In the easy case where I have access to the server and am able to tell the client to use a different TCP port:
socat TCP4-LISTEN:7080,fork,reuseaddr OPENSSL:localhost:443,verify=0 &
socat OPENSSL-LISTEN:7443,certificate={certfile},key={keyfile},fork,reuseaddr,verify=0 TCP4:localhost:7080 &
iptables -I INPUT -p TCP --dport 7443 -j ACCEPT
Some details:
- Verification is unnecessary when talking to localhost, although this could be readily tightened with a suitable cafile option.
- Using verify=0 in the OPENSSL-LISTEN section was an unexpected necessity; without it socat requires that the client present a certificate!
- {certfile} and {keyfile} are typically already present in a usable form for the existing TLS server.
To use Wireshark on my notebook to watch what's happening:
export LIBOVERLAY_SCROLLBAR=0
ssh root@{server} tcpdump -s 2000 -Uw - -i lo tcp port 7080 | wireshark -kli -
(the LIBOVERLAY_SCROLLBAR works around a nasty Ubuntu bug)