v2.6.3

Author: tobyxdd

docs/docs/Changelog.md

@@ -4,6 +4,15 @@ hide:
   - navigation
 ---
 
+## 2.6.3
+
+- Added mTLS support for client certificate authentication
+- Fixed a memory leak issue in tun mode
+- Fixed an issue where DNS resolution failed in tun mode on Linux systems using systemd-resolved
+- Fixed a bug in the ACL cache that caused rules with different ports or protocols to be applied to irrelevant connections
+- Removed the license-conflicted DoH library and replaced it with an in-house implementation
+- Fixed a race condition in UDP session handling
+
 ## 2.6.2
 
 - Updated quic-go to v0.52.0

docs/docs/Changelog.zh.md

@@ -4,6 +4,15 @@ hide:
   - navigation
 ---
 
+## 2.6.3
+
+- 新增 mTLS 客户端证书验证
+- 修复 tun 模式下一个内存泄漏问题
+- 修复使用 systemd-resolved 的 Linux 设备上 tun 模式 DNS 解析失败的问题
+- 修复一个 ACL 中协议/端口不匹配的规则被错误应用到其他连接的 bug
+- 移除许可协议不兼容的 DoH 库，改为自行实现
+- 修复一个 UDP session 处理的线程安全问题
+
 ## 2.6.2
 
 - quic-go 更新到 v0.52.0

docs/docs/advanced/Full-Client-Config.md

@@ -51,12 +51,16 @@ tls:
   insecure: false # (2)!
   pinSHA256: BA:88:45:17:A1... # (3)!
   ca: custom_ca.crt # (4)!
+  clientCertificate: client.crt # (5)!
+  clientKey: client.key # (6)!
 ```
 
 1. Server name to use for TLS verification. If omitted, the server name will be extracted from the `server` field.
 2. Disable TLS verification.
 3. Verify the server's certificate fingerprint. You can obtain the fingerprint of your certificate using openssl: `openssl x509 -noout -fingerprint -sha256 -in your_cert.crt`
 4. Use a custom CA certificate for TLS verification.
+5. Use a client certificate for mTLS verification.
+6. Use a client key for mTLS verification.
 
 ## Transport
 

docs/docs/advanced/Full-Client-Config.zh.md

@@ -51,12 +51,16 @@ tls:
   insecure: false # (2)!
   pinSHA256: BA:88:45:17:A1... # (3)!
   ca: custom_ca.crt # (4)!
+  clientCertificate: client.crt # (5)!
+  clientKey: client.key # (6)!
 ```
 
 1. 用于 TLS 验证的服务器名称。如果省略，服务器名称将从 `server` 字段中提取。
 2. 禁用 TLS 验证。
 3. 验证服务器的证书指纹。可以通过 openssl 获取证书指纹：`openssl x509 -noout -fingerprint -sha256 -in your_cert.crt`
 4. 使用自定义 CA。
+5. 使用客户端证书进行 mTLS 验证。
+6. 使用客户端密钥进行 mTLS 验证。
 
 ## 传输 (Transport)
 

docs/docs/advanced/Full-Server-Config.md

@@ -38,13 +38,15 @@ You can have either `tls` or `acme`, but not both.
       cert: some.crt
       key: some.key
       sniGuard: strict | disable | dns-san # (2)!
+      clientCA: client.crt # (3)!
     ```
 
     1. Certificates are read on every TLS handshake. This means you can update the files without restarting the server.
     2. Verify the SNI provided by the client. Accept the connection only when it matches what's in the certificate. Terminate the TLS handshake otherwise. <br>
        Set to `strict` to enforce this behavior. <br>
        Set to `disable` to disable this entirely. <br>
        The default is `dns-san`, which enables this feature only when the certificate contains the "Subject Alternative Name" extension with a domain name in it.
+    3. Use a client CA for mTLS verification.
 
 === "ACME"
 

docs/docs/advanced/Full-Server-Config.zh.md

@@ -38,13 +38,15 @@ listen: :443 # (1)!
       cert: some.crt
       key: some.key
       sniGuard: strict | disable | dns-san # (2)!
+      clientCA: client.crt # (3)!
     ```
 
     1. 每次 TLS 握手时都会读取证书。可以原地更新证书文件而无需重启服务端。
     2. 验证客户端发送的 SNI。 与证书信息匹配时才建立连接， 否则终止 TLS 握手。<br>
        设置为 `strict` 以启用该功能。<br>
        设置为 `disable` 以禁用该功能。<br>
        默认为 `dns-san`， 仅当证书中包含「证书主题背景的备用名称」扩展且该扩展中包含域名时才启用该功能。
+    3. 使用客户端 CA 进行 mTLS 验证。
 
 === "ACME"
 

docs/docs/getting-started/Server-Installation-Script.md

@@ -48,7 +48,7 @@ bash <(curl -fsSL https://get.hy2.sh/)
 Install or upgrade to a specified version.
 
 ```sh
-bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.2
+bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.3
 ```
 
 ### Uninstall

docs/docs/getting-started/Server-Installation-Script.zh.md

@@ -48,7 +48,7 @@ bash <(curl -fsSL https://get.hy2.sh/)
 安装或升级为指定版本，不进行版本检查。
 
 ```sh
-bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.2
+bash <(curl -fsSL https://get.hy2.sh/) --version v2.6.3
 ```
 
 ### 卸载