author | jsing <> | 2017-07-15 17:27:39 +0000 |
committer | jsing <> | 2017-07-15 17:27:39 +0000 |
commit | 9eaa4cb6e81813fe936e19a8268bea5bbff1076f (patch) | |
tree | 703ecdf262b5973e5d7a099cf012d0a0894b8e93 | |
parent | af3b67bd96b09e3317ac761a44d87f718bc54020 (diff) | |
Add a "-T tlscompat" option to nc(1), which enables the use of all TLS
protocols and "compat" ciphers. This allows for TLS connections to TLS
servers that are using less than ideal cipher suites, without having to
resort to "-T tlsall" which enables all known cipher suites.
Diff from Kyle J. McKay <mackyle at gmail dot com>
ok beck@
-rw-r--r-- | src/usr.bin/nc/nc.1 | 6 | ||||
-rw-r--r-- | src/usr.bin/nc/netcat.c | 11 |
2 files changed, 12 insertions, 5 deletions
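--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.85 2017/05/10 21:56:53 bluhm Exp $
+.\" $OpenBSD: nc.1,v 1.86 2017/07/15 17:27:39 jsing Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 10 2017 $
+.Dd $Mdocdate: July 15 2017 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -235,6 +235,8 @@ For TLS options
 may be one of
 .Ar tlsall ;
 which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
 .Ar noverify ;
 which disables certificate verification;
 .Ar noname ,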
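--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.186 2017/06/11 14:38:52 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -73,6 +73,7 @@
 #define TLS_NONAME (1 << 3)
 #define TLS_CCERT (1 << 4)
 #define TLS_MUSTSTAPLE (1 << 5)
+#define TLS_COMPAT (1 << 6)
 
 /* Command Line Options */
 int dflag; /* detached, no stdin */
@@ -401,6 +402,8 @@ main(int argc, char *argv[])
 errx(1, "cannot use -c and -F");
 if (TLSopt && !usetls)
 errx(1, "you must specify -c to use TLS options");
+if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+errx(1, "cannot use -T tlsall and -T tlscompat");
 if (Cflag && !usetls)
 errx(1, "you must specify -c to use -C");
 if (Kflag && !usetls)
@@ -494,11 +497,12 @@ main(int argc, char *argv[])
 errx(1, "%s", tls_config_error(tls_cfg));
 if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
 errx(1, "%s", tls_config_error(tls_cfg));
-if (TLSopt & TLS_ALL) {
+if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
 if (tls_config_set_protocols(tls_cfg,
 TLS_PROTOCOLS_ALL) != 0)
 errx(1, "%s", tls_config_error(tls_cfg));
-if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+if (tls_config_set_ciphers(tls_cfg,
+(TLSopt & TLS_ALL) ? "all" : "compat") != 0)
 errx(1, "%s", tls_config_error(tls_cfg));
 }
 if (!lflag && (TLSopt & TLS_CCERT))
@@ -1565,6 +1569,7 @@ map_tls(char *s, int *val)
 { "noname", TLS_NONAME },
 { "clientcert", TLS_CCERT},
 { "muststaple", TLS_MUSTSTAPLE},
+{ "tlscompat", TLS_COMPAT },
 { NULL, -1 },
 };
 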