Checking client-side certificate verification with openssl

So you have some client software that claims it checks server SSL certs are issued by a valid CA, or better, by a specific CA? How do you check its claims? Set up a simple MITM attack (works for OS X and linux):

Create a self-signed cert:

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem

Fire up the openssl server (man s_server for more options, including simple webserver functionality):

sudo openssl s_server -debug -cert cert.pem -accept 443

Edit your /etc/hosts file and add the domain you are attacking to resolve to localhost:

127.0.0.1 secure.company.com

Run your client.