github.com/slackhq/nebula@v1.9.0/CHANGELOG.md (about)

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [1.9.0] - 2024-05-07

### Deprecated

- This release adds a new setting `default_local_cidr_any` that defaults to
  true to match previous behavior, but will default to false in the next
  release (1.10). When set to false, `local_cidr` is matched correctly for
  firewall rules on hosts acting as unsafe routers, and should be set for any
  firewall rules you want to allow unsafe route hosts to access. See the issue
  and example config for more details. (#1071, #1099)

### Added

- Nebula now has an official Docker image `nebulaoss/nebula` that is
  distroless and contains just the `nebula` and `nebula-cert` binaries. You
  can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037)

- Experimental binaries for `loong64` are now provided. (#1003)

- Added example service script for OpenRC. (#711)

- The SSH daemon now supports inlined host keys. (#1054)

- The SSH daemon now supports certificates with `sshd.trusted_cas`. (#1098)

### Changed

- Config setting `tun.unsafe_routes` is now reloadable. (#1083)

- Small documentation and internal improvements. (#1065, #1067, #1069, #1108,
  #1109, #1111, #1135)

- Various dependency updates. (#1139, #1138, #1134, #1133, #1126, #1123, #1110,
  #1094, #1092, #1087, #1086, #1085, #1072, #1063, #1059, #1055, #1053, #1047,
  #1046, #1034, #1022)

### Removed

- Support for the deprecated `local_range` option has been removed. Please
  change to `preferred_ranges` (which is also now reloadable). (#1043)

- We are now building with go1.22, which means that for Windows you need at
  least Windows 10 or Windows Server 2016. This is because support for earlier
  versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981)

- Removed vagrant example, as it was unmaintained. (#1129)

- Removed Fedora and Arch nebula.service files, as they are maintained in the
  upstream repos. (#1128, #1132)

- Remove the TCP round trip tracking metrics, as they never had correct data
  and were an experiment to begin with. (#1114)

### Fixed

- Fixed a potential deadlock introduced in 1.8.1. (#1112)

- Fixed support for Linux when IPv6 has been disabled at the OS level. (#787)

- DNS will return NXDOMAIN now when there are no results. (#845)

- Allow `::` in `lighthouse.dns.host`. (#1115)

- Capitalization of `NotAfter` fixed in DNS TXT response. (#1127)

- Don't log invalid certificates. It is untrusted data and can cause a large
  volume of logs. (#1116)

## [1.8.2] - 2024-01-08

### Fixed

- Fix multiple routines when `listen.port` is zero. This was a regression
  introduced in v1.6.0. (#1057)

### Changed

- Small dependency update for Noise. (#1038)

## [1.8.1] - 2023-12-19

### Security

- Update `golang.org/x/crypto`, which includes a fix for CVE-2023-48795. (#1048)

### Fixed

- Fix a deadlock introduced in v1.8.0 that could occur during handshakes. (#1044)

- Fix mobile builds. (#1035)

## [1.8.0] - 2023-12-06

### Deprecated

- The next minor release of Nebula, 1.9.0, will require at least Windows 10 or
  Windows Server 2016. This is because support for earlier versions was removed
  in Go 1.21. See https://go.dev/doc/go1.21#windows

### Added

- Linux: Notify systemd of service readiness. This should resolve timing issues
  with services that depend on Nebula being active. For an example of how to
  enable this, see: `examples/service_scripts/nebula.service`. (#929)

- Windows: Use Registered IO (RIO) when possible. Testing on a Windows 11
  machine shows ~50x improvement in throughput. (#905)

- NetBSD, OpenBSD: Added rudimentary support. (#916, #812)

- FreeBSD: Add support for naming tun devices. (#903)

### Changed

- `pki.disconnect_invalid` will now default to true. This means that once a
  certificate expires, the tunnel will be disconnected. If you use SIGHUP to
  reload certificates without restarting Nebula, you should ensure all of your
  clients are on 1.7.0 or newer before you enable this feature. (#859)

- Limit how often a busy tunnel can requery the lighthouse. The new config
  option `timers.requery_wait_duration` defaults to `60s`. (#940)

- The internal structures for hostmaps were refactored to reduce memory usage
  and the potential for subtle bugs. (#843, #938, #953, #954, #955)

- Lots of dependency updates.

### Fixed

- Windows: Retry wintun device creation if it fails the first time. (#985)

- Fix issues with firewall reject packets that could cause panics. (#957)

- Fix relay migration during re-handshakes. (#964)

- Various other refactors and fixes. (#935, #952, #972, #961, #996, #1002,
  #987, #1004, #1030, #1032, ...)

## [1.7.2] - 2023-06-01

### Fixed

- Fix a freeze during config reload if the `static_host_map` config was changed. (#886)

## [1.7.1] - 2023-05-18

### Fixed

- Fix IPv4 addresses returned by `static_host_map` DNS lookup queries being
  treated as IPv6 addresses. (#877)

## [1.7.0] - 2023-05-17

### Added

- `nebula-cert ca` now supports encrypting the CA's private key with a
  passphrase. Pass `-encrypt` in order to be prompted for a passphrase.
  Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF
  parameters default to RFC recommendations, but can be overridden via CLI
  flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`. (#386)

- Support for curve P256 and BoringCrypto has been added. See README section
  "Curve P256 and BoringCrypto" for more details. (#865, #861, #769, #856, #803)

- New firewall rule `local_cidr`. This could be used to filter destinations
  when using `unsafe_routes`. (#507)

- Add `unsafe_route` option `install`. This controls whether the route is
  installed in the system's routing table. (#831)

- Add `tun.use_system_route_table` option. Set to true to manage unsafe routes
  directly on the system route table with gateway routes instead of in Nebula
  configuration files. This is only supported on Linux. (#839)

- The metric `certificate.ttl_seconds` is now exposed via stats. (#782)

- Add `punchy.respond_delay` option. This allows you to change the delay
  before attempting punchy.respond. Default is 5 seconds. (#721)

- Added SSH commands to allow the capture of a mutex profile. (#737)

- You can now set `lighthouse.calculated_remotes` to make it possible to do
  handshakes without a lighthouse in certain configurations. (#759)

- The firewall can be configured to send REJECT replies instead of the default
  DROP behavior. (#738)

- For macOS, an example launchd configuration file is now provided. (#762)

### Changed

- Lighthouses and other `static_host_map` entries that use DNS names will now
  be automatically refreshed to detect when the IP address changes. (#796)

- Lighthouses send ACK replies back to clients so that the clients do not fall
  into connection testing as often. (#851, #408)

- Allow the `listen.host` option to contain a hostname. (#825)

- When Nebula switches to a new certificate (such as via SIGHUP), we now
  rehandshake with all existing tunnels. This allows firewall groups to be
  updated and `pki.disconnect_invalid` to know about the new certificate
  expiration time. (#838, #857, #842, #840, #835, #828, #820, #807)

### Fixed

- Always disconnect blocklisted hosts, even if `pki.disconnect_invalid` is
  not set. (#858)

- Dependencies updated and go1.20 required. (#780, #824, #855, #854)

- Fix possible race condition with relays. (#827)

- FreeBSD: Fix connection to the localhost's own Nebula IP. (#808)

- Normalize and document some common log field values. (#837, #811)

- Fix crash if you set unlucky values for the firewall timeout configuration
  options. (#802)

- Make DNS queries case insensitive. (#793)

- Update example systemd configurations to want `nss-lookup`. (#791)

- Errors with SSH commands now go to the SSH tunnel instead of stderr. (#757)

- Fix a hang when shutting down Android. (#772)

## [1.6.1] - 2022-09-26

### Fixed

- Refuse to process underlay packets received from overlay IPs. This prevents
  confusion on hosts that have unsafe routes configured. (#741)

- The ssh `reload` command did not work on Windows, since it relied on sending
  a SIGHUP signal internally. This has been fixed. (#725)

- A regression in v1.5.2 that broke unsafe routes on Mobile clients has been
  fixed. (#729)

## [1.6.0] - 2022-06-30

### Added

- Experimental: nebula clients can be configured to act as relays for other nebula clients.
  Primarily useful when stubborn NATs make a direct tunnel impossible. (#678)

- Configuration option to report manually specified `ip:port`s to lighthouses. (#650)

- Windows arm64 build. (#638)

- `punchy` and most `lighthouse` config options now support hot reloading. (#649)

### Changed

- Build against go 1.18. (#656)

- Promoted `routines` config from experimental to supported feature. (#702)

- Dependencies updated. (#664)

### Fixed

- Packets destined for the same host that sent them will be returned on macOS.
  This matches the default behavior of other operating systems. (#501)

- `unsafe_route` configuration will no longer crash on Windows. (#648)

- A few panics that were introduced in 1.5.x. (#657, #658, #675)

### Security

- You can set `listen.send_recv_error` to control the conditions in which
  `recv_error` messages are sent. Sending these messages can expose the fact
  that Nebula is running on a host, but it speeds up re-handshaking. (#670)

### Removed

- `x509` config stanza support has been removed. (#685)

## [1.5.2] - 2021-12-14

### Added

- Warn when a non-lighthouse node does not have lighthouse hosts configured. (#587)

### Changed

- No longer fatals if expired CA certificates are present in `pki.ca`, as long as 1 valid CA is present. (#599)

- `nebula-cert` will now enforce IPv4 addresses. (#604)

- Warn on macOS if an unsafe route cannot be created due to a collision with an
  existing route. (#610)

- Warn if you set a route MTU on platforms where we don't support it. (#611)

### Fixed

- Rare race condition when tearing down a tunnel due to `recv_error` and sending packets on another thread. (#590)

- Bug in `routes` and `unsafe_routes` handling that was introduced in 1.5.0. (#595)

- `-test` mode no longer results in a crash. (#602)

### Removed

- `x509.ca` config alias for `pki.ca`. (#604)

### Security

- Upgraded `golang.org/x/crypto` to address an issue which allowed unauthenticated clients to cause a panic in SSH
  servers. (#603)

## 1.5.1 - 2021-12-13

(This release was skipped due to discovering #610 and #611 after the tag was
created.)

## [1.5.0] - 2021-11-11

### Added

- SSH `print-cert` has a new `-raw` flag to get the PEM representation of a certificate. (#483)

- New build architecture: Linux `riscv64`. (#542)

- New experimental config option `remote_allow_ranges`. (#540)

- New config option `pki.disconnect_invalid` that will tear down tunnels when they become invalid (through expiry or
  removal of root trust). Default is `false`. Note, this will not currently recognize if a remote has changed
  certificates since the last handshake. (#370)

- New config option `unsafe_routes.<route>.metric` will set a metric for a specific unsafe route. It's useful if you have
  more than one identical route and want to prefer one over the other. (#353)

### Changed

- Build against go 1.17. (#553)

- Build with `CGO_ENABLED=0` set, to create more portable binaries. This could
  have an effect on DNS resolution if you rely on anything non-standard. (#421)

- Windows now uses the [wintun](https://www.wintun.net/) driver which does not require installation. This driver
  is a large improvement over the TAP driver that was used in previous versions. If you had a previous version
  of `nebula` running, you will want to disable the tap driver in Control Panel, or uninstall the `tap0901` driver
  before running this version. (#289)

- Darwin binaries are now universal (works on both amd64 and arm64), signed, and shipped in a notarized zip file.
  `nebula-darwin.zip` will be the only darwin release artifact. (#571)

- Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of
  using `/sbin/route`. Setting `tun.dev` is now allowed on Darwin as well; it
  must be in the format `utun[0-9]+` or it will be ignored. (#163)

### Deprecated

- The `preferred_ranges` option has been supported as a replacement for
  `local_range` since v1.0.0. It has now been documented and `local_range`
  has been officially deprecated. (#541)

### Fixed

- Valid `recv_error` packets were incorrectly marked as "spoofing" and ignored. (#482)

- SSH server handles single `exec` requests correctly. (#483)

- Signing a certificate with `nebula-cert sign` now verifies that the supplied
  ca-key matches the ca-crt. (#503)

- If `preferred_ranges` (or the deprecated `local_range`) is configured, we
  will immediately switch to a preferred remote address after the reception of
  a handshake packet (instead of waiting until 1,000 packets have been sent).
  (#532)

- A race condition when `punchy.respond` is enabled. The fix ensures the
  correct VPN IP is sent a punch back response on a highly queried node. (#566)

- Fix a rare crash during handshake due to a race condition. (#535)

## [1.4.0] - 2021-05-11

### Added

- Ability to output QR code images in `print`, `ca`, and `sign` modes for `nebula-cert`.
  This is useful when configuring mobile clients. (#297)

- Experimental: Nebula can now do work on more than 2 CPU cores in send and receive paths via
  the new `routines` config option. (#382, #391, #395)

- ICMP ping requests can be responded to when `tun.disabled` is `true`.
  This is useful so that you can "ping" a lighthouse running in this mode. (#342)

- Run smoke tests via `make smoke-docker`. (#287)

- More reported stats: UDP memory use on Linux, build version (when using Prometheus), and firewall,
  handshake, and cached packet stats. (#390, #405, #450, #453)

- IPv6 support for the underlay network. (#369)

- End to end testing, run with `make e2e`. (#425, #427, #428)

### Changed

- Darwin will now log stdout/stderr to a file when using `-service` mode. (#303)

- The example systemd unit file now has a better-arranged startup order when
  using `sshd`, along with other fixes. (#317, #412, #438)

- Reduced memory utilization/garbage collection. (#320, #323, #340)

- Reduced CPU utilization. (#329)

- Build against go 1.16. (#381)

- Refactored handshakes to improve performance and correctness. (#401, #402, #404, #416, #451)

- Improved roaming support for mobile clients. (#394, #457)

- Lighthouse performance and correctness improvements. (#406, #418, #429, #433, #437, #442, #449)

- Better ordered startup to enable `sshd`, `stats`, and `dns` subsystems to listen on
  the nebula interface. (#375)

### Fixed

- No longer report handshake packets as `lost` in stats. (#331)

- Error handling in the `cert` package. (#339, #373)

- Orphaned pending hostmap entries are cleaned up. (#344)

- Most known data races are now resolved. (#396, #400, #424)

- Refuse to run a lighthouse on an ephemeral port. (#399)

- Removed the global references. (#423, #426, #446)

- Reloading via ssh command avoids a panic. (#447)

- Shutdown is now performed in a cleaner way. (#448)

- Logs will now find their way to Windows event viewer when running under `-service` mode
  in Windows. (#443)

## [1.3.0] - 2020-09-22

### Added

- You can emit statistics about non-message packets by setting the option
  `stats.message_metrics`. You can similarly emit detailed statistics about
  lighthouse packets by setting the option `stats.lighthouse_metrics`. See
  the example config for more details. (#230)

- We now support freebsd/amd64. This is experimental, please give us feedback.
  (#103)

- We now release a binary for `linux/mips-softfloat` which has also been
  stripped to reduce filesize and hopefully have a better chance of running on
  small mips devices. (#231)

- You can set `tun.disabled` to true to run a standalone lighthouse without a
  tun device (and thus, without root). (#269)

- You can set `logging.disable_timestamp` to remove timestamps from log lines,
  which is useful when output is redirected to a logging system that already
  adds timestamps. (#288)

### Changed

- Handshakes should now trigger faster, as we try to be proactive with sending
  them instead of waiting for the next timer tick in most cases. (#246, #265)

- Previously, we would drop the conntrack table whenever firewall rules were
  changed during a SIGHUP. Now, we will maintain the table and just validate
  that an entry still matches with the new rule set. (#233)

- Debug logs for firewall drops now include the reason. (#220, #239)

- Logs for handshakes now include the fingerprint of the remote host. (#262)

- Config item `pki.blacklist` is now `pki.blocklist`. (#272)

- Better support for older Linux kernels. We now only set `SO_REUSEPORT` if
  `tun.routines` is greater than 1 (default is 1). We also only use the
  `recvmmsg` syscall if `listen.batch` is greater than 1 (default is 64).
  (#275)

- It is possible to run Nebula as a library inside of another process now.
  Note that this is still experimental and the internal APIs around this might
  change in minor version releases. (#279)

### Deprecated

- `pki.blacklist` is deprecated in favor of `pki.blocklist` with the same
  functionality. Existing configs will continue to load for this release to
  allow for migrations. (#272)

### Fixed

- `advmss` is now set correctly for each route table entry when `tun.routes`
  is configured to have some routes with higher MTU. (#245)

- Packets that arrive on the tun device with an unroutable destination IP are
  now dropped correctly, instead of wasting time making queries to the
  lighthouses for IP `0.0.0.0`. (#267)

## [1.2.0] - 2020-04-08

### Added

- Add `logging.timestamp_format` config option. The primary purpose of this
  change is to allow logging timestamps with millisecond precision. (#187)

- Support `unsafe_routes` on Windows. (#184)

- Add `lighthouse.remote_allow_list` to filter which subnets we will use to
  handshake with other hosts. See the example config for more details. (#217)

- Add `lighthouse.local_allow_list` to filter which local IP addresses and/or
  interfaces we advertise to the lighthouses. See the example config for more
  details. (#217)

- Wireshark dissector plugin. Add this file in `dist/wireshark` to your
  Wireshark plugins folder to see Nebula packet headers decoded. (#216)

- systemd unit for Arch, so it can be built entirely from this repo. (#216)

### Changed

- Added a delay to punching via lighthouse signal to deal with race conditions
  in some linux conntrack implementations. (#210)

  See the Deprecated section below; this change also adds a new `punchy.delay`
  option that defaults to `1s`.

- Validate all `lighthouse.hosts` and `static_host_map` VPN IPs are in the
  subnet defined in our cert. Exit with a fatal error if they are not in our
  subnet, as this is an invalid configuration (we will not have the proper
  routes set up to communicate with these hosts). (#170)

- Use absolute paths to system binaries on macOS and Windows. (#191)

- Add configuration options for `handshakes`. This includes options to tweak
  `try_interval`, `retries` and `wait_rotation`. See example config for
  descriptions. (#179)

- Allow `-config` file to not end in `.yaml` or `.yml`. Useful when using
  `-test` and automated tools like Ansible that create temporary files without
  suffixes. (#189)

- The config test mode, `-test`, is now more thorough and catches more parsing
  issues. (#177)

- Various documentation and example fixes. (#196)

- Improved log messages. (#181, #200)

- Dependencies updated. (#188)

### Deprecated

- `punchy`, `punch_back` configuration options have been collapsed under the
  now top level `punchy` config directive. (#210)

  `punchy.punch` - This is the old `punchy` option. Should we perform NAT hole
  punching (default false)?

  `punchy.respond` - This is the old `punch_back` option. Should we respond to
  hole punching by hole punching back (default false)?

### Fixed

- Reduce memory allocations when not using `unsafe_routes`. (#198)

- Ignore packets from self to self. (#192)

- MTU fixed for `unsafe_routes`. (#209)

## [1.1.0] - 2020-01-17

### Added

- For macOS and Windows, build a special version of the binary that can install
  and manage its own service configuration. You can use this with
  `nebula -service`. If you are building from source, use `make service` to build this feature.
- Support for `mips`, `mips64`, `386` and `ppc64le` processors on Linux.
- You can now configure the DNS listen host and port with `lighthouse.dns.host`
  and `lighthouse.dns.port`.
- Subnet and routing support. You can now add an `unsafe_routes` section to your
  config to allow hosts to act as gateways to other subnets. Read the example
  config for more details. This is supported on Linux and macOS.

### Changed

- Certificates now have more verifications performed, including making sure
  the certificate lifespan does not exceed the lifespan of the root CA. This
  could cause issues if you have signed certificates with expirations beyond
  the expiration of your CA, and you will need to reissue your certificates.
- If lighthouse interval is set to `0`, never update the lighthouse (mobile
  optimization).
- Various documentation and example fixes.
- Improved error messages.
- Dependencies updated.

### Fixed

- If you have a firewall rule with `group: ["one-group"]`, this will
  now be accepted, with a warning to use `group: "one-group"` instead.
- The `listen.host` configuration option was previously ignored (the bind host
  was always 0.0.0.0). This option will now be honored.
- The `ca_sha` and `ca_name` firewall rule options should now work correctly.

## [1.0.0] - 2019-11-19

### Added

- Initial public release.

[Unreleased]: https://github.com/slackhq/nebula/compare/v1.9.0...HEAD
[1.9.0]: https://github.com/slackhq/nebula/releases/tag/v1.9.0
[1.8.2]: https://github.com/slackhq/nebula/releases/tag/v1.8.2
[1.8.1]: https://github.com/slackhq/nebula/releases/tag/v1.8.1
[1.8.0]: https://github.com/slackhq/nebula/releases/tag/v1.8.0
[1.7.2]: https://github.com/slackhq/nebula/releases/tag/v1.7.2
[1.7.1]: https://github.com/slackhq/nebula/releases/tag/v1.7.1
[1.7.0]: https://github.com/slackhq/nebula/releases/tag/v1.7.0
[1.6.1]: https://github.com/slackhq/nebula/releases/tag/v1.6.1
[1.6.0]: https://github.com/slackhq/nebula/releases/tag/v1.6.0
[1.5.2]: https://github.com/slackhq/nebula/releases/tag/v1.5.2
[1.5.0]: https://github.com/slackhq/nebula/releases/tag/v1.5.0
[1.4.0]: https://github.com/slackhq/nebula/releases/tag/v1.4.0
[1.3.0]: https://github.com/slackhq/nebula/releases/tag/v1.3.0
[1.2.0]: https://github.com/slackhq/nebula/releases/tag/v1.2.0
[1.1.0]: https://github.com/slackhq/nebula/releases/tag/v1.1.0
[1.0.0]: https://github.com/slackhq/nebula/releases/tag/v1.0.0