0.160.0
Release Highlights
This release fixes a security vulnerability. We recommend that all deployments upgrade to this release as soon as possible.
Mutual TLS and X-Forwarded-Client-Cert (XFCC)
- Gorouter now uses the certificate authorities installed via BOSH Trusted Certs to validate certificates presented by clients in mTLS handshakes
- Operators may now configure Gorouter with a list of certificate authorities used to validate certificates presented by clients in mutual TLS handshakes
- Operators may now configure Gorouter to overwrite the XFCC header with the client certificate received in the mTLS handshake
- Operators may now configure Gorouter to forward the XFCC header only when the client connection is mTLS
Mutual Certificates / SNI
- Operators may now configure Gorouter with multiple certificate chains. Gorouter uses SNI, when supported by the client, to serve the appropriate certificate
Misc
- Route service authors may now modify the context path and query parameters, as long as the route matching the new URI is not bound to a route service
- Operators may now configure Gorouter with a limit on concurrent connections per backend
- Operators may now configure the minimum TLS version Gorouter will accept
- Routing-API will now reclaim its Locket lock if it crashes unexpectedly without releasing the lock
- Operators may now configure Gorouter cipher suites using either RFC or OpenSSL names
- Gorouter will now close idle frontend TCP connections with clients after 5 seconds
Manifest Property Changes
gorouter
0.159.0 | 0.160.0 | Default Value |
---|---|---|
did not exist | router.min_tls_version | TLSv1.2 |
router.ssl_cert | removed in favor of tls_pem | |
router.ssl_key | removed in favor of tls_pem | |
did not exist | router.tls_pem | Required when enable_ssl: true |
did not exist | router.ca_certs | |
did not exist | router.forwarded_client_cert | always_forward |
did not exist | router.backends.max_conns | 0 |
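The XFCC modes and the new TLS properties above are easiest to reason about in code. The following is an added example written for these release notes; it is not Gorouter's own implementation. `ForwardedClientCert` models the three `router.forwarded_client_cert` behaviours described under "Mutual TLS and X-Forwarded-Client-Cert": only the default value `always_forward` appears on this page, while the mode names `forward` and `sanitize_set` are the values accepted by the gorouter job spec. Encoding the handshake certificate as base64 DER is an assumption of this example. `MinTLSVersion` and `ServerTLSConfig` show how `router.min_tls_version`, `router.ca_certs` and multiple `router.tls_pem` chains map onto Go's `crypto/tls`, and `NewSelfSignedCert` only produces constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// ForwardedClientCert decides what X-Forwarded-Client-Cert value reaches the backend.
// incoming is the XFCC value the client sent ("" if absent); peerCerts is the verified
// client chain from the TLS handshake (nil when the connection was not mTLS).
// It returns the header value and whether the header should be present at all.
func ForwardedClientCert(mode, incoming string, peerCerts []*x509.Certificate) (string, bool) {
	mtls := len(peerCerts) > 0
	switch mode {
	case "always_forward":
		// 0.160.0 default: pass whatever the client sent, mTLS or not.
		return incoming, incoming != ""
	case "forward":
		// Pass a client-supplied XFCC only when the client authenticated with a certificate.
		if mtls {
			return incoming, incoming != ""
		}
		return "", false
	case "sanitize_set":
		// Never trust the client's value: replace it with the handshake certificate
		// (base64 DER here, an assumption of this example) or strip it entirely.
		if mtls {
			return base64.StdEncoding.EncodeToString(peerCerts[0].Raw), true
		}
		return "", false
	}
	return "", false
}

// MinTLSVersion maps a router.min_tls_version string onto a crypto/tls constant.
func MinTLSVersion(v string) (uint16, error) {
	switch v {
	case "TLSv1.0":
		return tls.VersionTLS10, nil
	case "TLSv1.1":
		return tls.VersionTLS11, nil
	case "TLSv1.2":
		return tls.VersionTLS12, nil
	}
	return 0, fmt.Errorf("unsupported min TLS version %q", v)
}

// ServerTLSConfig builds a listener config the way the new properties suggest:
// several chains selected by SNI (tls_pem), a client CA pool (ca_certs) that is
// consulted whenever a client offers a certificate, and a protocol floor.
func ServerTLSConfig(minVersion string, chains []tls.Certificate, clientCAs *x509.CertPool) (*tls.Config, error) {
	v, err := MinTLSVersion(minVersion)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion:   v,
		Certificates: chains, // crypto/tls picks a chain by SNI automatically
		ClientCAs:    clientCAs,
		ClientAuth:   tls.VerifyClientCertIfGiven, // mTLS is optional but verified when used
	}, nil
}

// NewSelfSignedCert produces a throwaway client certificate (constructed test data).
func NewSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSelfSignedCert("app-client")
	if err != nil {
		panic(err)
	}
	spoofed := "client-supplied-value" // constructed: a header the client set itself
	for _, mode := range []string{"always_forward", "forward", "sanitize_set"} {
		v, ok := ForwardedClientCert(mode, spoofed, nil)
		fmt.Printf("%-14s plain TLS: present=%-5v value=%q\n", mode, ok, v)
		v, ok = ForwardedClientCert(mode, spoofed, []*x509.Certificate{cert})
		fmt.Printf("%-14s mTLS     : present=%-5v bytes=%d\n", mode, ok, len(v))
	}
}
```

Running it prints one line per mode for a plain-TLS and an mTLS connection; the point to notice is that only `sanitize_set` guarantees a backend never sees a client-chosen XFCC value, while `forward` still passes the client's own header once the client holds a certificate trusted by `router.ca_certs`.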