Ghostunnel Versions

A simple SSL/TLS proxy with mutual authentication for securing non-TLS services.

v1.8.0-rc.1

1 week ago

New Features

  • Add support for systemd watchdog timer (@csstaub in https://github.com/ghostunnel/ghostunnel/pull/427). Ghostunnel can now be watched by systemd using the WatchdogSec option. If Ghostunnel fails to respond, systemd will automatically relaunch it. See docs/WATCHDOG.md for an example service file.
  • Implement landlock support to limit process privileges on Linux (@csstaub in https://github.com/ghostunnel/ghostunnel/pull/431). If started with the --use-landlock flag, Ghostunnel will call upon landlock on Linux to limit access to files and sockets. This is an experimental feature; please give it a try and let us know if you run into any issues.
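As an added illustration of how the two new features fit together in a deployment (this is not the project's own docs/WATCHDOG.md, and the paths, addresses, certificate names and the ghostunnel user account are placeholders), here is a systemd unit that enables the watchdog and starts Ghostunnel with --use-landlock:

```ini
# Added example unit file, not the project's docs/WATCHDOG.md.
# Paths, addresses, keystore/CA file names and the service user are placeholders.
[Unit]
Description=Ghostunnel TLS server proxy in front of a plaintext backend
After=network-online.target
Wants=network-online.target

[Service]
# Terminate TLS on 8443 and forward plaintext to a local backend on 8080.
ExecStart=/usr/local/bin/ghostunnel server \
    --listen 0.0.0.0:8443 \
    --target 127.0.0.1:8080 \
    --keystore /etc/ghostunnel/server.p12 \
    --cacert /etc/ghostunnel/ca.pem \
    --allow-cn client \
    --use-landlock
# WatchdogSec= tells systemd to expect periodic keep-alive notifications from the
# process; if none arrives within the interval the unit is considered failed.
# Setting WatchdogSec= implicitly grants NotifyAccess=main, so Type=notify is not required.
WatchdogSec=30s
# Restart= is what actually relaunches the proxy after the watchdog trips
# (or after any other non-clean exit).
Restart=on-failure
RestartSec=5s
# Run as an unprivileged account (assumed to exist) so landlock is not the only
# thing standing between the proxy and the rest of the host.
User=ghostunnel
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl daemon-reload && systemctl enable --now ghostunnel` starts it; `journalctl -u ghostunnel` will show a watchdog timeout entry if Ghostunnel ever stops responding and systemd relaunches it.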

Bug Fixes

Other Changes

Full Changelog: https://github.com/ghostunnel/ghostunnel/compare/v1.7.3...v1.8.0-rc.1

v1.7.3

3 months ago

Changes

  • Fix bug in flag handling for disabling auth in server mode when using SPIFFE workload API (#418)
  • Bump dependency versions and minor fixes (#411, #409, #414, #413)

v1.7.2

5 months ago

Changes

  • Updated Go toolchain and bumped all dependencies to latest versions (#411)
  • Avoid setting GetCertificate for SPIFFE in client mode if auth is disabled (#407)

Plus some miscellaneous fixes & build changes (#405, #399, #401, #397, #395)

Full Changelog: https://github.com/ghostunnel/ghostunnel/compare/v1.7.1...v1.7.2

v1.7.1

1 year ago

Changes

  • Reload OPA policies during reload (#381)
  • Bump Go version in Docker container to 1.19 (#383)
  • Provide darwin-arm64/universal release binaries (#388)

v1.7.0

1 year ago

Changes

  • Update to Go 1.19 for release builds & bump dependencies
  • Fix a memory leak in HTTP status checking (#379, thanks @phamann)
  • Add support for OPA to allow auth based on Rego policies (#374, thanks @spacedub)
  • Update to latest go-spiffe for better Windows support (#371, thanks @MarcosDY)

v1.7.0-rc.1

1 year ago

Changes

  • Update to Go 1.19 for release builds & bump dependencies
  • Fix a memory leak in HTTP status checking (#379, thanks @phamann)
  • Add support for OPA to allow auth based on Rego policies (#374, thanks @spacedub)
  • Update to latest go-spiffe for better Windows support (#371, thanks @MarcosDY)

v1.6.1

1 year ago

Changes

  • Add support for HTTP status endpoints for targets (#365, thanks to @mccurdyc)
  • Support for filtering keychain identities by serial and/or issuer (#352)
  • Add initial ACME support in server mode (#348, thanks to @ryankoski)
  • Better connect proxy resolution handling (#357, #360)

v1.6.0

2 years ago

Changes

  • Add support for TLS 1.3 and fix bug that prevented the use of RSA-PSS when keychain identities were used on macOS/Win.
  • Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
  • Changed the default log output to stdout, previously stderr, to avoid issues with Windows thinking the process crashed.

Other

Migrated the release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately this means that linux/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.

v1.6.0-rc.3

2 years ago

Added changes to make RSA-PSS (for TLS 1.3) work on Windows using platform certificate store keys (certstore).

v1.6.0-rc.2

2 years ago

Second release candidate for 1.6.0, fixes ordering of TLS 1.3 cipher suites.