OpenSSL client checks SubjectAltName IP addresses

[socat.git] / README

about
-----

socat is a relay for bidirectional data transfer between two independent data
channels. Each of these data channels may be a file, pipe, device (serial line
etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an
SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU
line editor (readline), a program, or a combination of two of these. 
These modes include generation of "listening" sockets, named pipes, and pseudo
terminals.

socat can be used, e.g., as TCP port forwarder (one-shot or daemon), as an
external socksifier, for attacking weak firewalls, as a shell interface to UNIX
sockets, IP6 relay, for redirecting TCP oriented programs to a serial line, to
logically connect serial lines on different computers, or to establish a
relatively secure environment (su and  chroot) for running client or server
shell scripts with network connections. 

Many options are available to refine socats behaviour:
terminal parameters, open() options, file permissions, file and process owners,
basic socket options like bind address, advanced socket options like IP source
routing, linger, TTL, TOS (type of service), or TCP performance tuning.

More capabilities, like daemon mode with forking, client address check,
"tail -f" mode, some stream data processing (line terminator conversion),
choosing sockets, pipes, or ptys for interprocess communication, debug and
trace options, logging to syslog, stderr or file, and last but not least
precise error messages make it a versatile tool for many different purposes.

In fact, many of these features already exist in specialized tools; but until
now, there does not seem to exists another tool that provides such a generic,
flexible, simple and almost comprehensive (UNIX) byte stream connector.


packages
--------

before bothering with compilers, dependencies and include files, you might
try to get a binary distribution that matches your platform. Have a look at 
the projects home page for actual information regarding socat binary 
distributions.


platforms
---------

socat 1.7.0 was compiled and more or less successfully tested under the
following operating systems:

Debian lenny/sid on x86, kernel 2.6.24
FreeBSD 6.1 on x86
NetBSD 4.0  on x86
OpenBSD 4.3 on x86
OpenSolaris 10 on x86 with gcc
Mac OS X 10.5.5 on iMac G5, with libreadline
HP-UX 11.23
AIX 5.3 on 64bit Power4 with gcc
Cygwin 1.5.25 on i686

tests on Tru64 can no longer be performed because HP testdrive has taken down
these hosts.

Some versions of socat have been reported to successfully compile under older
Linux versions back to RedHat 2.1 (kernel 1.2.13, gcc 2.7.0), under AIX 4.1 and
4.3, SunOS 5.7-5.8, FreeBSD 4.2 - 4.9, MacOS X 10.1, Cygwin, Solaris 8 on x86, 
OSR 5.0.6, NetBSD 1.6.1 and 2.0.2, OpenBSD 3.4 and 3.8, Tru64 5.1B, Mac OS X
10.1-10.2, and HP-UX 11

It might well compile and run under other UNIX like operating systems.


install
-------

Get the tarball and extract it:
        tar xzf socat.tar.gz
        cd socat-1.7.3.0
        ./configure
        make
        su
        make install    # installs socat, filan, and procan in /usr/local/bin

For compiling socat, gcc (or egc) is recommended.
If gcc is not available, the configure script will fail to determine
some features; then you'd better begin with one of the Makefiles and config.h's
from the Config directory.

If you have problems with the OpenSSL library, you can apply the option
"--disable-openssl" to configure.

If you have problems with the readline library or (n)curses, you can apply the
option "--disable-readline" to configure.

If you have problems with the tcp wrappers library, you can apply the option
"--disable-libwrap" to configure.

If you still get errors or a tremendous amount of warnings you can exclude 
the features for system call tracing and file descriptor analyzing by
applying the options "--disable-sycls --disable-filan" to configure.

You still need the functions vsnprintf and snprintf that are in the GNU libc,
but might not be available with some proprietary libc's.

The configure script looks for headers and libraries of openssl, readline, and
tcp wrappers in the OS'es standard places and in the subdirectories include/
and lib/ of the following places: 
   /sw/
   /usr/local/
   /opt/freeware/
   /usr/sfw/
and for openssl also in:
   /usr/local/ssl/
In case of unexpected behaviour it is important to understand that configure
first searches for the appropriate include file and then expects to find the
library in the associated lib directory. That means, when e.g. a OpenSSL
installation resides under /usr/local and there is a symbolic link from
/usr/include/ssl/ssl.h to /usr/local/ssl/include/ssl/ssl.h, configure will find
the /usr/include/... header and will therefore expect libssl in /usr/lib
instead of /usr/local/...

If configure does not find a header file or library but you know where it is,
you can specify additional search locations, e.g.:
   export LIBS="-L$HOME/lib"
   export CPPFLAGS="-I$HOME/include"
before running configure and make.

For other operating systems, if socat does not compile without errors, refer to
the file PORTING.


platform specifics - redhat
---------------------------

Install the following packages before building socat:
  tcp_wrappers-devel
  readline-devel
  openssl-devel

On RedHat Linux 9.0, including openssl/ssl.h might fail due to problems with
the krb5-devel package. configure reacts with disabling openssl integration. 
To solve this issue, help cpp to find the krb5.h include file:
CPPFLAGS="-I/usr/kerberos/include" ./configure


platform specifics - aix
------------------------

The flock() prototype is not available but the function is. Thus, to enable the
socat flock options, run configure and then change in config.h the line 
/* #undef HAVE_FLOCK */
to
#define HAVE_FLOCK 1
and continue the build process.

When using the OpenSSL rpm provided by IBM, configure might need the 
environment variable setting:
LIBS="-L/opt/freeware/lib"

When using the OpenSSL bundle provided by IBM, egd needs to be installed too
to get enough entropy.

socat compiles not only with gcc, but also with xlc. Just adapt the Makefile:
replace gcc by /usr/vac/bin/xlc and remove gcc specific options 
"-Wall -Wno-parentheses".

When linking with the OpenSSL library provided by IBM, errors may occur:
ld: 0711-317 ERROR: Undefined symbol: .__umoddi3
In this case, you need to link with libgcc or compile libcrypt yourself using
xlc, or disable SSL (in config.h, undefine WITH_OPENSSL and recompile)

The score of test.sh can be improved by uncommenting MISCDELAY=1 in this
script.


platform specifics - solaris
----------------------------

If libreadline or libssl are in a directory not searched by the loader per
default, e.g. /opt/sfw/lib, you must add this directory to $LD_LIBRARY_PATH,
for running both configure and the socat executables, e.g.:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/sfw/lib

For some shell scripts, it is preferable to have /usr/xpg4/bin at a prominent
position in $PATH.

With the default compiler define _GNU_SOURCE, the CMSG_* macros are not
available, and therefore ancillary messages cannot be used. To enable these try
the following:
After running ./configure, edit Makefile and replace "-D_GNU_SOURCE" with
"-D_XPG4_2 -D__EXTENSIONS__" and run make


platform specifics - hp-ux
--------------------------

Ancillary messages cannot be compiled in with socat: both struct msghdr and
struct cmsghdr are required. Compiling with -D_XOPEN_SOURCE_EXTENDED provides
struct msghdr but disables struct cmsghdr while -D_OPEN_SOURCE disables struct
msghdr but disables struct cmsghdr. Please contact socat development if you
know a solution.

Shutting down the write channel of a UNIX domain socket does not seem to
trigger an EOF on the peer socket. This makes problems with the exec and
system addresses.

This OS provides the type "long long", but not the strtoll() function to read
data into a long long variable.

UNIX domain sockets are only supported with SOCK_STREAM, not with datagrams
(see man 7 unix).

With UDP sockets it seems to happen that the select() call reports available
data (or EOF) but a subsequent read() call hangs.


platform specifics - tru64
--------------------------

When the use of the readline address fails with an error like:
socat: /sbin/loader: Fatal Error: Reference to unresolvable symbol "tgetent" in ".../libreadline.so.4"
and you still want to use shared libraries, try the following workaround: 
$ make distclean; LIBS="-static" ./configure
remove the "-static" occurrence in Makefile
$ make


documentation
-------------

These files reside in the doc subdirectory:

socat.1 is the man page, socat.html is the HTML based man page. It is actual,
but describes only the more useful options.

xio.help is an older, but more exact description in text form; with socat
version 1.6.0 it is outdated.

doc/socat-openssltunnel.html is a simple tutorial for a private SSL connection.
doc/socat-multicast.html is a short tutorial for multicast and broadcast
communications.
doc/socat-tun shows how to build a virtual network between two hosts.

socat.1 and socat.html can be generated from socat.yo (which is released with
socat 1.6.0.1 and later) using the yodl document language package. Maintenance
of yodl had been discontinued by its author
(http://www.xs4all.nl/~jantien/yodl/) (there seems to be a revival at
http://yodl.sourceforge.net/ though). For socat, the old version 1.31 is used;
an rpm is still distributed with recent OpenSuSE versions (confirmed for
OpenSuSE 10.1 in suse/i586/yodl-1.31.18-1142.i586.rpm). It appears to install
smoothly also under RedHat Linux. After yodl 1.31 installation, the following
correction must be performed in /usr/share/yodl/shared.yo in two places:
< whenhtml(htmlcommand(<!)ARG1+htmlcommand(>)))
> whenhtml(htmlcommand(<!--)ARG1+htmlcommand(-->)))


license
-------

socat is distributed under the terms of the GNU GPLv2;
except for install-sh, which is copyright MIT, with its own license;

In addition, as a special exception, the copyright holder
gives permission to link the code of this program with
any version of the OpenSSL library which is distributed
under a license identical to that listed in the included
COPYING.OpenSSL file, and distribute linked combinations
including the two. You must obey the GNU General Public
License in all respects for all of the code used other
than OpenSSL. If you modify this file, you may extend this
exception to your version of the file, but you are not
obligated to do so. If you do not wish to do so, delete
this exception statement from your version.


    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, version 2 of the License

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.


contact
-------

For questions, bug reports, ideas, contributions etc. please contact
socat@dest-unreach.org

For socat source distribution, bug fixes, and latest news see
        http://www.dest-unreach.org/socat/

www.socat.org is an alternate site providing the same contents.

public git repository:
        git://repo.or.cz/socat.git
        http://repo.or.cz/r/socat.git