
Fluxheim 1.6.19


@eldryoth eldryoth released this 20 Jun 08:07
v1.6.19
caa0ea8

Fluxheim 1.6.19 Release Notes

Fluxheim 1.6.19 continues the Pingora-exit line by making the remaining
compatibility runtime explicit in Cargo features and proving that native
TLS-only web builds can stay Pingora-free.

Changed

  • Add a pingora-compat feature for the remaining root compatibility runtime.
    Current proxy profiles still select it, but the dependency boundary is now
    visible and easier to remove profile by profile.
  • Remove unconditional Pingora TLS feature forwarding from native TLS backend
    features. tls-rustls-backend now forwards pingora?/rustls, and
    tls-openssl now forwards pingora?/openssl, so native TLS-only builds do
    not pull Pingora just to use rustls or OpenSSL.
  • Extend scripts/validate-pingora-dependency-policy.sh with native web TLS
    profiles for rustls and OpenSSL. The gate now records and verifies that
    cargo tree --locked --no-default-features --features web,tls-rustls and
    cargo tree --locked --no-default-features --features web,tls-openssl have
    no Pingora crates.
  • Add scripts/validate-native-web-tls.sh and wire it into the stable release
    gate and CI so the same native web TLS proof profiles are compiled during
    release checks, not only inspected with cargo tree.
  • Extend runtime-baseline evidence with the native web TLS proof profiles so
    release artifacts record their Pingora dependency surface alongside the
    official compatibility profiles.
  • Move rustls downstream SNI certificate resolution into fluxheim-tls.
    Fluxheim now owns the reloadable certificate table, PEM certificate/private
    key loading, wildcard/exact SNI lookup, and TLS-ALPN challenge certificate
    adapter used by the compatibility listener.
  • Add a Fluxheim-owned native rustls downstream ServerConfig builder. It
    applies the configured cipher suites, curve groups, minimum protocol, ALPN,
    client-auth verifier, and FIPS reporting check with typed errors instead of
    Pingora listener build() panics.
  • Add a Fluxheim-owned native OpenSSL downstream SslAcceptor builder for the
    fallback-certificate listener path. It applies certificate/key loading,
    cipher, curve, minimum-protocol, ALPN, and client-auth CA policy with typed
    errors.
  • Move OpenSSL downstream SNI certificate storage, reload, pending-managed-cert
    handling, and certificate application into fluxheim-tls. The root runtime
    keeps only the temporary Pingora TlsAccept adapter.
  • Align rustls and OpenSSL managed-certificate pending detection. A
    half-present ACME-managed cert/key pair is now treated as pending by both TLS
    backends instead of making rustls listener startup or reload fail during the
    issuance window.
  • Add a native rustls HTTP/1 downstream listener preview in fluxheim-server.
    It wraps the existing native HTTP/1 parser/handler with tokio-rustls,
    shares the listener connection budget, and bounds the TLS handshake before
    request parsing starts.
  • Add the matching native OpenSSL HTTP/1 downstream listener preview for
    OpenSSL-only builds. It uses the same connection budget and handshake
    timeout as the rustls path, then hands the accepted stream to the same native
    HTTP/1 parser/handler.
  • Split the native HTTP/1 TLS handshake timeout from the HTTP request-head
    timeout. Preview TLS listeners now use a dedicated 5-second handshake window,
    so operator tuning of request-head parsing does not accidentally widen or
    shrink the TLS negotiation budget.
  • Add a native runtime cutover summary to ServerPlan. Fluxheim now logs the
    remaining native-runtime blockers at startup while still retaining the
    compatibility adapter for this release.
  • Add a root integration test proving the fluxheim-tls rustls downstream
    server-config builder can drive the native fluxheim-server HTTP/1 listener
    with a real TLS client handshake and request.
  • Add the matching OpenSSL integration test proving the fluxheim-tls
    acceptor builder can drive the native OpenSSL HTTP/1 listener.
  • Update the test-only rcgen dependency to 0.14.8.
  • Remove Fluxheim's direct rustls-pemfile dependency from fluxheim-tls by
    using the maintained rustls-pki-types PEM parser API.
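The native web TLS proof described above, as an added example rather than the project's own scripts/validate-pingora-dependency-policy.sh: a POSIX shell gate that runs the two cargo tree profiles named in the notes and fails if any pingora* crate appears in the resolved graph. The sample listings, the crate versions in them, and the /src/fluxheim paths are constructed assumptions, not real output of this release.

```shell
#!/bin/sh
# Added example, not the project's scripts/validate-pingora-dependency-policy.sh:
# a gate that fails when a native TLS-only web profile resolves any Pingora
# crate. The cargo commands are the ones named in the release notes; the check
# itself runs on `cargo tree` text, so it can be exercised offline.

# List crate names starting with "pingora" from a `cargo tree` listing.
# Tree lines look like "│   └── rustls v0.23.0"; strip the drawing prefix first.
pingora_crates() {
    sed 's/^[^[:alnum:]_]*//' |
        awk '$1 ~ /^pingora/ { print $1 }' |
        sort -u
}

# Read a listing on stdin; return 0 if Pingora-free, 1 and name offenders if not.
assert_pingora_free() {
    profile="$1"                      # label only, e.g. "web,tls-rustls"
    found=$(pingora_crates)
    if [ -n "$found" ]; then
        printf 'FAIL %s pulls Pingora crates:\n%s\n' "$profile" "$found" >&2
        return 1
    fi
    printf 'OK   %s is Pingora-free\n' "$profile"
}

# Run the gate against a real checkout (needs cargo and the workspace Cargo.lock).
run_gate() {
    for profile in web,tls-rustls web,tls-openssl; do
        cargo tree --locked --no-default-features --features "$profile" |
            assert_pingora_free "$profile" || return 1
    done
}

# Constructed sample listings for offline use (not real output of this release).
CLEAN_TREE='fluxheim v1.6.19 (/src/fluxheim)
├── fluxheim-server v1.6.19 (/src/fluxheim/crates/fluxheim-server)
│   └── tokio-rustls v0.26.0
│       └── rustls v0.23.0
└── fluxheim-tls v1.6.19 (/src/fluxheim/crates/fluxheim-tls)
    └── rustls-pki-types v1.0.0'

LEAKY_TREE='fluxheim v1.6.19 (/src/fluxheim)
├── pingora-core v0.4.0
│   └── pingora-rustls v0.4.0
└── rustls v0.23.0'
```

Call run_gate from a checkout to gate a real build; the sample listings only exercise the matching logic.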

Security

  • Tighten the release-gate proof around dependency ownership: native TLS-only
    builds cannot silently reintroduce Pingora through TLS feature forwarding.
  • Isolate the old vendored Pingora rustls listener panic surface to the
    temporary acceptor shim. Certificate selection and key parsing now return
    typed Fluxheim errors and can be reused directly by the native listener
    cutover.
  • Shrink the OpenSSL compatibility listener surface: SNI certificate material
    is now loaded, selected, reloaded, and applied by fluxheim-tls, leaving the
    Pingora layer as an adapter only.
  • Fix rustls/OpenSSL backend divergence for pending managed certificates so an
    ACME issuance race with only one file present does not fail rustls startup or
    reload.
  • Prepare the native downstream listener cutover with a no-panic rustls server
    config path that can replace the vendored Pingora rustls TlsSettings
    builder.
  • Bound native TLS handshakes with their own timeout instead of reusing the
    HTTP request-head timeout.
  • Add socket-level test coverage proving a real rustls client can complete a
    downstream TLS handshake and receive an HTTP/1 response through the native
    listener path.
  • Add socket-level OpenSSL client/server coverage for the OpenSSL downstream
    listener preview so the native cutover is not rustls-only.
  • Add server-plan coverage for native-runtime blocker reporting so the final
    Pingora removal slice has a tested checklist.
  • Add end-to-end native rustls listener cutover coverage across the
    fluxheim-tls and fluxheim-server crates.
  • Add end-to-end native OpenSSL listener cutover coverage across the same crate
    boundary.
  • Remove direct use of the unmaintained rustls-pemfile parser from
    Fluxheim-owned TLS code.

Compatibility Boundary

  • Root proxy, admin, metrics, stream, UDP, and process-supervisor paths still
    use the Pingora compatibility runtime in this release. The next
    Pingora-exit slice removes the runtime/listener/admin compatibility layer as
    a tested behavior change.
  • The native runtime cutover summary is diagnostic-only. It does not change
    which runtime adapter handles production traffic in 1.6.19.

Checksums And Signatures

  • Commit: caa0ea8116e75b22562c159ce06e7817a6ca2562
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive, per-architecture binary (x86_64, aarch64, macOS), SBOM, and
    reproducible-build SHA-256 checksums, plus the Full, Cache, Proxy, PHP, and
    Load Balancer build-container digests (Wolfi, Alpine, SUSE Micro, Debian),
    are published with the release.
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
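An added verification routine (not Fluxheim's release tooling) for consuming the checksums and tag signature above: it checks downloaded assets against a "<sha256>  <file>" list, fails closed on a missing or altered file, and shows where git verify-tag fits. The scratch asset, its checksum list and the demo directory are constructed; sha256sum or shasum, and git for the tag step, are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of Fluxheim's release tooling: verify downloaded
# release assets against the SHA-256 digests published in the notes, and the
# signed tag, before anything is installed. Assumes coreutils `sha256sum` (or
# `shasum`) and, for the tag step, a clone with the maintainer's key trusted.

# Print the hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        awk '{ print $1 }'
}

# Compare one file against an expected digest; return 0 on match.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
        return 1
    fi
    printf 'OK %s\n' "$file"
}

# Verify every "<sha256>  <file>" line of a checksum list (the layout used in
# the notes). Fails closed: a missing file or a wrong digest fails the whole run.
verify_checksum_list() {
    list="$1"; status=0
    while read -r digest name; do
        [ -z "$digest" ] && continue
        if [ ! -f "$name" ]; then
            printf 'MISSING %s\n' "$name" >&2; status=1; continue
        fi
        verify_sha256 "$name" "$digest" || status=1
    done < "$list"
    return "$status"
}

# Check the tag signature inside a repository clone. For the SSH-signed tag in
# the notes, git needs gpg.ssh.allowedSignersFile to list the maintainer's key.
verify_release_tag() {
    git verify-tag "$1"
}

# Constructed demo: a scratch "asset" plus a checksum list that matches it.
DEMO_DIR=$(mktemp -d)
printf 'not a real release archive\n' > "$DEMO_DIR/fluxheim-demo.tar.gz"
( cd "$DEMO_DIR" &&
  printf '%s  %s\n' "$(sha256_of fluxheim-demo.tar.gz)" fluxheim-demo.tar.gz > SHA256SUMS )
```

For a real download, paste the published digests into SHA256SUMS next to the assets and run verify_checksum_list SHA256SUMS, then verify_release_tag v1.6.19 inside the clone.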