
[PATCHv2 1/2] nc: support -T tlscompat option


[PATCHv2 1/2] nc: support -T tlscompat option

Kyle J. McKay
Some services are still provided using TLS 1.0 and older ciphers.
It is possible to use the nc command to connect to these services
using the "-T tlsall" option, but that also enables legacy and
insecure ciphers and is not desirable.

Instead add a new "-T tlscompat" option that can be used to access
older servers while not also enabling insecure and very old legacy
ciphers, possibly allowing them to be unintentionally used (perhaps
because of a server misconfiguration).

Signed-off-by: Kyle J. McKay <[hidden email]>
---

CHANGES SINCE v1:

  * Address comments by Joel Sing and combine code branches

For those using the libressl-2.5.4.tar.gz distribution, an equivalent
patch that updates the tarball files instead can be found here (#0001):

  https://gist.github.com/11ab5545aaa431b6cecda2188cbda73d

 src/usr.bin/nc/nc.1     | 2 ++
 src/usr.bin/nc/netcat.c | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index b1f96488..dd8bc70e 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -233,6 +233,8 @@ For TLS options
 may be one of
 .Ar tlsall ;
 which allows the use of all supported TLS protocols and ciphers,
+.Ar tlscompat ;
+which allows the use of all supported TLS protocols and "compat" ciphers,
 .Ar noverify ;
 which disables certificate verification;
 .Ar noname ,
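Review bot: the new tlscompat entry leaves "compat" unexplained, unlike the tlsall entry directly above it, which spells out "all supported TLS protocols and ciphers". Say what the option does: every protocol version libtls supports (the same TLS_PROTOCOLS_ALL the tlsall branch uses in netcat.c) but only the "compat" cipher group, and point the reader at tls_config_set_ciphers(3) for that group's definition rather than quoting the bare keyword. The entry should also record that tlsall and tlscompat cannot be combined, since netcat.c in this same patch rejects the pairing; otherwise a user discovers the rule only from the error message.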
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index e222e1e7..69070850 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -72,6 +72,7 @@
 #define TLS_NONAME (1 << 3)
 #define TLS_CCERT (1 << 4)
 #define TLS_MUSTSTAPLE (1 << 5)
+#define TLS_COMPAT (1 << 6)
 
 /* Command Line Options */
 int dflag; /* detached, no stdin */
@@ -381,6 +382,8 @@ main(int argc, char *argv[])
  errx(1, "cannot use -c and -F");
  if (TLSopt && !usetls)
  errx(1, "you must specify -c to use TLS options");
+ if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+ errx(1, "cannot use -T tlsall and -T tlscompat");
  if (Cflag && !usetls)
  errx(1, "you must specify -c to use -C");
  if (Kflag && !usetls)
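Review bot: the mutual-exclusion check is in the right place, after the "-c" requirement, but the cipher-selection code later in main resolves the same pairing silently in favour of "all" (the ternary in the tls_cfg block) and is only correct because this errx runs first. Add a one-line comment here saying the cipher selection relies on TLS_ALL and TLS_COMPAT never both being set, so that a future reordering of the option checks does not turn this hard error into a quiet fall-through to the full cipher list.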
@@ -478,11 +481,12 @@ main(int argc, char *argv[])
  errx(1, "%s", tls_config_error(tls_cfg));
  if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
  errx(1, "%s", tls_config_error(tls_cfg));
- if (TLSopt & TLS_ALL) {
+ if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
  if (tls_config_set_protocols(tls_cfg,
     TLS_PROTOCOLS_ALL) != 0)
  errx(1, "%s", tls_config_error(tls_cfg));
- if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+ if (tls_config_set_ciphers(tls_cfg,
+    (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
  errx(1, "%s", tls_config_error(tls_cfg));
  }
  if (!lflag && (TLSopt & TLS_CCERT))
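Review bot: the protocol set stays TLS_PROTOCOLS_ALL for both flags and only the cipher string changes (`(TLSopt & TLS_ALL) ? "all" : "compat"`), so tlscompat still admits every protocol version libtls supports, TLS 1.0 included. That is what the commit message asks for, but the nc.1 entry in this series should say so explicitly, because "compat ciphers" on its own invites the reading that older protocol versions are excluded as well. Consider also naming the combined branch in a short comment ("tlsall and tlscompat are mutually exclusive, checked above") since the merged if now serves two options with different intent.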
@@ -1536,6 +1540,7 @@ map_tls(char *s, int *val)
  { "noname", TLS_NONAME },
  { "clientcert", TLS_CCERT},
  { "muststaple", TLS_MUSTSTAPLE},
+ { "tlscompat", TLS_COMPAT },
  { NULL, -1 },
  };
 
---


[PATCHv2 2/2] nc: do not require IPV6_TCLASS

Kyle J. McKay
Older IPv6 implementations may not have an IPV6_TCLASS
option.  Tolerate this situation by simply returning an
error if an attempt is made to use IPV6_TCLASS on such
a system.

Signed-off-by: Kyle J. McKay <[hidden email]>
---

CHANGES SINCE v1:

  * Regenerate patch so it applies cleanly; no other changes

For those using the libressl-2.5.4.tar.gz distribution, an equivalent
patch that updates the tarball files instead can be found here (#0002):

  https://gist.github.com/11ab5545aaa431b6cecda2188cbda73d

Older darwin IPv6 stacks are afflicted by this issue.  It would be nice
if they (and other affected systems) could build nc from libressl-portable
without needing to hack up netcat.c first.

The "ENOPROTOOPT" code used is a POSIX-specified error code and is the
one that would normally be returned by setsockopt for an unknown option.

 src/usr.bin/nc/netcat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 69070850..cbd1ef49 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1444,9 +1444,15 @@ set_common_sockopts(int s, int af)
     IP_TOS, &Tflag, sizeof(Tflag)) == -1)
  err(1, "set IP ToS");
 
+#ifdef IPV6_TCLASS
  else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
     IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
  err(1, "set IPv6 traffic class");
+#else
+ else if (af == AF_INET6)
+ errno = ENOPROTOOPT,
+ err(1, "set IPv6 traffic class not supported");
+#endif
  }
  if (Iflag) {
  if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
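Review bot: the #else branch joins the errno assignment and the err() call with the comma operator (`errno = ENOPROTOOPT, err(1, ...)`) so that the else-if body remains a single statement; it compiles, but it reads as two statements and is fragile next to the blank line that already separates this else-if from its if. Use braces: `else if (af == AF_INET6) { errno = ENOPROTOOPT; err(1, "set IPv6 traffic class"); }`. Keep the message identical to the #ifdef branch as well: err(1, ...) appends strerror(errno), so the current wording prints "set IPv6 traffic class not supported: Protocol not available", which says "not supported" twice; the ENOPROTOOPT text the cover note chose already carries that meaning. Finally, confirm netcat.c includes <errno.h>, since this hunk assigns errno directly rather than only passing it through err().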
---
