I have a working client/server scenario using socat with the following commands:
Server
socat openssl-listen:5000,reuseaddr,cert=server.pem,cafile=server.crt,verify=0 STDIO
Client
socat stdio openssl-connect:localhost:5000,cert=server.pem,cafile=server.crt,verify=0
This is part of a larger system, but the commands above work well for what we are trying to achieve. However, I need to ensure that TLS v1.3 is in use, and ensure it is the only version of encryption being used. I can ensure version 1.2 is used using something like:
socat - OPENSSL-LISTEN:443,method=TLS1.2,verify=0,cert=cert.pem,key=key.pem
openssl is at the latest (1.1.1 version), which is supposed to support TLS1.3
At time of writing (Feb 2020), almost all the documentation I can find for socat only makes reference to setting TLS1.2, and no reference to TLS1.3. For the openssl command line, you can set -tls1_3, for instance:
openssl s_server -accept 443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -key key.pem -cert cert.pem
[1] https://8gwifi.org/docs/tlsv13.jsp
This command works (alongside the relevant s_client command), but I cannot get the same parameters passed in through socat.
socat version 1.7.4.0 and later supports the option openssl-min-proto-version [1], for which a valid value is TLS1.3. This will enforce that TLS v1.3 or later is used.
Your commands would thus become:
socat openssl-listen:5000,reuseaddr,cert=server.pem,cafile=server.crt,verify=0,openssl-min-proto-version=TLS1.3 STDIO
socat stdio openssl-connect:localhost:5000,cert=server.pem,cafile=server.crt,verify=0,openssl-min-proto-version=TLS1.3
Note that this does not enforce that exactly TLS v1.3 is used. To do that, append ,openssl-max-proto-version=TLS1.3 to the list of options (so that both min and max equal TLS1.3).
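A way to verify that the pinned listener really refuses anything but TLS 1.3, written as an added example (not code from the question or the answer above): it starts the listener with both openssl-min-proto-version and openssl-max-proto-version set to TLS1.3, then probes it with openssl s_client once with -tls1_2 and once with -tls1_3, and reads the negotiated version from s_client's "New, <version>, Cipher is <suite>" line. It also checks the installed socat's option list, since an older socat rejects openssl-min-proto-version as an unknown option. Assumptions: socat 1.7.4.0 or later and OpenSSL 1.1.1 or later on PATH, port 5000 free, a throwaway self-signed certificate generated into a temp directory, and PIPE as the listener's second address so that several probes can connect. One caveat the practitioner should keep in mind: verify=0, as in the commands above, disables certificate verification on both sides, so pinning the protocol version protects the cipher suite set but not against an active attacker presenting their own certificate.

```shell
#!/bin/sh
# Added example: confirm a socat OpenSSL listener only negotiates TLS 1.3.
# Assumes socat >= 1.7.4.0 and openssl >= 1.1.1 on PATH and port 5000 free.
# Run the live check with:  sh tls13_check.sh live

PORT=5000

# Does the installed socat know the option at all? socat -hhh lists every
# address option name; older builds (< 1.7.4.0) do not have it.
socat_supports_proto_version() {
    socat -hhh 2>/dev/null | grep -q 'openssl-min-proto-version'
}

# Read an openssl s_client transcript on stdin and print the negotiated
# version from the line "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384".
# On a failed handshake s_client prints "New, (NONE), Cipher is (NONE)",
# which we map to "none". Pure text processing, testable without a server.
negotiated_version() {
    v=$(sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    case "$v" in
        ""|"(NONE)") echo none ;;
        *) echo "$v" ;;
    esac
}

# $1 is the s_client version flag (-tls1_2 or -tls1_3); prints the result.
probe() {
    openssl s_client -connect "127.0.0.1:$PORT" "$1" </dev/null 2>/dev/null \
        | negotiated_version
}

# Start the listener from the answer with min = max = TLS1.3, probe it with
# TLS 1.2 and TLS 1.3, and return 0 only if 1.2 is refused and 1.3 succeeds.
tls13_only_check() {
    if ! socat_supports_proto_version; then
        echo "socat lacks openssl-min-proto-version (need 1.7.4.0+)" >&2
        return 1
    fi
    dir=$(mktemp -d)
    # Throwaway self-signed cert; with verify=0 the client never checks it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"

    # PIPE echoes data back, so multiple probes can connect thanks to fork.
    socat "openssl-listen:$PORT,reuseaddr,fork,cert=$dir/server.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3" \
        PIPE >/dev/null 2>&1 &
    pid=$!
    sleep 1

    v12=$(probe -tls1_2)
    v13=$(probe -tls1_3)

    kill "$pid" 2>/dev/null
    rm -rf "$dir"
    echo "TLS 1.2 probe: $v12; TLS 1.3 probe: $v13"
    [ "$v12" = none ] && [ "$v13" = TLSv1.3 ]
}

# Only run the live check when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${1:-}" = live ]; then
    if tls13_only_check; then
        echo "OK: listener accepts TLS 1.3 only"
    else
        echo "FAIL: listener is not pinned to TLS 1.3" >&2
        exit 1
    fi
fi
```

Drop openssl-max-proto-version from the listener and re-run the check to see the difference: TLS 1.2 is still refused by the minimum, and with a future OpenSSL that negotiates something newer than 1.3 the second probe would no longer report TLSv1.3 exactly.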