socat - how to listen on non-ssl TCP and forward to ssl TCP endpoint?

Question

I have seen an example of using socat to accept ssl TCP traffic and forward the traffic to a non-ssl host:

socat TCP-LISTEN:443,reuseaddr,fork "^OPENSSL-SERVER,cert=server.pem | TCP:somehost:80"

Is it possible to do the opposite? I.e. I have a remote host that is ssl enabled and requires a client certificate, but my client is only able to connect via non-ssl connections.

I understand the security implications of this approach.

score 10 · Accepted Answer · answered Sep 05 '17 at 08:40

10

The answer for me was:

$ socat TCP-LISTEN:51000,fork,reuseaddr OPENSSL:remotehost:51000,cafile=certificate.pem,verify=0

The certificate didn't match the hostname so I had to switch off verification (verify=0)

answered Sep 05 '17 at 08:40

Chris Snow

23,813
35
144
309

For me, the `cafile` wasn't necessary. I'm guessing it's only needed when verifying. – mwfearnley Jul 12 '22 at 14:34

socat - how to listen on non-ssl TCP and forward to ssl TCP endpoint?

1 Answers1