diff --git a/docs/changes.txt b/docs/changes.txt
index 7e50633..fe9805b 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -481,3 +481,7 @@ nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SN
 nfqws: multiple mods for multiple TLS fakes
 init.d: remove 50-discord
 blockcheck: use tpws --fix-seg on linux for multiple splits
+
+v70.7
+
+nfqws,tpws: debug tls version
diff --git a/nfq/desync.c b/nfq/desync.c
index 5bd1397..54fb3d5 100644
--- a/nfq/desync.c
+++ b/nfq/desync.c
@@ -83,6 +83,35 @@ const uint8_t fake_tls_clienthello_default[680] = {
 #define TCP_MAX_REASM 16384
 #define UDP_MAX_REASM 16384
 
+void TLSDebug(const uint8_t *tls,size_t sz)
+{
+	if (sz<11) return;
+
+	uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v;
+	DLOG("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake));
+
+	const uint8_t *ext_supvers;
+	size_t len_supvers,len_supvers2;
+	if (TLSFindExt(tls,sz,43,&ext_supvers,&len_supvers,false))
+	{
+		if (len_supvers)
+		{
+			len_supvers2 = ext_supvers[0];
+			if (len_supvers2<len_supvers)
+			{
+				for(ext_supvers++,len_supvers2&=~1 ; len_supvers2 ; len_supvers2-=2,ext_supvers+=2)
+				{
+					v = pntoh16(ext_supvers);
+					DLOG("TLS supported versions ext : %s\n",TLSVersionStr(v));
+				}
+			}
+		}
+	}
+	else
+		DLOG("TLS supported versions ext : not present\n");
+}
+
+
 bool desync_valid_zero_stage(enum dpi_desync_mode mode)
 {
 	return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;
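Review bot: In the new TLSDebug, a supported_versions extension that is present but empty, or whose list-length byte is not smaller than the extension length, falls through both inner `if`s and logs nothing, so the debug output goes silent exactly when the ClientHello is malformed. Adding `else DLOG("TLS supported versions ext : malformed\n");` to those length checks would make that case visible. Offsets 1 and 9 are read without checking the record or handshake type, so the function relies on the caller having already identified `tls` as a ClientHello record; a comment such as `// tls must be a pre-validated TLS ClientHello record; contents are untrusted network data` would state that precondition. No prototype for TLSDebug appears in this diff, so it could be `static` if nothing outside desync.c calls it. The same points apply to the copy added in tpws/tamper.c, which uses VPRINT instead of DLOG.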
@@ -966,6 +995,8 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG(bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n");
 			l7proto = TLS;
 
+			if (bReqFull && params.debug) TLSDebug(rdata_payload,rlen_payload);
+
 			bHaveHost=TLSHelloExtractHost(rdata_payload,rlen_payload,host,sizeof(host),TLS_PARTIALS_ENABLE);
 
 			if (ctrack)
diff --git a/nfq/protocol.c b/nfq/protocol.c
index 2035a9a..26c8adf 100644
--- a/nfq/protocol.c
+++ b/nfq/protocol.c
@@ -345,6 +345,19 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
 }
 
 
+const char *TLSVersionStr(uint16_t tlsver)
+{
+	switch(tlsver)
+	{
+		case 0x0301: return "TLS 1.0";
+		case 0x0302: return "TLS 1.1";
+		case 0x0303: return "TLS 1.2";
+		case 0x0304: return "TLS 1.3";
+		default:
+			// 0x0a0a, 0x1a1a, ..., 0xfafa
+			return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
+	}
+}
 
 uint16_t TLSRecordDataLen(const uint8_t *data)
 {
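Review bot: TLSVersionStr has no comment describing its contract, and every unlisted value, including 0x0300 (SSL 3.0), is reported as "UNKNOWN", so the actual number is lost from the debug log. A header comment such as `// maps a TLS wire version to a static string, never NULL; GREASE values per RFC 8701` would document it. The callers could also print the raw value next to the name, e.g. `"%s (0x%04X)"`, so an unexpected version can still be identified from the log. The identical copy added to tpws/protocol.c has the same gap.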
diff --git a/nfq/protocol.h b/nfq/protocol.h
index 8658b80..df7dc24 100644
--- a/nfq/protocol.h
+++ b/nfq/protocol.h
@@ -57,6 +57,7 @@ int HttpReplyCode(const uint8_t *data, size_t len);
 // must be pre-checked by IsHttpReply
 bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
 
+const char *TLSVersionStr(uint16_t tlsver);
 uint16_t TLSRecordDataLen(const uint8_t *data);
 size_t TLSRecordLen(const uint8_t *data);
 bool IsTLSRecordFull(const uint8_t *data, size_t len);
diff --git a/tpws/protocol.c b/tpws/protocol.c
index 9639186..2668d4d 100644
--- a/tpws/protocol.c
+++ b/tpws/protocol.c
@@ -339,6 +339,20 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
 
 
 
+const char *TLSVersionStr(uint16_t tlsver)
+{
+	switch(tlsver)
+	{
+		case 0x0301: return "TLS 1.0";
+		case 0x0302: return "TLS 1.1";
+		case 0x0303: return "TLS 1.2";
+		case 0x0304: return "TLS 1.3";
+		default:
+			// 0x0a0a, 0x1a1a, ..., 0xfafa
+			return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
+	}
+}
+
 uint16_t TLSRecordDataLen(const uint8_t *data)
 {
 	return pntoh16(data + 3);
diff --git a/tpws/protocol.h b/tpws/protocol.h
index 82318c6..7bd0cf4 100644
--- a/tpws/protocol.h
+++ b/tpws/protocol.h
@@ -53,6 +53,7 @@ int HttpReplyCode(const uint8_t *data, size_t len);
 // must be pre-checked by IsHttpReply
 bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
 
+const char *TLSVersionStr(uint16_t tlsver);
 uint16_t TLSRecordDataLen(const uint8_t *data);
 size_t TLSRecordLen(const uint8_t *data);
 bool IsTLSRecordFull(const uint8_t *data, size_t len);
diff --git a/tpws/tamper.c b/tpws/tamper.c
index 00b653d..caae979 100644
--- a/tpws/tamper.c
+++ b/tpws/tamper.c
@@ -15,6 +15,34 @@ void packet_debug(const uint8_t *data, size_t sz)
 	hexdump_limited_dlog(data, sz, PKTDATA_MAXDUMP); VPRINT("\n");
 }
 
+void TLSDebug(const uint8_t *tls,size_t sz)
+{
+	if (sz<11) return;
+
+	uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v;
+	VPRINT("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake));
+
+	const uint8_t *ext_supvers;
+	size_t len_supvers,len_supvers2;
+	if (TLSFindExt(tls,sz,43,&ext_supvers,&len_supvers,false))
+	{
+		if (len_supvers)
+		{
+			len_supvers2 = ext_supvers[0];
+			if (len_supvers2<len_supvers)
+			{
+				for(ext_supvers++,len_supvers2&=~1 ; len_supvers2 ; len_supvers2-=2,ext_supvers+=2)
+				{
+					v = pntoh16(ext_supvers);
+					VPRINT("TLS supported versions ext : %s\n",TLSVersionStr(v));
+				}
+			}
+		}
+	}
+	else
+		VPRINT("TLS supported versions ext : not present\n");
+}
+
 static bool dp_match(struct desync_profile *dp, const struct sockaddr *dest, const char *hostname, t_l7proto l7proto)
 {
 	bool bHostlistsEmpty;
@@ -130,6 +158,7 @@ void tamper_out(t_ctrack *ctrack, const struct sockaddr *dest, uint8_t *segment,
 	{
 		VPRINT("Data block contains TLS ClientHello\n");
 		l7proto=TLS;
+		if (params.debug) TLSDebug(segment,*size);
 		bHaveHost=TLSHelloExtractHost((uint8_t*)segment,*size,Host,sizeof(Host),false);
 	}
 	else
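Review bot: This call is gated only on `params.debug`, whereas the nfqws call also requires `bReqFull`, and TLSDebug passes `false` as the last argument of TLSFindExt. If that flag disallows partial records (presumably, as with the `false` passed to TLSHelloExtractHost on the next line), a truncated hello would be logged as "TLS supported versions ext : not present" even though the extension may simply lie beyond the segment. The condition that selects this branch is outside the hunk, so this matters only if it admits partial hellos. In that case `if (params.debug && IsTLSRecordFull(segment,*size)) TLSDebug(segment,*size);` would keep the log from reporting a false negative. tamper_out's body starts and ends outside the hunk.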