Releases: jawah/utls
Releases · jawah/utls
Release list
Version 2026.7.8
2026.7.8
- Added
chrome:150profile and movedchrome:stableto it. Chrome 150 is the first stable major to advertise post-quantum ML-DSA (FIPS 204) signature algorithms (mldsa44/mldsa65/mldsa87) in thesignature_algorithmsextension; this changes the TLS layer and the JA4 versus the 142/146/148 line. signature_algorithmsare now emitted by raw codepoint viaSSL_set_verify_algorithm_prefsinstead of name-mapped throughSSL_set1_sigalgs_list. The old path silently dropped any scheme BoringSSL had no string name for (e.g. ML-DSA), which would have put a JA4 on the wire that disagreed with the computed one.- Pinned
boring-systo acloudflare/boringmaster revision (post PR #509, BoringSSLe2a57cfb4) so the vendored BoringSSL understands the ML-DSA signature codepoints. crates.ioboring-sys5.1.0 predates ML-DSA.
Version 2026.5.30
2026.5.30
- Fixed
set_fingerprint("chrome:*")causing handshake failure against servers that honor cert compression. - Fixed
set_alpn_protocols(...)called afterset_fingerprint(...)being silently ignored; the fingerprint's per-connectionSSL_set_alpn_protosdismissed the user override. - Fixed RSS climbing to the lifetime peak of buffered ciphertext.
Version 2026.5.29
2026.5.29
- Fixed stop wrapping socket-level
OSError(notablysocket.timeout) asSSLError; matches stdlib and unbreaks HTTP-client retry logic. - Fixed assign
ctx.minimum_version = ssl.TLSVersion.TLSv1_2that raisesValueError: 769 is not a valid TLSVersion. - Fixed inverted version sentinels (e.g.
ctx.minimum_version = MAXIMUM_SUPPORTED) to the library default at the bound they apply to instead of raisingmin > max. - Fixed option checks like
utls.OP_NO_TLSv1_3 in ctx.options. PROTOCOL_TLS_CLIENT/PROTOCOL_TLS_SERVERnow equal stdlib's wire values (16/17);utls.SSLContext(ssl.PROTOCOL_TLS_CLIENT)no longer raises.- Fixed missing protocol aliases:
PROTOCOL_SSLv23,PROTOCOL_TLSv1,PROTOCOL_TLSv1_1,PROTOCOL_TLSv1_2for urllib3-future integration. - Fixed
hostname_checks_common_nameto raiseAttributeErroron get/set; BoringSSL never falls back to CN, so the inherited stdlib toggle was misleading. - Fixed
SSLSocketto define_io_refs/_decref_socketioswith stdlib's deferred-close semantics;f = sock.makefile(); sock.close(); f.close()no longer raisesAttributeError. - Fixed
SSLSocket.shutdown(how)is now exposed as a TCP-level pass-through to the underlying socket. - Fixed
SSLObject.read(len, buffer)buffer-fill overload, used byasyncio.sslproto._do_read__bufferedon Python 3.11+. - Fixed handshake errors no longer get dressed up as
SSLCertVerificationErrorwhenverify_mode=CERT_NONE; BoringSSL's diagnostic (e.g.WRONG_VERSION_NUMBER) is now surfaced verbatim so callers like urllib3-future can detect HTTP-served-as-HTTPS proxies. - Fixed sdist to now include
LICENSEandNOTICE.