Hello gophers,

We have just released go1.26rc3, a release candidate version of Go 1.26.
It is cut from release-branch.go1.26 at the revision tagged go1.26rc3.

This release includes 1 security fix following the security policy 
<https://go.dev/doc/security/policy>:

-       crypto/tls: unexpected session resumption when using
        Config.GetConfigForClient

        Config.GetConfigForClient is documented to use the original Config's
        session ticket keys unless explicitly overridden. This can cause
        unexpected behavior if the returned Config modifies authentication
        parameters, like ClientCAs: a connection initially established with
        the parent (or a sibling) Config can be resumed, bypassing the modified
        authentication requirements.

        If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert
        (on the server) or InsecureSkipVerify is false (on the client),
        crypto/tls now checks that the root of the previously-verified chain is
        still in ClientCAs/RootCAs when resuming a connection.

        Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a
        similar issue related to session ticket keys being implicitly shared by
        Config.Clone. Since this fix is broader, the Config.Clone behavior
        change has been reverted.

        Note that VerifyPeerCertificate still behaves as documented: it does
        not apply to resumed connections. Applications that use
        Config.GetConfigForClient or Config.Clone and do not wish to blindly
        resume connections established with the original Config must use
        VerifyConnection instead (or SetSessionTicketKeys or
        SessionTicketsDisabled).

        Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

        This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.
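The following is an added, self-contained reproduction of the scenario described above and of the VerifyConnection mitigation the announcement recommends; it is not code from the Go team or from the release. It assumes a deployment pattern the announcement does not spell out: a server whose ClientCAs are hot-reloaded through GetConfigForClient from a package-level policy (allowedCAs). All names here (newCert, reverify, serverConfig, connect, scenario, the CAs "ca-a"/"ca-b", the host "server.test") are invented for the example. A client authenticated under CA A resumes its session once, then the policy is rotated to CA B and the same cached session is offered again. The reverify callback re-runs chain verification against the current pool, which is slightly stricter than the library fix (it also re-checks validity dates) but rejects the same case: a chain whose root is no longer trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"sync/atomic"
	"time"
)

// newCert mints a throwaway test certificate; a nil parent yields a self-signed CA.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// allowedCAs is the hot-reloadable client-CA policy every handshake consults (assumed pattern).
var allowedCAs atomic.Pointer[x509.CertPool]

// reverify is a VerifyConnection callback. Unlike VerifyPeerCertificate it also runs on resumed
// connections, so the chain accepted when the session was minted is checked against today's CAs.
func reverify(roots *x509.CertPool) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return fmt.Errorf("no client certificate")
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		for _, c := range cs.PeerCertificates[1:] {
			opts.Intermediates.AddCert(c)
		}
		_, err := cs.PeerCertificates[0].Verify(opts)
		return err
	}
}

func serverConfig(cert tls.Certificate) *tls.Config {
	base := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert}
	base.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone() // as documented, sessions are still resumed with base's ticket keys
		cfg.ClientCAs = allowedCAs.Load()
		cfg.VerifyConnection = reverify(cfg.ClientCAs)
		return cfg, nil
	}
	return base
}

// connect runs one exchange over loopback and reports whether the client resumed a session.
func connect(srv, cli *tls.Config) (resumed bool, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() { // server side: Write runs the handshake, Close sends close_notify
		s, err := ln.Accept()
		if err == nil {
			defer s.Close()
			_, err = s.Write([]byte("hello"))
		}
		errc <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return false, err
	}
	defer c.Close()
	if _, err = io.ReadAll(c); err == nil { // the read also delivers the NewSessionTicket
		err = <-errc
	}
	return c.ConnectionState().DidResume, err
}

// scenario: full handshake under CA A, resume under CA A, rotate the policy to CA B, resume again.
func scenario() (first, resumed, afterRotation error, didResume bool) {
	caA, caB := newCert("ca-a", true, nil), newCert("ca-b", true, nil)
	trustA, trustB := x509.NewCertPool(), x509.NewCertPool()
	trustA.AddCert(caA.Leaf)
	trustB.AddCert(caB.Leaf)
	srv := serverConfig(newCert("server.test", false, &caA))
	cli := &tls.Config{
		Certificates: []tls.Certificate{newCert("client", false, &caA)}, RootCAs: trustA,
		ServerName: "server.test", ClientSessionCache: tls.NewLRUClientSessionCache(8),
	}
	allowedCAs.Store(trustA)
	_, first = connect(srv, cli)
	didResume, resumed = connect(srv, cli)
	allowedCAs.Store(trustB) // CA A dropped: the cached session must not ride through
	_, afterRotation = connect(srv, cli)
	return
}

func main() {
	first, resumed, after, didResume := scenario()
	fmt.Printf("full: %v\nresume, same policy: %v (resumed=%v)\nresume after rotation: %v\n", first, resumed, didResume, after)
}
```

Run it with go run: the first two connections succeed (the second as a resumption) and the third fails. On a Go release without this fix, deleting the cfg.VerifyConnection line makes the third connection resume silently, which is exactly the bypass described above; on go1.26rc3 crypto/tls declines the resumption itself, the fallback full handshake is rejected against the new ClientCAs, and the callback is a second line of defence that also covers Config.Clone users.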

Please try your production load tests and unit tests with the new version.
Your help testing these pre-release versions is invaluable.

Report any problems using the issue tracker:
https://go.dev/issue/new

Please consider opting in to Go telemetry <https://go.dev/doc/telemetry> if you 
haven't already.
Go telemetry helps validate this release candidate and future Go releases.
You can opt in by running the following command:

$ go telemetry on

If you have Go installed already, an easy way to try go1.26rc3
is by using the go command:

$ go install golang.org/dl/go1.26rc3@latest
$ go1.26rc3 download

You can download binary and source distributions from the usual place:
https://go.dev/dl/#go1.26rc3

To find out what has changed in Go 1.26, read the draft release notes:
https://tip.golang.org/doc/go1.26

Cheers,
Michael and Dmitri for the Go team

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/f68c058b.CAAACC3mUdMAAAAAAAAAA-p9MGIAAYKKSQYAAAAAADE8OwBpg25K%40mailjet.com.
