Releases

Release candidate for v1.10.0.

New Features

• PROXY protocol v2 TLS metadata. New --proxy-protocol-mode flag for PROXY protocol v2 with optional TLS metadata TLVs (#705). Modes: conn (connection info only, same as the existing --proxy-protocol flag), tls (adds TLS version/ALPN/SNI), and tls-full (adds TLS metadata and client certificate).

Code Quality Changes

• Native code correctness fixes. Landed a number of fixes in the macOS keychain and Windows certificate store code, identified through GitHub code scanning (CodeQL, Copilot Autofix) and local AI development tools. These include CFObject memory leaks in macOS CertificateChain, data races in macOS keychain lazy initialization, a C string leak in launchdSocket, a C array leak in getProviderParam on Windows, and incorrect certificate store search order on Windows (#656, #694, #699, #704).
• Certloader safety improvements. Replaced unsafe.Pointer with atomic.Pointer[T] in certloader (#677), extracted shared baseCertificate struct to reduce duplication (#679), and improved error context in PKCS#11 code paths (#690).
• Dependency cleanup. Removed the certigo dependency, switched to smallstep/pkcs7 (#664), and replaced github.com/pkg/errors with stdlib errors and fmt (#684). Various dependency upgrades via Dependabot.

Testing Improvements

• Windows integration testing. The integration test suite can now run on Windows (#695), and we added a number of new unit and integration tests for better coverage of features like platform keychain identities.
• Faster & better integration test suite. Parallelized integration tests with dynamic port allocation and improved timeout handling, significantly reducing test suite runtime (#662, #703). Skipped tests now report SKIP status with a reason (#696).
• New unit and integration tests. Added unit and integration tests for keychain handling, certstore reload paths, and edge cases across multiple packages (#697, #700, #702).

Other

• Website. Launched project website on ghostunnel.dev and made comprehensive documentation improvements (#657, #659, #704, #707).

Bug fix release.

Changes

• Allow 5 retries for ACME production certs (#646). This makes fetching ACME certificates on startup more reliable by doing a limited number of retries, with exponential backoff, when initial requests are timing out. Note that this can make Ghostunnel a bit slower to fail on startup in some circumstances.
• Fix --cacert being ignored in ACME mode (#649). This fixes #647, a bug where Ghostunnel would not honor the --cacert setting if it was otherwise getting certs from ACME.

Minor Changes

• General housekeeping, such as bumping dependencies and fixing typos (#632, #636, #640, #644), adding a new mage go:lint target for easier linting in development (#638), additional unit/integration testing (#641, #642, #643), and upgrading to Go 1.26 for builds (#637).

Housekeeping release.

Changes

• Fixed a few lints/very minor bugs.
• Made improvements to the documentation (typos, inconsistent wording).
• Moved the build system from make to mage to streamline workflows/release.
• Updated workflows so that macOS release binaries are now signed & notarized.

This is the first time our official release binaries are signed & notarized, please let us know if you encounter issues with Gatekeeper on macOS preventing these from running!

Highlights

• Enabled Landlock sandboxing by default in best-effort mode (Linux). Use the new --disable-landlock flag to disable. Note that Landlock is not compatible with PKCS#11 and is disabled automatically if any of the PKCS#11 options are used.
• Upgraded to OPA v1.0+ and added support for loading OPA bundles (not just policies) via the --allow-policy flag. It’s recommended to use bundles instead of policies so you can set which version of Rego to use.
• Improved proxy memory usage through shared buffers and added various new flags to control proxy behavior (--close-timeout, --max-conn-lifetime, and --max-concurrent-conns).
• Go version upgraded from Go 1.22 to Go 1.24+.

Major Changes

• Improve proxy performance and connection handling.
  • Shared buffer pools for reduced memory allocations.
  • Better connection lifetime tracking and logging.
  • Bytes sent/received now logged for each connection.
• Add maximum concurrent connections feature.
  • New --max-concurrent-conns flag to limit simultaneous proxy connections.
• Use context for cancellation and modernize proxy handling.
  • Refactored to use Go’s context package for timeout and cancellation handling.
  • Improved timeout error detection.
• Enable Landlock by default (Linux, best-effort mode).
  • Automatically enabled on Linux systems that support it.
  • Gracefully degrades on systems without Landlock support.

Minor Changes

• Improved proxy logging.
  • Use “forwarded/returned” instead of “sent/recv” for clearer logs.
  • Log bytes sent/received in connection close messages.
• Show more information in status line/endpoint.
  • Display listen/forward address in status output (endpoint and systemd).
• Fix compatibility for OPA upgrade from v0 to v1.
  • Handle backwards compatibility for v0 Rego files.
  • Updated tests to use OPA bundles instead of naked Rego files.
• Hide the --cipher-suites flag.
  • Flag is now hidden; modern TLS defaults are used.
• Add new flag for setting max TLS version.
  • New --max-tls-version flag (TLS1.2, TLS1.3).
• Add new flag to skip DNS resolution on startup.
  • New --skip-resolve flag, useful when starting Ghostunnel before network is ready.

New Flags

Deprecations

• --connect-proxy flag is now deprecated (hidden), use --proxy instead.
• --cipher-suites flag is now hidden.

Release candidate for v1.9.0.

Highlights

• Enabled Landlock sandboxing by default in best-effort mode (Linux). Use the new --disable-landlock flag to disable.
• Upgraded to OPA v1.0+ and added support for loading OPA bundles via the --allow-policy flag.
• Improved proxy memory usage through shared buffers and added various new flags to control proxy behavior (--close-timeout, --max-conn-lifetime, and --max-concurrent-conns).

Major Changes

• Proxy performance and connection handling improvements.
• Maximum concurrent connections feature.
• Context-based cancellation and modernized proxy handling.
• Landlock sandboxing enabled by default (Linux, best-effort).

Minor Changes

• Enhanced proxy logging.
• Expanded status line/endpoint information.
• OPA v0 to v1 compatibility fixes.
• Cipher suites flag deprecated.
• New TLS maximum version flag.
• DNS resolution skip option on startup.

Build and compatibility improvements.

Changes

• Build the release binaries on Ubuntu 22.04 to provide better compatibility with older versions of GLIBC.
• Provide Debian-based Docker images alongside Alpine-based ones.
• Set read header timeout for the status HTTP server.
• Updated dependency versions.

Bug fix release.

Bug Fixes

• Fix broken landlock TCP rules generation (#519).

Other Changes

• Dependency updates and vendor directory synchronization (#516).
• Fix integration tests for Python 3.12 (#517).
• GitHub Actions workflow corrections (#506, #514, #520, #521, #522).

Housekeeping release.

Changes

• Upgrade Go to 1.23, upgrade dependency versions, and fix some lints (#505, #486, #484, #483).

New Features

• Add optional /_shutdown endpoint on status port for terminating via HTTP POST. Can be enabled via the --enable-shutdown flag (#466).
• On Windows, add support for using LOCAL_MACHINE and CURRENT_SERVICE key stores. Was previously limited to the CURRENT_USER key store (#476).

Bug Fixes

• Better landlock rule processing to handle flags that can be both host:port or URLs correctly (#475).

New Features

• Add support for systemd watchdog timer. Ghostunnel can now be watched by systemd using the WatchdogSec option for automatic relaunch on failure. See WATCHDOG.md for more information.
• Implement landlock support to limit process privileges on Linux. This is an experimental feature activated with the --use-landlock flag to restrict file and socket access.

Bug Fixes

• Avoid use of deprecated SecTrustGetCertificateAtIndex.
• Fix nil pointer dereference on Windows/Linux when keychain flags are used.
• Close files properly and remove references to deprecated io/ioutil.
• Fix RSA-PSS for Windows platform keys.

Other Changes

• Upgrade to Go 1.22.
• Upgrade go-jose to v4.0.1.
• Upgrade go-spiffe.
• Various dependency updates.

Second release candidate for v1.8.0.

Bug Fixes

• Close files properly (#453).
• Remove references to deprecated io/ioutil (#454).
• Fix RSA-PSS for Windows platform keys (#459).

First release candidate for v1.8.0.

New Features

• Add support for systemd watchdog timer, enabling automatic relaunch via systemd’s WatchdogSec option.
• Implement landlock support to limit process privileges on Linux (experimental, activated with the --use-landlock flag).

Bug Fixes

• Avoid use of deprecated SecTrustGetCertificateAtIndex.
• Fix nil pointer dereference on Windows/Linux when keychain flags are used.

Other Changes

• Upgrade to Go 1.22.
• Upgrade go-jose to v4.0.1.
• Upgrade go-spiffe.
• Various dependency updates.

Changes

• Fix bug in flag handling for disabling auth in server mode when using SPIFFE workload API (#418).
• Bump dependency versions and minor fixes (#411, #409, #414, #413).

Changes

• Updated Go toolchain and bumped all dependencies to latest versions (#411).
• Avoid setting GetCertificate for SPIFFE in client mode if auth is disabled (#407).
• Miscellaneous fixes and build changes (#405, #399, #401, #397, #395).

Changes

• Reload OPA policies during reload operation (#381).
• Bump Go version in Docker container to 1.19 (#383).
• Provide darwin-arm64 and universal release binaries (#388).

Changes

• Update to Go 1.19 for release builds and bump dependencies.
• Fix a memory leak in HTTP status checking (#379).
• Add support for OPA to allow auth based on Rego policies (#374).
• Update to latest go-spiffe for better Windows support (#371).

Release candidate for v1.7.0.

Changes

• Update to Go 1.19 for release builds and bump dependencies.
• Fix a memory leak in HTTP status checking (#379).
• Add support for OPA to allow auth based on Rego policies (#374).
• Update to latest go-spiffe for better Windows support (#371).

Changes

• Add support for HTTP status endpoints for targets (#365).
• Support for filtering keychain identities by serial and/or issuer (#352).
• Add initial ACME support in server mode (#348).
• Better connect proxy resolution handling (#357, #360).

Changes

• Add support for TLS 1.3 and fix bug that prevented the use of RSA-PSS when keychain identities were used on macOS/Windows.
• Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
• Changed the default log output to stdout, previously stderr, to avoid issues with Windows thinking the process crashed.

Other

• Migrated release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately this means that {linux,darwin}/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.

Third release candidate for v1.6.0.

Added changes to make RSA-PSS (for TLS 1.3) work on Windows using platform certificate store keys (certstore).

Second release candidate for v1.6.0. Fixes ordering of TLS 1.3 cipher suites.

First release candidate for v1.6.0.

Changes

• Add support for TLS 1.3 and fix bug that prevented the use of RSA-PSS when keychain identities were used on macOS.
• Add new experimental flag for macOS (--keychain-require-token) to fetch keychain identities backed by hardware tokens.
• Changed the default log output to stdout, previously stderr, to avoid issues with Windows thinking the process crashed.

Other

• Migrated release build process to GitHub Actions to avoid the need for cross-compilation toolchains. Unfortunately this means that {linux,darwin}/arm64 and windows/386 release builds will not be available for the moment. We plan to add back release builds for those platforms when feasible with GitHub Actions.

Updated Go to 1.15 and bumped dependencies to latest versions.

New Features

• Allow serving /_status and /_metrics via HTTP by explicitly setting http:// prefix in status flag (#295).

Other

• New Docker images available for arm64/armv7 via the ghostunnel/ghostunnel Docker Hub repository (#313).

New Features

• Official release binaries now built with Go 1.13+, enabling TLS 1.3 by default.
• Keystore flags exposed as environment variables (#250).

Bug Fixes

• Fixed TLS 1.3/PKCS11 issues (#271).
• Fixed ECC/PKCS11 compatibility (#257).
• Resolved client mode status availability bug with auth disabled (#268).
• Updated external dependencies, eliminating libtool/libltdl runtime requirement.

This release is the same as v1.5.0, but compiled with Go 1.12.12 to address CVE-2019-16276.

New Features

• Support for the SPIFFE workload API, so that certificates and private keys can be auto-reloaded via SPIRE or others (#238). See SPIFFE-WORKLOAD-API.md for more information.
• Support for socket activation on Linux (systemd) and macOS (launchd) (#225, #226). See SOCKET-ACTIVATION.md for more information.

Bug Fixes

• Set proper Content-Type header for JSON status responses.
• Reload root certificates where possible on certificate reload.
• Added a nopkcs11 build tag to disable PKCS#11 support on build.
• Plus a host of other, smaller fixes.

Second release candidate for v1.5.0.

Fixes a couple of bugs found in the previous release candidate, namely (1) a bug where running in client mode without a cert could panic if a cert was requested by the server, and (2) a bug in the cipher suite flag validation logic.

Release candidate for v1.5.0, featuring support for the SPIFFE workload API, socket activation for systemd (Linux) and launchd (macOS), and a host of smaller changes.

Bug Fixes

• Fix bug where clients sending certificates despite --disable-authentication being set were incorrectly rejected (#221, #222).

Other

• Added examples to the man page.

New Features

• Support signalling of transport connection information to the backend using the PROXY protocol (v2), just pass the --proxy-protocol flag. Note that the backend must also support the PROXY protocol and must be configured to use it when setting this option.
• Support silencing of specific types of log messages using the --quiet flag, such as --quiet=conns or --quiet=handshake-errs.

Other Changes

• New --cert/--key flags for loading certificate chain and private key from separate files.
• Build upgraded to Go 1.12 with updated dependencies.
• Added new integration tests.

Updates build to Go 1.11.4 and pulls in the latest version of kavu/go_reuseport to fix #200.

Notable Changes

• Added support for wildcards in the --allow-uri and --verify-uri access control flags. See ACCESS-FLAGS.md for details.
• Cleaned up naming of access control flags.

Other

• Added a docs folder with more detailed documentation explaining how to use features like access control and metrics better.
• Migrated to Go modules for dependency management.
• Vendor folder remains in git, with potential future removal once modules become standard.

Note: Binaries were rebuilt with Go 1.11.4 on December 14, 2018.

Notable Changes

• Added experimental support for the macOS keychain via certstore (requires build tag, disabled by default).
• Docker image updated with multistage builds to reduce size, removing Go toolchain from the image.
• Added support for the Prometheus metrics format in the /_metrics endpoint, alongside JSON.

Other

• Code modularization and cleanup improvements.
• Documentation enhancements.

Minor bug fixes and improvements. Added some extra tests (#156) and defaulted to long help and improved some error messages (#157, #158). Due to an updated dependency, this release now requires Go 1.10+ to compile (was Go 1.9+ previously).

Notable Changes

• Added support for Windows. Supports most major features as on UNIX platforms, with the exception of various UNIX-specific features like SO_REUSEPORT or logging to syslog (#136, #139).
• Added new access control flags. The --allow-uri-san and --verify-uri-san flags can be used to verify peer certificates against a given URI SAN, e.g. for use with SPIFFE SVIDs (#128).
• A new --disable-authentication flag can be used to disable client certificates in both client and server modes. Note that this disables all authentication and access controls (#150).
• Parameters for loading private keys from a PKCS#11 module can now be specified via environment variables instead of flags if desired (PKCS11_MODULE, PKCS11_LABEL and PKCS11_PIN).

Bug Fixes and Other

• Added a new metric to time handshakes, can be used to gather stats about average handshake latency through the status/metrics endpoint (#126).
• Cleaned up internal flag handling, updated vendored dependencies, and added a new Makefile.dist to build cross-compiled release binaries for darwin/amd64, linux/amd64 and windows/{386,amd64}.

Second release candidate for v1.2.0.

Added --disable-authentication flag, which disables client certificate authentication (#150).

Release candidate for v1.2.0, which includes Windows support.

Notable Changes

• Improved startup logging, print some extra messages to make log output more useful (#123).
• Updated vendored dependencies and added release builds for Linux and macOS (#124, #125).
• Require Go 1.9 for building ghostunnel from source (due to updated certigo/lib dependency).

New Features

• Added server certificate assertions for client mode (#119).
• Support for loading private keys from PKCS#11 modules (#114, needs CGO_ENABLED=1).

New Features

• Add optional support for HTTP CONNECT proxies, allows traversing web proxies (#104).
• Support ChaCha cipher suites, add flag for selecting between AES-GCM/ChaCha (#102).

Bug Fixes

• Don’t cache DNS lookup results in process, rely on OS-level caching instead.

Other Changes

• Rename --graphite to --metrics-graphite to match other metrics flags.
• Rename --timeout to --connect-timeout to distinguish from shutdown timeout.
• Removed support for wrapping other commands (recommends dumb-init instead).
• Requires Go 1.8 minimum to compile.

Update TLS settings to specify curve preferences (#101).

Notable Changes

• Don’t rm target UNIX socket on shutdown, we don’t own that (#98).
• Support reading certificate/private key from a PEM file (#100).
• Enhanced error logging for debugging purposes (#94, #95).

Notable Changes

• Better child termination logic. Ensure we terminate child if shutdown times out (#92).
• Make --cacert flag optional, use system roots by default if flag is not specified (#93).

Due to the change in #93, Ghostunnel now requires Go 1.7 for building.

Notable Changes

• Allow status port to be a UNIX socket.
• Configurable metrics publishing interval.
• Add vendor subdirectory to repo.

Notable Changes

• Better logging for rejected connections.
• Simplified certificate reloading logic.

Notable Changes

• Fix behavior of SIGTERM in client mode.
• Initial support for chain-execution.

Initial release (minimum feature complete).