References:

https://security.stackexchange.com/questions/108676/need-to-access-old-forgotten-router-that-only-supports-sslv3/108850#108850
https://stackoverflow.com/questions/60178076/socat-openssl-listen-ensuring-tlsv1-3-is-in-use
http://www.dest-unreach.org/socat/doc/socat.html#OPTION_OPENSSL_VERIFY

Compiling socat manually

apt install -y openssl libssl-dev
wget http://www.dest-unreach.org/socat/download/socat-1.8.0.3.tar.gz
tar zxf socat-1.8.0.3.tar.gz && cd socat-1.8.0.3
./configure
make

Proxy command:

./socat TCP-LISTEN:8078,bind=127.0.0.1,reuseaddr,fork OPENSSL:216.224.0.61:443,cipher=AES128-SHA,openssl-min-proto-version=TLS1.0,verify=0,snihost=example.yourserversni.com

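Explanation: listen on local 127.0.0.1:8078 and forward to 216.224.0.61:443, restricting the cipher to AES128-SHA, setting the minimum TLS version to TLS1.0, skipping certificate verification (verify=0), and setting the SNI to example.yourserversni.com.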
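
As an added example (not from the original post), the script below runs the same proxy but replaces verify=0 with verification against a pinned copy of the server certificate. It assumes the server presents a self-signed certificate saved locally as a PEM file, that its SHA-256 fingerprint was confirmed out of band, and that the certificate name matches the SNI host; norm_fp, cert_fp, pin_matches, pinned_addr and the script arguments are names chosen for this example.

```sh
#!/bin/sh
# Added example: pin the legacy server's certificate instead of
# disabling verification with verify=0.

# Reduce "sha256 Fingerprint=AB:CD:.." or "ab:cd:.." to bare lowercase hex.
norm_fp() {
  printf '%s' "${1##*=}" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate file, normalised.
# Prints nothing if the file is missing or is not a certificate.
cert_fp() {
  norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# True only when the certificate file matches the pinned fingerprint.
pin_matches() {   # args: pem-file  expected-fingerprint
  _got=$(cert_fp "$1")
  [ -n "$_got" ] && [ "$_got" = "$(norm_fp "$2")" ]
}

# Build the OPENSSL address: same target and legacy settings as the post,
# but verify=1 against the pinned certificate (cafile) instead of verify=0.
# commonname is set because the target is an IP address, not a host name.
pinned_addr() {   # args: host:port  name  pem-file
  printf 'OPENSSL:%s,cipher=AES128-SHA,openssl-min-proto-version=TLS1.0,verify=1,cafile=%s,commonname=%s,snihost=%s' \
    "$1" "$3" "$2" "$2"
}

# Usage (hypothetical script name): pinned-proxy.sh host:port name server.pem fingerprint
if [ "$#" -eq 4 ]; then
  pin_matches "$3" "$4" || { echo "pinned fingerprint mismatch: $3" >&2; exit 1; }
  exec socat TCP-LISTEN:8078,bind=127.0.0.1,reuseaddr,fork "$(pinned_addr "$1" "$2" "$3")"
fi
```

If the server's certificate was issued by a CA rather than self-signed, cafile has to contain that CA certificate, since a pinned leaf alone is not a trust anchor by default.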

For more detail on socat options, see the official documentation: http://www.dest-unreach.org/socat/doc/socat.html#OPTION_OPENSSL_VERIFY

Q.E.D.