Releases: flashbots/attested-tls-proxy
Release list
v1.1.3
What's Changed
There are some notable changes from the attestation crate which is now provided by the attested-tls repo. But this release does NOT switch to the attested-tls protocol provided by that repo (nested TLS). It still uses post-handshake session binding.
Relevant changes from the attested-tls repo:
- flashbots/attested-tls#49
- flashbots/attested-tls#41
- flashbots/attested-tls#39
- flashbots/attested-tls#29
- flashbots/attested-tls#22
- flashbots/attested-tls#17
Changes from this repo:
- Use attestation crate from new
attested-tlsrepo by @ameba23 in #150 - fix: proper HTTP status codes and error handling by @steph-rs in #155
- Bump rustls-webpki from 0.103.8 to 0.103.13 by @dependabot[bot] in #158
- Bump quinn-proto from 0.11.13 to 0.11.14 by @dependabot[bot] in #161
- chore: remove attestation-provider-server crate by @steph-rs in #157
- Bump rand from 0.8.5 to 0.8.6 by @dependabot[bot] in #165
- Bump attestation crate by @ameba23 in #166
- Attested-get - Allow URL path to be passed as part of the target address by @ameba23 in #167
New Contributors
Full Changelog: v1.1.2...v1.1.3
v2.0.0-rc.2
This is a pre-release for 2.0.0 which switches the protocol to the newer nested-tls approach in https://github.com/flashbots/attested-tls
Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2
v2.0.0-rc.1
This is a pre-release for 2.0.0 which switches the protocol to the newer nested-tls approach in https://github.com/flashbots/attested-tls
What's Changed
- Proxy server should offer both nested TLS and inner-TLS only on different ports by @ameba23 in #153
- Use attestation crate from new
attested-tlsrepo by @ameba23 in #150 - fix: proper HTTP status codes and error handling by @steph-rs in #155
- Bump rustls-webpki from 0.103.8 to 0.103.13 by @dependabot[bot] in #158
- Restore measurement header injection by @ameba23 in #154
- Add inner TLS session only support to proxy client by @ameba23 in #159
- Bump quinn-proto from 0.11.13 to 0.11.14 by @dependabot[bot] in #161
- chore: remove attestation-provider-server crate by @steph-rs in #157
New Contributors
Full Changelog: v1.1.2...v2.0.0-rc.1
v1.1.2
What's Changed
- Add option to get-tls-cert and attested-get commands to allow self signed certificates by @ameba23 in #134
- Use updated TCB override fix for DCAP qvl by @ameba23 in #133
- attested-tls-proxy
--versionshould report git revision rather than crate version number by @ameba23 in #132 - Cap attestation payload size at 64kb by @ameba23 in #135
- Remove unneeded dependencies by @ameba23 in #136
- Fix normalization bug when handling quote provider urls by @ameba23 in #137
- Fix input data checks for azure attestation by @ameba23 in #138
- Add additional logging of remote measurements at the point of connecting or accepting connection by @ameba23 in #139
- Run
cargo fmtafter fixing editor settings by @ameba23 in #140 - Fix dcap-qvl feature flag name to match convention by @ameba23 in #141
- Add json measurement output option and generic TDX attestation type to make CLI similar to
cvm-reverse-proxyby @ameba23 in #142 - Bump time from 0.3.44 to 0.3.47 by @dependabot[bot] in #146
- Refactor attestation generation, verification and measurement logic to separate crate by @ameba23 in #148
- Default to http2 for proxy-client to proxy-server connections by @ameba23 in #151
New Contributors
- @dependabot[bot] made their first contribution in #146
Full Changelog: v1.1.1...v1.1.2
v1.1.1
What's Changed
- Only download needed arifacts in release workflow by @ameba23 in #131
- attested-tls-proxy should not use default features of attested-tls by @ameba23 in #129
Full Changelog: v1.1.0...v1.1.1
v1.0.2
v1.0.1
What's Changed
- Support attestation provider servers which do not wrap messages in an
AttestationExchangeMessageby @ameba23 in #120 - Pin dcap-qvl to 0.3.10 by @ameba23 in #122
- CI: on release, push docker image by @metachris in #123
New Contributors
- @metachris made their first contribution in #123
Full Changelog: v1.0.0...v1.0.1
v1.0.0
What's Changed
- Add attested RPC client by @ameba23 in #88
- Add basic support for using self-signed TLS certificates by @ameba23 in #97
- Add
acceptmethod toAttestedTlsServerto provide similar API totokio_rustls::TlsAcceptorby @ameba23 in #104 - Remove the dependency on OpenSSL by @ameba23 in #105
- Remove ring feature of tokio_rustls to be CryptoProvider agnostic by @ameba23 in #108
- [Breaking] HTTPS proxy - support http1.1 and do HTTP version protocol negotiation. by @ameba23 in #106
- Add test demonstrating nested TLS by @ameba23 in #103
- Bump bytes to 1.11.1 due to vulnerability in previously used version by @ameba23 in #113
- Small change to #110 for simplicity by @ameba23 in #112
- Allow multiple measurements per register with expected_any by @bakhtin in #110
- Only allow TLS 1.3 by @ameba23 in #114
- Replace dummy attestation with attestation-provider by @ameba23 in #111
- Bump major version following breaking change in #106 by @ameba23 in #115
New Contributors
Full Changelog: v0.0.2...v1.0.0
v0.0.2
v0.0.1
What's Changed
- Add simple CI to run cargo test by @ameba23 in #3
- Add support for client attestation by @ameba23 in #2
- Add error handling by @ameba23 in #6
- Add get-tls-cert command by @ameba23 in #7
- Improve handling of hostnames by @ameba23 in #9
- Add quote generation / verification by @ameba23 in #10
- Include measurements in HTTP headers by @ameba23 in #17
- Add missing CLI arguments from
cvm-reverse-proxyby @ameba23 in #22 - Allow the client to pass in accepted remote TLS roots by @ameba23 in #24
- Add MIT license by @ameba23 in #29
- Re-use proxy-client to proxy-server connections, and use HTTP2 for proxy-client to proxy-server by @ameba23 in #25
- Rm uneeded field from Cargo.toml file by @ameba23 in #31
- Use SCALE rather than JSON for encoding attestation payloads by @ameba23 in #32
- Add logging - trying to give similar logging behaviour / options as
cvm-reverse-proxyby @ameba23 in #28 - Add ALPN protocol negotiation by @ameba23 in #36
- Add additional tests and fix attesation verification by @ameba23 in #40
- Allow PCCS url to be passed as a command line argument by @ameba23 in #39
- Accept various CLI options as environment variables by @ameba23 in #41
- Add protocol specification to README by @ameba23 in #37
- Verify azure attestation locally - not using MAA API by @ameba23 in #42
- Add helper script for generating mock certificate chain when testing by @ameba23 in #46
- Optionally log quotes to file when verifying by @ameba23 in #45
- Measurement policy allowing particular attestation types to be allowed or rejected by @ameba23 in #47
- Azure attestation test without vtmp by @ameba23 in #50
- Add section to README with CLI differences to cvm-reverse-proxy by @ameba23 in #49
- Add dummy attestation server/client by @ameba23 in #44
- Refactor DCAP code into a module and update dummy server by @ameba23 in #52
- For azure, measurments should be PCRs, not registers from TDX quote by @ameba23 in #56
- The option
--log-debugshould only enable debug logging for this crate by @ameba23 in #48 - Add simple static file server and attested-get to access it by @ameba23 in #53
- Add support for Microsoft Azure Attestation (MAA) by @ameba23 in #19
- Improve logic for test DCAP verification by @ameba23 in #61
- Fix get-tls-cert to accept custom CA and gracefully close connection by @ameba23 in #70
- Add demonstration instructions to readme by @ameba23 in #67
- Add health check server for proxy server and client by @ameba23 in #58
- Add attestation type detection by @ameba23 in #57
- Add test which verifies DCAP attestation by @ameba23 in #71
- feat: add docker support by @igladun in #74
- Improve reconnection / backoff logic by @ameba23 in #73
- Allow client attestation without client authentication by @ameba23 in #66
- Bump tdx_quote to 0.0.5 to remove dependency on rsa and num-bigint-dig by @ameba23 in #78
- Allow giving measurement file as url, and improve measurement checking logic by @ameba23 in #77
- Refactor to expose the attested TLS functionality separately from the HTTPS proxy functionality by @ameba23 in #81
- Make attested-TLS server/client transport agnostic by @ameba23 in #83
- Add simple attested websocket server/client by @ameba23 in #84
- Improve doccomments for publishing as library by @ameba23 in #85
- Remove unwraps in file server and health check server by @ameba23 in #87
- Accept hostnames as target server for proxy server by @ameba23 in #90
- Normalize non-PKCS8 private keys by @ameba23 in #89
- Add github release workflow for reproducibly-built debian package by @ameba23 in #76
- Azure attestation tdx-quote must be based on td_report with input data by @ameba23 in #91
- Proxy server: Set http request headers appropriately when proxying requests by @ameba23 in #93
New Contributors
Full Changelog: https://github.com/flashbots/attested-tls-proxy/commits/v0.0.1