v1.8.0

For fingerprinting, this update adds Chrome 133 spec, fixes an issue with the Edge 106 spec, and makes the randomized spec more up to date. It also includes numerous bug fixes and other improvements to the library. Thank you to everyone who contributed!

What's Changed

• Implement Chrome 133+ support by @BRUHItsABunny in #333
• fix: malformed cookie payload by @BRUHItsABunny in #346
• [Cleaner Version] Support for Certificate Compression Algorithm extension in Certificate Request Message by @Juktong in #348
• Update u_parrots.go by @yuhan6665 in #353
• Expose serverHello earlier in clientHandshake() by @RPRX in #357
• Export Mlkem and MlkemEcdhe in struct KeySharePrivateKeys by @RPRX in #358
• Add entropy in generateRandomizedSpec() by @nihiloid in #354
• Remove dependency on cloudflare circl by @mingyech in #352

New Contributors

• @Juktong made their first contribution in #348
• @yuhan6665 made their first contribution in #353
• @nihiloid made their first contribution in #354

Full Changelog: v1.7.3...v1.8.0

v1.7.3 Fix PQ fingerprint

What's Changed

• feat: generate different ecdhe key for pq key by @mingyech in #343

Full Changelog: v1.7.2...v1.7.3

v1.7.2 ECH bugfix

What's Changed

• fix: prevent copying outer server name in inner by @mingyech in #341

Full Changelog: v1.7.1...v1.7.2

v1.7.1

What's Changed

• fix: use go 1.24 instead of 1.24.0 by @mingyech in #338

Full Changelog: v1.7.0...v1.7.1

v1.7.0

What's Changed

• Fix Config.InsecureSkipTimeVerify not being respected by @adotkhan in #303
• Fixes session ticket / PSK not set by @adotkhan in #302
• fix: generate ClientHelloSpec only once by @adotkhan in #306
• fix: extMasterSecret mismatch with extended_master_secret extension by @adotkhan in #307
• Merge changes from go 1.23.4 by @mingyech in #323
• build(deps): bump golang.org/x/net from 0.23.0 to 0.33.0 by @dependabot in #326
• Merge changes from go 1.24.0 by @mingyech in #329
• Add Chrome 131 parrot and ML-KEM support by @BRUHItsABunny in #322
• feat: add support for ECH when using custom clienthello specs by @mingyech in #331
• Fix check for TLS downgrade canary by @mingyech in #337
• build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 by @dependabot in #336

New Contributors

• @mingyech made their first contribution in #323
• @BRUHItsABunny made their first contribution in #322

Full Changelog: v1.6.7...v1.7.0

v1.6.7 Allow inspecting Client Hello before locking Session/PSK

What's Changed

• Allow BuildHandshakeState to inspect ClientHello before setting SessionTicket/PSK by @adotkhan in #301

Full Changelog: v1.6.6...v1.6.7

v1.6.6 Hotfix: QUIC must not send non-empty session ID by RFC

What's Changed

• quic: always use empty session ID by @gaukas in #297

Full Changelog: v1.6.5...v1.6.6

v1.6.5 Popular Firefox 120 parrot and deps update

What's Changed

• build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 by @dependabot in #293
• Update Firefox 120 parrot to a more popular version by @adotkhan in #296

New Contributors

• @adotkhan made their first contribution in #296

Full Changelog: v1.6.4...v1.6.5

v1.6.4 bugfix: UConn incorrectly inherits Conn methods

What's Changed

• build(deps): bump github.com/quic-go/quic-go from 0.40.1 to 0.42.0 by @dependabot in #289
• fix: (*UConn).Read() and Secure Renegotiation by @gaukas in #292

Full Changelog: v1.6.3...v1.6.4

v1.6.3 Cryptographically Secured Shuffle

Don't panic! This does not cause any significant security concern, since modern platforms are doing fine with limited randomness from math/rand. This patch is for some much restrictive platforms such as WebAssembly -- on which math/rand may generate deterministic output (e.g., same random number series from each cold start).

What's Changed

• security: crypto/rand ShuffleChromeTLSExtensions by @gaukas in #286

Full Changelog: v1.6.2...v1.6.3