socat: patch for OpenSSL certificate hash verification

by Giuseppe D.M. (@gdm85), December 25th, 2017
The procedure to trust a specific certificate (for example a self-signed one, or one issued by a CA that is not part of a public chain) on a server requires either access to /etc/ssl/certificates (root access) or an option in your favorite command-line tool to point it at a different certificate store. socat does not provide such an option (yet).

You might also be in a situation where the certificate is expired, yet you want to trust only a specific expired certificate and not completely disable certificate verification.

To cover these and similar use cases I developed a patch that takes a different approach: it pins certificates by their SHA256 hash (see gist below).

Example usage:

socat TCP-LISTEN:4443,reuseaddr,fork OPENSSL:example.com:8443,verify=0,verify-hash=654f3537fbff41fef5addf323dd01b7171dd14c54a5ae5b20f988e4c7a84c256

You can omit verify=0 from the example above if you want the regular certificate verification to run as well, after the SHA256 hash check.
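To obtain the value for verify-hash and to see what the pin check amounts to, here is an added Python example (not part of this post or of the socat patch): it computes the SHA256 fingerprint of a DER-encoded certificate, compares it against the pinned value in constant time, and retrieves a server's leaf certificate without chain or expiry checks (the equivalent of socat's verify=0) so that an expired or self-signed certificate can still be pinned. The PEM sample embedded below is constructed and is not a real certificate.

```python
import base64
import hashlib
import hmac
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_sha256_hex(der: bytes) -> str:
    """SHA256 fingerprint of the DER certificate, lowercase hex: the verify-hash value."""
    return hashlib.sha256(der).hexdigest()


def verify_hash(der: bytes, pinned_hex: str) -> bool:
    """Pin check: accept the certificate only if its fingerprint matches the pinned one.
    Case and ':' separators in the pinned value are ignored; comparison is constant-time."""
    expected = pinned_hex.replace(":", "").strip().lower()
    if len(expected) != 64:
        raise ValueError("pinned value must be 64 hex characters (SHA256)")
    return hmac.compare_digest(cert_sha256_hex(der), expected)


def fetch_peer_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a server presents with chain/hostname/expiry checks
    disabled (like verify=0), so its fingerprint can be recorded for pinning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def socat_address(host: str, port: int, fingerprint_hex: str, skip_chain: bool = True) -> str:
    """Build the OPENSSL address for the patched socat; skip_chain=False omits verify=0."""
    opts = "verify=0," if skip_chain else ""
    return f"OPENSSL:{host}:{port},{opts}verify-hash={fingerprint_hex}"


# Constructed sample: arbitrary bytes in PEM armour, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-cert-bytes").decode()
              + "\n-----END CERTIFICATE-----\n")
```

In practice you would run fetch_peer_cert_der against the server once, over a path you trust, and paste the resulting fingerprint into the socat address.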

Enjoy the new --verify-hash feature and please let me know in the comments if it helps in some of your socat use cases.