On Mon, Aug 17, 2015, at 07:27 PM, AJ ONeal (Home) wrote:
> My goal is to be able to access an arbitrary https website on
> http://localhost:3000
>
> From the examples I'm finding online it seems simple enough:
>
> socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443
>
> But then when I test I get
>
> curl http://localhost:3000
> curl: (56) Recv failure: Connection reset by peer
>
> And back in the console for socat I see
>
> 2015/08/18 01:20:18 socat[15346.1995730944] E SSL_connect():
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
>
> I've tried adding more options like
> socat TCP-LISTEN:3000,bind=localhost OPENSSL:coolaj86.com:443,commonname=coolaj86.com,cafile=./coolaj86.com.root.pem
>
> (here's the chain https://gist.github.com/coolaj86/327cee3eee6fc119b389)
>
> But still no dice. Any ideas why it fails certificate validation?
>
> (my actual end goal is a little more complex than that, but if I can get
> this far, I think I'll figure out the rest)
>
> AJ ONeal
did you configure the ssl server you're trying to connect to with the ssl chain file as well? common mistake i've seen with ssl is that the chain is not included in the ssl certificate that the server presents to the client and so the client can't verify the server cert. some applications let you specify it as an additional option next to the server ssl cert, such as SSLCertificateChainFile in apache. some applications don't have a dedicated option for it but you usually can just append the chain certificate to the end of the server certificate file. i.e. 'cat chain.pem >> cert.pem'

you can use openssl s_client to verify things are working by doing something like 'openssl s_client -CAfile /path/to/ca/root.pem -connect server:port'. the first few lines of output should say "CONNECTED" and then a few lines for each of the certificates and then a "verify return:1". if the verify return says 1 then openssl was able to verify the chain and 0 means it failed. if it's failing, you can add -showcerts to have it print the pem encoded cert for the server and any chain certificates that the server presents. you should be able to trace the CN of one cert to the issuer of the next and where it stops is the problem.

oh. and your cert that you listed on github has a CN of "www.coolaj86.com" and not "coolaj86.com". you would need to use the www hostname for the verification to work.

mike

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
