4

I have a working client/server scenario using socat with the following commands:

Server

socat openssl-listen:5000,reuseaddr,cert=server.pem,cafile=server.crt,verify=0 STDIO

Client

socat stdio openssl-connect:localhost:5000,cert=server.pem,cafile=server.crt,verify=0

This is part of a larger system, but the commands above work well for what we are trying to achieve. However, I need to ensure that TLS v1.3 is in use, and ensure it is the only version of encryption being used. I can ensure version 1.2 is used using something like:

socat - OPENSSL-LISTEN:443,method=TLS1.2,verify=0,cert=cert.pem,key=key.pem

openssl is at the latest (1.1.1 version), which is supposed to support TLS1.3

At time of writing (Feb 2020), almost all the documentation I can find for socat only makes reference to setting TLS1.2, and no reference to TLS1.3. For the openssl command line, you can set -tls1_3, for instance:

openssl s_server -accept 443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -key key.pem -cert cert.pem

[1] https://8gwifi.org/docs/tlsv13.jsp

This command works (alongside the relevant s_client command), but I cannot get the same parameters passed in through socat.

robertlayton
  • 612
  • 1
  • 7
  • 20

1 Answers1

3

socat version 1.7.4.0 and later supports the option openssl-min-proto-version[1] for which a valid value is TLS1.3. This will enforce that TLS v1.3 or later is used.

Your commands would thus become:

Server

socat openssl-listen:5000,reuseaddr,cert=server.pem,cafile=server.crt,verify=0,openssl-min-proto-version=TLS1.3 STDIO

Client

socat stdio openssl-connect:localhost:5000,cert=server.pem,cafile=server.crt,verify=0,openssl-min-proto-version=TLS1.3

Note that this does not enforce that exactly TLS v1.3 is used. To do that, append ,openssl-max-proto-version=TLS1.3 to the list of options (so that both min and max equals TLS1.3).

[1] https://fossies.org/linux/socat/CHANGES

runeks
  • 1,745
  • 2
  • 17
  • 26