The procedure to trust a specific certificate (self-signed for example, or with another CA which is not part of a public chain) on a server requires access to (root access) or an option in your favorite command-line interface tool to provide a different certificates storage. does not provide such option (yet). /etc/ssl/certificates socat You might also be in a situation where the certificate is expired, yet you want to trust only a specific expired certificate and not completely disable certificate verification. To cover these and similar use cases I developed a patch that goes instead in another direction by using certificate pinning by their SHA256 hash (see below). gist Example usage: socat TCP-LISTEN:4443,reuseaddr,fork OPENSSL:example.com:8443,verify=0,verify-hash=654f3537fbff41fef5addf323dd01b7171dd14c54a5ae5b20f988e4c7a84c256 You can omit from the above example if you wish to use the regular verification after the SHA256 hash verification. verify=0 Enjoy the new feature and please let me know in comments if it helps in some of your use-cases. --verify-hash socat
