diff --git a/tools/regression/netinet/tcpconnect/README.tcp-md5 b/tools/regression/netinet/tcpconnect/README.tcp-md5
new file mode 100644
index 000000000000..c5090234b1c6
--- /dev/null
+++ b/tools/regression/netinet/tcpconnect/README.tcp-md5
@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+To test tcp-md5 do:
+
+* compile and install kernel with TCP_SIGNATURE support
+
+* add this to /etc/ipsec.conf (the md5 'secret' is just a sample)
+	add 127.0.0.1 127.0.0.1 tcp 0x1000 -A tcp-md5 "0e3a9ac42ceca8260f1d6fbc46a9707c";
+
+* enable it in /etc/rc.conf with
+	ipsec_enable="YES"
+  and apply it with sh /etc/rc.d/ipsec start
+
+ [ off course you can also manually add it using setkey(8) ]
+
+* compile tcpconnect in here running:
+    make
+
+* start tcpdump (secret as above, port is just a sample):
+    tcpdump -l -n -i lo0 -s 0 -M "0e3a9ac42ceca8260f1d6fbc46a9707c" tcp and port 2345
+
+* run the server (use same port as given to tcpdump):
+    ./tcpconnect server 2345
+
+* run the client (use same port as given to tcpdump):
+    ./tcpconnect client 127.0.0.1 2345 1 tcpmd5
+
+* check tcpdump output
+
+# end
diff --git a/tools/regression/netinet/tcpconnect/tcpconnect.c b/tools/regression/netinet/tcpconnect/tcpconnect.c
index 5037a988d9a5..bce9b976e96c 100644
--- a/tools/regression/netinet/tcpconnect/tcpconnect.c
+++ b/tools/regression/netinet/tcpconnect/tcpconnect.c
@@ -30,21 +30,24 @@
 #include <sys/socket.h>
 
 #include <netinet/in.h>
+#include <netinet/tcp.h>
 
 #include <arpa/inet.h>
 
 #include <errno.h>
+#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
+
 static void
 usage(void)
 {
 
 	fprintf(stderr, "tcpconnect server port\n");
-	fprintf(stderr, "tcpconnect client ip port count\n");
+	fprintf(stderr, "tcpconnect client ip port count [nonblock] [tcpmd5]\n");
 	exit(-1);
 }
 
@@ -92,9 +95,16 @@ tcpconnect_client(int argc, char *argv[])
 	long count, i, port;
 	char *dummy;
 	int sock;
+	int nonblock = 0, md5enable = 0;
 
-	if (argc != 3)
+	if (argc < 3 || argc > 5)
 		usage();
+	for (i=3; i < argc; i++) {
+		if (strcmp(argv[i], "nonblock") == 0)
+			nonblock = 1;
+		if (strcmp(argv[i], "tcpmd5") == 0)
+			md5enable = 1;
+	}
 
 	bzero(&sin, sizeof(sin));
 	sin.sin_len = sizeof(sin);
@@ -116,17 +126,27 @@ tcpconnect_client(int argc, char *argv[])
 		if (sock == -1)
 			errx(-1, "socket: %s", strerror(errno));
 
-#ifdef NONBLOCK
-		if (fcntl(sock, F_SETFL, O_NONBLOCK) != 0)
-			errx(-1, "fcntl(F_SETFL): %s", strerror(errno));
+		/* No warning in default case on ENOPROTOOPT. */
+		if (setsockopt(sock, IPPROTO_TCP, TCP_MD5SIG,
+		    &md5enable, sizeof(md5enable)) != 0) {
+			if (errno == ENOPROTOOPT && md5enable > 0)
+				err(-1, "setsockopt(TCP_MD5SIG)");
+			else if (errno != ENOPROTOOPT)
+				warn("setsockopt(TCP_MD5SIG)");
+		}
 
-		if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1
-		    && errno != EINPROGRESS)
-			errx(-1, "connect: %s", strerror(errno));
-#else
-		if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1)
-			errx(-1, "connect: %s", strerror(errno));
-#endif
+		if (nonblock) {
+			if (fcntl(sock, F_SETFL, O_NONBLOCK) != 0)
+				errx(-1, "fcntl(F_SETFL): %s", strerror(errno));
+
+			if (connect(sock, (struct sockaddr *)&sin,
+			    sizeof(sin)) == -1 && errno != EINPROGRESS)
+				errx(-1, "connect: %s", strerror(errno));
+		} else {
+			if (connect(sock, (struct sockaddr *)&sin,
+			    sizeof(sin)) == -1)
+				errx(-1, "connect: %s", strerror(errno));
+		}
 
 		close(sock);
 	}