From 6ba23f26247a0491ff6deee5ce62bd4d686dd74d Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 26 Mar 2023 12:52:30 +0300 Subject: [PATCH] blockcheck: return tls-max for openssl --- blockcheck.sh | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/blockcheck.sh b/blockcheck.sh index c50052e..ebb9def 100755 --- a/blockcheck.sh +++ b/blockcheck.sh @@ -253,6 +253,16 @@ curl_supports_tls13() [ $? != 4 ] } +curl_supports_tlsmax() +{ + # supported only in OpenSSL and LibreSSL + curl --version | grep -Fq -e OpenSSL -e LibreSSL -e GnuTLS || return 1 + # supported since curl 7.54 + curl --tls-max 1.2 -Is -o /dev/null http://$LOCALHOST_IPT:65535 2>/dev/null + # return code 2 = init failed. likely bad command line options + [ $? != 2 ] +} + hdrfile_http_code() { # $1 - hdr file @@ -294,7 +304,7 @@ curl_test_https_tls12() # $2 - domain name # do not use tls 1.3 to make sure server certificate is not encrypted - curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 "https://$2" -o /dev/null 2>&1 + curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.2 $TLSMAX12 "https://$2" -o /dev/null 2>&1 } curl_test_https_tls13() { @@ -302,7 +312,7 @@ curl_test_https_tls13() # $2 - domain name # force TLS1.3 mode - curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 "https://$2" -o /dev/null 2>&1 + curl -${1}ISs -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT --tlsv1.3 $TLSMAX13 "https://$2" -o /dev/null 2>&1 } pktws_ipt_prepare() @@ -715,6 +725,14 @@ configure_ip_version() } configure_curl_opt() { + # wolfssl : --tlsv1.x mandates exact ssl version, tls-max not supported + # openssl : --tlsv1.x means "version equal or greater", tls-max supported + TLSMAX12= + TLSMAX13= + curl_supports_tlsmax && { + TLSMAX12="--tls-max 1.2" + TLSMAX13="--tls-max 1.3" + } TLS13= curl_supports_tls13 && TLS13=1 }