From 97099b374278c2303fb1736a2bacd953b1bc9d64 Mon Sep 17 00:00:00 2001 From: Andrey Arapov Date: Sun, 15 Jul 2018 19:14:59 +0200 Subject: [PATCH] update readme --- README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c81adfa..5b41d70 100644 --- a/README.md +++ b/README.md @@ -88,8 +88,10 @@ services: ### helloworld with socat socat could be handy when you need to see the TLS flow between the reverse -proxy and a backend. It may also let you secure the traffic between them in -case when the backend application does not support TLS on its own. +proxy and a backend. + +It may also help you secure the traffic between the reverse proxy and a backend +in case when the latter service does not support TLS on its own. > Minimum socat version should be [1.7.3.2](https://fossies.org/linux/privat/socat-1.7.3.2.tar.gz/socat-1.7.3.2/CHANGES) so it will work with the > ECDHE- OpenSSL ciphers. @@ -115,6 +117,12 @@ services: traefik.protocol: 'https' ``` +If you get ``sslv3 alert bad certificate`` error, then make sure you have +either updated the CA bundle with your CA file which was used to sign your x509 +certificates at the reverse proxy server or disable TLS verification between +the reverse proxy and your backend (e.g. Traefik has a global option +``insecureSkipVerify = true``) + ## Testing I have added a simplistic script [testme.sh](testme.sh) that helps to test this
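Review bot: In the first hunk (README.md, "helloworld with socat"), the new sentence "in case when the latter service does not support TLS on its own" is awkward and "the latter service" makes the reader look back to work out which side is meant; "when the backend does not support TLS on its own" says the same thing directly. Since this paragraph is where socat is introduced as the TLS endpoint for such a backend, it would also help to state that the hop from socat to the backend itself stays unencrypted, so readers know the two should sit on the same host or a private network.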
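Review bot: In the second hunk (README.md, the paragraph added after the `traefik.protocol: 'https'` example), disabling TLS verification is offered as an equal alternative to adding the signing CA to the bundle, and the text itself notes that `insecureSkipVerify = true` is a global option, so it turns off backend certificate checks for every backend behind the proxy and not only this one. Suggest presenting the CA bundle update as the fix and marking the skip-verify setting as a local-testing workaround only. Minor wording: "either updated ... or disable" mixes tenses ("either update the CA bundle ... or disable TLS verification"), the sentence is missing its closing period, and it does not say which side (reverse proxy or socat) reports the `sslv3 alert bad certificate` error, which would help when reading the logs.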