Updated doc/socat-openssltunnel.html: 2048 bits, commonname

This commit is contained in:
Gerhard Rieger 2022-10-24 20:36:28 +02:00
parent 3fe7f7285d
commit d1d8f8f5e0
2 changed files with 13 additions and 8 deletions


@ -88,6 +88,8 @@ Documentation:
Fixed hard coded path in docu examples. Fixed hard coded path in docu examples.
Thanks to Jakub Wilk for sending a patch. Thanks to Jakub Wilk for sending a patch.
Updated doc/socat-openssltunnel.html: 2048 bits, commonname
Testing: Testing:
Unset SOCAT_MAIN_WAIT on informational Socat calls Unset SOCAT_MAIN_WAIT on informational Socat calls
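Review bot: The CHANGES entry understates what this commit touches. Besides the 2048-bit key and the Common Name note, the documentation diff below also replaces `echo` with `PIPE` as the server's second address, switches the address keywords to upper case (`OPENSSL-LISTEN`, `OPENSSL-CONNECT`, `STDIO`), adds a paragraph about the 1.7.3.0 common name checks, and updates the last-modified date. At least the `echo` to `PIPE` replacement deserves a mention here, since it changes what a reader copying the server example ends up running.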


@ -42,13 +42,13 @@ installed. It might as well be the client or server host themselves.</p>
<span class="frame"><span class="shell">FILENAME=server</span></span> <span class="frame"><span class="shell">FILENAME=server</span></span>
<p>Generate a public/private key pair:</p> <p>Generate a public/private key pair:</p>
<span class="frame"><span class="shell">openssl genrsa -out $FILENAME.key 1024</span></span> <span class="frame"><span class="shell">openssl genrsa -out $FILENAME.key 2048</span></span>
<p>Generate a self signed certificate:</p> <p>Generate a self signed certificate:</p>
<span class="frame"><span class="shell"> <span class="frame"><span class="shell">
openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt</span></span> openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt</span></span>
<p>You will be prompted for your country code, name etc.; you may quit all prompts <p>You will be prompted for your country code, name etc.; you may quit all prompts
with the enter key.</p> with the ENTER key, except for the Common Name which must be exactly the name or IP address of the server that the client will use.</p>
<p>Generate the PEM file by just appending the key and certificate files:<p> <p>Generate the PEM file by just appending the key and certificate files:<p>
<span class="frame"><span class="shell">cat $FILENAME.key $FILENAME.crt &gt;$FILENAME.pem</span></span> <span class="frame"><span class="shell">cat $FILENAME.key $FILENAME.crt &gt;$FILENAME.pem</span></span>
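Review bot: The line "Generate the PEM file by just appending the key and certificate files:<p>" ends with `<p>` where `</p>` is meant, in both the old and the new version; since it is in this hunk's context, fix it here. The new Common Name sentence is the security-relevant part of this change (the 1.7.3.0 client-side check added in the Troubleshooting hunk of this same diff compares against it), so it would help to say that the name must be exactly the host part later given to `OPENSSL-CONNECT`, and that "quit all prompts with the ENTER key" accepts the default values rather than leaving the fields empty. Because `genrsa` writes an unencrypted key and `cat` copies it into `$FILENAME.pem`, a short note that the `.pem` file must be readable only by the user running socat would fit at the end of this step.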
@ -70,7 +70,7 @@ are not critical.
<p>First prepare a different basename for the files related to the client certificate:</p> <p>First prepare a different basename for the files related to the client certificate:</p>
<span class="frame"><span class="shell">FILENAME=client</span></span> <span class="frame"><span class="shell">FILENAME=client</span></span>
<p>Repeat the procedure for certificate generation described above. <p>Repeat the procedure for certificate generation described above. A special common name is not required.
Copy <tt>client.pem</tt> to the SSL client, and <tt>client.crt</tt> to the Copy <tt>client.pem</tt> to the SSL client, and <tt>client.crt</tt> to the
server.</p> server.</p>
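Review bot: "A special common name is not required." should say why: the server verifies the client certificate against `cafile` but does not compare its common name unless that check is enabled, which the paragraph added in the Troubleshooting hunk of this diff describes as optional. Without that reason a reader may take "not required" as "not checked at all". Since "Repeat the procedure for certificate generation described above" now includes the Common Name step, it is also worth saying explicitly that ENTER is fine at that prompt for the client certificate.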
@ -81,7 +81,7 @@ for the server, <tt>cert=...</tt> tells the program to the file containing its
ceritificate and private key, and <tt>cafile=...</tt> points to the file ceritificate and private key, and <tt>cafile=...</tt> points to the file
containing the certificate of the peer; we trust clients only if they can proof containing the certificate of the peer; we trust clients only if they can proof
that they have the related private key (OpenSSL handles this for us):<p> that they have the related private key (OpenSSL handles this for us):<p>
<span class="frame"><span class="shell">socat openssl-listen:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo</span></span> <span class="frame"><span class="shell">socat OPENSSL-LISTEN:4433,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt PIPE</span></span>
<p>After starting this command, socat should be listening on port 4433, but <p>After starting this command, socat should be listening on port 4433, but
will require client authentication.</p> will require client authentication.</p>
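Review bot: The context lines of this hunk carry typos that could be fixed while the paragraph is being touched: "ceritificate" (certificate), "can proof that" (can prove that), "tells the program to the file containing" (a verb is missing, e.g. "points the program to the file containing"), and the paragraph ends with `<p>` instead of `</p>`. The replacement of `echo` by `PIPE` is fine for an echo-style test server, but the following sentence only says "socat should be listening on port 4433"; a half-sentence stating that `PIPE` returns to the client whatever it sends would tell readers what to expect when they test the connection.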
@ -89,7 +89,7 @@ will require client authentication.</p>
<p>Substitute your <tt>tcp-connect</tt> or <tt>tcp</tt> address keyword with <p>Substitute your <tt>tcp-connect</tt> or <tt>tcp</tt> address keyword with
<tt>openssl-connect</tt> or just <tt>ssl</tt> and here too add the <tt>openssl-connect</tt> or just <tt>ssl</tt> and here too add the
<tt>cert</tt> and <tt>cafile</tt> options:<p> <tt>cert</tt> and <tt>cafile</tt> options:<p>
<span class="frame"><span class="shell">socat stdio openssl-connect:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt</span></span> <span class="frame"><span class="shell">socat STDIO OPENSSL-CONNECT:server.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt</span></span>
<p>This command should establish a secured connection to the server <p>This command should establish a secured connection to the server
process.</p> process.</p>
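Review bot: The command now uses upper-case `STDIO` and `OPENSSL-CONNECT`, but the prose in the same hunk still refers to `<tt>tcp-connect</tt>`, `<tt>openssl-connect</tt> or just <tt>ssl</tt>` in lower case; socat accepts both spellings, but the document should use one consistently. The paragraph again ends with `<p>` instead of `</p>`. Since `server.domain.org` in this command is the name the client uses, it is the value that must appear as Common Name in the server certificate from the first hunk; a cross-reference here ("the name given here must match the certificate's Common Name") would save readers a failed handshake.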
@ -100,10 +100,10 @@ to be adapted; <tt>ip6name.domain.org</tt> is assumed to resolve to the IPv6
address of the server:</p> address of the server:</p>
<p>Server:</p> <p>Server:</p>
<span class="frame"><span class="shell">socat <span class="frame"><span class="shell">socat
openssl-listen:4433,<b style="color:yellow">pf=ip6</b>,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt echo</span></span> OPENSSL-LISTEN:4433,<b style="color:yellow">pf=ip6</b>,reuseaddr,cert=$HOME/etc/server.pem,cafile=$HOME/etc/client.crt PIPE</span></span>
<p>Client:</p> <p>Client:</p>
<span class="frame"><span class="shell">socat stdio openssl-connect:<b style="color:yellow">ip6name</b>.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt</span></span> <span class="frame"><span class="shell">socat STDIO OPENSSL-CONNECT:<b style="color:yellow">ip6name</b>.domain.org:4433,cert=$HOME/etc/client.pem,cafile=$HOME/etc/server.crt</span></span>
<h2>Troubleshooting</h2> <h2>Troubleshooting</h2>
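Review bot: With the Common Name requirement added in the first hunk and the 1.7.3.0 client-side check described in the Troubleshooting hunk, this IPv6 example will not verify against a server certificate whose Common Name is `server.domain.org`, because the client here connects to `ip6name.domain.org` and that is the name compared with the certificate. Either state that the server certificate used for this example must carry `ip6name.domain.org` as Common Name (or that a separate certificate is generated for it), or use the same host name as in the IPv4 example.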
@ -153,8 +153,11 @@ With socat version 1.6.0, the SSL server per default requires the client to
present a trusted certificate. socat's OpenSSL implementation still does not present a trusted certificate. socat's OpenSSL implementation still does not
check the contents of a certificate like host name or host address. check the contents of a certificate like host name or host address.
</p> </p>
<p>
Socat 1.7.3.0 introduces check of servers commonname by the client, and optionally check of clients commonname by the server.
</p>
<p>This document was last modified in March 2007.</p> <p>This document was last modified in Oct. 2023.</p>
<h2>More info about socat OpenSSL</h2> <h2>More info about socat OpenSSL</h2>
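Review bot: The new paragraph contradicts the unchanged sentence directly above it: "socat's OpenSSL implementation still does not check the contents of a certificate like host name or host address" is no longer true for 1.7.3.0 and later, so that sentence should be reworded (e.g. "Up to version 1.7.2, socat's OpenSSL implementation did not check ...") rather than corrected by an appended paragraph. In the added text, "check of servers commonname by the client, and optionally check of clients commonname by the server" should read "a check of the server's common name by the client, and optionally a check of the client's common name by the server". The last-modified line now says "Oct. 2023" while this commit is dated 2022-10-24; one of the two is wrong.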