A blog on Computer Science, Security, Programming, and more...


20 Feb 2015

Using socat To Proxy SSL Connections

Written by Matt

socat is a very versatile networking tool, though the man page is ridiculous. Because socat can do so many things, it's hard to find an example of exactly what you want when you search; the results you get are usually close but not really what you want.

Something I need to do often is either intercept SSL connections so I can analyze them at the packet level, or provide SSL capabilities to a program that can't communicate over SSL / encrypted streams itself. Here is the socat command that does that:

socat TCP-LISTEN:LPORT,fork openssl:IP:PORT,verify=0

This binds a listening socket to local port LPORT and tunnels each connection through to IP:PORT over SSL. The fork option handles every incoming connection in its own child process, and verify=0 turns off verification of the server's certificate. So to proxy an HTTPS request, you would connect to 127.0.0.1:80 and socat would redirect it to domain.com:443 with SSL, while the traffic from the browser to socat would still be in plaintext for you to analyze. You would need to set a custom Host: header to make sure it all works.

This is also useful if, say, you have written an IRC bot without SSL support and you want it to connect securely without adding that support yourself, and you're not using a language where you can just import ssl. Run the command above with IP/PORT set to the IRC server's IP and SSL port, connect your bot to localhost:LPORT, and it will connect securely to the IRC server. You would probably want to actually verify the certificate in this case.
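A hardened form of the command for the IRC case above, as an added example that is not from the original post: the plaintext listener is bound to loopback only and the server certificate is verified. The script name, the CA bundle path (Debian/Ubuntu default) and the use of a hostname instead of an IP are assumptions; commonname needs socat 1.7.3.0 or newer.

```shell
#!/bin/sh
# Added example, not the post's code. Usage: tls-proxy.sh LPORT HOST PORT [CAFILE]
# Assumption: Debian/Ubuntu CA bundle location; pass CAFILE to override.
DEFAULT_CAFILE=/etc/ssl/certs/ca-certificates.crt

# Print the two socat addresses (listener, then TLS client), or return 1.
tls_proxy_args() {
    lport=$1 host=$2 port=$3 cafile=${4:-$DEFAULT_CAFILE}
    for p in "$lport" "$port"; do
        case $p in
            ''|*[!0-9]*|??????*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # socat splits addresses on ':' and ','. Rejecting other characters keeps
    # a crafted HOST or CAFILE from appending options such as verify=0.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;;
    esac
    case $cafile in
        ''|*[!A-Za-z0-9._/-]*) echo "bad cafile: $cafile" >&2; return 1 ;;
    esac
    # bind=127.0.0.1: without it TCP-LISTEN accepts on every interface, which
    # would expose the plaintext side of the tunnel to the network.
    printf 'TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork\n' "$lport"
    # verify=1 checks the chain against cafile; commonname states the name the
    # certificate must carry, so HOST should be the server's DNS name.
    printf 'OPENSSL:%s:%s,verify=1,cafile=%s,commonname=%s\n' \
        "$host" "$port" "$cafile" "$host"
}

# Run socat only when arguments are supplied.
if [ "$#" -ge 3 ]; then
    addrs=$(tls_proxy_args "$@") || exit 1
    # Validation above guarantees no whitespace or glob characters,
    # so splitting $addrs into two words is safe here.
    exec socat $addrs
fi
```

With verify=1 a failed certificate check makes socat drop the connection rather than forward the client's plaintext to an unauthenticated peer.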
