diff --git a/blockcheck.sh b/blockcheck.sh
index c50052e..ebb9def 100755
--- a/blockcheck.sh
+++ b/blockcheck.sh
@@ -253,6 +253,16 @@ curl_supports_tls13()
 [ $? != 4 ]
 }
 
+curl_supports_tlsmax()
+{
+ # supported only in OpenSSL and LibreSSL
+ curl --version | grep -Fq -e OpenSSL -e LibreSSL -e GnuTLS || return 1
+ # supported since curl 7.54
+ curl --tls-max 1.2 -Is -o /dev/null http://$LOCALHOST_IPT:65535 2>/dev/null
+ # return code 2 = init failed. likely bad command line options
+ [ $? != 2 ]
+}
+
 hdrfile_http_code()
 {
 # $1 - hdr file
@@ -294,7 +304,7 @@ curl_test_https_tls12()
 # $2 - domain name
 
 # do not use tls 1.3 to make sure server certificate is not encrypted
- curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 "https://$2" -o /dev/null 2>&1
+ curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1
 }
 curl_test_https_tls13()
 {
@@ -302,7 +312,7 @@ curl_test_https_tls13()
 # $2 - domain name
 
 # force TLS1.3 mode
- curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 "https://$2" -o /dev/null 2>&1
+ curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1
 }
 pktws_ipt_prepare()
@@ -715,6 +725,14 @@ configure_ip_version()
 }
 configure_curl_opt()
 {
+ # wolfssl : --tlsv1.x mandates exact ssl version, tls-max not supported
+ # openssl : --tlsv1.x means "version equal or greater", tls-max supported
+ TLSMAX12=
+ TLSMAX13=
+ curl_supports_tlsmax && {
+ TLSMAX12="--tls-max 1.2"
+ TLSMAX13="--tls-max 1.3"
+ }
 TLS13=
 curl_supports_tls13 && TLS13=1
 }
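Review bot: The header comment in `curl_supports_tlsmax` says `--tls-max` is supported only in OpenSSL and LibreSSL, but the `grep` on the next line also accepts GnuTLS, so the comment and the check disagree; reword it to `# supported only with the OpenSSL, LibreSSL and GnuTLS backends` so they stay in step. The probe URL `http://$LOCALHOST_IPT:65535` is expanded unquoted, and if `LOCALHOST_IPT` is unset or empty when this runs curl is handed `http://:65535`, whose exit status would most likely not be 2 and so be read as "tls-max supported"; a guard such as `[ -n "$LOCALHOST_IPT" ] || return 1` before the probe makes the detection fail closed instead. Whether `LOCALHOST_IPT` is already initialised at the point `configure_curl_opt` calls this cannot be seen from the hunk.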
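Review bot: `$TLSMAX12` on the new curl line (and `$TLSMAX13` in the curl_test_https_tls13 hunk) is deliberately left unquoted so that an empty value contributes no argument and a set value splits into `--tls-max 1.2`; that follows the existing `$CURL_OPT` convention, but it is exactly the kind of expansion a later cleanup would "fix" by quoting, which would then pass an empty string to curl as a URL. A one-line comment above each call, `# $TLSMAX12 intentionally unquoted: empty, or splits into "--tls-max 1.2"`, would protect the intent. The comment already on the line above could also say why the max matters here: with an OpenSSL-built curl `--tlsv1.2` alone is a minimum, so without `--tls-max 1.2` the "certificate is not encrypted" assumption could be broken by a TLS 1.3 negotiation.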
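Review bot: `configure_curl_opt` now calls `curl_supports_tlsmax`, which performs a live connect to `$LOCALHOST_IPT:65535`, so this function has an ordering dependency on whatever initialises `LOCALHOST_IPT` (presumably `configure_ip_version`, which closes just above, but that is inferred rather than visible) and on the local port being closed, since an unrelated listener there would receive a HEAD request. That is worth stating in the new comment block, e.g. `# needs LOCALHOST_IPT: curl_supports_tlsmax probes it over the loopback`. The two backend comments could also note that for the 1.3 test `--tlsv1.3 --tls-max 1.3` pins a single version, while for 1.2 the `--tls-max 1.2` is what stops an OpenSSL-built curl from negotiating 1.3.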