Releases: cloudflare/quiche

🩹 0.23.2

24 Jan 18:26

Highlights:

  • Fixed an issue introduced in the previous release that would cause a crash when sending packets.

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.1..0.23.2

🗓️ 0.23.0 / 0.23.1

24 Jan 14:06

⚠️ The 0.23.0 release has been yanked due to a broken dependency on the qlog crate and should not be used.

Breaking Changes:

  • The has_body field of the Headers event variant has been renamed to more_frames. It is also no longer possible to call send_response() (and related methods) multiple times; the new send_additional_headers() method should be used instead (see below).

Highlights:

  • Added proper support for sending additional headers after the initial request/response headers, via the new send_additional_headers(). Various HTTP/3 state transitions have also been tightened to ensure correct behaviour.
  • Added support for configuring the idle timeout per connection (rather than "globally" at the Config level) via the new Connection::set_max_idle_timeout() method.
  • Added dgram_recv and dgram_sent fields to the Stats structure tracking the number of received and sent DATAGRAM frames.
  • Added support for tracking and exposing "unknown" transport parameters received. This can optionally be enabled using the Config::enable_track_unknown_transport_parameters() option.
  • Many more bug fixes and performance improvements.

Full changelog at 0.22.0...0.23.1

🔧 0.22.0

26 Jun 17:21

Breaking Changes:

  • The quiche_conn_stream_recv() and quiche_conn_stream_send() FFI functions now take an additional parameter out_error_code used to return more specific error information to the caller (similarly to what the Rust API already does).

Highlights:

  • Added number of acked bytes to the Stats structure.
  • The libquiche.so library, which exposes FFI bindings for C, will now have SONAME information.
  • Added configuration option to change the anti-amplification limit factor (default will still be "3", per RFC 9000).
  • Many more bug fixes and performance improvements.

Full changelog at 0.21.0...0.22.0

🛰️ 0.21.0

15 Apr 14:08

Highlights:

  • Added initial implementation of path MTU discovery. Note that this feature is experimental and might have bugs.
  • Added support to build against the "quictls" OpenSSL fork. Note that some features (e.g. 0-RTT) do not work yet in this mode.
  • Many more bug fixes and performance improvements.

Full changelog at 0.20.0...0.21.0

🔒 0.20.1

12 Mar 18:02

⚠️ Security:

  • Added a limit to how many connection IDs are locally queued for retirement. Without the limit an attacker could cause a server to queue an unbounded number of retired connection IDs, leading to a slow but steady increase in memory usage (CVE-2024-1410).
  • Added a limit to the maximum CRYPTO frame data offset that can be buffered. Without the limit an attacker could cause a server to queue an unbounded number of bytes, leading to a slow but steady increase in memory usage (CVE-2024-1765).
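A sketch of the kind of offset limit described for CVE-2024-1765, added here as an illustration and not taken from quiche's source: a CRYPTO reassembly buffer that rejects any frame ending past a cap, so a peer that never fills the gap at the front cannot make it grow without bound. The names CryptoRecvBuf, BufferExceeded and MAX_CRYPTO_OFFSET, and the 16 KiB value, are assumptions.

```rust
use std::collections::BTreeMap;

// Hypothetical cap for this sketch; not quiche's actual constant or value.
const MAX_CRYPTO_OFFSET: u64 = 16 * 1024;
#[derive(Debug, PartialEq)]
struct BufferExceeded; // hypothetical error; the caller closes the connection

#[derive(Default)]
struct CryptoRecvBuf {
    chunks: BTreeMap<u64, Vec<u8>>, // non-overlapping out-of-order data, by offset
    read_off: u64,                  // next offset to hand to the TLS stack
}

impl CryptoRecvBuf {
    fn push(&mut self, off: u64, data: &[u8]) -> Result<(), BufferExceeded> {
        // The limit: refuse a frame that ends past the cap (or overflows u64).
        let end = off.checked_add(data.len() as u64).ok_or(BufferExceeded)?;
        if end > MAX_CRYPTO_OFFSET { return Err(BufferExceeded); }
        let mut cur = off.max(self.read_off); // ignore already-delivered bytes
        while cur < end {
            // Skip bytes already buffered, so overlapping data cannot inflate memory.
            let prev = self.chunks.range(..=cur).next_back();
            let covered = prev.map_or(0, |(o, v)| o + v.len() as u64);
            if covered > cur {
                cur = covered;
                continue;
            }
            let next = self.chunks.range(cur..).next().map_or(end, |(o, _)| (*o).min(end));
            self.chunks.insert(cur, data[(cur - off) as usize..(next - off) as usize].to_vec());
            cur = next;
        }
        Ok(())
    }
    // Drain the contiguous prefix; data behind a gap stays buffered.
    fn read(&mut self) -> Vec<u8> {
        let mut out = Vec::new();
        while let Some(chunk) = self.chunks.remove(&self.read_off) {
            self.read_off += chunk.len() as u64;
            out.extend(chunk);
        }
        out
    }
    fn buffered(&self) -> usize { self.chunks.values().map(Vec::len).sum() }
}

fn main() { // Constructed flood: offset 0 is never sent, so nothing drains.
    let mut buf = CryptoRecvBuf::default();
    let rejected = (1..=64u64).filter(|i| buf.push(i * 1024, &[0u8; 512]).is_err()).count();
    println!("buffered={} rejected={}", buf.buffered(), rejected);
}
```

Because stored chunks never overlap and none may end past the cap, the bytes held are bounded by MAX_CRYPTO_OFFSET regardless of how many frames arrive.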

Full changelog at 0.20.0...0.20.1

🦦 0.19.2

12 Mar 18:02

⚠️ Security:

  • Added a limit to how many connection IDs are locally queued for retirement. Without the limit an attacker could cause a server to queue an unbounded number of retired connection IDs, leading to a slow but steady increase in memory usage (CVE-2024-1410).
  • Added a limit to the maximum CRYPTO frame data offset that can be buffered. Without the limit an attacker could cause a server to queue an unbounded number of bytes, leading to a slow but steady increase in memory usage (CVE-2024-1765).

Full changelog at 0.19.1...0.19.2

🔐 0.20.0

12 Dec 13:39

⚠️ Security:

  • Added a limit to how many PATH_CHALLENGE frames are queued. Without the limit an attacker could cause a server to queue an unbounded number of frames, leading to a slow but steady increase in memory usage (CVE-2023-6193).

Breaking Changes:

Highlights:

  • Many new methods are now exposed via the FFI API that can be used by non-Rust code.
  • Many more bug fixes and performance improvements.

Full changelog at 0.19.0...0.20.0

🛡️ 0.19.1

12 Dec 13:29

⚠️ Security:

  • Added a limit to how many PATH_CHALLENGE frames are queued. Without the limit an attacker could cause a server to queue an unbounded number of frames, leading to a slow but steady increase in memory usage (CVE-2023-6193).

Full changelog at 0.19.0...0.19.1

🛩️ 0.19.0

10 Nov 13:00

Breaking Changes:

Highlights:

  • Added experimental support for the BBRv2 congestion control algorithm. ⚠️ Note that more work is needed on this (particularly implementing changes to update to the newer BBRv3), so it's not quite production-ready yet, and will later be merged with the existing BBRv1 implementation.
  • Added Connection::peer_transport_params() which returns TransportParams representing the connection's peer's transport parameters.
  • Many more bug fixes and performance improvements.

Full changelog at 0.18.0...0.19.0

🔀 0.18.0

22 Aug 14:49

Breaking Changes:

  • Removed pre-RFC QUIC and HTTP/3 support (specifically for drafts 27, 28 and 29). Now only the final QUIC and HTTP/3 versions are supported.
  • Removed the HTTP/3 DATAGRAM API (specifically the h3::Event::Datagram enum variant and h3::Connection::dgram_send() / h3::Connection::dgram_recv() / h3::Connection::dgram_max_writable_len() methods). Applications should use the transport-level APIs Connection::dgram_send() and Connection::dgram_recv() (see this change for example).
  • Replaced Config::with_boring_ssl_ctx() with Config::with_boring_ssl_ctx_builder() which takes a SslContextBuilder rather than SslContext directly, for safety reasons.

Highlights:

  • Massively improved the stream prioritization implementation, which is now much more accurate and reliable (this is largely transparent to applications, as the API hasn't changed).
  • Added support for the final specification of DATAGRAMs (RFC 9297). Currently both draft and final versions are supported, but the draft support will be removed in a future release.
  • Added some APIs to make working with migration and multiple CIDs easier. Specifically Connection::source_ids() which returns all active source IDs, and Connection::retired_scids() which returns the number of retired source IDs that haven't been returned to the application yet.
  • Added Config::set_initial_congestion_window_packets() to configure the initial congestion window size.
  • Many more bug fixes and performance improvements.

Full changelog at 0.17.2...0.18.0