The procedure to trust a specific certificate (self-signed for example, or with another CA which is not part of a public chain) on a server requires access to /etc/ssl/certificates (root access) or an option in your favorite command-line interface tool to provide a different certificates storage. socat does not provide such option (yet).

You might also be in a situation where the certificate is expired, yet you want to trust only a specific expired certificate and not completely disable certificate verification.

To cover these and similar use cases I developed a patch that goes instead in another direction by using certificate pinning by their SHA256 hash (see gist below).

Example usage:

socat TCP-LISTEN:4443,reuseaddr,fork OPENSSL:example.com:8443,verify=0,verify-hash=654f3537fbff41fef5addf323dd01b7171dd14c54a5ae5b20f988e4c7a84c256

You can omit verify=0 from the above example if you wish to use the regular verification after the SHA256 hash verification.