===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.186
retrieving revision 1.187
diff -u -r1.186 -r1.187
--- src/usr.bin/nc/netcat.c 2017/06/11 14:38:52 1.186
+++ src/usr.bin/nc/netcat.c 2017/07/15 17:27:39 1.187
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.186 2017/06/11 14:38:52 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.187 2017/07/15 17:27:39 jsing Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -73,6 +73,7 @@
 #define TLS_NONAME (1 << 3)
 #define TLS_CCERT (1 << 4)
 #define TLS_MUSTSTAPLE (1 << 5)
+#define TLS_COMPAT (1 << 6)
 
 /* Command Line Options */
 int dflag; /* detached, no stdin */
@@ -401,6 +402,8 @@
 errx(1, "cannot use -c and -F");
 if (TLSopt && !usetls)
 errx(1, "you must specify -c to use TLS options");
+ if ((TLSopt & (TLS_ALL|TLS_COMPAT)) == (TLS_ALL|TLS_COMPAT))
+ errx(1, "cannot use -T tlsall and -T tlscompat");
 if (Cflag && !usetls)
 errx(1, "you must specify -c to use -C");
 if (Kflag && !usetls)
@@ -494,11 +497,12 @@
 errx(1, "%s", tls_config_error(tls_cfg));
 if (oflag && tls_config_set_ocsp_staple_file(tls_cfg, oflag) == -1)
 errx(1, "%s", tls_config_error(tls_cfg));
- if (TLSopt & TLS_ALL) {
+ if (TLSopt & (TLS_ALL|TLS_COMPAT)) {
 if (tls_config_set_protocols(tls_cfg,
 TLS_PROTOCOLS_ALL) != 0)
 errx(1, "%s", tls_config_error(tls_cfg));
- if (tls_config_set_ciphers(tls_cfg, "all") != 0)
+ if (tls_config_set_ciphers(tls_cfg,
+ (TLSopt & TLS_ALL) ? "all" : "compat") != 0)
 errx(1, "%s", tls_config_error(tls_cfg));
 }
 if (!lflag && (TLSopt & TLS_CCERT))
@@ -1565,6 +1569,7 @@
 { "noname", TLS_NONAME },
 { "clientcert", TLS_CCERT},
 { "muststaple", TLS_MUSTSTAPLE},
+ { "tlscompat", TLS_COMPAT },
 { NULL, -1 },
 };
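Review bot: In the `@@ -494,11 +497,12 @@` hunk, `-T tlscompat` goes through the same `tls_config_set_protocols(tls_cfg, TLS_PROTOCOLS_ALL)` call as `tlsall`, so it widens the accepted protocol versions as well as the cipher list, which the keyword name does not suggest. A comment above the block would record that this is deliberate, for example `/* tlsall and tlscompat both enable every protocol version; they differ only in the cipher list ("all" vs "compat") */`. The ternary picks "all" whenever TLS_ALL is set, which is unambiguous only because the check added in the `@@ -401,6 +402,8 @@` hunk rejects the two keywords together; a short comment next to the ternary saying so would keep the two in step. The user-facing description of -T is not part of this diff and presumably needs the same statement about protocol versions. The enclosing function begins and ends outside both hunks.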