Openziti

Latest version: v1.0.0


Page 2 of 3

1.1.7

What's New

* Release actions fixes
* Fix for a flaky acceptance test

1.1.6

What's New

* Trust Domain Configuration
* Controller HA Beta 2

Trust Domain Configuration

OpenZiti controllers from this release forward will now require a `trust domain` to be configured.
High Availability (HA) controllers already have this requirement. HA Controllers configure their trust domain via SPIFFE
ids that are embedded in x509 certificates.

For feature parity, non-HA controllers now have this same requirement. However, re-issuing certificates is not always
easy, so to help with the transition, non-HA controllers can have their trust domain sourced from the controller
configuration file through the root configuration value `trustDomain`. This field takes a string that must be URI
hostname compatible (see: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md).
If this value is not defined, a trust domain will be generated from the root CA certificate of the controller.

For networks that will be deployed after this change, it is highly suggested that a SPIFFE id is added to certificates.
The `ziti pki create ...` tooling supports the `--spiffe-id` option to help handle this scenario.

Generated Trust Domain Log Messages

The following log messages are examples of warnings produced when a controller is using a generated trust domain:

```text
WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925],
it is recommended that a trust domain is specified in configuration via URI SANs or the 'trustDomain' field

WARNING this environment is using a default generated trust domain [spiffe://d561decf63d229d66b07de627dbbde9e93228925],
it is recommended that if network components have enrolled that the generated trust domain be added to the
configuration field 'additionalTrustDomains'
```

Trust domain resolution:

- Non-HA controllers
  - Prefers SPIFFE ids in x509 certificate URI SANs, looking at the leaf and then up the signing chain
  - Falls back to `trustDomain` in the controller configuration file if no SPIFFE id is found
  - Falls back to generating a trust domain from the server certificate's root CA if neither of the above resolves

- HA Controllers
  - Requires SPIFFE ids in x509 certificate URI SANs

Additional Trust Domains

When moving between trust domains (i.e. from the default generated to a new named one), the controller supports having
other trust domains. The trust domains do not replace certificate chain validation, which is still checked and enforced.

Additional trust domains are configured in the controller configuration file under the root field
`additionalTrustDomains`. This field is an array of hostname safe strings.

The most common use case for this field is a network that has issued certificates using the generated trust domain and
now wants to transition to an explicitly defined one.

Controller HA Beta 2

This release can be run in HA mode. The code is still beta, as we're still finding and fixing bugs. Several bugs
have been fixed since Beta 1 and c-based SDKs and tunnelers now work in HA mode. The smoketest can now be run
with HA controllers and clients.

* Latest ZET release supporting HA control: https://github.com/openziti/ziti-tunnel-sdk-c/releases/tag/v2.0.0-alpha9
* Windows, Mac and Mobile clients are in the process of being updated

For more information:

* HA overview/getting started/migration: [HA Documentation](https://github.com/openziti/ziti/tree/release-next/doc/ha)
* Open Issues: [HA Project Board](https://github.com/orgs/openziti/projects/9/views/1)

Component Updates and Bug Fixes

* github.com/openziti/storage: [v0.2.45 -> v0.2.46](https://github.com/openziti/storage/compare/v0.2.45...v0.2.46)
  * [Issue 76](https://github.com/openziti/storage/issues/76) - Add support for non-boltz symbols to the boltz stores

* github.com/openziti/ziti: [v1.1.5 -> v1.1.6](https://github.com/openziti/ziti/compare/v1.1.5...v1.1.6)
  * [Issue 2171](https://github.com/openziti/ziti/issues/2171) - Routers should consider control channels unresponsive if they are not connected
  * [Issue 2219](https://github.com/openziti/ziti/issues/2219) - Add inspection for router connections
  * [Issue 2195](https://github.com/openziti/ziti/issues/2195) - cached data model file set to
  * [Issue 2222](https://github.com/openziti/ziti/issues/2222) - Add way to get read-only status from cluster nodes
  * [Issue 2191](https://github.com/openziti/ziti/issues/2191) - Change raft list cluster members element name from values to data to match rest of REST api
  * [Issue 785](https://github.com/openziti/ziti/issues/785) - ziti edge update service-policy to empty/no posture checks fails
  * [Issue 2205](https://github.com/openziti/ziti/issues/2205) - Merge fabric and edge model code
  * [Issue 2165](https://github.com/openziti/ziti/issues/2165) - Add network id

1.1.5

What's New

* Bug fixes

Component Updates and Bug Fixes

* github.com/openziti/channel/v2: [v2.0.133 -> v2.0.136](https://github.com/openziti/channel/compare/v2.0.133...v2.0.136)
  * [Issue 132](https://github.com/openziti/channel/issues/132) - reconnecting dialer doesn't take local binding into account when reconnecting

* github.com/openziti/identity: [v1.0.80 -> v1.0.81](https://github.com/openziti/identity/compare/v1.0.80...v1.0.81)
* github.com/openziti/transport/v2: [v2.0.136 -> v2.0.138](https://github.com/openziti/transport/compare/v2.0.136...v2.0.138)
  * [Issue 83](https://github.com/openziti/transport/issues/83) - tls.Dial should use proxy configuration if provided

* github.com/openziti/xweb/v2: [v2.1.0 -> v2.1.1](https://github.com/openziti/xweb/compare/v2.1.0...v2.1.1)
* github.com/openziti/ziti: [v1.1.4 -> v1.1.5](https://github.com/openziti/ziti/compare/v1.1.4...v1.1.5)
  * [Issue 2173](https://github.com/openziti/ziti/issues/2173) - panic on HA peer connect
  * [Issue 2171](https://github.com/openziti/ziti/issues/2171) - Routers should consider control channels unresponsive if they are not connected
  * [Issue 2086](https://github.com/openziti/ziti/issues/2086) - Enable File Watching for Router/Controller Identities
  * [Issue 2087](https://github.com/openziti/ziti/issues/2087) - Ext JWT not setting provider value in auth query

1.1.4

What's New

* Controller HA Beta 1
* Bug fixes

Controller HA Beta 1

This release can be run in HA mode. The code is still beta, as we're still finding and fixing bugs. Several bugs
have been fixed since Alpha 3 and c-based SDKs and tunnelers now work in HA mode. The smoketest can now be run
with HA controllers and clients.

* Initial ZET release support HA control: https://github.com/openziti/ziti-tunnel-sdk-c/releases/tag/v2.0.0-alpha1
* Windows, Mac and Mobile clients are in the process of being updated

For more information:

* HA overview/getting started/migration: [HA Documentation](https://github.com/openziti/ziti/tree/release-next/doc/ha)
* Open Issues: [HA Project Board](https://github.com/orgs/openziti/projects/9/views/1)

Component Updates and Bug Fixes

* github.com/openziti/channel/v2: [v2.0.130 -> v2.0.133](https://github.com/openziti/channel/compare/v2.0.130...v2.0.133)
* github.com/openziti/edge-api: [v0.26.19 -> v0.26.20](https://github.com/openziti/edge-api/compare/v0.26.19...v0.26.20)
  * [Issue 113](https://github.com/openziti/edge-api/issues/113) - RecoveryCodesEnvelope is wrong

* github.com/openziti/foundation/v2: [v2.0.45 -> v2.0.47](https://github.com/openziti/foundation/compare/v2.0.45...v2.0.47)
  * [Issue 407](https://github.com/openziti/foundation/issues/407) - Remove Branch from build info

* github.com/openziti/identity: [v1.0.77 -> v1.0.80](https://github.com/openziti/identity/compare/v1.0.77...v1.0.80)
* github.com/openziti/metrics: [v1.2.54 -> v1.2.56](https://github.com/openziti/metrics/compare/v1.2.54...v1.2.56)
* github.com/openziti/runzmd: [v1.0.47 -> v1.0.49](https://github.com/openziti/runzmd/compare/v1.0.47...v1.0.49)
* github.com/openziti/sdk-golang: [v0.23.37 -> v0.23.38](https://github.com/openziti/sdk-golang/compare/v0.23.37...v0.23.38)
  * [Issue 573](https://github.com/openziti/sdk-golang/issues/573) - api session refresh spins in a tight loop if there is no current api session
  * [Issue 562](https://github.com/openziti/sdk-golang/issues/562) - Support sticky dials

* github.com/openziti/secretstream: [v0.1.20 -> v0.1.21](https://github.com/openziti/secretstream/compare/v0.1.20...v0.1.21)
* github.com/openziti/storage: [v0.2.41 -> v0.2.45](https://github.com/openziti/storage/compare/v0.2.41...v0.2.45)
  * [Issue 73](https://github.com/openziti/storage/issues/73) - db integrity checker doesn't take nullable flag into account when checking unique indices
  * [Issue 71](https://github.com/openziti/storage/issues/71) - Add AddFkIndexCascadeDelete

* github.com/openziti/transport/v2: [v2.0.133 -> v2.0.136](https://github.com/openziti/transport/compare/v2.0.133...v2.0.136)
* github.com/openziti/ziti: [v1.1.3 -> v1.1.4](https://github.com/openziti/ziti/compare/v1.1.3...v1.1.4)
  * [Issue 2084](https://github.com/openziti/ziti/issues/2084) - Bug: Router enrollment is missing its server chain
  * [Issue 2124](https://github.com/openziti/ziti/issues/2124) - api session certs should be deleted when related api sessions are deleted

1.1.3

What's New

* Sticky Terminator Selection
* Linux and Docker deployments log formats no longer default to the simplified format option and now use logging library
defaults: `json` for non-interactive, `text` for interactive.

NOTE: This release is the first since 1.0.0 to be marked promoted from pre-release. Be sure to check the release notes
for the rest of the post-1.0.0 releases to get the full set of changes.

Sticky Terminator Strategy

This release introduces a new terminator selection strategy, `sticky`. On every dial it returns a token to the
dialer which identifies the terminator used for that dial. This token may be passed in on subsequent dials. If no token
is passed in, the strategy behaves the same as the `smartrouting` strategy. If a token is passed in and the
terminator is still valid, the same terminator is used for the dial. A terminator is considered valid if
it still exists and there are no terminators with a higher precedence.

This is currently only supported in the Go SDK.

Go SDK Example

```shell
ziti edge create service test --terminator-strategy sticky
```

```go
// First dial: no token yet, so the strategy behaves like smartrouting.
conn := clientContext.Dial("test")
token := conn.Conn.GetStickinessToken()
_ = conn.Close()

// Later dial: pass the token back; the same terminator is reused as long as
// it still exists and no higher-precedence terminator has appeared.
dialOptions := &ziti.DialOptions{
	ConnectTimeout:  time.Second,
	StickinessToken: token,
}
conn = clientContext.DialWithOptions("test", dialOptions)
nextToken := conn.Conn.GetStickinessToken()
_ = conn.Close()
```
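The validity rule behind the sticky strategy (reuse the tokened terminator only if it still exists and nothing outranks it, otherwise fall back to normal selection), modelled as an added Go example that is not OpenZiti's own code: `Terminator` and `SelectSticky` are hypothetical, the token is assumed to be the terminator ID rather than the SDK's opaque token, and "highest precedence, earliest listed" stands in for the real `smartrouting` decision.

```go
package main

// Terminator is a minimal model (constructed for this example) of a service
// terminator: only the fields the sticky strategy needs.
type Terminator struct {
	ID         string
	Precedence int // higher wins; stands in for required > default > failed
}

// SelectSticky models the `sticky` strategy. With no token, or a token whose
// terminator is gone or outranked, it behaves like smartrouting, approximated
// here as "highest precedence, earliest listed". With a still-valid token it
// returns the same terminator. The token is the terminator ID, an assumption
// standing in for the SDK's opaque stickiness token.
func SelectSticky(terminators []Terminator, token string) (chosen Terminator, nextToken string, ok bool) {
	if len(terminators) == 0 {
		return Terminator{}, "", false // nothing to dial
	}
	best := terminators[0]
	for _, t := range terminators[1:] {
		if t.Precedence > best.Precedence {
			best = t
		}
	}
	if token != "" {
		for _, t := range terminators {
			// valid only if it still exists and nothing outranks it
			if t.ID == token && t.Precedence >= best.Precedence {
				return t, t.ID, true
			}
		}
	}
	return best, best.ID, true
}
```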

Component Updates and Bug Fixes

* github.com/openziti/channel/v2: [v2.0.128 -> v2.0.130](https://github.com/openziti/channel/compare/v2.0.128...v2.0.130)
* github.com/openziti/edge-api: [v0.26.18 -> v0.26.19](https://github.com/openziti/edge-api/compare/v0.26.18...v0.26.19)
* github.com/openziti/foundation/v2: [v2.0.42 -> v2.0.45](https://github.com/openziti/foundation/compare/v2.0.42...v2.0.45)
* github.com/openziti/identity: [v1.0.75 -> v1.0.77](https://github.com/openziti/identity/compare/v1.0.75...v1.0.77)
* github.com/openziti/metrics: [v1.2.51 -> v1.2.54](https://github.com/openziti/metrics/compare/v1.2.51...v1.2.54)
* github.com/openziti/runzmd: [v1.0.43 -> v1.0.47](https://github.com/openziti/runzmd/compare/v1.0.43...v1.0.47)
* github.com/openziti/sdk-golang: [v0.23.35 -> v0.23.37](https://github.com/openziti/sdk-golang/compare/v0.23.35...v0.23.37)
  * [Issue 562](https://github.com/openziti/sdk-golang/issues/562) - Support sticky dials

* github.com/openziti/secretstream: [v0.1.19 -> v0.1.20](https://github.com/openziti/secretstream/compare/v0.1.19...v0.1.20)
* github.com/openziti/storage: [v0.2.37 -> v0.2.41](https://github.com/openziti/storage/compare/v0.2.37...v0.2.41)
* github.com/openziti/transport/v2: [v2.0.131 -> v2.0.133](https://github.com/openziti/transport/compare/v2.0.131...v2.0.133)
* github.com/openziti/ziti: [v1.1.2 -> v1.1.3](https://github.com/openziti/ziti/compare/v1.1.2...v1.1.3)
  * [Issue 2064](https://github.com/openziti/ziti/issues/2064) - Fix panic on link close
  * [Issue 2062](https://github.com/openziti/ziti/issues/2062) - Link connection retry delays should contain some randomization
  * [Issue 2055](https://github.com/openziti/ziti/issues/2055) - Controller panics on 'ziti agent cluster list'
  * [Issue 2019](https://github.com/openziti/ziti/issues/2019) - Support mechanism for sticky dials

1.1.2

What's New

* Bug fixes and minor enhancements

Component Updates and Bug Fixes

* github.com/openziti/sdk-golang: [v0.23.32 -> v0.23.35](https://github.com/openziti/sdk-golang/compare/v0.23.32...v0.23.35)
* github.com/openziti/ziti: [v1.1.1 -> v1.1.2](https://github.com/openziti/ziti/compare/v1.1.1...v1.1.2)
  * [Issue 2032](https://github.com/openziti/ziti/issues/2032) - Auto CA Enrollment Fails w/ 400 Bad Request
  * [Issue 2026](https://github.com/openziti/ziti/issues/2026) - Root Version Endpoint Handling 404s
  * [Issue 2002](https://github.com/openziti/ziti/issues/2002) - JWKS endpoints may not refresh on new KID
  * [Issue 2007](https://github.com/openziti/ziti/issues/2007) - Identities for edge routers with tunneling enabled sometimes show hasEdgeRouterConnection=false even though everything is OK
  * [Issue 1983](https://github.com/openziti/ziti/issues/1983) - delete of non-existent entity causes panic when run on follower controller

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.