS13=0
 	echo
-	if curl_supports_tls13; then
+	if [ -n "$TLS13" ]; then
 		echo "TLS 1.3 is the new standard for encrypted communications over TCP"
 		echo "its the most important feature for DPI bypass is encrypted TLS ServerHello"
 		echo "more and more sites enable TLS 1.3 but still there're many sites with only TLS 1.2 support"