1 files changed, 45 insertions, 6 deletions
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index d83cb5ca8d..8cb96e8734 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $
+.\"     $OpenBSD: nc.1,v 1.69 2015/09/11 21:07:01 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 26 2015 $
+.Dd $Mdocdate: September 11 2015 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -41,7 +41,7 @@
 .Op Fl P Ar proxy_username
 .Op Fl p Ar source_port
 .Op Fl s Ar source
-.Op Fl T Ar toskeyword
+.Op Fl T Ar keyword
 .Op Fl V Ar rtable
 .Op Fl w Ar timeout
 .Op Fl X Ar proxy_protocol
@@ -98,10 +98,18 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
+.It Fl C Ar certificate_filename
+Specifies the filename from which the public key part of the TLS
+certificate is loaded, in PEM format. May only be used with TLS.
+.It Fl c
+If using a TCP socket to connect or listen, use TLS. Illegal if not using TCP sockets.
 .It Fl D
 Enable debugging on the socket.
 .It Fl d
 Do not attempt to read from stdin.
+.It Fl e Ar name
+specify the name that must be present in the peer certificate when using TLS.
+Illegal if not using TLS.
 .It Fl F
 Pass the first connected socket using
 .Xr sendmsg 2
@@ -117,6 +125,11 @@ using the
 .Xr ssh_config 5
 .Cm ProxyUseFdpass
 option).
+.It Fl H Ar hash_string
+Specifies the required hash string of the peer certificate when using TLS.
+The string format required is that used by
+.Xr tls_peer_cert_hash 3 .
+Illegal if not using TLS, and may not be used with -T noverify.
 .It Fl h
 Prints out
 .Nm
@@ -126,6 +139,9 @@ Specifies the size of the TCP receive buffer.
 .It Fl i Ar interval
 Specifies a delay time interval between lines of text sent and received.
 Also causes a delay time between connections to multiple ports.
+.It Fl K Ar key_filename
+Specifies the filename from which the private key
+is loaded in PEM format. May only be used with TLS.
 .It Fl k
 Forces
 .Nm
@@ -172,6 +188,11 @@ should use, subject to privilege restrictions and availability.
 It is an error to use this option in conjunction with the
 .Fl l
 option.
+.It Fl R Ar CA_filename
+Specifies the filename from which the root CA bundle for Certificate
+verification is loaded in pem format. Illegal if not using TLS.
+Default value is
+.Pa /etc/ssl/cert.pem .
 .It Fl r
 Specifies that source and/or destination ports should be chosen randomly
 instead of sequentially within a range or in the order that the system
@@ -187,9 +208,22 @@ to create and use so that datagrams can be received.
 It is an error to use this option in conjunction with the
 .Fl l
 option.
-.It Fl T Ar toskeyword
+.It Fl T Ar keyword
-Change IPv4 TOS value.
+Change IPv4 TOS value or TLS options.
-.Ar toskeyword
+For TLS options
+.Ar keyword
+may be one of
+.Ar tlslegacy ,
+which allows legacy TLS protocols,
+.Ar noverify ,
+which disables certificate verification
+.Ar noname ,
+which disables certificate name checking, or
+.Ar clientcert,
+which requires a client certificate on incoming connections .
+It is illegal to specify TLS options if not using TLS.
+For IPv4 TOS value
+.Ar keyword
 may be one of
 .Ar critical ,
 .Ar inetcontrol ,
@@ -429,6 +463,11 @@ the source port, with a timeout of 5 seconds:
 .Pp
 .Dl $ nc -p 31337 -w 5 host.example.com 42
 .Pp
+Open a TCP connection to port 443 of www.google.ca, and negotiate
+TLS. Check for a different name in the certificate for validation.
+.Pp
+.Dl $  nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
+.Pp
 Open a UDP connection to port 53 of host.example.com:
 .Pp
 .Dl $ nc -u host.example.com 53

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1 index d83cb5ca8d..8cb96e8734 100644 --- a/src/usr.bin/nc/nc.1 +++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: nc.1,v 1.68 2015/03/26 10:35:04 tobias Exp $	1	.\" $OpenBSD: nc.1,v 1.69 2015/09/11 21:07:01 beck Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 1996 David Sacerdote	3	.\" Copyright (c) 1996 David Sacerdote
4	.\" All rights reserved.	4	.\" All rights reserved.
@@ -25,7 +25,7 @@
25	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	25	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	26	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27	.\"	27	.\"
28	.Dd $Mdocdate: March 26 2015 $	28	.Dd $Mdocdate: September 11 2015 $
29	.Dt NC 1	29	.Dt NC 1
30	.Os	30	.Os
31	.Sh NAME	31	.Sh NAME
@@ -41,7 +41,7 @@
41	.Op Fl P Ar proxy_username	41	.Op Fl P Ar proxy_username
42	.Op Fl p Ar source_port	42	.Op Fl p Ar source_port
43	.Op Fl s Ar source	43	.Op Fl s Ar source
44	.Op Fl T Ar toskeyword	44	.Op Fl T Ar keyword
45	.Op Fl V Ar rtable	45	.Op Fl V Ar rtable
46	.Op Fl w Ar timeout	46	.Op Fl w Ar timeout
47	.Op Fl X Ar proxy_protocol	47	.Op Fl X Ar proxy_protocol
@@ -98,10 +98,18 @@ to use IPv4 addresses only.
98	Forces	98	Forces
99	.Nm	99	.Nm
100	to use IPv6 addresses only.	100	to use IPv6 addresses only.
		101	.It Fl C Ar certificate_filename
		102	Specifies the filename from which the public key part of the TLS
		103	certificate is loaded, in PEM format. May only be used with TLS.
		104	.It Fl c
		105	If using a TCP socket to connect or listen, use TLS. Illegal if not using TCP sockets.
101	.It Fl D	106	.It Fl D
102	Enable debugging on the socket.	107	Enable debugging on the socket.
103	.It Fl d	108	.It Fl d
104	Do not attempt to read from stdin.	109	Do not attempt to read from stdin.
		110	.It Fl e Ar name
		111	specify the name that must be present in the peer certificate when using TLS.
		112	Illegal if not using TLS.
105	.It Fl F	113	.It Fl F
106	Pass the first connected socket using	114	Pass the first connected socket using
107	.Xr sendmsg 2	115	.Xr sendmsg 2
@@ -117,6 +125,11 @@ using the
117	.Xr ssh_config 5	125	.Xr ssh_config 5
118	.Cm ProxyUseFdpass	126	.Cm ProxyUseFdpass
119	option).	127	option).
		128	.It Fl H Ar hash_string
		129	Specifies the required hash string of the peer certificate when using TLS.
		130	The string format required is that used by
		131	.Xr tls_peer_cert_hash 3 .
		132	Illegal if not using TLS, and may not be used with -T noverify.
120	.It Fl h	133	.It Fl h
121	Prints out	134	Prints out
122	.Nm	135	.Nm
@@ -126,6 +139,9 @@ Specifies the size of the TCP receive buffer.
126	.It Fl i Ar interval	139	.It Fl i Ar interval
127	Specifies a delay time interval between lines of text sent and received.	140	Specifies a delay time interval between lines of text sent and received.
128	Also causes a delay time between connections to multiple ports.	141	Also causes a delay time between connections to multiple ports.
		142	.It Fl K Ar key_filename
		143	Specifies the filename from which the private key
		144	is loaded in PEM format. May only be used with TLS.
129	.It Fl k	145	.It Fl k
130	Forces	146	Forces
131	.Nm	147	.Nm
@@ -172,6 +188,11 @@ should use, subject to privilege restrictions and availability.
172	It is an error to use this option in conjunction with the	188	It is an error to use this option in conjunction with the
173	.Fl l	189	.Fl l
174	option.	190	option.
		191	.It Fl R Ar CA_filename
		192	Specifies the filename from which the root CA bundle for Certificate
		193	verification is loaded in pem format. Illegal if not using TLS.
		194	Default value is
		195	.Pa /etc/ssl/cert.pem .
175	.It Fl r	196	.It Fl r
176	Specifies that source and/or destination ports should be chosen randomly	197	Specifies that source and/or destination ports should be chosen randomly
177	instead of sequentially within a range or in the order that the system	198	instead of sequentially within a range or in the order that the system
@@ -187,9 +208,22 @@ to create and use so that datagrams can be received.
187	It is an error to use this option in conjunction with the	208	It is an error to use this option in conjunction with the
188	.Fl l	209	.Fl l
189	option.	210	option.
190	.It Fl T Ar toskeyword	211	.It Fl T Ar keyword
191	Change IPv4 TOS value.	212	Change IPv4 TOS value or TLS options.
192	.Ar toskeyword	213	For TLS options
		214	.Ar keyword
		215	may be one of
		216	.Ar tlslegacy ,
		217	which allows legacy TLS protocols,
		218	.Ar noverify ,
		219	which disables certificate verification
		220	.Ar noname ,
		221	which disables certificate name checking, or
		222	.Ar clientcert,
		223	which requires a client certificate on incoming connections .
		224	It is illegal to specify TLS options if not using TLS.
		225	For IPv4 TOS value
		226	.Ar keyword
193	may be one of	227	may be one of
194	.Ar critical ,	228	.Ar critical ,
195	.Ar inetcontrol ,	229	.Ar inetcontrol ,
@@ -429,6 +463,11 @@ the source port, with a timeout of 5 seconds:
429	.Pp	463	.Pp
430	.Dl $ nc -p 31337 -w 5 host.example.com 42	464	.Dl $ nc -p 31337 -w 5 host.example.com 42
431	.Pp	465	.Pp
		466	Open a TCP connection to port 443 of www.google.ca, and negotiate
		467	TLS. Check for a different name in the certificate for validation.
		468	.Pp
		469	.Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
		470	.Pp
432	Open a UDP connection to port 53 of host.example.com:	471	Open a UDP connection to port 53 of host.example.com:
433	.Pp	472	.Pp
434	.Dl $ nc -u host.example.com 53	473	.Dl $ nc -u host.example.com 53