Internal Release

New features:

• Deprecate CentOS 7 builds. Rocky 8/RHEL8 is now the minimum system version.
• Add a warning on the HTTP usage in OAuth authentication flows
• Set LOCAL_APPLICATION as a default for the client_id and client_secret for the OAuth Authorization code flow.
• Update Curl to 8.16.0.
• Remove the WIF autodetection mechanism.
• Allow override of application path in CLIENT_ENVIRONMENT.

Bug fixes:

• Fix the expired file lock on Linux for the Secure Storage.
• Remove the username requirement for the WIF authentication.

Internal Release

New features:

• Implemented OAuth 2.0 authentication (authorization code and client credentials).
• Implemented DECFLOAT support.

Bug fixes:

• Fix logging to stderr.

Internal Release

Features:

• Introduced the token_file_path parameter within the TOML config to specify the path of the file containing the token.
• Introduce SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION. If set to true, the permission check of the file is omitted.
• Added support for specifying Azure client_id via MANAGED_IDENTITY_CLIENT_ID environment variable.
• Enable handling of the 307 & 308 HTTP redirect codes.
• Added initial support of WIF impersonation for GCP and AWS.

Bugfixes

• Fixed vs2019 build error.
• Fixed the default CRL cache path creation on Windows.
• Fixed session token leakage within the logs.
• Fixed CMake linking for macOS.

Internal Release

New features:

• Support cross-signed chains during OCSP check.
• Implemented a new CRL (Certificate Revocation List) checking mechanism.
  Enabling CRLs improves security by checking for revoked certificates during the TLS handshake process. For more information, see the Replacing OCSP with CRL as the method of certificate revocation checking Knowledge Base article.
  This feature is disabled by default. For information on enabling this feature, see the attributes below. We recommend you test this feature in advisory mode before enabling it in production.
  • Added new connection attributes:
    • SF_CON_CRL_CHECK (boolean; default: false). If enabled, the CRL checking for the Snowflake connection will be performed and will fail if the server's certificate is revoked or there is another revocation check issue (e.g., downloading or parsing) by default.
    • SF_CON_CRL_ADVISORY (boolean; default: false). Modifies the CRL connection checking to fail only when the certificate is revoked explicitly. When any other problem (e.g., parsing errors, download errors) is present, the connection is allowed.
    • SF_CON_CRL_ALLOW_NO_CRL (boolean; default: false). Allows opening the connection when the CRL distribution point URL is absent.
    • SF_CON_CRL_DISK_CACHING (boolean; default: true). This option enables the caching of the CRL files on disk to reduce the time spent redownloading the certificate distribution lists.
    • SF_CON_CRL_MEMORY_CACHING (boolean; default: true). This option enables the caching of the CRL within the application memory.
    • SF_CON_CRL_DOWNLOAD_TIMEOUT (integer; default: 120). Sets the CRL download timeout in seconds.
  • Added new environment variables:
    • SF_CRL_RESPONSE_CACHE_DIR (string). Overrides the default CRL cache directory with the one specified within the environment variable.

Bugfixes:

• Removed trailing null termination character from the JWT header and payload.

Internal Release

Features

• Added APPLICATION_PATH to the CLIENT_ENVIRONMENT during login request.

Bugfixes

• Fix NO_PROXY env variable character limit. Changed it from 1024 to 32767.

Internal Release

Features

• Added support for SSO Token caching.
• Implemented TOML config permission check and added environment variable SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE to skip the warning.
• Updated awssdk to v.1.11.500.
• Updated cJSON to v.1.7.18.
• Deprecated region parameter.

Bugfixes

• Fixed a bug where the value bindings could exceed the CLIENT_STAGE_ARRAY_BINDING_THRESHOLD.
• Fixed a permission denied error for the configuration file.

Internal Release

Features

• Add support for sovereign clouds + remove obsolete issuer checks for WIF

Bug fixes

• Fixed buffer overflow

Internal Release

Features

• Added support virtual-style domains

Bug fixes

• Fixed the leak with the AWS SDK, allowed re-initialization
• Fixed WIF attestation

Internal Release

• Fix hanging issue due to improper AWS SDK Shutdown

Internal Release

Features

• Added token caching to MFA authentication
• Added support for query cancellation

Bug fixes

• Fixed out of memory issue when running OCSP checks
• Fixed retries of malformed requests resulting in a hanging application until SF_CON_MAX_RETRY was reached. For more information see CVE-2025-46330.
• Fixed the logging on the debug level where the client-side encryption master key of the target stage during the execution of GET/PUT commands was logged locally. The key by itself does not grant access to any sensitive data. For more information, see CVE-2025-46329.