Releases: c2FmZQ/tlsproxy
v0.15.0-rc4
🌟 New feature
- Add support for Encrypted Client Hello. This feature improves privacy by allowing clients to encrypt the Server Name to which they are connecting. Without ECH, this information is transmitted in plaintext. When `ech:` is set in `config.yaml`, tlsproxy handles ECH as a Client-Facing Server with a Split Mode Topology as specified in https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni/. See ECH.
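What an on-path observer can read from a ClientHello, as an added Go example that is not part of tlsproxy or of these release notes: it parses a constructed ClientHello for the plaintext `server_name` and for the `encrypted_client_hello` extension (type 0xfe0d). The host names and the functions `vec`, `Inspect` and `Sample` are illustrative, and the ECH extension body is a placeholder rather than a real HPKE ciphertext.

```go
package main

import "fmt"

// vec splits off a vector with a w-byte length prefix; ok is false if truncated.
func vec(b []byte, w int) (body, rest []byte, ok bool) {
	n := 0
	for i := 0; i < w && i < len(b); i++ {
		n = n<<8 | int(b[i])
	}
	if len(b) < w+n {
		return nil, nil, false
	}
	return b[w : w+n], b[w+n:], true
}

// Inspect returns what a passive observer sees in a ClientHello handshake message.
func Inspect(h []byte) (sni string, ech, ok bool) {
	if len(h) < 38 || h[0] != 1 {
		return
	}
	b := h[38:] // past handshake header(4), legacy_version(2), random(32)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression
		_, b, _ = vec(b, w) // on truncation b becomes nil and later reads fail
	}
	exts, _, ok := vec(b, 2)
	for ok && len(exts) >= 4 {
		typ, body := int(exts[0])<<8|int(exts[1]), exts[2:]
		body, exts, ok = vec(body, 2)
		if typ == 0 && len(body) > 3 { // server_name: list len(2), name_type(1)
			body, _, ok = vec(body[3:], 2)
			sni = string(body)
		}
		ech = ech || typ == 0xfe0d // encrypted_client_hello offered
	}
	return sni, ech, ok
}

// Sample builds a constructed minimal ClientHello; extra is raw extension bytes.
func Sample(name string, extra ...byte) []byte {
	n := byte(len(name)) // short names only: every length here fits in one byte
	x := append(append([]byte{0, 0, 0, n + 5, 0, n + 3, 0, 0, n}, name...), extra...)
	h := append([]byte{1, 0, 0, byte(43 + len(x)), 37: 0}, 0, 0, 2, 0x13, 1, 1, 0, 0, byte(len(x)))
	return append(h, x...)
}

func main() {
	fmt.Println(Inspect(Sample("backend.example.com")))
	fmt.Println(Inspect(Sample("public.example.com", 0xfe, 0x0d, 0, 1, 0)))
}
```

In the second sample the only name on the wire is the public name of the client-facing server; the name of the backend being reached travels inside the encrypted extension.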
🔧 Bug fixes
- Handle quic.ErrTransportClosed correctly.
🔧 Misc
- Use os.Root for static file isolation
- Allow customized permission denied messages.
- Update go: 1.24rc3
- Update go dependencies:
  - upgraded github.com/quic-go/quic-go v0.48.2 => v0.49.0
  - upgraded github.com/beevik/etree v1.4.1 => v1.5.0
  - upgraded github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad => v0.0.0-20250202011525-fc3143867406
  - upgraded golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 => v0.0.0-20250128182459-e0ece0dbea4c
  - upgraded golang.org/x/mod v0.22.0 => v0.23.0
  - upgraded golang.org/x/sync v0.10.0 => v0.11.0
  - upgraded golang.org/x/sys v0.29.0 => v0.30.0
  - upgraded golang.org/x/text v0.21.0 => v0.22.0
  - upgraded golang.org/x/time v0.9.0 => v0.10.0
v0.15.0-rc3
🌟 New feature
- Add support for Encrypted Client Hello. This feature improves privacy by allowing clients to encrypt the Server Name to which they are connecting. Without ECH, this information is transmitted in plaintext. When `ech:` is set in `config.yaml`, tlsproxy handles ECH as a Client-Facing Server with a Split Mode Topology as specified in https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni/. See ECH.
🔧 Bug fixes
- Handle quic.ErrTransportClosed correctly.
🔧 Misc
- Use os.Root for static file isolation
- Allow customized permission denied messages.
- Update go: 1.24rc2
- Update go dependencies:
  - upgraded github.com/quic-go/quic-go v0.48.2 => v0.49.0
  - upgraded github.com/beevik/etree v1.4.1 => v1.5.0
  - upgraded github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad => v0.0.0-20250128161936-077ca0a936bf
  - upgraded golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 => v0.0.0-20250128182459-e0ece0dbea4c
v0.15.0-rc2
🌟 New feature
- Add support for Encrypted Client Hello. This feature improves privacy by allowing clients to encrypt the Server Name to which they are connecting. Without ECH, this information is transmitted in plaintext. When `ech:` is set in `config.yaml`, tlsproxy handles ECH as a Client-Facing Server with a Split Mode Topology as specified in https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni/. See ECH.
🔧 Bug fixes
- Handle quic.ErrTransportClosed correctly.
🔧 Misc
- Use os.Root for static file isolation
- Allow customized permission denied messages.
- Update go: 1.24rc2
- Update go dependencies:
  - upgraded github.com/quic-go/quic-go v0.48.2 => v0.49.0
  - upgraded github.com/beevik/etree v1.4.1 => v1.5.0
  - upgraded github.com/c2FmZQ/ech v0.1.8 => v0.1.10
  - upgraded github.com/c2FmZQ/ech/quic v0.1.8 => v0.1.9
  - upgraded github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad => v0.0.0-20250128161936-077ca0a936bf
  - upgraded golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 => v0.0.0-20250128182459-e0ece0dbea4c
v0.15.0-rc1
🌟 New feature
- Add support for Encrypted Client Hello. This feature improves privacy by allowing clients to encrypt the Server Name to which they are connecting. Without ECH, this information is transmitted in plaintext. When `ech:` is set in `config.yaml`, tlsproxy handles ECH as a Client-Facing Server with a Split Mode Topology as specified in https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni/. See ECH.
🔧 Misc
- Use os.Root for static file isolation
- Update go: 1.24rc2
- Update go dependencies:
  - upgraded github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad => v0.0.0-20250121033306-997b0b79cac0
  - upgraded github.com/quic-go/quic-go v0.48.2 => v0.49.0
v0.14.2
🔧 Misc
- Update go dependencies:
  - upgraded github.com/c2FmZQ/storage v0.2.3 => v0.2.4
  - upgraded github.com/c2FmZQ/tpm v0.3.1 => v0.4.0
  - upgraded github.com/google/go-tpm v0.9.1 => v0.9.3
  - upgraded github.com/jonboulle/clockwork v0.4.0 => v0.5.0
  - upgraded github.com/onsi/ginkgo/v2 v2.22.0 => v2.22.2
  - upgraded golang.org/x/crypto v0.31.0 => v0.32.0
  - upgraded golang.org/x/exp v0.0.0-20241210194714-1829a127f884 => v0.0.0-20250106191152-7588d65b2ba8
  - upgraded golang.org/x/net v0.32.0 => v0.34.0
  - upgraded golang.org/x/sys v0.28.0 => v0.29.0
  - upgraded golang.org/x/time v0.8.0 => v0.9.0
  - upgraded golang.org/x/tools v0.28.0 => v0.29.0
v0.14.1
🔧 Misc
- Simplify the PKI client-side code and remove the service worker.
v0.14.0
🌟 New feature
- Add a built-in certificate authority for SSH. It is enabled with the top-level `sshCertificateAuthorities` field in the config file.
  - This CA issues SSH user certificates with the current user's email address as both `Key ID` and `Principal`. It only works when SSO is enabled.
  - User authorization is done by adding a line like this to the user's `.ssh/authorized_keys` file:
    `cert-authority,principals="<email>" <CA's public key>`
⭐ Feature improvement
- Add an option to exclude some path prefixes from SSO enforcement.
🔧 Misc
- Update go dependencies:
  - upgraded github.com/google/pprof v0.0.0-20241203143554-1e3fdc7de467 => v0.0.0-20241210010833-40e02aabc2ad
  - upgraded golang.org/x/crypto v0.29.0 => v0.31.0
  - upgraded golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f => v0.0.0-20241210194714-1829a127f884
  - upgraded golang.org/x/net v0.31.0 => v0.32.0
  - upgraded golang.org/x/sync v0.9.0 => v0.10.0
  - upgraded golang.org/x/sys v0.27.0 => v0.28.0
  - upgraded golang.org/x/text v0.20.0 => v0.21.0
  - upgraded golang.org/x/tools v0.27.0 => v0.28.0
v0.13.2
🔧 Misc
- Update go: 1.23.4
- Update go dependencies:
  - upgraded github.com/google/pprof v0.0.0-20241101162523-b92577c0c142 => v0.0.0-20241203143554-1e3fdc7de467
  - upgraded github.com/onsi/ginkgo/v2 v2.21.0 => v2.22.0
  - upgraded github.com/quic-go/quic-go v0.48.1 => v0.48.2
v0.13.1
v0.13.0
🌟 New feature
- Add support for forwarding WebSocket requests to arbitrary TCP servers. WebSockets were already forwarded transparently to backends before, and that is not changing. The new feature lets tlsproxy itself handle WebSocket requests and forward them to any TCP server. The content of BinaryMessages is streamed to the remote server, and data received from the server is sent back to the client, also as BinaryMessages.
  - This is used by SSH Term.