1#!/bin/sh
 2# check what tls versions a given hosts support, using brssl cli. doesn't support tls 1.3, but 
 3# that's mostly fine, if a site doesn't support all 3, you can assume it's using tls 1.3 most
 4# of the time. this is mostly to check why some site is bugging under bearssl, usually it's 
 5# because they force tls 1.3 :(
 6#
 7# dependencies:
 8#     shell
 9#     brssl cli from bearssl
10
11set -eu
12
13usage() {
14	printf 'usage: %s host[:port]\n' "${0##*/}" >&2
15	exit 2
16}
17
18[ "$#" -eq 1 ] || usage
19
20target=$1
21
22case $target in
23*:[0-9]*)
24		;;
25	*)
26		target=$target:443
27		;;
28esac
29
30for ver in tls10 tls11 tls12; do
31	out=$(
32		brssl client "$target" -vmin "$ver" -vmax "$ver" </dev/null 2>&1 || true
33	)
34
35	case $out in
36	*"Handshake completed"*)
37		printf '%s yes\n' "$ver"
38		;;
39	*)
40		printf '%s no\n' "$ver"
41		;;
42	esac
43done