Ghostunnel Versions

A simple SSL/TLS proxy with mutual authentication for securing non-TLS services.

v1.6.0-rc.2

2 years ago

Second release candidate for 1.6.0, fixes ordering of TLS 1.3 cipher suites.

v1.6.0-rc.1

3 years ago

First release candidate for v1.6.0

Changes

  • Add support for TLS 1.3 and fix a bug that prevented the use of RSA-PSS when keychain identities were used on macOS.
  • Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
  • Changed the default log output to stdout, previously stderr, to avoid issues with Windows thinking the process crashed.

Other

  • Migrated release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately this means that {linux,darwin}/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.

v1.5.3

3 years ago

Updated Go to 1.15 and bumped dependencies to latest versions.

New Features

  • Allow serving /_status and /_metrics via HTTP by explicitly setting http:// prefix in status flag (#295)

Other

  • New Docker images are now available for arm64/armv7 via the ghostunnel/ghostunnel repo (#313)

v1.5.2

4 years ago

New Features

  • Official release binaries are now built with Go 1.13+, making TLS 1.3 enabled by default.
  • Expose keystore flags as env vars (#250) to make it possible to pass keystore flags via env.

Bugfixes & Other Changes

  • Fixed issues with TLS 1.3/PKCS11 (#271) and ECC/PKCS11 (#257).
  • Fixed a bug with status not being available in client mode with auth disabled (#268).
  • Updated external dependencies, dropping the need for libtool/libltdl runtime dependency.

v1.5.1

4 years ago

This release is the same as v1.5.0, but compiled with Go 1.12.12 to address CVE-2019-16276.

v1.5.0

4 years ago

New Features

  • Support for the SPIFFE workload API, so that certificates and private keys can be auto-reloaded via SPIRE (or others). Merged in #238, thanks to @azdagron. See SPIFFE-WORKLOAD-API.md in the docs folder for more information.
  • Support for socket activation on Linux (systemd) and macOS (launchd). Merged in #225, #226. See SOCKET-ACTIVATION.md in the docs folder for more information.

Bug fixes & more

  • Set proper Content-Type header for JSON status responses.
  • Reload root certificates where possible on certificate reload.
  • Added a nopkcs11 build tag to disable PKCS#11 support on build.
  • Plus a host of other, smaller fixes.

v1.5.0-rc.2

4 years ago

Fixes a couple of bugs found in the previous release candidate, namely (1) a bug where running in client mode w/o a cert could panic if a cert was requested by the server and (2) a bug in the cipher suite flag validation logic.

v1.5.0-rc.1

4 years ago

Release candidate for 1.5.0, featuring support for the SPIFFE workload API, socket activation for systemd (Linux) and launchd (macOS), and a host of smaller changes.

v1.4.1

5 years ago

Fixes a bug (#221) with the --disable-authentication flag in server mode, wherein a client that sent a client certificate despite authentication being disabled would get rejected (fixed in #222). We also added some examples to the man page in this release.

v1.4.0

5 years ago

New features

  • Support signalling of transport connection information to the backend using the PROXY protocol (v2). To enable it, pass the --proxy-protocol flag on startup. Note that the backend must also support the PROXY protocol and must be configured to use it when setting this option.
  • Support silencing of specific types of log messages using the --quiet flag, such as --quiet=conns or --quiet=handshake-errs. You can pass this flag repeatedly if you want to silence multiple different kinds of log messages. In particular --quiet=handshake-errs is useful if you want to silence handshake errors caused by TCP health checks when running in Kubernetes.

Other

  • Added new flags --cert/--key to load certificate chain/private key from separate files.
  • Bumped build to Go 1.12, updated our dependencies, and added various new integration tests.