proxy_role/overlay/Linux/usr/local/bin/pr$

#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-

ROLE=proxy

. /usr/local/bin/usr_local_tput.bash || exit 2

## proxy_ami_cloudflared
proxy_ami_cloudflared() {
    [ $# -gt 0 ] || return 1
    local ip=$1
    # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
    # a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
    # https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
    for no in "${CLOUDF[@]}" ; do
	nopat=`sed -e 's/\.0.*//' <<< $no`
	[[ $ip =~ ${nopat}.* ]] && {
	    # WARN $url cloudflared $ip $no
	    echo True
	    return 0
	    }
    done
    echo False
    return 0
}
	
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
    [ $# -gt 0 ] || return 1
    local ip=$1
    a=`proxy_ami_cloudflared $ip`
    if [ $? -eq 0 -a "$a" = True ] ; then
	echo $a
	return 0
    fi
    
    for no in "${CLOUDF[@]}" ; do
	a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
	if [ $? -eq 0 -a "$a" = True ] ; then
	    echo $a
	    return 0
	fi
    done
    echo False
    return 0
}

# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
	[0]=OK
	[1]=ERR_UNSPECIFIED
	[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
	[3]=ERR_UNABLE_TO_GET_CRL
	[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
	[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
	[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
	[7]=ERR_CERT_SIGNATURE_FAILURE
	[8]=ERR_CRL_SIGNATURE_FAILURE
	[9]=ERR_CERT_NOT_YET_VALID
	[10]=ERR_CERT_HAS_EXPIRED
	[11]=ERR_CRL_NOT_YET_VALID
	[12]=ERR_CRL_HAS_EXPIRED
	[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
	[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
	[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
	[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
	[17]=ERR_OUT_OF_MEM
	[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
	[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
	[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
	[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
	[22]=ERR_CERT_CHAIN_TOO_LONG
	[23]=ERR_CERT_REVOKED
	[24]=ERR_INVALID_CA
	[25]=ERR_PATH_LENGTH_EXCEEDED
	[26]=ERR_INVALID_PURPOSE
	[27]=ERR_CERT_UNTRUSTED
	[28]=ERR_CERT_REJECTED
	# These are 'informational' when looking for issuer cert
	[29]=ERR_SUBJECT_ISSUER_MISMATCH
	[30]=ERR_AKID_SKID_MISMATCH
	[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
	[32]=ERR_KEYUSAGE_NO_CERTSIGN
	[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
	[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
	[35]=ERR_KEYUSAGE_NO_CRL_SIGN
	[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
	[37]=ERR_INVALID_NON_CA
	[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
	[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
	[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
	[41]=ERR_INVALID_EXTENSION
	[42]=ERR_INVALID_POLICY_EXTENSION
	[43]=ERR_NO_EXPLICIT_POLICY
	[44]=ERR_DIFFERENT_CRL_SCOPE
	[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
	[46]=ERR_UNNESTED_RESOURCE
	[47]=ERR_PERMITTED_VIOLATION
	[48]=ERR_EXCLUDED_VIOLATION
	[49]=ERR_SUBTREE_MINMAX
	# The application is not happy
	[50]=ERR_APPLICATION_VERIFICATION
	[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
	[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
	[53]=ERR_UNSUPPORTED_NAME_SYNTAX
	[54]=ERR_CRL_PATH_VALIDATION_ERROR
	# Another issuer check debug option
	[55]=ERR_PATH_LOOP
	# Suite B mode algorithm violation
	[56]=ERR_SUITE_B_INVALID_VERSION
	[57]=ERR_SUITE_B_INVALID_ALGORITHM
	[58]=ERR_SUITE_B_INVALID_CURVE
	[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
	[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
	[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
	# Host, email and IP check errors
	[62]=ERR_HOSTNAME_MISMATCH
	[63]=ERR_EMAIL_MISMATCH
	[64]=ERR_IP_ADDRESS_MISMATCH
	# DANE TLSA errors
	[65]=ERR_DANE_NO_MATCH
	# security level errors
	[66]=ERR_EE_KEY_TOO_SMALL
	[67]=ERR_CA_KEY_TOO_SMALL
	[68]=ERR_CA_MD_TOO_WEAK
	# Caller error
	[69]=ERR_INVALID_CALL
	# Issuer lookup error
	[70]=ERR_STORE_LOOKUP
	# Certificate transparency
	[71]=ERR_NO_VALID_SCTS

	[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
	# OCSP status errors
	[73]=ERR_OCSP_VERIFY_NEEDED  	# Need OCSP verification
	[74]=ERR_OCSP_VERIFY_FAILED  	# Couldn't verify cert through OCSP
	[75]=ERR_OCSP_CERT_UNKNOWN  	# Certificate wasn't recognized by the OCSP responder
	[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
	[77]=ERR_NO_ISSUER_PUBLIC_KEY
	[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
	[79]=ERR_EC_KEY_EXPLICIT_PARAMS
	)

# man 3 libcurl-errors
declare -A CURLE
CURLE=(
	[0]=CURLE_OK
	[1]=CURLE_UNSUPPORTED_PROTOCOL
	[2]=CURLE_FAILED_INIT
	[3]=CURLE_URL_MALFORMAT
	[4]=CURLE_NOT_BUILT_IN
	[5]=CURLE_COULDNT_RESOLVE_PROXY
	[6]=CURLE_COULDNT_RESOLVE_HOST
	[7]=CURLE_COULDNT_CONNECT
	[8]=CURLE_WEIRD_SERVER_REPLY
	[9]=CURLE_REMOTE_ACCESS_DENIED
	[10]=CURLE_FTP_ACCEPT_FAILED
	[11]=CURLE_FTP_WEIRD_PASS_REPLY
	[12]=CURLE_FTP_ACCEPT_TIMEOUT
	[13]=CURLE_FTP_WEIRD_PASV_REPLY
	[14]=CURLE_FTP_WEIRD_227_FORMAT
	[15]=CURLE_FTP_CANT_GET_HOST
	[16]=CURLE_HTTP2
	[17]=CURLE_FTP_COULDNT_SET_TYPE
	[18]=CURLE_PARTIAL_FILE
	[19]=CURLE_FTP_COULDNT_RETR_FILE
	[21]=CURLE_QUOTE_ERROR
	[22]=CURLE_HTTP_RETURNED_ERROR
	[23]=CURLE_WRITE_ERROR
	[25]=CURLE_UPLOAD_FAILED
	[26]=CURLE_READ_ERROR
	[27]=CURLE_OUT_OF_MEMORY
	[28]=CURLE_OPERATION_TIMEDOUT
	[30]=CURLE_FTP_PORT_FAILED
	[31]=CURLE_FTP_COULDNT_USE_REST
	[33]=CURLE_RANGE_ERROR
	[34]=CURLE_HTTP_POST_ERROR
	[35]=CURLE_SSL_CONNECT_ERROR
	[36]=CURLE_BAD_DOWNLOAD_RESUME
	[37]=CURLE_FILE_COULDNT_READ_FILE
	[38]=CURLE_LDAP_CANNOT_BIND
	[39]=CURLE_LDAP_SEARCH_FAILED
	[41]=CURLE_FUNCTION_NOT_FOUND
	[42]=CURLE_ABORTED_BY_CALLBACK
	[43]=CURLE_BAD_FUNCTION_ARGUMENT
	[45]=CURLE_INTERFACE_FAILED
	[47]=CURLE_TOO_MANY_REDIRECTS
	[48]=CURLE_UNKNOWN_OPTION
	[49]=CURLE_SETOPT_OPTION_SYNTAX
	[52]=CURLE_GOT_NOTHING
	[53]=CURLE_SSL_ENGINE_NOTFOUND
	[54]=CURLE_SSL_ENGINE_SETFAILED
	[55]=CURLE_SEND_ERROR
	[56]=CURLE_RECV_ERROR
	[58]=CURLE_SSL_CERTPROBLEM
	[59]=CURLE_SSL_CIPHER
	[60]=CURLE_PEER_FAILED_VERIFICATION
	[61]=CURLE_BAD_CONTENT_ENCODING
	[62]=CURLE_LDAP_INVALID_URL
	[63]=CURLE_FILESIZE_EXCEEDED
	[64]=CURLE_USE_SSL_FAILED
	[65]=CURLE_SEND_FAIL_REWIND
	[66]=CURLE_SSL_ENGINE_INITFAILED
	[67]=CURLE_LOGIN_DENIED
	[68]=CURLE_TFTP_NOTFOUND
	[69]=CURLE_TFTP_PERM
	[70]=CURLE_REMOTE_DISK_FULL
	[71]=CURLE_TFTP_ILLEGAL
	[72]=CURLE_TFTP_UNKNOWNID
	[73]=CURLE_REMOTE_FILE_EXISTS
	[74]=CURLE_TFTP_NOSUCHUSER
	[75]=CURLE_CONV_FAILED
	[76]=CURLE_CONV_REQD
	[77]=CURLE_SSL_CACERT_BADFILE
	[78]=CURLE_REMOTE_FILE_NOT_FOUND
	[79]=CURLE_SSH
	[80]=CURLE_SSL_SHUTDOWN_FAILED
	[81]=CURLE_AGAIN
	[82]=CURLE_SSL_CRL_BADFILE
	[83]=CURLE_SSL_ISSUER_ERROR
	[84]=CURLE_FTP_PRET_FAILED
	[85]=CURLE_RTSP_CSEQ_ERROR
	[86]=CURLE_RTSP_SESSION_ERROR
	[87]=CURLE_FTP_BAD_FILE_LIST
	[88]=CURLE_CHUNK_FAILED
	[89]=CURLE_NO_CONNECTION_AVAILABLE
	[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
	[91]=CURLE_SSL_INVALIDCERTSTATUS
	[92]=CURLE_HTTP2_STREAM
	[93]=CURLE_RECURSIVE_API_CALL
	[94]=CURLE_AUTH_ERROR
	[95]=CURLE_HTTP3
	[96]=CURLE_QUIC_CONNECT_ERROR
	[98]=CURLE_SSL_CLIENTCERT
	[99]=CURLE_UNRECOVERABLE_POLL
)

#    20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
	[100]="Continue"
	[101]="Switching Protocols"
	[103]="Early Hints"
	[200]="OK"
	[201]="Created"
	[202]="Accepted"
	[203]="Non-Authoritative Information"
	[204]="No Content"
	[205]="Reset Content"
	[206]="Partial Content"
	[300]="Multiple Choices"
	[301]="Moved Permanently"
	[302]="Found"
	[303]="See Other"
	[304]="Not Modified"
	[307]="Temporary Redirect"
	[308]="Permanent Redirect"
	[400]="Bad Request"
	[401]="Unauthorized"
	[402]="Payment Required"
	[403]="Forbidden"
	[404]="Not Found"
	[405]="Method Not Allowed"
	[406]="Not Acceptable"
	[407]="Proxy Authentication Required"
	[408]="Request Timeout"
	[409]="Conflict"
	[410]="Gone"
	[411]="Length Required"
	[412]="Precondition Failed"
	[413]="Payload Too Large"
	[414]="URI Too Long"
	[415]="Unsupported Media Type"
	[416]="Range Not Satisfiable"
	[417]="Expectation Failed"
	[418]="Im a teapot"
	[422]="Unprocessable Entity"
	[425]="Too Early"
	[426]="Upgrade Required"
	[428]="Precondition Required"
	[429]="Too Many Requests"
	[431]="Request Header Fields Too Large"
	[451]="Unavailable For Legal Reasons"
	[500]="Internal Server Error"
	[501]="Not Implemented"
	[502]="Bad Gateway"
	[503]="Service Unavailable"
	[504]="Gateway Timeout"
	[505]="HTTP Version Not Supported"
	[506]="Variant Also Negotiates"
	[507]="Insufficient Storage"
	[508]="Loop Detected"
	[510]="Not Extended"
	[511]="Network Authentication Required"
)

# https://curl.se/docs/ssl-ciphers.html

# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html

# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
    export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
    export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi

declare -a NOTLSV3
NOTLSV3=(
    # connection refused
    www.mirrorservice.org
    # no ipv3
    files.pythonhosted.org
)

#     https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
    173.245.48.0/20
    103.21.244.0/22
    103.22.200.0/22
    103.31.4.0/22
    141.101.64.0/18
    108.162.192.0/18
    190.93.240.0/20
    188.114.96.0/20
    197.234.240.0/22
    198.41.128.0/17
    162.158.0.0/15
    104.16.0.0/13
    104.24.0.0/14
    172.64.0.0/13
    131.0.72.0/22
)

#for no in "${CLOUDF[@]}" ; do
#  # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
#  a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done
first 2024-01-06 01:57:28 +00:00			`#!/bin/bash`
			`# -- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix --`

			`ROLE=proxy`

			`. /usr/local/bin/usr_local_tput.bash \|\| exit 2`

			`## proxy_ami_cloudflared`
			`proxy_ami_cloudflared() {`
			`[ $# -gt 0 ] \|\| return 1`
			`local ip=$1`
			`# https://netaddr.readthedocs.io/en/latest/tutorial_01.html`
			# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
			`# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python`
			`for no in "${CLOUDF[@]}" ; do`
			nopat=`sed -e 's/\.0.*//' <<< $no`
			`[[ $ip =~ ${nopat}.* ]] && {`
			`# WARN $url cloudflared $ip $no`
			`echo True`
			`return 0`
			`}`
			`done`
			`echo False`
			`return 0`
			`}`

			`## proxy_ami_cloudflared_py`
			`proxy_ami_cloudflared_py() {`
			`[ $# -gt 0 ] \|\| return 1`
			`local ip=$1`
			a=`proxy_ami_cloudflared $ip`
			`if [ $? -eq 0 -a "$a" = True ] ; then`
			`echo $a`
			`return 0`
			`fi`

			`for no in "${CLOUDF[@]}" ; do`
			a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
			`if [ $? -eq 0 -a "$a" = True ] ; then`
			`echo $a`
			`return 0`
			`fi`
			`done`
			`echo False`
			`return 0`
			`}`

			`# /usr/include/openssl/x509_vfy.h`
			`declare -A OPENSSL_X509_V`
			`OPENSSL_X509_V=(`
			`[0]=OK`
			`[1]=ERR_UNSPECIFIED`
			`[2]=ERR_UNABLE_TO_GET_ISSUER_CERT`
			`[3]=ERR_UNABLE_TO_GET_CRL`
			`[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE`
			`[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE`
			`[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY`
			`[7]=ERR_CERT_SIGNATURE_FAILURE`
			`[8]=ERR_CRL_SIGNATURE_FAILURE`
			`[9]=ERR_CERT_NOT_YET_VALID`
			`[10]=ERR_CERT_HAS_EXPIRED`
			`[11]=ERR_CRL_NOT_YET_VALID`
			`[12]=ERR_CRL_HAS_EXPIRED`
			`[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD`
			`[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD`
			`[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD`
			`[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD`
			`[17]=ERR_OUT_OF_MEM`
			`[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT`
			`[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN`
			`[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`
			`[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE`
			`[22]=ERR_CERT_CHAIN_TOO_LONG`
			`[23]=ERR_CERT_REVOKED`
			`[24]=ERR_INVALID_CA`
			`[25]=ERR_PATH_LENGTH_EXCEEDED`
			`[26]=ERR_INVALID_PURPOSE`
			`[27]=ERR_CERT_UNTRUSTED`
			`[28]=ERR_CERT_REJECTED`
			`# These are 'informational' when looking for issuer cert`
			`[29]=ERR_SUBJECT_ISSUER_MISMATCH`
			`[30]=ERR_AKID_SKID_MISMATCH`
			`[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH`
			`[32]=ERR_KEYUSAGE_NO_CERTSIGN`
			`[33]=ERR_UNABLE_TO_GET_CRL_ISSUER`
			`[34]=ERR_UNHANDLED_CRITICAL_EXTENSION`
			`[35]=ERR_KEYUSAGE_NO_CRL_SIGN`
			`[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION`
			`[37]=ERR_INVALID_NON_CA`
			`[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED`
			`[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE`
			`[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED`
			`[41]=ERR_INVALID_EXTENSION`
			`[42]=ERR_INVALID_POLICY_EXTENSION`
			`[43]=ERR_NO_EXPLICIT_POLICY`
			`[44]=ERR_DIFFERENT_CRL_SCOPE`
			`[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE`
			`[46]=ERR_UNNESTED_RESOURCE`
			`[47]=ERR_PERMITTED_VIOLATION`
			`[48]=ERR_EXCLUDED_VIOLATION`
			`[49]=ERR_SUBTREE_MINMAX`
			`# The application is not happy`
			`[50]=ERR_APPLICATION_VERIFICATION`
			`[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE`
			`[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX`
			`[53]=ERR_UNSUPPORTED_NAME_SYNTAX`
			`[54]=ERR_CRL_PATH_VALIDATION_ERROR`
			`# Another issuer check debug option`
			`[55]=ERR_PATH_LOOP`
			`# Suite B mode algorithm violation`
			`[56]=ERR_SUITE_B_INVALID_VERSION`
			`[57]=ERR_SUITE_B_INVALID_ALGORITHM`
			`[58]=ERR_SUITE_B_INVALID_CURVE`
			`[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM`
			`[60]=ERR_SUITE_B_LOS_NOT_ALLOWED`
			`[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256`
			`# Host, email and IP check errors`
			`[62]=ERR_HOSTNAME_MISMATCH`
			`[63]=ERR_EMAIL_MISMATCH`
			`[64]=ERR_IP_ADDRESS_MISMATCH`
			`# DANE TLSA errors`
			`[65]=ERR_DANE_NO_MATCH`
			`# security level errors`
			`[66]=ERR_EE_KEY_TOO_SMALL`
			`[67]=ERR_CA_KEY_TOO_SMALL`
			`[68]=ERR_CA_MD_TOO_WEAK`
			`# Caller error`
			`[69]=ERR_INVALID_CALL`
			`# Issuer lookup error`
			`[70]=ERR_STORE_LOOKUP`
			`# Certificate transparency`
			`[71]=ERR_NO_VALID_SCTS`

			`[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION`
			`# OCSP status errors`
			`[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification`
			`[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP`
			`[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder`
			`[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH`
			`[77]=ERR_NO_ISSUER_PUBLIC_KEY`
			`[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM`
			`[79]=ERR_EC_KEY_EXPLICIT_PARAMS`
			`)`

			`# man 3 libcurl-errors`
			`declare -A CURLE`
			`CURLE=(`
			`[0]=CURLE_OK`
			`[1]=CURLE_UNSUPPORTED_PROTOCOL`
			`[2]=CURLE_FAILED_INIT`
			`[3]=CURLE_URL_MALFORMAT`
			`[4]=CURLE_NOT_BUILT_IN`
			`[5]=CURLE_COULDNT_RESOLVE_PROXY`
			`[6]=CURLE_COULDNT_RESOLVE_HOST`
			`[7]=CURLE_COULDNT_CONNECT`
			`[8]=CURLE_WEIRD_SERVER_REPLY`
			`[9]=CURLE_REMOTE_ACCESS_DENIED`
			`[10]=CURLE_FTP_ACCEPT_FAILED`
			`[11]=CURLE_FTP_WEIRD_PASS_REPLY`
			`[12]=CURLE_FTP_ACCEPT_TIMEOUT`
			`[13]=CURLE_FTP_WEIRD_PASV_REPLY`
			`[14]=CURLE_FTP_WEIRD_227_FORMAT`
			`[15]=CURLE_FTP_CANT_GET_HOST`
			`[16]=CURLE_HTTP2`
			`[17]=CURLE_FTP_COULDNT_SET_TYPE`
			`[18]=CURLE_PARTIAL_FILE`
			`[19]=CURLE_FTP_COULDNT_RETR_FILE`
			`[21]=CURLE_QUOTE_ERROR`
			`[22]=CURLE_HTTP_RETURNED_ERROR`
			`[23]=CURLE_WRITE_ERROR`
			`[25]=CURLE_UPLOAD_FAILED`
			`[26]=CURLE_READ_ERROR`
			`[27]=CURLE_OUT_OF_MEMORY`
			`[28]=CURLE_OPERATION_TIMEDOUT`
			`[30]=CURLE_FTP_PORT_FAILED`
			`[31]=CURLE_FTP_COULDNT_USE_REST`
			`[33]=CURLE_RANGE_ERROR`
			`[34]=CURLE_HTTP_POST_ERROR`
			`[35]=CURLE_SSL_CONNECT_ERROR`
			`[36]=CURLE_BAD_DOWNLOAD_RESUME`
			`[37]=CURLE_FILE_COULDNT_READ_FILE`
			`[38]=CURLE_LDAP_CANNOT_BIND`
			`[39]=CURLE_LDAP_SEARCH_FAILED`
			`[41]=CURLE_FUNCTION_NOT_FOUND`
			`[42]=CURLE_ABORTED_BY_CALLBACK`
			`[43]=CURLE_BAD_FUNCTION_ARGUMENT`
			`[45]=CURLE_INTERFACE_FAILED`
			`[47]=CURLE_TOO_MANY_REDIRECTS`
			`[48]=CURLE_UNKNOWN_OPTION`
			`[49]=CURLE_SETOPT_OPTION_SYNTAX`
			`[52]=CURLE_GOT_NOTHING`
			`[53]=CURLE_SSL_ENGINE_NOTFOUND`
			`[54]=CURLE_SSL_ENGINE_SETFAILED`
			`[55]=CURLE_SEND_ERROR`
			`[56]=CURLE_RECV_ERROR`
			`[58]=CURLE_SSL_CERTPROBLEM`
			`[59]=CURLE_SSL_CIPHER`
			`[60]=CURLE_PEER_FAILED_VERIFICATION`
			`[61]=CURLE_BAD_CONTENT_ENCODING`
			`[62]=CURLE_LDAP_INVALID_URL`
			`[63]=CURLE_FILESIZE_EXCEEDED`
			`[64]=CURLE_USE_SSL_FAILED`
			`[65]=CURLE_SEND_FAIL_REWIND`
			`[66]=CURLE_SSL_ENGINE_INITFAILED`
			`[67]=CURLE_LOGIN_DENIED`
			`[68]=CURLE_TFTP_NOTFOUND`
			`[69]=CURLE_TFTP_PERM`
			`[70]=CURLE_REMOTE_DISK_FULL`
			`[71]=CURLE_TFTP_ILLEGAL`
			`[72]=CURLE_TFTP_UNKNOWNID`
			`[73]=CURLE_REMOTE_FILE_EXISTS`
			`[74]=CURLE_TFTP_NOSUCHUSER`
			`[75]=CURLE_CONV_FAILED`
			`[76]=CURLE_CONV_REQD`
			`[77]=CURLE_SSL_CACERT_BADFILE`
			`[78]=CURLE_REMOTE_FILE_NOT_FOUND`
			`[79]=CURLE_SSH`
			`[80]=CURLE_SSL_SHUTDOWN_FAILED`
			`[81]=CURLE_AGAIN`
			`[82]=CURLE_SSL_CRL_BADFILE`
			`[83]=CURLE_SSL_ISSUER_ERROR`
			`[84]=CURLE_FTP_PRET_FAILED`
			`[85]=CURLE_RTSP_CSEQ_ERROR`
			`[86]=CURLE_RTSP_SESSION_ERROR`
			`[87]=CURLE_FTP_BAD_FILE_LIST`
			`[88]=CURLE_CHUNK_FAILED`
			`[89]=CURLE_NO_CONNECTION_AVAILABLE`
			`[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH`
			`[91]=CURLE_SSL_INVALIDCERTSTATUS`
			`[92]=CURLE_HTTP2_STREAM`
			`[93]=CURLE_RECURSIVE_API_CALL`
			`[94]=CURLE_AUTH_ERROR`
			`[95]=CURLE_HTTP3`
			`[96]=CURLE_QUIC_CONNECT_ERROR`
			`[98]=CURLE_SSL_CLIENTCERT`
			`[99]=CURLE_UNRECOVERABLE_POLL`
			`)`

			`# 20 HTTP response status codes`
			`declare -A HTTP_RESPONSE`
			`HTTP_RESPONSE=(`
			`[100]="Continue"`
			`[101]="Switching Protocols"`
			`[103]="Early Hints"`
			`[200]="OK"`
			`[201]="Created"`
			`[202]="Accepted"`
			`[203]="Non-Authoritative Information"`
			`[204]="No Content"`
			`[205]="Reset Content"`
			`[206]="Partial Content"`
			`[300]="Multiple Choices"`
			`[301]="Moved Permanently"`
			`[302]="Found"`
			`[303]="See Other"`
			`[304]="Not Modified"`
			`[307]="Temporary Redirect"`
			`[308]="Permanent Redirect"`
			`[400]="Bad Request"`
			`[401]="Unauthorized"`
			`[402]="Payment Required"`
			`[403]="Forbidden"`
			`[404]="Not Found"`
			`[405]="Method Not Allowed"`
			`[406]="Not Acceptable"`
			`[407]="Proxy Authentication Required"`
			`[408]="Request Timeout"`
			`[409]="Conflict"`
			`[410]="Gone"`
			`[411]="Length Required"`
			`[412]="Precondition Failed"`
			`[413]="Payload Too Large"`
			`[414]="URI Too Long"`
			`[415]="Unsupported Media Type"`
			`[416]="Range Not Satisfiable"`
			`[417]="Expectation Failed"`
			`[418]="Im a teapot"`
			`[422]="Unprocessable Entity"`
			`[425]="Too Early"`
			`[426]="Upgrade Required"`
			`[428]="Precondition Required"`
			`[429]="Too Many Requests"`
			`[431]="Request Header Fields Too Large"`
			`[451]="Unavailable For Legal Reasons"`
			`[500]="Internal Server Error"`
			`[501]="Not Implemented"`
			`[502]="Bad Gateway"`
			`[503]="Service Unavailable"`
			`[504]="Gateway Timeout"`
			`[505]="HTTP Version Not Supported"`
			`[506]="Variant Also Negotiates"`
			`[507]="Insufficient Storage"`
			`[508]="Loop Detected"`
			`[510]="Not Extended"`
			`[511]="Network Authentication Required"`
			`)`

			`# https://curl.se/docs/ssl-ciphers.html`

			`# openssl`
			`# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html`

			`# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html`
			`openssl=openssl`
			`# CURLOPT_TLS13_CIPHERS --tls13-ciphers`
			`if [ $openssl = openssl ] ; then`
			`export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"`
			`elif [ $openssl = nss ] ; then`
			`export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"`
			`fi`

			`declare -a NOTLSV3`
			`NOTLSV3=(`
			`# connection refused`
			`www.mirrorservice.org`
			`# no ipv3`
			`files.pythonhosted.org`
			`)`

			`# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4`
			`declare -a CLOUDFN`
			`CLOUDFN=(`
			`173.245.48.0/20`
			`103.21.244.0/22`
			`103.22.200.0/22`
			`103.31.4.0/22`
			`141.101.64.0/18`
			`108.162.192.0/18`
			`190.93.240.0/20`
			`188.114.96.0/20`
			`197.234.240.0/22`
			`198.41.128.0/17`
			`162.158.0.0/15`
			`104.16.0.0/13`
			`104.24.0.0/14`
			`172.64.0.0/13`
			`131.0.72.0/22`
			`)`

			`#for no in "${CLOUDF[@]}" ; do`
			`# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html`
			# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
			`#done`