authorJoel Sing <jsing@cvs.openbsd.org>2017-07-15 17:27:40 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2017-07-15 17:27:40 +0000
commita3252acb3a31329487d59b331685b4f35fde6ffc (patch)
treeb41384fffbc8ceb608aeb846d8b28d21d6d9f4a6 /usr.bin
parent83ca1f449416f2033a0bd579a306a75b5b316537 (diff)
Add a "-T tlscompat" option to nc(1), which enables the use of all TLS
protocols and "compat" ciphers. This allows for TLS connections to TLS servers that are using less-than-ideal cipher suites, without having to resort to "-T tlsall", which enables all known cipher suites. Diff from Kyle J. McKay <mackyle at gmail dot com> ok beck@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/nc/nc.16
-rw-r--r--usr.bin/nc/netcat.c11
2 files changed, 12 insertions, 5 deletions
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
index b1fa2720403..4dfef939866 100644
--- a/usr.bin/nc/nc.1
+++ b/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.85 2017/05/10 21:56:53 bluhm Exp $
+.\" $OpenBSD: nc.1,v 1.86 2017/07/15 17:27:39 jsing Exp $
.\"
.\" Copyright (c) 1996 David Sacerdote
.\" All rights reserved.
@@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 10 2017 $
+.Dd $Mdocdate: July 15 2017 $
.Dt NC 1
.Os
.Sh NAME
@@ -235,6 +235,8 @@ For TLS options
may be one of
.Ar tlsall ;
which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
.Ar noverify ;
which disables certificate verification;
.Ar noname ,
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 0d972ee53e7..ce55972a7c2 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.186 2017/06/11 14:38:52 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
/*
* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -73,6 +73,7 @@
#define TLS_NONAME (1 << 3)
#define TLS_CCERT (1 << 4)
#define TLS_MUSTSTAPLE (1 << 5)
+#define TLS_COMPAT (1 << 6)
/* Command Line Options */
int dflag; /* detached, no stdin */
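Review bot: The new `TLS_COMPAT` flag is added to the define block without any comment, so nothing at the definition records that it is mutually exclusive with `TLS_ALL` or that both flags select every protocol version and differ only in the cipher list (see the later checks in main()). A trailing comment would capture that, e.g. `#define TLS_COMPAT (1 << 6) /* all protocols, "compat" ciphers; exclusive with TLS_ALL */`. The neighbouring TLS_* defines are equally undocumented, but this is the line the commit touches.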
@@ -401,6 +402,8 @@ main(int argc, char *argv[])
errx(1, "cannot use -c and -F");
if (TLSopt && !usetls)
errx(1, "you must specify -c to use TLS options");
+ if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+ errx(1, "cannot use -T tlsall and -T tlscompat");
if (Cflag && !usetls)
errx(1, "you must specify -c to use -C");
if (Kflag && !usetls)
@@ -494,11 +497,12 @@ main(int argc, char *argv[])
errx(1, "%s", tls_config_error(tls_cfg));
if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
errx(1, "%s", tls_config_error(tls_cfg));
- if (TLSopt & TLS_ALL) {
+ if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
if (tls_config_set_protocols(tls_cfg,
TLS_PROTOCOLS_ALL) != 0)
errx(1, "%s", tls_config_error(tls_cfg));
- if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+ if (tls_config_set_ciphers(tls_cfg,
+ (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
errx(1, "%s", tls_config_error(tls_cfg));
}
if (!lflag && (TLSopt & TLS_CCERT))
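Review bot: The cipher selection at the new `tls_config_set_ciphers` call hides the only difference between tlsall and tlscompat in a ternary inside the argument list, which makes the security-relevant distinction easy to miss, since the preceding `tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL)` now applies to both options. Hoisting it into a named local reads more clearly: `const char *ciphers = (TLSopt & TLS_ALL) ? "all" : "compat";` followed by `if (tls_config_set_ciphers(tls_cfg, ciphers) != 0)`, with the declaration placed among main()'s other locals per the file's style. A short comment on the block stating that both options enable every protocol version and differ only in cipher list would record that trade-off for the next reader. main() starts and ends outside this hunk.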
@@ -1565,6 +1569,7 @@ map_tls(char *s, int *val)
{ "noname", TLS_NONAME },
{ "clientcert", TLS_CCERT},
{ "muststaple", TLS_MUSTSTAPLE},
+ { "tlscompat", TLS_COMPAT },
{ NULL, -1 },
};