Fluxheim 1.6.19

[eldryoth]

Fluxheim 1.6.19 Release Notes

Fluxheim 1.6.19 continues the Pingora-exit line by making the remaining
compatibility runtime explicit in Cargo features and proving a native TLS-only
web builds can stay Pingora-free.

Changed

• Add a pingora-compat feature for the remaining root compatibility runtime.
  Current proxy profiles still select it, but the dependency boundary is now
  visible and easier to remove profile by profile.
• Remove unconditional Pingora TLS feature forwarding from native TLS backend
  features. tls-rustls-backend now forwards pingora?/rustls, and
  tls-openssl now forwards pingora?/openssl, so native TLS-only builds do
  not pull Pingora just to use rustls or OpenSSL.
• Extend scripts/validate-pingora-dependency-policy.sh with native web TLS
  profiles for rustls and OpenSSL. The gate now records and verifies that
  cargo tree --locked --no-default-features --features web,tls-rustls and
  cargo tree --locked --no-default-features --features web,tls-openssl have
  no Pingora crates.
• Add scripts/validate-native-web-tls.sh and wire it into the stable release
  gate and CI so the same native web TLS proof profiles are compiled during
  release checks, not only inspected with cargo tree.
• Extend runtime-baseline evidence with the native web TLS proof profiles so
  release artifacts record their Pingora dependency surface alongside the
  official compatibility profiles.
• Move rustls downstream SNI certificate resolution into fluxheim-tls.
  Fluxheim now owns the reloadable certificate table, PEM certificate/private
  key loading, wildcard/exact SNI lookup, and TLS-ALPN challenge certificate
  adapter used by the compatibility listener.
• Add a Fluxheim-owned native rustls downstream ServerConfig builder. It
  applies the configured cipher suites, curve groups, minimum protocol, ALPN,
  client-auth verifier, and FIPS reporting check with typed errors instead of
  Pingora listener build() panics.
• Add a Fluxheim-owned native OpenSSL downstream SslAcceptor builder for the
  fallback-certificate listener path. It applies certificate/key loading,
  cipher, curve, minimum-protocol, ALPN, and client-auth CA policy with typed
  errors.
• Move OpenSSL downstream SNI certificate storage, reload, pending-managed-cert
  handling, and certificate application into fluxheim-tls. The root runtime
  keeps only the temporary Pingora TlsAccept adapter.
• Align rustls and OpenSSL managed-certificate pending detection. A
  half-present ACME-managed cert/key pair is now treated as pending by both TLS
  backends instead of making rustls listener startup or reload fail during the
  issuance window.
• Add a native rustls HTTP/1 downstream listener preview in fluxheim-server.
  It wraps the existing native HTTP/1 parser/handler with tokio-rustls,
  shares the listener connection budget, and bounds the TLS handshake before
  request parsing starts.
• Add the matching native OpenSSL HTTP/1 downstream listener preview for
  OpenSSL-only builds. It uses the same connection budget and handshake
  timeout as the rustls path, then hands the accepted stream to the same native
  HTTP/1 parser/handler.
• Split the native HTTP/1 TLS handshake timeout from the HTTP request-head
  timeout. Preview TLS listeners now use a dedicated 5-second handshake window,
  so operator tuning of request-head parsing does not accidentally widen or
  shrink the TLS negotiation budget.
• Add a native runtime cutover summary to ServerPlan. Fluxheim now logs the
  remaining native-runtime blockers at startup while still retaining the
  compatibility adapter for this release.
• Add a root integration test proving the fluxheim-tls rustls downstream
  server-config builder can drive the native fluxheim-server HTTP/1 listener
  with a real TLS client handshake and request.
• Add the matching OpenSSL integration test proving the fluxheim-tls
  acceptor builder can drive the native OpenSSL HTTP/1 listener.
• Update the test-only rcgen dependency to 0.14.8.
• Remove Fluxheim's direct rustls-pemfile dependency from fluxheim-tls by
  using the maintained rustls-pki-types PEM parser API.

Security

• Tighten the release-gate proof around dependency ownership: native TLS-only
  builds cannot silently reintroduce Pingora through TLS feature forwarding.
• Isolate the old vendored Pingora rustls listener panic surface to the
  temporary acceptor shim. Certificate selection and key parsing now return
  typed Fluxheim errors and can be reused directly by the native listener
  cutover.
• Shrink the OpenSSL compatibility listener surface: SNI certificate material
  is now loaded, selected, reloaded, and applied by fluxheim-tls, leaving the
  Pingora layer as an adapter only.
• Fix rustls/OpenSSL backend divergence for pending managed certificates so an
  ACME issuance race with only one file present does not fail rustls startup or
  reload.
• Prepare the native downstream listener cutover with a no-panic rustls server
  config path that can replace the vendored Pingora rustls TlsSettings
  builder.
• Bound native TLS handshakes with their own timeout instead of reusing the
  HTTP request-head timeout.
• Add socket-level test coverage proving a real rustls client can complete a
  downstream TLS handshake and receive an HTTP/1 response through the native
  listener path.
• Add socket-level OpenSSL client/server coverage for the OpenSSL downstream
  listener preview so the native cutover is not rustls-only.
• Add server-plan coverage for native-runtime blocker reporting so the final
  Pingora removal slice has a tested checklist.
• Add end-to-end native rustls listener cutover coverage across the
  fluxheim-tls and fluxheim-server crates.
• Add end-to-end native OpenSSL listener cutover coverage across the same crate
  boundary.
• Remove direct use of the unmaintained rustls-pemfile parser from
  Fluxheim-owned TLS code.

Compatibility Boundary

• Root proxy, admin, metrics, stream, UDP, and process-supervisor paths still
  use the Pingora compatibility runtime in this release. The next
  Pingora-exit slice removes the runtime/listener/admin compatibility layer as
  a tested behavior change.
• The native runtime cutover summary is diagnostic-only. It does not change
  which runtime adapter handles production traffic in 1.6.19.

Checksums And Signatures

• Commit: caa0ea8116e75b22562c159ce06e7817a6ca2562
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 97dd0961bb31b9a1bc2673c52df90a0aa4d79bd4e8449cf0f5a5f01c26819deb fluxheim-1.6.19.tar.gz
  • 09a0446ee9932979520f8739d4072703dd8f65084c88f741077d9db0824ac179 fluxheim-1.6.19.zip
• Binary checksums:
  • x86_64:
    • 036c96ed80d391711306df539b93920f19b629c16c7addda032734e760eb6ddb fluxheim-1.6.19-full-x86_64-linux.tar.gz
    • a33289e9d471f4cdb74f4eef651cb746f1bd85b246415ec5799e5ae74b59f5fd fluxheim-1.6.19-cache-x86_64-linux.tar.gz
    • c2f46eededb97d7e947e5bac2c1d810bf1d9e3b7c7fd9a95eb34c0a5459d740e fluxheim-1.6.19-proxy-x86_64-linux.tar.gz
    • eb41c7634f08f327adea6a0e029c5e0bc4e4a291eb14fd75d5893e6010ab9c7f fluxheim-1.6.19-php-x86_64-linux.tar.gz
    • 51b3abdc612179840eafa07990af393b96e0ee760c38a5724e4637a06b0fe8f7 fluxheim-1.6.19-load-balancer-x86_64-linux.tar.gz
    • 3c899b7d7b450f88478da2687f0dea68929e6b6ea4c54a5f0f89d74a1e3d5524 fluxheim-1.6.19-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • 6f06c107d3d422924a89e0f353e220b0ed19a5a5cfebbaa83c71b6a1ec6d3564 fluxheim-1.6.19-full-aarch64-linux.tar.gz
    • c16f8ad4ad62b953ebd4e1b32388c8c81c16c36d36a4f72d8f19883cbb0d8e2e fluxheim-1.6.19-cache-aarch64-linux.tar.gz
    • 2c5fa0b187234b0ad7f80759bab91be91122ec56d7701cefbd709fa19dd5de3f fluxheim-1.6.19-proxy-aarch64-linux.tar.gz
    • 6d435c8868eaf44a458482ef8a86965c68f6a4f10b7ec40072c54c1235ebc105 fluxheim-1.6.19-php-aarch64-linux.tar.gz
    • caeeb95e309286e22e77848f29108a684505e4edd26248a43534bb1d53049f5f fluxheim-1.6.19-load-balancer-aarch64-linux.tar.gz
    • cefb4d6a7ba710128a1af61b3cb2ba516f370ad300f0ffff4a88de5612195ff7 fluxheim-1.6.19-config-tester-aarch64-linux.tar.gz
  • macos:
    • dec66e651cade43eea96021c37227988ada8315a28ca717a6f410fee56eaf582 fluxheim-1.6.19-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • a0b0681d52d3a66c1ed402c1e9042a0b9692f05ec811e9d875ccb6af0591941c fluxheim.spdx.json
  • e4acd5fb6ed2539294ceb0edc08dfcafbc89da4cda702fde42538c017fa03c61 fluxheim.cyclonedx.json
• Reproducible build:
  • 9f6a058dc739c2e1cec1946988e41ea71b41c0c1eb8098b0a928c03342674d04 x86_64
  • b5aa2e472e1bdab9036eec26c2aa3d8d5696f9511ed8fe1b17f815bf40521417 aarch64
  • fd3be666a537bf858d7ee5b3e48aa98dfb86c5f56e17aaeb53e5d9c634179140 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:8a27a314ab0f2a19f8004010d5f7482fd6828271778acbdb83f7c8af9dfccf24
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0402e2f246d3f681a22ec3291f1d7a8546aed01ae21f2cbebadaecfecfe60aae
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:3d6233642cadd71e9058777ae04f96c64f72fb1d69e97393e4b8e3fde2853d09
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:15269557a5157ffad39c489b2e400aa3f6f612819ea61c4dad88cf517b91d687
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:0fa2e1a3c837f02691f827c1db97ad72d219a4cccc46fc725b736abf35716c10
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:10f11b4d3ca4963ca33dc81537ccff8b70ab9efcf1a81d3c3c5908bfd344d81d
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:51a834f95a81987525a99327a5f4852ce437d1d241f7e1c6b7d64b7ec409ce74
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:237d62d2d2addcaf37bc30dd4b1837a784f633daee4145fd96b6aab29588bc92
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:866765ec5f53f2749ba5ceeef484d69c9241a8e12b7d5ad8ab008c901283c4bc
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:1c3626fd50f41f5258c9fa416f15aec867a04655d3c6bc1ad58e6aa19f3c7777
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:4d08af0c3c2a8fffab6db31f32e9d8e01fbab1c313357a92f980ba76862249f9
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:18dccef04438c6320834f0dc347091aabb0cc49c0c5d7f792cefde4b3144546b
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:4be38555551f749f2066b60347835a47fd01a7dd88936ac9a74aaee67040335d
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:22825279bf2ad04c0ab21d521a52874556ed6db188998b397ddd6a6fa81de0ae
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:0d62b27023de061c6d1d7be2166fac9a65a628514e2f239094859108123b5870
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:683a0cb53917e9c0108f37731921a000861597c90e68e7426e13474b4934d92b
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1ea1f0176f8b1681338297c14211c72de587cdf8b750e3e350a129797322e822
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:14da2332e3e14472ecba66a640d47a34bc0ada92f917ad5e5c833018304a5592
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ca73a1d0c46e98e396b0d98d5472cf7c47858fcc71f884dd3c9efaedc99a7091
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:04465b2dae5fce5fdb38037fd573320d4b23e6ce833350f6c3fe2cc219a66930
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

---

This discussion was created from the release Fluxheim 1.6.19.