On 08/17/2015 07:27 PM, AJ ONeal (Home) wrote:
> My goal is to be able to access an arbitrary https website on
> http://localhost:3000
>
> From the examples I'm finding online it seems simple enough:
>
> socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443
>
> But then when I test I get
>
> curl http://localhost:3000
> curl: (56) Recv failure: Connection reset by peer
>
> And back in the console for socat I see
>
> 2015/08/18 01:20:18 socat[15346.1995730944] E SSL_connect():
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
>
> I've tried adding more options like
> socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443,commonname=coolaj86.com,cafile=./coolaj86.com.root.pem
>
> (here's the chain https://gist.github.com/coolaj86/327cee3eee6fc119b389)
>
> But still no dice. Any ideas why it fails certificate validation?

I'm not sure, but to get you going you can tell socat to not verify
certificates:

    socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443,verify=0

Another way to do this is with xinetd and the stunnel program.
For example, here's an xinetd file for doing a plaintext localhost imap
that connects to gmail's secure imap:

    service imap
    {
        disable = no
        socket_type = stream
        wait = no
        user = root
        server = /usr/bin/stunnel
        server_args = /etc/stunnel/gmail-imap.conf
        log_on_success += USERID
        log_on_failure += USERID
    }

And the /etc/stunnel/gmail-imap.conf:

    client = yes
    connect = imap.gmail.com:993
    verify=0
    fips=no

Apparently I had trouble with stunnel verifying certificates also...
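
An added example, not part of the original thread: a small Python stand-in for the socat one-liner above that keeps certificate chain and hostname verification on instead of setting verify=0, and refuses to forward when the handshake fails. The function names and taking the upstream host from argv are this example's own assumptions; it trusts the system CA store unless a cafile is passed.

```python
import socket, ssl, sys, threading

def make_verified_context(cafile=None):
    """Client context with CERT_REQUIRED and hostname checking (the opposite of verify=0)."""
    return ssl.create_default_context(cafile=cafile)  # cafile=None -> system trust store

def open_upstream(host, port, ctx, timeout=10):
    """Connect and handshake; raises ssl.SSLCertVerificationError on a bad chain or name."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)  # sends SNI and checks the name

def pump(src, dst):
    """Copy bytes one way; when this direction ends, wake the opposite direction too."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                socket.socket.shutdown(s, socket.SHUT_RDWR)  # TCP-level shutdown only
            except OSError:
                pass

def handle(client, host, port, ctx):
    try:
        upstream = open_upstream(host, port, ctx)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        print(f"refusing to forward: {exc}", file=sys.stderr)
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    t.start()
    pump(upstream, client)
    t.join()
    client.close()
    upstream.close()

def serve(listen_port, host, port=443, cafile=None):
    ctx = make_verified_context(cafile)
    with socket.create_server(("127.0.0.1", listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, host, port, ctx), daemon=True).start()

if __name__ == "__main__":
    serve(3000, sys.argv[1])  # plaintext on localhost:3000, verified TLS to <host>:443
```

When verification fails, the message printed by handle() carries the OpenSSL reason (for example an unknown issuer or a hostname mismatch), which is the detail needed to fix the trust configuration rather than disable it.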