From d1d8f8f5e0b22faa6988771ec2e0d63b051b09ad Mon Sep 17 00:00:00 2001
From: Gerhard Rieger
Generate a public/private key pair:
-openssl genrsa -out $FILENAME.key 1024 +openssl genrsa -out $FILENAME.key 2048Generate a self signed certificate:
openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crtYou will be prompted for your country code, name etc.; you may quit all prompts -with the enter key.
+with the ENTER key, except for the Common Name which must be exactly the name or IP address of the server that the client will use.Generate the PEM file by just appending the key and certificate files:
cat $FILENAME.key $FILENAME.crt >$FILENAME.pem @@ -70,7 +70,7 @@ are not critical.
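Review bot: in the key and certificate generation hunk, the added sentence at `+with the ENTER key, except for the Common Name which must be exactly the name or IP address of the server that the client will use` makes the CN mandatory, but the `openssl req` command just above it is still interactive, so the only thing enforcing that requirement is what the reader types at the CN prompt. Consider showing the non-interactive form, e.g. `openssl req -new -key $FILENAME.key -x509 -days 3653 -subj "/CN=server.domain.org" -out $FILENAME.crt` (server.domain.org being the hostname the client examples later connect to), and stating what the client does when the name does not match. The `-openssl genrsa ... 1024` / `+openssl genrsa ... 2048` change itself is right; 1024-bit RSA keys should not be generated for new deployments.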
First prepare a different basename for the files related to the client certificate:
FILENAME=client -Repeat the procedure for certificate generation described above. +
Repeat the procedure for certificate generation described above. A special common name is not required. Copy client.pem to the SSL client, and client.crt to the server.
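Review bot: the added sentence `Copy client.pem to the SSL client, and client.crt to the server.` is the first place the document says which file goes where, but it does not say that client.pem contains the client's private key (it is built by `cat $FILENAME.key $FILENAME.crt >$FILENAME.pem` in the procedure being repeated) and therefore must be transferred over a secure channel and kept readable only by the user running socat, whereas client.crt is public and can be copied freely. One sentence to that effect, and the same remark for server.pem, would prevent the common mistake of copying the .pem to the peer.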
@@ -81,7 +81,7 @@ for the server, cert=... tells the program to the file containing its ceritificate and private key, and cafile=... points to the file containing the certificate of the peer; we trust clients only if they can proof that they have the related private key (OpenSSL handles this for us):-socat openssl-listen:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo +socat OPENSSL-LISTEN:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt PIPE
After starting this command, socat should be listening on port 4433, but will require client authentication.
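Review bot: since this hunk already rewrites the command line of this paragraph, the typos in the unchanged context lines should be fixed with it: `tells the program to the file containing its ceritificate` should read `tells the program the file containing its certificate`, and `if they can proof that they have the related private key` should read `if they can prove that they have the related private key`. The command change itself (`OPENSSL-LISTEN:...` with `PIPE` instead of `echo`) reads fine.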
@@ -89,7 +89,7 @@ will require client authentication.Substitute your tcp-connect or tcp address keyword with openssl-connect or just ssl and here too add the cert and cafile options:
-socat stdio openssl-connect:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt +socat STDIO OPENSSL-CONNECT:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt
This command should establish a secured connection to the server process.
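Review bot: the command is uppercased to `socat STDIO OPENSSL-CONNECT:...`, but the sentence introducing it still says `Substitute your tcp-connect or tcp address keyword with openssl-connect or just ssl`; spell the keywords in the prose the same way as in the commands (TCP-CONNECT / TCP, OPENSSL-CONNECT / SSL) so readers do not wonder whether case matters. Also, the client passes `cafile=$HOME/etc/server.crt` and, per the 1.7.3.0 note added at the end of this patch, now checks the server's commonname, so `server.domain.org` in this command must equal the CN entered when server.crt was generated; a cross-reference to that requirement belongs here.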
@@ -100,10 +100,10 @@ to be adapted; ip6name.domain.org is assumed to resolve to the IPv6 address of the server:Server:
socat -openssl-listen:4433,pf=ip6,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo +OPENSSL-LISTEN:4433,pf=ip6,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt PIPEClient:
-socat stdio openssl-connect:ip6name.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt +socat STDIO OPENSSL-CONNECT:ip6name.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt+ Socat 1.7.3.0 introduces check of servers commonname by the client, and optionally check of clients commonname by the server. +
-This document was last modified in March 2007.
+This document was last modified in Oct. 2023.
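Review bot: the new sentence `+ Socat 1.7.3.0 introduces check of servers commonname by the client, and optionally check of clients commonname by the server.` is appended directly to the IPv6 client command line (`...cafile=$HOME/etc/server.crt+ Socat 1.7.3.0 ...`) with no blank line or paragraph break, so it will render as part of the command. Put it in its own paragraph, fix the possessives (`server's commonname`, `client's commonname`), and say how the optional server-side check of the client's name is enabled and what happens on a mismatch, since the rest of the patch now assumes the CN matches. The `+This document was last modified in Oct. 2023.` line would read better as a full month name (`October 2023`), matching the `March 2007` it replaces.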