diff --git a/CHANGES b/CHANGES index 82f5f80..0bdc133 100644 --- a/CHANGES +++ b/CHANGES @@ -88,6 +88,8 @@ Documentation: Fixed hard coded path in docu examples. Thanks to Jakub Wilk for sending a patch. + Updated doc/socat-openssltunnel.html: 2048 bits, commonname + Testing: Unset SOCAT_MAIN_WAIT on informational Socat calls diff --git a/doc/socat-openssltunnel.html b/doc/socat-openssltunnel.html index e2ce0fc..99d644e 100644 --- a/doc/socat-openssltunnel.html +++ b/doc/socat-openssltunnel.html @@ -42,13 +42,13 @@ installed. It might as well be the client or server host themselves.

FILENAME=server

Generate a public/private key pair:

-openssl genrsa -out $FILENAME.key 1024 +openssl genrsa -out $FILENAME.key 2048

Generate a self signed certificate:

openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt

You will be prompted for your country code, name etc.; you may quit all prompts -with the enter key.

+with the ENTER key, except for the Common Name which must be exactly the name or IP address of the server that the client will use.

Generate the PEM file by just appending the key and certificate files:

cat $FILENAME.key $FILENAME.crt >$FILENAME.pem @@ -70,7 +70,7 @@ are not critical.

First prepare a different basename for the files related to the client certificate:

FILENAME=client -

Repeat the procedure for certificate generation described above. +

Repeat the procedure for certificate generation described above. A special common name is not required. Copy client.pem to the SSL client, and client.crt to the server.

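Review bot: in the `@@ -42` hunk the added Common Name sentence is appended to "you may quit all prompts with the ENTER key", so a reader who follows the first clause literally accepts the default (empty) Common Name and then fails the client-side commonname check that the last hunk says socat 1.7.3.0 performs; consider rewording to "Except for the Common Name, you may accept all prompts with ENTER; the Common Name must be exactly the hostname or IP address that the client later gives in OPENSSL-CONNECT:...". In the `@@ -70` hunk, "A special common name is not required" for the client certificate should be qualified with "unless the server is configured to check the client's commonname", since the final hunk describes that check as optional in 1.7.3.0. The same hunk's "Copy client.pem to the SSL client" moves a file that contains the private key (client.pem is `cat client.key client.crt`), so the doc should say to transfer it over a protected channel and keep its permissions restricted, while only client.crt goes to the server. The `FILENAME=client -` / `+` pair is whitespace-only churn.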
@@ -81,7 +81,7 @@ for the server, cert=... tells the program to the file containing its ceritificate and private key, and cafile=... points to the file containing the certificate of the peer; we trust clients only if they can proof that they have the related private key (OpenSSL handles this for us):

-socat openssl-listen:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo +socat OPENSSL-LISTEN:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt PIPE

After starting this command, socat should be listening on port 4433, but will require client authentication.

@@ -89,7 +89,7 @@ will require client authentication.

Substitute your tcp-connect or tcp address keyword with openssl-connect or just ssl and here too add the cert and cafile options:

-socat stdio openssl-connect:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt +socat STDIO OPENSSL-CONNECT:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt

This command should establish a secured connection to the server process.

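Review bot: the `@@ -89` hunk uppercases the example to `socat STDIO OPENSSL-CONNECT:server.domain.org:4433,...` while the unchanged introductory sentence still says "openssl-connect or just ssl" in lowercase; align the prose with the new spelling. Because the last hunk states that the client checks the server's commonname as of 1.7.3.0, this is the place to say that `server.domain.org` must be exactly the Common Name entered in the `openssl req` step, otherwise the client-side check fails.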
@@ -100,10 +100,10 @@ to be adapted; ip6name.domain.org is assumed to resolve to the IPv6 address of the server:

Server:

socat -openssl-listen:4433,pf=ip6,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo +OPENSSL-LISTEN:4433,pf=ip6,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt PIPE

Client:

-socat stdio openssl-connect:ip6name.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt +socat STDIO OPENSSL-CONNECT:ip6name.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt

Troubleshooting

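Review bot: the `@@ -100` hunk keeps `cert=$HOME/etc/server.pem` for the IPv6 server while the client connects to `ip6name.domain.org`; with the 1.7.3.0 commonname check the server certificate's Common Name can match only one name, so the doc should either state that `ip6name.domain.org` and `server.domain.org` are expected to be the same name, or tell the reader to generate a second server certificate whose Common Name is `ip6name.domain.org`.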
@@ -153,8 +153,11 @@ With socat version 1.6.0, the SSL server per default requires the client to present a trusted certificate. socat's OpenSSL implementation still does not check the contents of a certificate like host name or host address.

+

+ Socat 1.7.3.0 introduces check of servers commonname by the client, and optionally check of clients commonname by the server. +

-

This document was last modified in March 2007.

+

This document was last modified in Oct. 2023.

More info about socat OpenSSL
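Review bot: the `@@ -153` hunk adds "Socat 1.7.3.0 introduces check of servers commonname by the client, and optionally check of clients commonname by the server." directly after the unchanged sentence "socat's OpenSSL implementation still does not check the contents of a certificate like host name or host address", which now contradicts it for 1.7.3.0 and later; rewrite the older sentence as "Before version 1.7.3.0 socat's OpenSSL implementation did not check ..." so the two read as one statement. Grammar in the added line: "servers commonname" -> "server's commonname", "clients commonname" -> "client's commonname", and "introduces check of" -> "introduces checking of". The surrounding `+`, `-` and `+` lines are whitespace-only; the "last modified" update to Oct. 2023 is fine.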