Releases: ghostunnel/ghostunnel

Version 1.6.1

16 Jun 01:38
v1.6.1

Changes

  • Add support for HTTP status endpoints for targets (#365, thanks to @mccurdyc)
  • Support for filtering keychain identities by serial and/or issuer (#352)
  • Add initial ACME support in server mode (#348, thanks to @ryankoski)
  • Better connect proxy resolution handling (#357, #360)

Version 1.6.0

31 Jul 20:42
v1.6.0
5a237d1

Changes

  • Add support for TLS 1.3 and fix bug that prevented the use of RSA-PSS when keychain identities were used on macOS/Win.
  • Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
  • Changed the default log output to stdout, previously stderr, to avoid issues with Windows thinking the process crashed.

Other
Migrated release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately this means that linux/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.

Version 1.6.0-rc.3

27 Jun 00:32
v1.6.0-rc.3
5a237d1
Pre-release

Added changes to make RSA-PSS (for TLS 1.3) work on Windows using platform certificate store keys (certstore).

Version 1.6.0-rc.2

05 Jun 20:56
v1.6.0-rc.2
30faf11
Pre-release

Second release candidate for 1.6.0, fixes ordering of TLS 1.3 cipher suites.

Version 1.6.0-rc.1

18 May 04:49
v1.6.0-rc.1
5805a5f
Pre-release

First release candidate for v1.6.0

Changes

  • Add support for TLS 1.3 and fix bug that prevented the use of RSA-PSS when keychain identities were used on macOS.
  • Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
  • Changed the default log output to stdout, previously stderr, to avoid issues with Windows thinking the process crashed.

Other

  • Migrated release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately this means that {linux,darwin}/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.

Version 1.5.3

23 Aug 00:11
v1.5.3
6e58c75

Updated Go to 1.15 and bumped dependencies to latest versions.

New Features
Allow serving /_status and /_metrics via HTTP by explicitly setting the http:// prefix in the status flag (#295)

Other
New Docker images are now available for arm64/armv7 via the ghostunnel/ghostunnel repo (#313)

Version 1.5.2

20 Nov 04:41
v1.5.2
183dbbf

New Features

  • Official release binaries are now built with Go 1.13+, making TLS 1.3 enabled by default.
  • Expose keystore flags as env vars (#250) to make it possible to pass keystore flags via env.

Bugfixes & Other Changes

  • Fixed issues with TLS 1.3/PKCS11 (#271) and ECC/PKCS11 (#257).
  • Fixed a bug with status not being available in client mode with auth disabled (#268).
  • Updated external dependencies, dropping the need for libtool/libltdl runtime dependency.

Version 1.5.1

18 Oct 04:18
v1.5.1
4bdbdd9

This release is the same as v1.5.0, but compiled with Go 1.12.12 to address CVE-2019-16276.

Version 1.5.0

06 Oct 18:11
v1.5.0
2fcc5b4

New Features

  • Support for the SPIFFE workload API, so that certificates and private keys can be auto-reloaded via SPIRE (or others). Merged in #238, thanks to @azdagron. See SPIFFE-WORKLOAD-API.md in the docs folder for more information.
  • Support for socket activation on Linux (systemd) and macOS (launchd). Merged in #225, #226. See SOCKET-ACTIVATION.md in the docs folder for more information.

Bug fixes & more

  • Set proper Content-Type header for JSON status responses.
  • Reload root certificates where possible on certificate reload.
  • Added a nopkcs11 build tag to disable PKCS#11 support on build.
  • Plus a host of other, smaller fixes.

Version 1.5.0-rc.2

13 Aug 03:23
v1.5.0-rc.2
077e17d
Pre-release

Contains fixes for a couple of bugs found in the previous release candidate, namely (1) a bug where running in client mode without a cert could panic if a cert was requested by the server and (2) a bug in the cipher suite flag validation logic.