From: David Leadbeater Subject: nc: Add ALPN TLS option To: tech@openbsd.org Date: Wed, 28 May 2025 13:34:34 +1000 The only way to test alpn in base is with openssl s_client, which has some quirks. Here's a diff adding -T alpn=value to nc.
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
index e7dc770fca9..ed018b89d50 100644
--- a/usr.bin/nc/nc.1
+++ b/usr.bin/nc/nc.1
@@ -265,6 +265,10 @@ for further details);
 which allows the supported TLS protocols to be specified (see
 .Xr tls_config_parse_protocols 3
 for further details).
+.Cm alpn ,
+which allows the TLS ALPN to be specified (see
+.Xr tls_config_set_alpn 3
+for further details).
 Specifying TLS options requires
 .Fl c .
 .Pp
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index baf36bb60b1..a7935f8a4d6 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -108,6 +108,7 @@ char *tls_expectname; /* required name in peer cert */
 char *tls_expecthash; /* required hash of peer cert */
 char *tls_ciphers; /* TLS ciphers */
 char *tls_protocols; /* TLS protocols */
+char *tls_alpn; /* TLS ALPN */
 FILE *Zflag; /* file to save peer cert */
 int recvcount, recvlimit;
@@ -534,6 +535,8 @@ main(int argc, char *argv[])
 errx(1, "%s", tls_config_error(tls_cfg));
 if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
 errx(1, "%s", tls_config_error(tls_cfg));
+ if (tls_alpn != NULL && tls_config_set_alpn(tls_cfg, tls_alpn) == -1)
+ errx(1, "%s", tls_config_error(tls_cfg));
 if (!lflag && (TLSopt & TLS_CCERT))
 errx(1, "clientcert is only valid with -l");
 if (TLSopt & TLS_NONAME)
@@ -1677,6 +1680,7 @@ process_tls_opt(char *s, int *flags)
 { "noverify", TLS_NOVERIFY, NULL },
 { "noname", TLS_NONAME, NULL },
 { "protocols", -1, &tls_protocols },
+ { "alpn", -1, &tls_alpn },
 { NULL, -1, NULL },
 };
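Review bot: The new `tls_config_set_alpn(tls_cfg, tls_alpn)` call in main() only offers the ALPN list; nothing in this hunk checks or reports which protocol the peer selected. A server that ignores ALPN therefore looks the same to the user as one that negotiated the requested value, which weakens the option as a test tool. Consider printing the result of `tls_conn_alpn_selected(3)` in the verbose TLS report; that code is outside this diff, so it may already be covered and is worth confirming. As a style point, the added `if` appears to run past 80 columns at this nesting depth (indentation is not recoverable from the page), and could be split as `if (tls_alpn != NULL &&` followed by `tls_config_set_alpn(tls_cfg, tls_alpn) == -1)`. main() starts and ends outside the hunk.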
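Review bot: The new `{ "alpn", -1, &tls_alpn }` entry in process_tls_opt() carries a flag of -1 and only a value pointer, like `protocols`, so nothing visible here records in `*flags` that a TLS option was given. The man page text in this same diff says TLS options require -c. If the check in main() that enforces this looks only at the TLSopt flag bits, `-T alpn=...` without -c would be accepted and the session would silently run without TLS. That check is outside the diff, so please confirm that main() rejects a non-NULL `tls_alpn` when -c is absent, or add that test alongside the existing one. The rest of process_tls_opt(), including how the value after `=` is validated, is also outside the hunk.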