From 408bd7205eaa2cf335f5f31b1af9a2aac38b4c15 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Wed, 18 Dec 2024 21:27:45 +0000
Subject: [PATCH 1/4] backport of commit
e097cda8698c3ac25168d50d4387314f19ca214e
---
.../content/docs/release-notes/v0_18_0.mdx | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/website/content/docs/release-notes/v0_18_0.mdx b/website/content/docs/release-notes/v0_18_0.mdx
index 4c1735ce57..1e49b5cf3e 100644
--- a/website/content/docs/release-notes/v0_18_0.mdx
+++ b/website/content/docs/release-notes/v0_18_0.mdx
@@ -41,6 +41,18 @@ description: >-
Learn more: Known issues and breaking changes
+
+
+
+ Go version 1.23.3 x509 key pair behavior changes
+ |
+
+ Boundary version 0.18.2 uses Go version 1.23.3, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.2 controllers or workers being unable to establish SSH connections. As a workaround, you can revert back to the previous key pair behavior.
+
+ Learn more: Known issues and breaking changes
+ |
+
+
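Review bot: The added heading and the body disagree about the cause. The heading reads "Go version 1.23.3 x509 key pair behavior changes", while the body attributes the failure to "the TLS handshake being sent over 2 frames instead of 1" and never says how a key pair change produces that. Name one cause in both places so that readers searching for the symptom find this entry. The summary also says the behavior can be reverted without naming the setting; mentioning GODEBUG here would spare readers a click.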
@@ -228,5 +240,24 @@ description: >-
+
+
+ 0.18.2
+ |
+
+ Boundary version 0.18.2 controllers or workers are unable to establish SSH connections using the boundary connect ssh command
+ |
+
+ Boundary version 0.18.2 uses Go version 1.23.3, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.2 controllers or workers being unable to establish SSH connections.
+
+ As a workaround, you can revert back to the previous key pair behavior by adding the tlskyber=0 and x509keypairleaf=0 parameters to the GODEBUG environment variable before the boundary connect ssh command . For example:
+
+ GODEBUG=tlskyber=0,x509keypairleaf=0 boundary connect ssh -target-id<ID>
+
+ Learn more: Go 1.23 Release Notes
+
+ |
+
+
\ No newline at end of file
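Review bot: The example command is missing a space between the flag and its value: "-target-id<ID>" should read "-target-id <ID>". The sentence introducing it has a stray space before the period in "command ." and sets two GODEBUG values (tlskyber=0 and x509keypairleaf=0) without saying what each one turns off or which of them addresses the 2-frame handshake; document that so operators disable only what they need. The file also now ends without a trailing newline.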
From 8e0463599960c3ab3d8a910f2e10228b777d1b8a Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Wed, 18 Dec 2024 22:30:10 +0000
Subject: [PATCH 2/4] backport of commit
e9e84fe402364de51bc7e5cdc701133c9461cb76
---
website/content/docs/release-notes/v0_18_0.mdx | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/website/content/docs/release-notes/v0_18_0.mdx b/website/content/docs/release-notes/v0_18_0.mdx
index 1e49b5cf3e..645c36f062 100644
--- a/website/content/docs/release-notes/v0_18_0.mdx
+++ b/website/content/docs/release-notes/v0_18_0.mdx
@@ -44,10 +44,10 @@ description: >-
- Go version 1.23.3 x509 key pair behavior changes
+ Go version 1.23 x509 key pair behavior changes
|
- Boundary version 0.18.2 uses Go version 1.23.3, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.2 controllers or workers being unable to establish SSH connections. As a workaround, you can revert back to the previous key pair behavior.
+ Boundary version 0.18.x uses Go version 1.23, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers or workers being unable to establish SSH connections. As a workaround, you can revert back to the previous key pair behavior.
Learn more: Known issues and breaking changes
|
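Review bot: Widening "0.18.2" to "0.18.x" and "1.23.3" to "1.23" in this summary removes the only statement of which release first shipped the behavior. If every 0.18 release is affected, say so explicitly; if not, give the first affected version, since operators read this table to decide whether the workaround applies to them.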
@@ -242,13 +242,13 @@ description: >-
- 0.18.2
+ 0.18.x
|
- Boundary version 0.18.2 controllers or workers are unable to establish SSH connections using the boundary connect ssh command
+ Boundary version 0.18.x controllers or workers are unable to establish SSH connections using the boundary connect ssh command
|
- Boundary version 0.18.2 uses Go version 1.23.3, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.2 controllers or workers being unable to establish SSH connections.
+ Boundary version 0.18.x uses Go version 1.23, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers or workers being unable to establish SSH connections.
As a workaround, you can revert back to the previous key pair behavior by adding the tlskyber=0 and x509keypairleaf=0 parameters to the GODEBUG environment variable before the boundary connect ssh command . For example:
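Review bot: The retitled entry still reads "controllers or workers are unable to establish SSH connections using the boundary connect ssh command", but boundary connect ssh is the command a user runs from the CLI, so the sentence assigns the client's command to the server components. State which component fails and which one runs the command. The unchanged context line at the end of this hunk also keeps the stray space in "command ." and could be fixed while the paragraph is being touched.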
From 9f5730b5bb5d8d4c10a5bd68a5e2bbe02aed6172 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Thu, 19 Dec 2024 15:47:39 +0000
Subject: [PATCH 3/4] backport of commit
dca6243028484ec410f6ca88b3ffceb4508f79b0
---
website/content/docs/release-notes/v0_18_0.mdx | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/website/content/docs/release-notes/v0_18_0.mdx b/website/content/docs/release-notes/v0_18_0.mdx
index 645c36f062..29c3753805 100644
--- a/website/content/docs/release-notes/v0_18_0.mdx
+++ b/website/content/docs/release-notes/v0_18_0.mdx
@@ -47,7 +47,7 @@ description: >-
Go version 1.23 x509 key pair behavior changes
|
- Boundary version 0.18.x uses Go version 1.23, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers or workers being unable to establish SSH connections. As a workaround, you can revert back to the previous key pair behavior.
+ Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior.
Learn more: Known issues and breaking changes
|
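Review bot: The body now describes "a new TLS handshake behavior", but the heading kept as context at the top of this hunk still reads "Go version 1.23 x509 key pair behavior changes", so the entry contradicts itself after this commit. Update the heading in the same change.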
@@ -245,14 +245,14 @@ description: >-
0.18.x
- Boundary version 0.18.x controllers or workers are unable to establish SSH connections using the boundary connect ssh command
+ Boundary version 0.18.x CLI is unable to establish connections using the boundary connect command.
|
- Boundary version 0.18.x uses Go version 1.23, which introduced a new x509 key pair behavior. Some VPN implementations struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers or workers being unable to establish SSH connections.
+ Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior.
- As a workaround, you can revert back to the previous key pair behavior by adding the tlskyber=0 and x509keypairleaf=0 parameters to the GODEBUG environment variable before the boundary connect ssh command . For example:
+ As a workaround, you can revert back to the previous TLS handshake behavior by adding the tlskyber=0 parameters to the GODEBUG environment variable before the boundary connect command. For example:
- GODEBUG=tlskyber=0,x509keypairleaf=0 boundary connect ssh -target-id<ID>
+ GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID>
Learn more: Go 1.23 Release Notes
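Review bot: The affected scope and the workaround no longer match. The body lists "controllers, workers or clients" as unable to connect, while the new title limits the issue to the CLI and the only remedy shown is prefixing GODEBUG=tlskyber=0 to a boundary connect invocation; if controllers and workers are affected, document how to set the variable for those processes, otherwise drop them from the sentence. The rewritten body paragraph also ends with "As a workaround, you can revert back to the previous TLS handshake behavior." and the next line opens with the same clause, and "the tlskyber=0 parameters" should be singular now that one setting remains.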
From 2f75397f16316d98df1005f6733e9fea0b3dfb3d Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Thu, 19 Dec 2024 15:58:41 +0000
Subject: [PATCH 4/4] backport of commit
0e743571916ff3f352c437d5a9b590fc0cc19fce
---
website/content/docs/release-notes/v0_18_0.mdx | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/website/content/docs/release-notes/v0_18_0.mdx b/website/content/docs/release-notes/v0_18_0.mdx
index 29c3753805..8b4d0c5de3 100644
--- a/website/content/docs/release-notes/v0_18_0.mdx
+++ b/website/content/docs/release-notes/v0_18_0.mdx
@@ -44,10 +44,10 @@ description: >-
|
- Go version 1.23 x509 key pair behavior changes
+ Go version 1.23 TLS handshake behavior changes
|
- Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior.
+ Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior.
Learn more: Known issues and breaking changes
|
@@ -245,16 +245,16 @@ description: >-
0.18.x
- Boundary version 0.18.x CLI is unable to establish connections using the boundary connect command.
+ Boundary version 0.18.x CLI is unable to establish connections using the boundary connect command
|
- Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior.
+ Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior.
- As a workaround, you can revert back to the previous TLS handshake behavior by adding the tlskyber=0 parameters to the GODEBUG environment variable before the boundary connect command. For example:
+ To revert back to the previous TLS handshake behavior, add the tlskyber=0 parameters to the GODEBUG environment variable before the boundary connect command. For example:
GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID>
- Learn more: Go 1.23 Release Notes
+ Learn more: Go issue #70047 and Go 1.23 Release Notes
|
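Review bot: The final wording tells readers to set tlskyber=0 without saying what that setting disables or whether turning it off weakens the TLS connection; they have to follow the "Go issue #70047 and Go 1.23 Release Notes" links to find out. Add one sentence stating the effect, and note that the setting should be removed once the VPN path handles the 2-frame handshake. "the tlskyber=0 parameters" is also still plural for a single setting.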