The procedure to trust a specific certificate (self-signed for example, or with another CA which is not part of a public chain) on a server requires access to (root access) or an option in your favorite command-line interface tool to provide a different certificates storage. does not provide such option (yet). /etc/ssl/certificates socat You might also be in a situation where the certificate is expired, yet you want to trust only a specific expired certificate and not completely disable certificate verification. To cover these and similar use cases I developed a patch that goes instead in another direction by using certificate pinning by their SHA256 hash (see below). gist Example usage: socat TCP-LISTEN:4443,reuseaddr,fork OPENSSL:example.com:8443,verify=0,verify-hash=654f3537fbff41fef5addf323dd01b7171dd14c54a5ae5b20f988e4c7a84c256 You can omit from the above example if you wish to use the regular verification after the SHA256 hash verification. verify=0 Enjoy the new feature and please let me know in comments if it helps in some of your use-cases. --verify-hash socat

Chain

Ubuntu 16 installer boot image for Dell Chromebook 13 (Lulu)

Too Long; Didn't Read

Make resilience your competitive advantage

socat: patch for OpenSSL certificate hash verification

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

A RESTful API for iftop

Strengthen TLS in React Native through Certificate Pinning

Strengthen TLS in React Native Through Certificate Pinning — iOS Edition

Creating a Self-Signed Certificate from Scratch

Digital Signature vs. Digital Certificates – A Comprehensive Guide

A RESTful API for iftop

Strengthen TLS in React Native through Certificate Pinning

Strengthen TLS in React Native Through Certificate Pinning — iOS Edition

Creating a Self-Signed Certificate from Scratch

Digital Signature vs. Digital Certificates – A Comprehensive Guide

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps