====== TLS1.2 <-> SSLv3 wrapper ======

Situation: there is a proprietary application that only supports SSLv3 and the vendor does not care.

Solution:
  - make the application listen to 127.0.0.1:4443 or something like this
  - socat -v openssl-listen:443,cert=/etc/ssl/our_key_cert.pem,verify=0,reuseaddr,fork ssl:127.0.0.1:4443,verify=0**,method=ssl3**

===== Disabled SSL3 support =====

As of 9/2016, Debian links socat against openssl without SSL3 support. Therefore the above no longer works.

I have managed to compile openssl with SSL3
<code>
./Configure --prefix=/opt/ssl3 linux-x86_64
</code>
and somehow compile socat with it
<code>
change /sw to /opt/ssl3 in configure
negate the condition above
LIBS=-ldl ./configure
</code>
openssl s_client supports ssl3 now (/opt/ssl3/bin/openssl s_client -connect xxx:443 -ssl3) and socat too.

===== Old ciphersuites only =====

Next, the following system was encountered during an... eh... //network security reconnaissance//.

<code>
443/tcp open  Ubiquity Crap
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - A
|     compressors: 
| 
|     cipher preference: client
|     warnings: 
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|_  least strength: D
</code>

Cipher suites need to be replaced in your socat in xio-openssl.c:
<code c>
   //char *ci_str = "HIGH:-NULL:-PSK:-aNULL";   /* cipher string */
   char *ci_str = "ALL:+NULL";  /* cipher string */
</code>