From 9eaa4cb6e81813fe936e19a8268bea5bbff1076f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 15 Jul 2017 17:27:39 +0000
Subject: Add a "-T tlscompat" option to nc(1), which enables the use of all TLS protocols and "compat" ciphers.

This allows for TLS connections to TLS servers that are using less than ideal cipher suites, without having to resort to "-T tlsall" which enables all known cipher suites.

Diff from Kyle J. McKay

ok beck@
---
 src/usr.bin/nc/nc.1 | 6 ++++--
 src/usr.bin/nc/netcat.c | 11 ++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index b1fa272040..4dfef93986 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.85 2017/05/10 21:56:53 bluhm Exp $
+.\" $OpenBSD: nc.1,v 1.86 2017/07/15 17:27:39 jsing Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 10 2017 $
+.Dd $Mdocdate: July 15 2017 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -235,6 +235,8 @@ For TLS options
 may be one of
 .Ar tlsall ;
 which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
 .Ar noverify ;
 which disables certificate verification;
 .Ar noname ,
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 0d972ee53e..ce55972a7c 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.186 2017/06/11 14:38:52 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -73,6 +73,7 @@
 #define TLS_NONAME (1 << 3)
 #define TLS_CCERT (1 << 4)
 #define TLS_MUSTSTAPLE (1 << 5)
+#define TLS_COMPAT (1 << 6)
 
 /* Command Line Options */
 int dflag; /* detached, no stdin */
@@ -401,6 +402,8 @@ main(int argc, char *argv[])
 errx(1, "cannot use -c and -F");
 if (TLSopt && !usetls)
 errx(1, "you must specify -c to use TLS options");
+ if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+ errx(1, "cannot use -T tlsall and -T tlscompat");
 if (Cflag && !usetls)
 errx(1, "you must specify -c to use -C");
 if (Kflag && !usetls)
@@ -494,11 +497,12 @@ main(int argc, char *argv[])
 errx(1, "%s", tls_config_error(tls_cfg));
 if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
 errx(1, "%s", tls_config_error(tls_cfg));
- if (TLSopt & TLS_ALL) {
+ if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
 if (tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL) != 0)
 errx(1, "%s", tls_config_error(tls_cfg));
- if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+ if (tls_config_set_ciphers(tls_cfg,
+ (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
 errx(1, "%s", tls_config_error(tls_cfg));
 }
 if (!lflag && (TLSopt & TLS_CCERT))
@@ -1565,6 +1569,7 @@ map_tls(char *s, int *val)
 { "noname", TLS_NONAME },
 { "clientcert", TLS_CCERT},
 { "muststaple", TLS_MUSTSTAPLE},
+ { "tlscompat", TLS_COMPAT },
 { NULL, -1 },
 };
 
-- 
cgit v1.2.3-55-g6feb
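Review bot: The conflict check added after the `-c` test compares a combined mask, `(TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT)`, which is correct but reads like a single-bit test at a glance; `if ((TLSopt & TLS_ALL) && (TLSopt & TLS_COMPAT))` states the intent directly. This errx() is also the only place that records that the two keywords are mutually exclusive, so a one-line comment such as `/* tlsall and tlscompat select different cipher groups for the same block below */` would help the next reader. main() starts and ends outside the hunk; if a usage() string elsewhere in the file enumerates the -T keywords, it presumably needs tlscompat added too, which this diff does not show.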
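Review bot: The rewritten block gives tlscompat the same `TLS_PROTOCOLS_ALL` protocol set as tlsall, so the keyword relaxes the protocol version as well as the cipher group, while its name and the `"compat"` cipher string suggest only the latter; a user who merely needs to tolerate a weak cipher suite also re-enables whatever legacy protocol versions the library folds into TLS_PROTOCOLS_ALL (presumably the older TLS 1.x versions at this point, not visible here). A comment above the `if` would make that explicit: `/* tlsall and tlscompat both re-enable every protocol version; only the cipher group differs. */`. The ternary `(TLSopt & TLS_ALL) ? "all" : "compat"` is unambiguous only because the conflict check earlier in main() rejects both keywords together, which is worth noting on that line as `/* mutually exclusive, enforced above */`. main() starts and ends outside the hunk.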