This release contains important fixes and we strongly encourage everyone to upgrade.

- Security fix & behavior change: tls.pinSHA256 now matches only the fingerprint of the leaf certificate, instead of any certificate in the chain. This mitigates MITM risks when insecure=true is set, where chain validation is disabled and the pin is the only thing authenticating the server. The old behaviour allowed 1) a user accidentally pinning a CA certificate, which would let any certificate issued by that CA be accepted, and 2) an attacker constructing a forged certificate chain by presenting their own leaf certificate together with the user's real server certificate, so that the pinned fingerprint was still found somewhere in the chain. A pin that previously matched a CA or intermediate certificate no longer matches; re-pin against the server's leaf certificate.
- Fix tun mode UDP packet AF corruption
- Updated quic-go to v0.54.0
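The following Go program is an added illustration of the pinning change, not code from the project or this release. It contrasts the old "any certificate in the chain" match with the new leaf-only match on throwaway certificates minted in the program itself, reproducing both cases from the note: a user who pinned the CA, and an attacker who appends the real server certificate behind their own leaf. The function names, the hostnames server.example and mallory.example, and the lower-case hex pin format are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fingerprint is the hex SHA-256 of one DER certificate, the value a tls.pinSHA256 setting holds
// (lower-case hex without separators is this demo's assumption, not the project's documented format).
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinMatchesAnyInChain is the pre-release behaviour: any certificate in the chain satisfies the pin.
func pinMatchesAnyInChain(pin string, rawCerts [][]byte) bool {
	for _, der := range rawCerts {
		if fingerprint(der) == pin {
			return true
		}
	}
	return false
}

// pinMatchesLeaf is the new behaviour: only rawCerts[0], the certificate the peer presents as its own identity, counts.
func pinMatchesLeaf(pin string, rawCerts [][]byte) bool {
	return len(rawCerts) > 0 && fingerprint(rawCerts[0]) == pin
}

// LeafPinVerifier adapts pinMatchesLeaf to tls.Config.VerifyPeerCertificate, the hook that remains
// when InsecureSkipVerify turns chain validation off and the pin is the only server authentication left.
func LeafPinVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if pinMatchesLeaf(pin, rawCerts) {
			return nil
		}
		return errors.New("tls: pinned SHA-256 does not match the leaf certificate")
	}
}

// newCert mints a throwaway P-256 certificate: self-signed when parentDER is nil, otherwise issued by
// that parent. Nothing in this demo validates chains, so key usage is deliberately permissive.
func newCert(cn string, isCA bool, parentDER []byte, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
	}
	parent, signer := tmpl, key
	if parentDER != nil {
		if parent, err = x509.ParseCertificate(parentDER); err != nil {
			panic(err)
		}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	return der, key
}

// Outcome records whether the old and the new matcher accept a handshake.
type Outcome struct{ Old, New bool }

// Scenarios runs both matchers on the legitimate handshake and on the two attacks from the note.
func Scenarios() map[string]Outcome {
	caDER, caKey := newCert("Demo CA", true, nil, nil)
	serverDER, _ := newCert("server.example", false, caDER, caKey)
	malloryDER, _ := newCert("mallory.example", false, caDER, caKey) // any other cert from the same CA
	forgedDER, _ := newCert("server.example", false, nil, nil)       // the attacker's own leaf
	check := func(pin string, chain [][]byte) Outcome {
		return Outcome{Old: pinMatchesAnyInChain(pin, chain), New: pinMatchesLeaf(pin, chain)}
	}
	return map[string]Outcome{
		// Correct setup: the server leaf is pinned and the server presents [leaf, CA].
		"legit": check(fingerprint(serverDER), [][]byte{serverDER, caDER}),
		// Case 1: the user pinned the CA, so any certificate that CA issued used to pass.
		"pinned-ca": check(fingerprint(caDER), [][]byte{malloryDER, caDER}),
		// Case 2: the leaf is pinned correctly, but the attacker appends the real server certificate
		// behind their own leaf; the old "anywhere in the chain" check still finds it.
		"forged-chain": check(fingerprint(serverDER), [][]byte{forgedDER, serverDER, caDER}),
	}
}

func main() {
	fmt.Println(Scenarios())
}
```

The leaf is rawCerts[0] because TLS requires the sender's own certificate to come first in the Certificate message; everything after it is unauthenticated filler once chain validation is skipped, which is exactly what the forged-chain case exploits. Note the flip side of the new rule: a pin copied from a CA certificate now fails for the legitimate server too, which is the intended signal that the wrong certificate was pinned.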