v1.6.7 Allow inspecting Client Hello before locking Session/PSK

What's Changed

• Allow BuildHandshakeState to inspect ClientHello before setting SessionTicket/PSK by @adotkhan in #301

Full Changelog: v1.6.6...v1.6.7

v1.6.6 Hotfix: QUIC must not send non-empty session ID by RFC

What's Changed

• quic: always use empty session ID by @gaukas in #297

Full Changelog: v1.6.5...v1.6.6

v1.6.5 Popular Firefox 120 parrot and deps update

What's Changed

• build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 by @dependabot in #293
• Update Firefox 120 parrot to a more popular version by @adotkhan in #296

New Contributors

• @adotkhan made their first contribution in #296

Full Changelog: v1.6.4...v1.6.5

v1.6.4 bugfix: UConn incorrectly inherits Conn methods

What's Changed

• build(deps): bump github.com/quic-go/quic-go from 0.40.1 to 0.42.0 by @dependabot in #289
• fix: (*UConn).Read() and Secure Renegotiation by @gaukas in #292

Full Changelog: v1.6.3...v1.6.4

v1.6.3 Cryptographically Secured Shuffle

Don't panic! This does not cause any significant security concern, since modern platforms are doing fine with limited randomness from math/rand. This patch is for some much restrictive platforms such as WebAssembly -- on which math/rand may generate deterministic output (e.g., same random number series from each cold start).

What's Changed

• security: crypto/rand ShuffleChromeTLSExtensions by @gaukas in #286

Full Changelog: v1.6.2...v1.6.3

v1.6.2 Dependency and Upstream Update

What's Changed

• deps: bump all deps to latest by @gaukas in #279
• ⬆️ sync: merge changes from golang/go@1.22 release branch by @gaukas in #280

Full Changelog: v1.6.1...v1.6.2

v1.6.1 Hotfix: kyberslash2

Security Warning

This is a security update fixing kyberslash2, a timing side-channel attack against CIRCL library used by uTLS.

What's Changed

• build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #273
• feat: parse GREASE ECH from raw by @gaukas in #276
• build(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 by @dependabot in #277

Full Changelog: v1.6.0...v1.6.1

v1.6.0 One step closer to ECH

What's New

• We now have GREASE ECH parrots (Chrome 120, Firefox 120) available!

What's Changed

• improvement: cleanup by @VeNoMouS in #253
• build(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 by @dependabot in #254
• Deprecate usage of OmitEmptyPsk field in PreSharedKeyExtension (closes #255) by @sleeyax in #256
• sync: go 1.21.4 by @gaukas in #261
• fix: no padding if raw clienthello is too short by @gaukas in #263
• new: vendor godicttls package by @gaukas in #265
• feat: add GREASEEncryptedClientHelloExtension by @gaukas in #266
• feat: chrome 120 non-pq client hello by @hax0r31337 in #268
• bump: firefox and chrome auto parrot to latest by @gaukas in #269
• fix: grease ech parrot for chrome 120 by @hax0r31337 in #271
• fix: incorrect firefox nss parrot ECH params by @gaukas in #272

New Contributors

• @sleeyax made their first contribution in #256
• @hax0r31337 made their first contribution in #268

Full Changelog: v1.5.4...v1.6.0

v1.5.4 Maintenance: bugfix and undo breaking API

What's Changed

• fix link to issues by @acheong08 in #244
• fix: sanity check status request v2 extension data (#246) by @VeNoMouS in #247
• feat: add an option to skip resumption on nil ext & update examples by @3andne in #239
• fix: Reuse existing PreSharedKeyExtension bug (#248) by @VeNoMouS in #251
• improvement: maintenance+cleanup+fix by @gaukas in #252

New Contributors

• @acheong08 made their first contribution in #244
• @VeNoMouS made their first contribution in #247

Full Changelog: v1.5.3...v1.5.4

v1.5.3 Hotfix: secondary key share

What's Changed

• fix: secondary keyshares may be lost after overriding keySharesParams by @gaukas in #238

Full Changelog: v1.5.2...v1.5.3