socat: patch for OpenSSL certificate hash verification

Written by gdm85 | Published 2017/12/25
Tech Story Tags: socat | openssl | certificate-pinning | security | openssl-certificate


The procedure to trust a specific certificate on a server (a self-signed one, for example, or one issued by a private CA that is not part of a public chain) requires either write access to /etc/ssl/certificates (root access) or an option in your favorite command-line tool to point it at a different certificate store. socat does not provide such an option (yet).

You might also be in a situation where the certificate has expired, yet you want to trust only that specific expired certificate rather than disable certificate verification entirely.

To cover these and similar use cases I developed a patch that takes a different direction: it pins certificates by their SHA256 hash (see gist below).

Example usage:

socat TCP-LISTEN:4443,reuseaddr,fork OPENSSL:example.com:8443,verify=0,verify-hash=654f3537fbff41fef5addf323dd01b7171dd14c54a5ae5b20f988e4c7a84c256

You can omit verify=0 from the above example if you also want the regular certificate verification to run, after the SHA256 hash verification has passed.
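To make the two modes above concrete, here is an added Python example (my own illustration, not code from the socat patch or the gist). It assumes, since the post does not spell it out, that the pinned value is the SHA-256 digest of the DER-encoded peer certificate, the same value that `openssl x509 -noout -fingerprint -sha256` prints once the colons are stripped and the hex lowercased, which matches the 64-character value in the example command. The functions `fingerprint_sha256`, `normalize_pin`, `pin_matches` and `accept_peer`, and the boolean `chain_ok` standing in for OpenSSL's regular chain verification, are all my own names, not socat's.

```python
import hashlib
import hmac

# Assumption (not stated on the page): the pin is the SHA-256 of the DER-encoded
# leaf certificate, printed in lowercase hex without colons, like the page's example.


def fingerprint_sha256(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept the forms operators tend to paste: 'AB:CD:..' from openssl output,
    upper or lower case, surrounding whitespace. Reject anything that is not a
    64-hex-digit SHA-256 value, so a typo fails loudly instead of never matching."""
    cleaned = pin.strip().replace(":", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be 64 hex characters (SHA-256 fingerprint)")
    return cleaned


def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Compare the presented certificate's fingerprint against the pin in constant time."""
    return hmac.compare_digest(fingerprint_sha256(der_cert), normalize_pin(pin))


def accept_peer(der_cert: bytes, pin: str, verify: bool, chain_ok: bool) -> bool:
    """Mirror the two command-line modes described in the post:
      verify=0,verify-hash=...   -> only the pin decides; an expired or self-signed
                                    certificate is accepted if its hash matches.
      verify-hash=... (verify=1) -> the pin must match AND the regular chain
                                    verification must succeed.
    chain_ok is a stand-in (assumption) for the outcome of OpenSSL's chain verification."""
    if not pin_matches(der_cert, pin):
        return False
    return chain_ok if verify else True


if __name__ == "__main__":
    # Constructed stand-in for DER bytes; a real client takes the peer certificate
    # from the TLS handshake. Only the hashing and decision logic are demonstrated.
    sample_der = b"\x30\x82\x01\x0a constructed-not-a-real-certificate"
    pin = fingerprint_sha256(sample_der)
    print("value to pass to socat as verify-hash=" + pin)
    print("verify=0, pin matches, chain invalid:",
          accept_peer(sample_der, pin, verify=False, chain_ok=False))
    print("verify=1, pin matches, chain invalid:",
          accept_peer(sample_der, pin, verify=True, chain_ok=False))
```

The point of the `normalize_pin` step is operational: the fingerprint you copy from `openssl` comes colon-separated and uppercase, while the socat option takes the bare lowercase form, and a pin that is silently malformed would reject every peer. The constant-time comparison is cheap insurance and costs nothing here.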

Enjoy the new --verify-hash feature and please let me know in comments if it helps in some of your socat use-cases.


Published by HackerNoon on 2017/12/25