﻿
####################### V 1.8.0.0

Security:
	Socats OpenSSL addresses do not (and never did) check certificate
	revocation lists (CRLs). Socat now prints a warning about this.

Features:
	Added the --experimental option that enables use of features that might
	change in the future.

	Now warning messages are printed by default. If you want to see only
	errors and fatals as in previous versions, use option -d0;
	option -d4 is equivalent to -dddd and to -d -d -d -d
	The number of warnings has been reduced, e.g.removing a non existing
	file does in most cases no longer log a warning.

	Added address type internal SOCKETPAIR. This is similar to the unnamed
	PIPE address (only for internal echoing) but it provides datagram mode
	(the default) and thus keeps packet boundaries.
	Tests: SOCKETPAIR_STREAM SOCKETPAIR_DATAGRAM SOCKETPAIR_SEQPACKET
	SOCKETPAIR_BOUNDARIES

	New option -S <mask> controls catching and logging of signals that are
	not internally used by Socat.
	Tests: SIGTERM_NOLOG SIG31_LOG

	Added option ipv6-join-source-group.
	Thanks to Martin Buck and David Schweizer for sending patches.

	Added option http-version to PROXY-CONNECT address to support servers
	that are not able to handle HTTP version 1.0
	Test: PROXY_HTTPVERSION
	Feature inspired by Robin Palotai.

	New options openssl-maxfraglen and openssl-maxsendfrag for
	functions/macros SSL_CTX_set_tlsext_max_fragment_length() and
	SSL_CTX_set_max_send_fragment().
	Thanks to James Tavares for his contribution.

	Added Info log of resulting OpenSSL max fragment length.

	Implemented options rcvtimeo and sndtimeo, the first of which may be
	useful to prevent endlessly hanging DTLS connection etablishment.
	Test: RCVTIMEO_DTLS
	Feature proposed by Vladimir Nikishkin.

	The file names with -r and -R now may contain environment variable
	references.
	Test: VARS_IN_SNIFFPATH

	Socat option --statistics logs final byte and packet counter values
	before exit. Signal USR1 logs actual values.
	Tests: OPTION_STATISTICS SIGUSR1_STATISTICS

	Added option sitout-eio to specify a timerange in which EIO on the pty
	of a sub process is tolerated.
	Red Hat issue 1853102 related.
	Thanks to Jonathan Casiot for sending an initial patch.

	Socat now installs as socat1 and is referenced by symbolic link socat,
	same with man page (socat1.1 by socat.1)

	New option children-shutup[=1|2...] decreases severity of log
	messages in LISTEN and CONNECT type sub processes.
	Test: CHILDREN_SHUTUP

	New option retrieve-vlan for supporting VLANs in INTERFACE addresses:
	Linux normally keeps VLAN tags in outgoing raw packets, but appears to
	strip them from incoming packets and makes them available in
	PACKET_AUXDATA ancillary messages only.
	Up do version 1.7.4.5 Socat did not handle this situation, so the VLAN
	tags where effectively stripped off incoming packets.
	With this option Socat restores the VLAN tag.
	Feature inspired by Zhao Dong.

	Socket option SO_REUSEADDR is now automatically applied to TCP LISTEN
	addresses. reuseaddr= restores the old behaviour.
	Tests: TCP4_REUSEADDR OPENSSL_6_REUSEADDR REUSEADDR_NULL

	TCP based client addresses now try all results of name resolution until
	a connection attempt succeeded.
	Tests: TRY_ADDRS_4 TRY_ADDRS_4_6
	Feature recommended by Anand Buddhdev.

	configure option --enable-default-ipv allows to specify at build time if
	IPv4, IPv6, or none of these is the preferred default; this is related
	to environment variables SOCAT_PREFERRED_RESOLVE_IP and
	SOCAT_DEFAULT_LISTEN_IP, and to Socat option -4, -6.
	Furthermore, mechanism of IPv4 vs.IPv6 selection has been reworked.
	When no IP version is preferred by these mechanism, passive Socat
	addresses (LISTEN, RECV, RECVFROM) default to IPv6 because it might
	support both versions (but checkout option ipv6-v6only).
	For client addresses, when one of these mechanisms applies and name
	resolution gives addresses of both IP versions, the addresses of the
	preferred versions are tried first.

	New option ai-addrconfig sets or unsets the AI_ADDRCONFIG flag of the
	resolver to prevent name resolution to address families that are not
	available in the network configuration. Default value is 1 in case the
	resolver does not get an address family hint.

	Flag AI_PASSIVE is now automatically applied for LISTEN, RECV, and
	RECVFROM type addresses, and with bind option. In addition to its
	application to the getaddrinfo() function, when this flag is set while
	no IP version is preferred by build, environment, option, or address
	type, Socat chooses IPv6 because this might activate both versions (but
	check option ipv6-v6only).
	Added option ai-passive to control this flag explicitely.

	New option ai-v4mapped (v4mapped) sets or unsets the AI_V4MAPPED flag
	of the resolver. For Socat addresses requiring IPv6 addresses, this
	resolves IPv4 addresses to the approriate IPv6 address [::ffff:*:*].

	DNS resolver Options (res-*) are now set for the complete open phase of
	the address, not per getaddrinfo() invocation.

	Added the netns option that tries to open an address in the given
	network namespace.
	Tests: NETNS NETNS_EXEC

	New address ACCEPT-FD (ACCEPT) expects a listening file descriptor
	passed from parent, and accepts one or more connections for data
	transfer. This can be used with "inetd mode" of systemd.
	Test: ACCEPT_FD

	Added experimental socks5 TCP client support (connect,bind); syntax:
	SOCKS5-CONNECT:<socks-server>:<socks-port>:<target-host>:<target-port>
	SOCKS5-LISTEN:<socks-server>:<socks-port>:<listen-host>:<listen-port>
	Thanks to Charlie Svensson and others for contributions.

	New address types POSIXMQ-RECEIVE, POSIXMQ-READ, POSIXMQ-SEND, and
	POSIXMQ-BIDIRECTIONAL (Linux only, experimental), and option
	posixmq-priority
	Tests: LINUX_POSIXMQ_READ_PRIO LINUX_POSIXMQ_RECV_FORK
	LINUX_POSIXMQ_RECV_MAXCHILDREN LINUX_POSIXMQ_SEND_MAXCHILDREN

	New address SHELL invokes a shell but without the overhead of SYSTEM

	Added options res-retrans and res-retry that make use of undocumented
	resolver variables to set the retransmission time interval resp.the
	number of times to retransmit.
	Disable them and the old res-* opts with: ./configure --disable-resolve

	Added option res-nsaddr that overrides /etc/resolv.conf nameserver
	address based on an undocumented resolver feature.

	New option chdir changes the working directory of the address to the
	given path, only during the open stage.
	Tests: CHDIR_ON_CREATE CHDIR_ON_SYSTEM

	Option umask now applies only during opening of its very address, not
	for the lifetime of the process; the original umask is restored
	afterwards.
	Tests: UMASK_ON_CREATE UMASK_ON_SYSTEM

	Added option unix-bind-tempname (bind-tempname) to allow UNIX (and
	ABSTRACT) client addresses to bind to unique addresses even when
	invoked	in forked off sub processes.
	Tests: UNIX_LISTEN_CONNECT_BIND_TEMPNAME UNIX_LISTEN_CLIENT_BIND_TEMPNAME
	UNIX_RECVFROM_CLIENT_BIND_TEMPNAME UNIX_RECVFROM_SENDTO_BIND_TEMPNAME
	ABSTRACT_LISTEN_CONNECT_BIND_TEMPNAME ABSTRACT_LISTEN_CLIENT_BIND_TEMPNAME
	ABSTRACT_RECVFROM_CLIENT_BIND_TEMPNAME ABSTRACT_RECVFROM_SENDTO_BIND_TEMPNAME
	Thanks to Kai Lüke for sending an initial patch.

	New option f-setpipe-sz (pipesz) sets the pipe size on systems that
	provide ioctl F_SETIPE_SZ.
	Filan prints the current value.
	Tests: STDIN_F_SETPIPE_SZ EXEC_F_SETPIPE_SZ

	Bidirectional PIPE addresses may block on writing a data chunk larger
	than pipe buffer. Socat now tries to detect if transfer block size is
	large enough and issues a warning.

	Added direct support of DCCP protocol, new addresses:
	DCCP-CONNECT (DCCP)
	DCCP-LISTEN (DCCP-L)
	DCCP4-CONNECT (DCCP4)
	DCCP4-LISTEN (DCCP4-L)
	DCCP6-CONNECT (DCCP6)
	DCCP6-LISTEN (DCCP6-L)
	New option: dccp-set-ccid (ccid)

	Support for UDP-Lite protocol, new addresses:
	UDPLITE-CONNECT
	UDPLITE-LISTEN
	UDPLITE-DATAGRAM
	UDPLITE-RECV
	UDPLITE-RECVFROM
	UDPLITE-SENDTO
	All these are also available in UDPLITE4-* and UDPLITE6-* form;
	options udplite-recv-cscov and udplite-send-cscov.

	Procan now prints info about CC and __STDC_VERSION__, about FD_SETSIZE,
	value of SO_PROTOCOL/SO_PROTOTYPE and some other defines, definitions
	of many C types, and the actual umask.

	Procan tries to find the name of the controlling terminal, on Linux it
	reads info from /proc/self/stat and searches for a device with matching
	major and minor numbers.

	Added socat-chain.sh that makes it possible to stack protocols, e.g. to
	drive socks through TLS, or to use TLS over a serial line.
	Tests: SOCAT_CHAIN_SOCKS4 SOCAT_CHAIN_SSL_PTY

	Added script socat-mux.sh that performs n-to-1 / 1-to-n communications
	using two Socat instances with multicasting.
	Tests: SOCAT_MUX

Corrections:
	When a sub process (EXEC, SYSTEM) terminated with exit code other than
	0, its last sent data might have been lost depending on timing of read/
	write and SIGCHLD in Socat.
	Now the SIGCHLD handler does not simply terminate Socat in this case,
	but remembers the failure and allows further processing.
	Thanks to Luke Jones for reporting this issue.

	Now catching the case of empty SNI host to prevent OpenSSL error.
	This is related to Red Hat issue 2081414.

	Better formatted help output; address keywords in help output are now
	printed in uppercase.

	In previous Socat versions errors EPIPE and ECONNRESET on read() were
	handled at warning level, thus not automatically leading to termination
	with exit code 1. Beginning with this release these conditions are
	handled as errors with termination and exit code 1 to not pretend
	success on possible data loss.
	Problem reported by Scott Burkett.

	In previous Socat versions errors on shutdown() were ignored (info
	level).
	Now Socat handles EPIPE and ECONNRESET as errors to indicate possible
	failure of data transfer.

	INTERFACE addresses did not accept options of INTERFACE group (for
	historical reasons they were only available with TUN addresses).

	Opening addresses did not check if they support all directions expected
	by Socat. Now an error is printed when, e.g,, a read-only type address
	is opened for writing.

	A lot of minor corrections, e.g., catch readline() errors in filan,
	detect byte order in procan
	Test: EXEC_SIGINT

	OpenSSL cipherlist option did not override global openssl.cnf settings.
	Now SSL_CTX_set_cipher_list() is called before
	SSL_CTX_use_certificate_chain_file().
	Thanks to Hiroshi Sakurai for reporting the problem and suggesting this
	solution.

	Fixed option sourceport with UDP6-DATAGRAM.

	Some client addresses (e.g. TCP-CONNECT) take the fork option for
	automatically spawning new connections, however the max-children option
	was not applied.

	Fixed the end-close option, it just did not work.

	In configure.ac was a direct call to gcc instead of $CC which broke
	cross compiling.
	Thanks to Fergus Dall for sending a patch.

Coding:
	Introduced groups_t instead of uint32_t, for more flexibility.

	Rearranged option group bits to only require 32 bits on older systems.

	Make gcc happy, replace strncat with "manual" copying

	On addresses like UDP-RECVFROM with fork option every packet causes a
	new child process which then reads the packet. The parent process must
	wait until the packet has been read before checking again. The former
	synchronization mechanism using SIGUSR1 is now replaced by a
	socketpair. SIGUSR1 is no longer used for internal synchronization.
	Tests: UDP4_FORK UDP6_FORK UNIX_FORK

	Renamed xioopts_t to xioparms_t to avoid confusion with xioopts module.

	Moved multicast related code from xioopts.c to xio-ip.c and xio-ip6.c

	Pointers of type struct single are now always called sfd.

Porting:
	Removed Config/ because its contents have not been maintained for many
	years.

	Try to not receive outgoing packets on raw (PF_PACKET) sockets - use
	PACKET_IGNORE_OUTGOING socket options when available.
	Test: INTERFACE_IGNOREOUTGOING

	Renewed port to OpenBSD:
	Guard OPENSSL_INIT_SETTINGS; and minor changes.

	Thanks to Paul Hunt for sending a fix of the configure
	--enable-openssl-base processing.

	Enable direct largefile support on "smaller" systems per
	_FILE_OFFSET_BITS and _LARGE_FILES.
	Thanks to Fergus Dall for sending a patch.

	Some corrections for better 32bit systems support.

Testing:
	Removed obselete parts from test.sh

	test.sh: Introduced function checkcond

	Renamed test.sh option -foreign to -internet

Documentation:
	Removed obselete file doc/xio.help

	Added doc for option ipv6-join-group (ipv6-add-membership)
	Thanks to Martin Buck for sending the patch.

	Renamed xiogetpacketsrc() to xiogetancillary()

	On bad parameter number now print syntax.

####################### V 1.7.4.5 (not released):

Corrections:
	On connect() failure and in some other situations Socat tries to get
	detailled information about the error with recvmsg(). Error return of
	this function is now logged as Info instead of Warn.

	Tests of the correction of the "IP_ADD_SOURCE_MEMBERSHIP but not struct
	ip_mreq_source" issue left an #undef in xiosysincludes.h that disabled
	the ip-add-source-membership option.
	Thanks to Benjamin Poirier for sending a patch.

	Fixed a bug in dalan module that caused SIGSEGV in, e.g.,
	SOCKET-LISTEN:1:1:'"/tmp/sock"'
	Test: DALAN_NO_SIGSEGV

	The retry option with some address types (TCP) did not close() the
	sockets after failed attempts, resulting in an FD leak.

	Filan: Corrected some syntax error messages

	Filan: Fixed a bug introduced in 1.7.4.4 that broke displaying
	TCP/UDP on options -s, -S
	Test: FILAN_SHORT_TCP

	Filan: If IP protocol type cannot be retrieved, display at least the
	socket type

	Filan: Fixed diag_set() call in filan_main.c, bug popped up with C23.
	Thanks to Cristian Rodríguez from openSUSE for reporting this issue.

	Querying the vsock Context Identifier (CID) requires an FD from opening
	/dev/vsock.
	Thanks to Volker Simonis for sending a patch.

	Fixed an internal FD leak in the EXEC,SYSTEM addresses.

	The FDs of the socketpair that queues messages from signal handlers
	lacked FD_CLOEXEC and thus leaked into EXEC and SYSTEM child processes.

	Option stderr on addresses EXEC and SYSTEM uses a temporary FD. It
	lacked the FD_CLOEXEC setting and thus leakt into child processes.

	Restoring of STDIO tty settings failed on Solaris type operating
	systems.
	Thanks to Gordon W.Ross for reporting and fixing this issue.
	Test: RESTORE_TTY

	The OpenSSL client SNI parameter, when not explicitely specified, is
	derived from option commonname or rom target server name. This is not
	useful with IP addresses, which Socat now checks and avoids.

	Socat options -L and -W create lock files using mkstemp(), so they had
	permissions 600. There does not seem to be a good reason for this
	restrictive mode. Furthermore Silla Rizzoli experienced that Minicom
	ignores lock files with mode 600, so it is set to 644 now.

	Procan tries to find out VSOCK CID only when running as root

	The mechanism for deferring logs from signal handlers had an issue that
	caused lots of unwanted recvfrom() calls.

	Do not try to remove abstract UNIX socket entries after use.

Features:
	VSOCK, VSOCK-L support options pf, socktype, prototype (currently
	useless)

Coding:
	New Environment variable SOCAT_TRANSFER_WAIT that Socat sleep before
	starting the data transfer loop. Useful, e.g., to accumulate multiple
	packets in a receiving datagram socket before starting to process them.

	"//" comments were used for disabling experimental code. These lines
	have now been removed or disabled in other ways to make Socat compile
	with C89/C90 standard again.

	fcntl() trace prints flags now in hexadecimal.

	Stream dump options -r and -R now open their pathes with CLOEXEC to
	prevent leaking into sub processes.
	Test: EXEC_SNIFF

	Stream dump write now warn on write errors and partial writes (but
	still do not recover).

	Removed trailing white space from *.h and *.c files.

Porting:
	Small correction in configure.ac makes Socat C99 able.
	Thanks to Florian Weimer from Red Hat for providing a patch.

Documentation:
	Syntax and semantics of some options (esp.unlink-close) were not clear.
	Thanks to Anthony Chavez for reporting this and making suggestions.

	socat-tun.html described TCP as tunnel medium but this does not keep
	packet boundaries. Changed to UDP.

	Added examples for DCCP client and server.

	Complex Socat examples are now displayed in two or three lines for
	better overview.
	dest-unreach.css stylesheet has been improved to support this.

Testing:
	Idea: EXEC,SYSTEM addresses can keep packet boundaries when option
	socktype=<val-of-SOCK_DGRAM>
	Tests: EXECSOCKETPAIRPACKETS SYSTEMSOCKETPAIRPACKETS
	
	Cosmetic corrections of EXEC,SYSTEM tests.

	test.sh: Added option --expect-fail to specify comma separated list of
	test numbers whose failure shall not cause a failure of the whole
	script.

	test.sh: Added help text

	Speeded up wait loops; more addresses in upper case; more tests with
	command printing ($VERBOSE)

	test.sh: Check if ports are free before using them for tests

	Test EXEC_FDS checks with Filan if EXEC address only passes stdio FDs.

	Improved template; prepared namesFAIL, -d (DEBUG)

####################### V 1.7.4.4:

Corrections:
	In error.c msg2() there was a stack overflow on long messages: The
	terminating \0 Byte was written behind the last position.
	Thanks to Martin Liška for sending the address sanitizer report.

	UDP-RECVFROM with fork sometimes terminated when multiple packets
	arrived. This issue was introduced with a bug fix in version 1.7.4.0.
	Reason was not handling EAGAIN on recvmsg().
	Thanks to Jamie McQuillan for reporting this issue.

	Address TCP with options connect-timeout and retry terminated
	immediately when a connection attempt failed on network error or
	connection refused.
	Test: TCP_TIMEOUT_RETRY
	Thanks to Kamil Holubicki for reporting this issue.

	There were a couple of weaknesses and errors when accessing invalid or
	incompatible file system entries with UNIX domain, file, and generic
	addresses.
	For example, UNIX-CONNECT, when using a non matching socktype, failed
	with -1 and did not print an error message, instead of printing an
	error message and exiting with rc=1.
	Thanks to Paul Wise for reporting and analyzing the case of accessing
	a left over socket entry with GOPEN.

	The rawer option failed because it tried to clear CREAD.
	Test: RAWER

	UDP-SEND and UPD-SENDTO with option lowport always bound to port 1
	instead of a free port in range 640..1023
	Test: UDP_LOWPORT

	Fixed bad parser error message on "socat /tmp/x\"x/x -"

	Tightened syntax checks to detect numerical arguments that are missing
	or have trailing garbage.
	Test: INTEGER_GARBAGE

	ctype(3) functions need there arguments to be unsigned char.
	Thanks to Taylor R Campbell for sending a patch.

	Filan library uses Socats diag/error message system and therefore had
	always the signal handler messages socket pair open. This fix avoids
	this socketpair in standalone Filan.

	Corrected printf format for type socklen_t in two places.

Porting:
	OpenSSL, at least 1.1 on Ubuntu, crashed with SIGSEGV under certain
	conditions: client connection to server with certificate with empty
	subject, and pressing ^C after successful connect.
	This crash is now prevented by setting OPENSSL_INIT_NO_ATEXIT.
	Thanks to Martin Dorey for reporting and analyzing this issue, and for
	providing an environment for reproduction.

	Socat failed to compile on platforms that have
	IP_ADD_SOURCE_MEMBERSHIP but not struct ip_mreq_source
	Thanks to Justin Yackoski for sending a patch.

	configure.ac's detection of getprotobynumber_r() variant did not
	recognize if this function does not exist, e.g. on Musl libc.
	Thanks to Alexander Kanavin and Baruch Siach for sending patches.

	Corrected message format when no strftime() is available; improved
	handling of very long host or program names

	Solaris requires that termios options are always applied to the slave
	side of PTY.

	Fixed ancillary messages on Solaris.

	Filan: Solaris has the open file path infos in /proc/<pid>/path/
	Thanks to Andy Fiddaman to directing me to the patch.

	Filan now recognizes and prints Solaris doors and event ports.

	Solaris derivatives no longer need librt for clock_gettime()
	Thanks to Andy Fiddaman to directing me to the patch.

	LibreSSL does not have OPENSSL_INIT_new(). This function is now
	guarded. Socat might build with LibreSSL.
	Thanks to Orbea for reporting and helping.

Building:
	Failure during building documentation, e.g. due to missing Yodl
	packages, now does not let the build process fail.
	Feature requested by Seyhun.

Features:
	Filan prints target of symlink when appropriate
	Test: FILANSYMLINK

	VSOCK-LISTEN now generates environment variables SOCAT_PEERADDR,
	SOCAT_PEERPORT, SOCAT_SOCKADDR, SOCAT_SOCKPORT
	New address aliases VSOCK, VSOCK-L

Documentation:
	Fixed typo in doc/socat-tun.html and link in README.
	Thanks to William Suthers for reporting.

	Fixed hard coded path in docu examples.
	Thanks to Jakub Wilk for sending a patch.

	Updated doc/socat-openssltunnel.html: 2048 bits, commonname

Testing:
	Unset SOCAT_MAIN_WAIT on informational Socat calls

	SOCAT=socat used ./socat instead of the version derived by $PATH

	Do not try VSOCK_ECHO test when feature is not compiled in.

	Fixed logging of test 220 TUNINTERFACE

	Musl libc refuses to execve() shell scripts, 2 tests needed to be
	adapted.

	Musl libc has FOPEN_MAX=1000 which made bash dumping core on test
	EXCEED_FOPEN_MAX.

	Added tests for failures of UNIX socket and GOPEN accesses to non
	matching file system entries.
	Tests:
	CONNECT_TO_MISSING CONNECT_TO_DENIED CONNECT_TO_DIRECTORY
	CONNECT_TO_ORPHANED CONNECT_TO_FILE CONNECT_TO_DGRAM
	CONNECT_TO_SEQPACKET SEND_TO_MISSING SEND_TO_DENIED SEND_TO_DIRECTORY
	SEND_TO_ORPHANED SEND_TO_FILE SEND_TO_STREAM SEND_TO_SEQPACKET
	SENDTO_TO_MISSING SENDTO_TO_DENIED SENDTO_TO_DIRECTORY
	SENDTO_TO_ORPHANED SENDTO_TO_FILE SENDTO_TO_STREAM SENDTO_TO_SEQPACKET
	SEQPACKET_TO_MISSING SEQPACKET_TO_DENIED SEQPACKET_TO_DIRECTORY
	SEQPACKET_TO_ORPHANED SEQPACKET_TO_FILE SEQPACKET_TO_STREAM
	SEQPACKET_TO_DGRAM UNIX_TO_MISSING UNIX_TO_DENIED UNIX_TO_DIRECTORY
	UNIX_TO_FILE UNIX_TO_ORPHANED GOPEN_TO_DENIED GOPEN_TO_DIRECTORY
	GOPEN_TO_ORPHANED 

	On RHEL-9 SCTP support requires installation of package
	kernel-modules-extra. test.sh now detects when SCTP is missing in
	kernel and reacts with warnings instead of errors.

	VSOCK loopback still does not seem to work even in kernel 5.13, so just
	issue warning on "No such device".

####################### V 1.7.4.3:

Corrections:
	Socat crashed with SIGSEGV when peer presented a certificate without
	(or empty?) subject.
	Thanks to Martin Dorey for reporting this issue and sending a patch.

	Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
	distributions)
	Thanks to Andy Fiddaman for sending a patch.

	Socat since 1.7.4.0 did not compile on Solaris and its derivatives
	because the getprotobynumber_r() function prototype differ from the
	Linux version.
	configure now checks for the variant.
	Thanks to Robert Zybeck for reporting this issue.

	The variable for the no-sni option was not initialized and could thus
	break OpenSSL certificate verification. E.g., test OPENSSL_SNI on some
	platform succeeded with -g but failed with -O compiler option.
	Thanks to valgrind for quickly finding the cause.

Porting:
	Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
	Adapted include requirements for IPv6
	Guarded MSG_DONTWAIT

	Continued porting Socat to AIX-7.1 - Fixed some runtime errors:
	UNIX domain sockets of type SEQPACKET are not available.
	Connecting to UNIX datagram socket fails with EPROTONOSUPPORT (vs.
	EPROTOTYPE on most other OSes).
	Streams: Must not push ldterm when it is already active (hangs).

Building:
	Socats build date and time may now be set externally with environment
	variable SOURCE_DATE_EPOCH.
	Thanks to Viktor Kleinik for sending a patch.

	Building Socat in a sub directory failed.
	Now the following works even for the docu parts:
	mkdir -p myos; cd myos; ../configure && make; cd ..
	Thanks to Jon Ringle for sending a patch.

Testing:
	test.sh: many corrections for AIX's older shell utilities, e.g.sleep(1)
	does not allow fractions of seconds, grep does not understand '\<';
	OpenIndiana/SunOS netstat format;
	many more functional and cosmetic code corrections.

Documentation:
	The socktype option was documented unspecifically as type option.
	Thanks to Jonas Metzger for the hint.

####################### V 1.7.4.2:

Corrections:
	The per address parameters for OpenSSL overlapped in memory with socket
	parameters. Magically this did not seem to cause problems except on
	MacOS Catalina that reported errors like:
	socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
	Invalid argument
	Test: OPENSSL_PARA_OVERLAP
	Thanks to Ryo Ota for reporting this bug.

	Fixed a few minor coding issues

	A VSOCK warning message was generated with all listening addresses
	instead of only with VSOCK-LISTEN

	When an OPENSSL-CONNECT client presented a certificate with IPv6
	subject alternate name and the OPENSSL-LISTEN server had no commonname
	option, the server crashed with SIGSEGV in xioip6_pton().
	Test: OPENSSL_CLIENT_IP6_CN
	Red Hat bug 1981308
	Thanks to Vlad Slepukhin for reporting this issue and providing a patch

	Corrected a typo in configure.ac that broke option --enable-openssl-base
	Thanks to john1doe for reporting this issue.

	Socat looped endlessly, not responding to SIGTERM, when a service name
	(for port) could not be resolved.
	Test: BAD_SERVICE

	Using options of NAMED group, e.g.chown, with abstract UNIX domain
	sockets, produced errors because the function was applied with a normal
	file system related call, e.g.chown(), using file "" (empty name). Instead of
	chown(), Socat now uses fchown() on the file descriptor. However, such
	a call usually has no real effect.	
	Test: ABSTRACT_USER
	Thanks to Andreas Fink for reporting this issue.

	Option -R did not only dump ("sniff") right-to-left, but also
	left-to-right traffic to the given file.
	Test: SNIFF_RIGHT_TO_LEFT
	Thanks to 1314 gsf for reporting this bug and sending a patch.

	Options -r and -R, when opening a named pipe that has no actual reader,
	failed with "No such device or address". To solve this problem, Socat
	now opens the pipe in rw-Mode.
	Thanks to Cody J.Soultz for sending a patch.

	The call "socat -r - PIPE" traced to file ./- instead of issuing a
	syntax error.

	Print a message when readbytes option causes EOF

	The ip-recverr option had no effect. Corrected and improved its
	handling of ancilliary messages, so it is able to analyze ICMP error
	packets (Linux only?)

	Setgui(), Setuid() calls in xio-progcall.c were useless.

Testing:
	Prevent the TIMESTAMP tests from sporadically failing due do seconds
	overflow

	Fixed in test.sh a few issues reported by shellcheck

Documentation:
	Added missing docu of OpenSSL options min-proto-version,
	max-proto-version.

	Added missing closing parenthesis in socat.yo.
	Thanks to Emanuele Torre for reporting this issue.

	Corrected more typos and added missing bug info to CHANGES, performed
	some non functional corrections.

Porting:
	Corrected building when clock_gettime() not available, with or without
	gettimeofday().

####################### V 1.7.4.1:

Corrections:
	Socat 1.7.4.0 failed to compile especially on 32 bit systems.
	Thanks to Wang Mingyu and others for sending a patch or reporting this
	issue.

	Under certain conditions OpenSSL stream connections, in particular bulk
	data transfer in unidirectional mode, failed during transfer or near
	its with Connection reset by peer on receiver side.
	This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
	lazy SSL shutdown handling on the sender side in combination with
	SSL_MODE_AUTO_RETRY turned off.
	Fix: After SSH_shutdown but before socket shutdown call SSL_read()
	Test: OPENSSL_STREAM_TO_SERVER
	Fixes Red Hat issue 1870279.

####################### V 1.7.4.0:

Security:
	Buffer size option (-b) is internally doubled for CR-CRLF conversion,
	but not	checked for integer overflow. This could lead to heap based
	buffer overflow, assuming the attacker could provide this parameter.
	Test: BLKSIZE_INT_OVERFL
	Thanks to Lê Hiếu Bùi for reporting this issue and sending an
	example exploit.

Corrections:
	Socats address parser read over end of string when there were unbalanced
	quotes
	Test: UNBALANCED_QUOTE

	Removed unused usleep() call from sycls.c

	Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
	building failed on Solaris 9.
	Thanks to Greg Earle for reporting this issue and providing a patch.

	Mitigated race condition of quickly terminating SYSTEM or EXEC child
	processes.

	Option o-direct might require alignment of read/write buffer to, e.g.,
	512 bytes, Socat now takes care of this when allocating the buffer.
	With this fix read() succeeds, however, write() still might fail when
	not writing complete pages.
	Test: O_DIRECT

	There was a race condition in the way Socat UDP-RECVFROM and similar
	addresses with option fork prevents one packet from triggering
	multiple processes. The symptom was that Socat master process seemed to
	hang and did not process further packets. The fix makes use of
	pselect() system call.
	Thanks to Fulvio Scapin for reporting this issue.

	UNIX domain client addresses applied file system entry options (group
	NAMED) to the server socket instead of the client (bind) socket entry.
	Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
	Thanks to Nico Williams for reporting this major issue.

	Length of single address options was limited to 511 bytes. This value
	is now increased to 2047 bytes.
	Change suggested by Mario Camou.

	Addresses of type RECVFROM with option fork looped with an error
	message in case that the second address failed before consuming the
	packet. The fix makes RECVFROM drop the packet when the second address
	failed before reading it. Use retry or forever option with the second
	address if you want to avoid data loss.
	Fixes Red Hat bug 1907718
	Thanks to Chunmei Xu for reporting this issue and proving the patch.

	Socats DTLS implementation has been reworked and appears to work now
	reasonably over UDP.
	New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
		OPENSSL-DTLS-CLIENT (DTLS)
	Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
		OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
	Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
	sending patches.

	filan did not output the socket protocol.
	filan -s assumed each stream socket to be TCP and each datagram socket
	to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

	Help text showed two parameters for UDP4-RECVFROM address, but only
	<port> is allowed.
	Thanks to John the Scott for reporting this issue.

	Error messages from SSL_read() and SSL_write() sometimes stated
	SSL_connect instead of originating function name.

	Fixed some more non functional minor issues.

Porting:
	In gcc version 10 the default changed from -fcommon to -fno-common.
	Consequently, linking filan and procan failed with error
	"multiple definition of `deny_severity'" and `allow_severity'
	Fixed by removing definitions in filan.c and procan.c
	Debian issue 957823
	Thanks to László Böszörményi and others for reporting this issue.

	Solaris 9 does not provide strndup(); added substitute code.
	Thanks to Greg Earle for providing a patch.

	Added configure option --enable-openssl-base to specify the location of
	a non-OS OpenSSL installation

	There are systems whose kernel understands SCTP but getaddrinfo does
	not. As workaround after EIA_SOCKTYPE on name and service resolution
	fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
	ai_protocol=0 and try again
	Test: SCTP_SERVICENAME

	Per file filesystem options were still named ext2-* and depended on
	<linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
	These fs-* options are also available on old systems with ext2_fs.h

	New options openssl-min-proto-version (min-version) and
	openssl-max-proto-version (max-version) give access to the related
	OpenSSL set-macros and substitute deprecated version-specific methods.
	Test: OPENSSL_MIN_VERSION

	With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
	SSL_library_init.

	With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
	must explicitely be included.
	Thanks to Rosen Penev for reporting and sending a patch.

Testing:
	test.sh now produces a list of tests that could not be performed for
	any reason. This helps to analyse these cases.

	OpenSSL s_server appearently started to neglect TCPs half close feature.
	Test OPENSSL_TCP4 has been changed to tolerate this.

	OpenSSL changed its behaviour when connection is rejected. Tests
	OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
	OPENSSL_CN_SERVER_SECURITY now tolerate this.

	OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
	appropriate tests failed.
	Fix: use TLSv1.2 for renegotiation tests
	Tests: OPENSSLRENEG1 OPENSSLRENEG2

	Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

	Archlinux 2020 has not which command; its ip,ss commands have modified
	version strings

	More testing issues solved:
	* ss to pipe might omit column separator
	* UDP6MULTICAST_UNIDIR fails on newer Linux kernels
	* do not use sort -V
	* renamed testaddrs() to testfeats(), and introduced new testaddrs()

New features:
	GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
	Test: GOPENUNIXSEQPACKET
	Feature suggested by vi0oss.

	The generic setsockopt-int and related options are, in case of
	listening/accepting addresses, applied to the connected socket(s). To enable
	setting options on the listening socket, a new option setsockopt-listen
	has been implemented. See the documentation for info on data types.
	Tests: SETSOCKOPT SETSOCKOPT_LISTEN
	Thanks to Steven Danna and Korian Edeline for reporting this issue.

	Filan option -S gives short description like -s but with improved
	format

	Socat OpenSSL client, when server was specified using IP address, did
	not verify connection on certificates SubjectAltName IP entries.
	Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
	Fixes Red Hat bug 1805132

	Added options -r and -R for raw dump of transferred data to files.
	Test: OPTION_RAW_DUMP

	Added option ip-transparent (socket option IP_TRANSPARENT)
	Thanks to Wang Shanker for sending a patch.

	OPENSSL-CONNECT now automatically uses the SNI feature, option
	openssl-no-sni turns it off. Option openssl-snihost overrides the value
	of option openssl-commonname or the server name.
	Tests: OPENSSL_SNI OPENSSL_NO_SNI
	Thanks to Travis Burtrum for providing the initial patch

	New option accept-timeout (listen-timeout)
	Test: ACCEPTTIMEOUT
	Proposed by Roland

	New option ip-add-source-membership
	Feature inspired by Brian (b f31415)

	INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
	of replies, as it did up to version 1.7.3.4. Use option sourceport when
	you need the old behaviour.
	Test: UDP_DATAGRAM_SOURCEPORT
	Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

	New option proxy-authorization-file reads PROXY-CONNECT credentials
	from file and makes it possible to hide this data from the process
	table.
	Test: PROXYAUTHFILE
	Thanks to Charles Stephens for sending an initial patch.

	Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
	Developed by Stefano Garzarella.

Coding:
	Added printf formats for uint16_t etc.

Documentation:
	Address UDP-RECV does not support option fork.
	Thanks to Fulvio Scapin for reporting that mistake in docu.

	TUN address documentation showed TCP for backend which may merge
	consecutive packets which causes data loss.
	Thanks to Tomasz Lakota for reporting this issue.

####################### V 1.7.3.4:

Corrections:
	Header of xiotermios_speed() declared parameter unsigned int instead of
	speed_t, thus compiling failed on MacOS
	Thanks to Joe Strout and others for reporting this bug.
	Thanks to Andrew Childs and others for sending a patch.

	Under certain circumstances, termios options of the first address were
	applied to the second address, resulting in error
	"Inappropriate ioctl for device" 
	This affected version 1.7.3.3 only.
	Test: TERMIOS_PH_ALL
	Thanks to Ivan J. for reporting this issue.

	Socat failed to compile when no poll() system call was found by
	configure.
	Thanks to Jason White for sending a patch.

	Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
	systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
	for reporting this problem and sending initial patches.

	getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
	"ai_socktype not supported" when protocol 6 was addressed.
	The fix removes the possibility to use service names with SCTP.
	Test: IP_SENDTO_6
	Thanks to Sören for sending an initial patch.

	Under certain circumstances, Socat printed the "socket ... is at EOF"
	multiple times.
	Test: MULTIPLE_EOF

	Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
	not implemented in older bash versions.

####################### V 1.7.3.3:

Corrections:
	Makefile.in did not specify dependencies of filan on vsnprintf_r.o
	and snprinterr.o
	Added definition of FILAN_OBJS
	Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
	providing patches.

	configure option --enable-msglevel did not work with numbers

	The autoconf mechanism for determining SHIFT_OFFSET did not work when
	cross compiling.
	Thanks to Max Freisinger from Gentoo for sending a patch.

	Socat still depended on obsolete gethostbyname() function, thus
	compiling with MUSL libc failed.
	Problem reported by Kennedy33.

