On Thursday 18 May 2017 07:03:31 Kyle J. McKay wrote:
> Some services are still provided using TLS 1.0 and older ciphers.
> It is possible to use the nc command to connect to these services
> using the "-T tlsall" option, but that also enables legacy and
> insecure ciphers and is not desirable.
>
> Instead add a new "-T tlscompat" option that can be used to access
> older servers while not also enabling insecure and very old legacy
> ciphers possibly allowing them to be unintentionally used (perhaps
> because of a server misconfiguration).
I'm not a fan of the continued alphabet soup options - I suspect we need to revisit this so that you can actually specify a cipher string and/or the list of protocols, rather than just adding more options that map to different things. That said, this is no worse than the status quo - see comment inline. > Signed-off-by: Kyle J. McKay <[email protected]> > --- > > For those using the libressl-2.5.4.tar.gz distribution, an equivalent > patch that updates the tarball files instead can be found here (#0001): > > https://gist.github.com/11ab5545aaa431b6cecda2188cbda73d > > src/usr.bin/nc/nc.1 | 2 ++ > src/usr.bin/nc/netcat.c | 12 +++++++++++- > 2 files changed, 13 insertions(+), 1 deletion(-) > > diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1 > index b1f96488..dd8bc70e 100644 > --- a/src/usr.bin/nc/nc.1 > +++ b/src/usr.bin/nc/nc.1 > @@ -233,6 +233,8 @@ For TLS options > may be one of > .Ar tlsall ; > which allows the use of all supported TLS protocols and ciphers, > +.Ar tlscompat ; > +which allows the use of all supported TLS protocols and "compat" ciphers, > .Ar noverify ; > which disables certificate verification; > .Ar noname , > diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c > index e222e1e7..cae85594 100644 > --- a/src/usr.bin/nc/netcat.c > +++ b/src/usr.bin/nc/netcat.c > @@ -72,6 +72,7 @@ > #define TLS_NONAME (1 << 3) > #define TLS_CCERT (1 << 4) > #define TLS_MUSTSTAPLE (1 << 5) > +#define TLS_COMPAT (1 << 6) > > /* Command Line Options */ > int dflag; /* detached, no stdin */ > @@ -381,6 +382,8 @@ main(int argc, char *argv[]) > errx(1, "cannot use -c and -F"); > if (TLSopt && !usetls) > errx(1, "you must specify -c to use TLS options"); > + if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT)) > + errx(1, "cannot use -T tlsall and -T tlscompat"); > if (Cflag && !usetls) > errx(1, "you must specify -c to use -C"); > if (Kflag && !usetls) 
> @@ -478,7 +481,13 @@ main(int argc, char *argv[]) > errx(1, "%s", tls_config_error(tls_cfg)); > if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == > -1) > errx(1, "%s", tls_config_error(tls_cfg)); > - if (TLSopt & TLS_ALL) { > + if (TLSopt & TLS_COMPAT) { > + if (tls_config_set_protocols(tls_cfg, > + TLS_PROTOCOLS_ALL) != 0) > + errx(1, "%s", tls_config_error(tls_cfg)); > + if (tls_config_set_ciphers(tls_cfg, "compat") != 0) > + errx(1, "%s", tls_config_error(tls_cfg)); > + } else if (TLSopt & TLS_ALL) { These two are essentially duplicates - you might as well use the same code for both and just select the appropriate value to pass to tls_config_set_ciphers() based on the flag in question. > if (tls_config_set_protocols(tls_cfg, > TLS_PROTOCOLS_ALL) != 0) > errx(1, "%s", tls_config_error(tls_cfg)); > @@ -1536,6 +1545,7 @@ map_tls(char *s, int *val) > { "noname", TLS_NONAME }, > { "clientcert", TLS_CCERT}, > { "muststaple", TLS_MUSTSTAPLE}, > + { "tlscompat", TLS_COMPAT }, > { NULL, -1 }, > }; > > ---
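Review bot: in the nc.1 hunk, "compat" ciphers is never defined for the reader; the new tlscompat entry should say what that set is relative to tlsall (the same protocol versions, but without the legacy and insecure cipher suites that tlsall also enables, which is the distinction the commit message draws) and should state that tlsall and tlscompat cannot be combined, since netcat.c now exits with "cannot use -T tlsall and -T tlscompat" when both are given. The literal double quotes around compat are also out of place in mdoc; `.Dq compat`, or just the word compatibility in plain text, reads better.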
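Review bot: in the netcat.c protocol/cipher hunk, beyond the duplicated arms already noted inline, the `tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL)` call is identical in the TLS_COMPAT arm and the TLS_ALL arm that follows it, so it can be hoisted above a single `tls_config_set_ciphers()` whose argument is chosen from the flag, e.g. `(TLSopt & TLS_COMPAT) ? "compat" : <whatever the tlsall arm passes today>`. The `if (TLSopt & TLS_COMPAT) ... else if (TLSopt & TLS_ALL)` ordering only matters when both bits are set, and the new errx() in main() already rejects that, so merging the arms loses nothing. It is also worth one sentence in nc.1 or the commit message that tlscompat still enables every protocol version, TLS 1.0 included; the cipher list is the only thing it tightens compared with tlsall.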
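Review bot: in the map_tls hunk the tlscompat entry is appended after muststaple, whereas nc.1 lists tlscompat directly after tlsall; keeping the table in the same order as the man page, with the two mutually exclusive presets next to each other, makes the pair easier to spot when reading the code and keeps the two lists easy to cross-check.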

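The reply's suggestion, that -T should let the user name a cipher string and a protocol list instead of growing one preset per combination, worked through as an added example in C. This is illustration code written for this page, not code from nc, LibreSSL or the patch author: it resolves a list of -T values into the protocol bits and the cipher string a caller would then hand to tls_config_set_protocols() and tls_config_set_ciphers(), and nothing else, so other -T values (noverify, clientcert and so on) are rejected. Assumptions: the `ciphers=<list>` and `protocols=<list>` forms are hypothetical, nc has no such syntax; the PROTO_* constants are local stand-ins for libtls' TLS_PROTOCOL_* bits and the value of TLS_ALL is made up (the patch does not show it); the cipher-list names "secure", "all" and "compat" and a TLS 1.2-only default are assumed to be what libtls would be handed in the plain, tlsall and tlscompat cases; and the rule that two presets conflict (as the patch's errx() does) while an explicit list overrides a preset for that one dimension is this example's own choice. libtls is not linked, so the block only computes the selection.

```c
/* Added example, not nc's or LibreSSL's code: resolve a list of -T values into
 * the protocol bits and cipher string a caller would pass to
 * tls_config_set_protocols()/tls_config_set_ciphers(). "ciphers=<list>" and
 * "protocols=<list>" are hypothetical forms; nc does not accept them. */
#include <stdio.h>
#include <string.h>

#define TLS_ALL		(1 << 0)	/* value assumed; not visible in the patch */
#define TLS_COMPAT	(1 << 6)	/* as in the patch */
/* Local stand-ins for libtls' TLS_PROTOCOL_* bits. */
#define PROTO_TLSv1_0	(1 << 1)
#define PROTO_TLSv1_1	(1 << 2)
#define PROTO_TLSv1_2	(1 << 3)
#define PROTO_ALL	(PROTO_TLSv1_0 | PROTO_TLSv1_1 | PROTO_TLSv1_2)

struct tls_sel {
	unsigned int	preset;		/* TLS_ALL or TLS_COMPAT once one is seen */
	unsigned int	protocols;	/* for tls_config_set_protocols() */
	char		ciphers[128];	/* for tls_config_set_ciphers() */
};

/* Parse "tlsv1.0,tlsv1.2" or "all" into protocol bits; -1 on a bad name. */
static int
parse_protocols(const char *list, unsigned int *out)
{
	static const struct { const char *name; unsigned int bits; } tab[] = {
		{ "all", PROTO_ALL }, { "tlsv1.0", PROTO_TLSv1_0 },
		{ "tlsv1.1", PROTO_TLSv1_1 }, { "tlsv1.2", PROTO_TLSv1_2 },
	};
	char buf[128], *p;
	unsigned int bits = 0;
	size_t i;
	if (snprintf(buf, sizeof(buf), "%s", list) >= (int)sizeof(buf))
		return -1;			/* list too long for buf */
	for (p = strtok(buf, ","); p != NULL; p = strtok(NULL, ",")) {
		for (i = 0; i < 4 && strcmp(p, tab[i].name) != 0; i++)
			;
		if (i == 4)
			return -1;		/* unknown protocol name */
		bits |= tab[i].bits;
	}
	if (bits == 0)
		return -1;			/* empty list */
	*out = bits;
	return 0;
}

/* Apply one -T value; 0 on success, -1 with a message in err. */
static int
tls_sel_apply(struct tls_sel *s, const char *arg, char *err, size_t errlen)
{
	if (strcmp(arg, "tlsall") == 0 || strcmp(arg, "tlscompat") == 0) {
		unsigned int preset = strcmp(arg, "tlsall") == 0 ? TLS_ALL : TLS_COMPAT;
		/* The presets pick different cipher lists, so reject the pair. */
		if (s->preset != 0 && s->preset != preset) {
			snprintf(err, errlen, "cannot use -T tlsall and -T tlscompat");
			return -1;
		}
		s->preset = preset;
		s->protocols = PROTO_ALL;	/* both presets enable every protocol */
		snprintf(s->ciphers, sizeof(s->ciphers), "%s",	/* list names assumed */
		    preset == TLS_ALL ? "all" : "compat");
		return 0;
	}
	/* An explicit list overrides what a preset chose for that one dimension. */
	if (strncmp(arg, "ciphers=", 8) == 0 && arg[8] != '\0' &&
	    snprintf(s->ciphers, sizeof(s->ciphers), "%s", arg + 8) <
	    (int)sizeof(s->ciphers))
		return 0;
	if (strncmp(arg, "protocols=", 10) == 0 &&
	    parse_protocols(arg + 10, &s->protocols) == 0)
		return 0;
	snprintf(err, errlen, "bad or unknown -T value: %s", arg);
	return -1;
}

/* Resolve a whole -T list starting from the defaults; 0, or -1 with err set. */
static int
tls_sel_resolve(struct tls_sel *s, const char *const *args, size_t n,
    char *err, size_t errlen)
{
	size_t i;
	s->preset = 0;
	s->protocols = PROTO_TLSv1_2;				/* assumed default */
	snprintf(s->ciphers, sizeof(s->ciphers), "secure");	/* assumed default */
	for (i = 0; i < n; i++)
		if (tls_sel_apply(s, args[i], err, errlen) == -1)
			return -1;
	return 0;
}

/* The resolved selection for a -T list (static storage), or NULL on any error. */
static const struct tls_sel *
resolved(const char *const *args, size_t n)
{
	static struct tls_sel s;
	char err[128];
	return tls_sel_resolve(&s, args, n, err, sizeof(err)) == 0 ? &s : NULL;
}
```

With the selection computed in one place, the caller applies it in one place too: `tls_config_set_protocols(cfg, sel->protocols)` followed by `tls_config_set_ciphers(cfg, sel->ciphers)`, reporting the message filled in by tls_sel_resolve() through errx() as nc already does for tls_config_error(). Adding a new preset then means adding one branch to tls_sel_apply(), not a new flag bit, a new conflict check and a new copy of the configuration code.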