2 files changed, 12 insertions, 5 deletions

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index b1fa272040..4dfef93986 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.85 2017/05/10 21:56:53 bluhm Exp $
+.\"     $OpenBSD: nc.1,v 1.86 2017/07/15 17:27:39 jsing Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 10 2017 $
+.Dd $Mdocdate: July 15 2017 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -235,6 +235,8 @@ For TLS options
 may be one of
 .Ar tlsall ;
 which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
 .Ar noverify ;
 which disables certificate verification;
 .Ar noname ,
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 0d972ee53e..ce55972a7c 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.186 2017/06/11 14:38:52 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -73,6 +73,7 @@
 #define TLS_NONAME      (1 << 3)
 #define TLS_CCERT       (1 << 4)
 #define TLS_MUSTSTAPLE  (1 << 5)
+#define TLS_COMPAT      (1 << 6)
 
 /* Command Line Options */
 int     dflag;                                  /* detached, no stdin */
@@ -401,6 +402,8 @@ main(int argc, char *argv[])
                 errx(1, "cannot use -c and -F");
         if (TLSopt && !usetls)
                 errx(1, "you must specify -c to use TLS options");
+        if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+                errx(1, "cannot use -T tlsall and -T tlscompat");
         if (Cflag && !usetls)
                 errx(1, "you must specify -c to use -C");
         if (Kflag && !usetls)
@@ -494,11 +497,12 @@ main(int argc, char *argv[])
                         errx(1, "%s", tls_config_error(tls_cfg));
                 if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
                         errx(1, "%s", tls_config_error(tls_cfg));
-                if (TLSopt & TLS_ALL) {
+                if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
                         if (tls_config_set_protocols(tls_cfg,
                             TLS_PROTOCOLS_ALL) != 0)
                                 errx(1, "%s", tls_config_error(tls_cfg));
-                        if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+                        if (tls_config_set_ciphers(tls_cfg,
+                            (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
                                 errx(1, "%s", tls_config_error(tls_cfg));
                 }
                 if (!lflag && (TLSopt & TLS_CCERT))
@@ -1565,6 +1569,7 @@ map_tls(char *s, int *val)
                 { "noname",             TLS_NONAME },
                 { "clientcert",         TLS_CCERT},
                 { "muststaple",         TLS_MUSTSTAPLE},
+                { "tlscompat",          TLS_COMPAT },
                 { NULL,                 -1 },
         };