Some services are still provided using TLS 1.0 and older ciphers.
It is possible to use the nc command to connect to these services
using the "-T tlsall" option, but that also enables legacy and
insecure ciphers and is not desirable.

Instead, add a new "-T tlscompat" option that can be used to access
older servers without also enabling insecure and very old legacy
ciphers, which could otherwise be used unintentionally (for example
because of a server misconfiguration).

Signed-off-by: Kyle J. McKay <mack...@gmail.com>
---

CHANGES SINCE v1:

  * Address comments by Joel Sing and combine code branches

For those using the libressl-2.5.4.tar.gz distribution, an equivalent
patch that updates the tarball files instead can be found here (#0001):

  https://gist.github.com/11ab5545aaa431b6cecda2188cbda73d

 src/usr.bin/nc/nc.1     | 2 ++
 src/usr.bin/nc/netcat.c | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index b1f96488..dd8bc70e 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -233,6 +233,8 @@ For TLS options
 may be one of
 .Ar tlsall ;
 which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
 .Ar noverify ;
 which disables certificate verification;
 .Ar noname ,
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index e222e1e7..69070850 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -72,6 +72,7 @@
 #define TLS_NONAME     (1 << 3)
 #define TLS_CCERT      (1 << 4)
 #define TLS_MUSTSTAPLE (1 << 5)
+#define TLS_COMPAT     (1 << 6)
 
 /* Command Line Options */
 int    dflag;                                  /* detached, no stdin */
@@ -381,6 +382,8 @@ main(int argc, char *argv[])
                errx(1, "cannot use -c and -F");
        if (TLSopt && !usetls)
                errx(1, "you must specify -c to use TLS options");
+       if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+               errx(1, "cannot use -T tlsall and -T tlscompat");
        if (Cflag && !usetls)
                errx(1, "you must specify -c to use -C");
        if (Kflag && !usetls)
@@ -478,11 +481,12 @@ main(int argc, char *argv[])
                        errx(1, "%s", tls_config_error(tls_cfg));
                if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == 
-1)
                        errx(1, "%s", tls_config_error(tls_cfg));
-               if (TLSopt & TLS_ALL) {
+               if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
                        if (tls_config_set_protocols(tls_cfg,
                            TLS_PROTOCOLS_ALL) != 0)
                                errx(1, "%s", tls_config_error(tls_cfg));
-                       if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+                       if (tls_config_set_ciphers(tls_cfg,
+                           (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
                                errx(1, "%s", tls_config_error(tls_cfg));
                }
                if (!lflag && (TLSopt & TLS_CCERT))
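Review bot: The tlscompat branch still calls tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL), so it widens the protocol range exactly as tlsall does and narrows only the cipher list; nothing on the changed `if` says so, and the nc.1 hunk names "compat" ciphers without saying what that trades away. A short comment on the combined branch would make the intent explicit, e.g. `/* tlscompat: same legacy protocol range as tlsall, but the libtls "compat" cipher list instead of "all" */`. The libtls "compat" list presumably still admits suites weaker than the default (3DES-class), so the man page could usefully say the option is a deliberate downgrade for a specific peer rather than a general setting. Separately, the context line `tls_config_set_ocsp_staple_file(tls_cfg, oflag) ==` appears to have been wrapped by the mailer with `-1)` on its own line in this copy, which would keep the hunk from applying as posted. main() continues outside the hunk.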
@@ -1536,6 +1540,7 @@ map_tls(char *s, int *val)
                { "noname",             TLS_NONAME },
                { "clientcert",         TLS_CCERT},
                { "muststaple",         TLS_MUSTSTAPLE},
+               { "tlscompat",          TLS_COMPAT },
                { NULL,                 -1 },
        };
 
---
