OpenZiti

v1.6.16 Feature

This release adds 7 notable features for engineering teams evaluating rollout.

Published 7d Network Security

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

security go mesh netsec network networking

+14 more

overlay overlay-network secure-networking vpn vpn-2 zero-trust zero-trust-cloud zero-trust-network zero-trust-network-access zero-trust-security zerotrust ztaa ztha ztna

Affected surfaces

auth rbac

Summary

AI summary

Broad release touches What's New, Release 1.6.16, https://github.com/openziti/channel/compare/v4.2.35...v4.3.11, and https://github.com/openziti/channel/issues/242.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	Allow specifying a minimum number of underlays for a channel regardless of type. Allow specifying a minimum number of underlays for a channel regardless of type. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Add ChannelCreated event to UnderlayHandler API. Add ChannelCreated event to UnderlayHandler API. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Allow unknown underlay types to fall through to default dispatcher. Allow unknown underlay types to fall through to default dispatcher. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Allow injecting underlay type into messages. Allow injecting underlay type into messages. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Set x-omit-empty: false on ctrlChanListeners attribute. Set x-omit-empty: false on ctrlChanListeners attribute. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Add preferredLeader flag to controllers in edge‑api. Add preferredLeader flag to controllers in edge‑api. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Add ctrlChanListeners field to router types in edge‑api. Add ctrlChanListeners field to router types in edge‑api. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Add permissions list to identity in edge‑api. Add permissions list to identity in edge‑api. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Add support for multi-bit set/get to AtomicBitSet in foundation/v2. Add support for multi-bit set/get to AtomicBitSet in foundation/v2. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Add support for -pre version suffix in foundation/v2. Add support for -pre version suffix in foundation/v2. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Add GaugeFloat64 metric type in metrics package. Add GaugeFloat64 metric type in metrics package. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Add deadline for bind establishment in SDK. Add deadline for bind establishment in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Return connection ID in inspect response in SDK. Return connection ID in inspect response in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Add context‑level inspect support in SDK. Add context‑level inspect support in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Improve adherence to MaxTerminator limit in SDK. Improve adherence to MaxTerminator limit in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Support Go's built‑in context in SDK Dial methods. Support Go's built‑in context in SDK Dial methods. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Feature	Low	Expose dialing identity ID and name on dialed connections in SDK. Expose dialing identity ID and name on dialed connections in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix
Bugfix	High	Ensure initial version check succeeds to avoid legacy sessions on HA or OIDC‑enabled controllers in SDK. Ensure initial version check succeeds to avoid legacy sessions on HA or OIDC‑enabled controllers in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Prevent reconnecting channel from changing IDs. Prevent reconnecting channel from changing IDs. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Increase hello message headers size to 16 KB. Increase hello message headers size to 16 KB. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Ensure Underlay never returns nil on MultiChannel. Ensure Underlay never returns nil on MultiChannel. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Limit effect of sudden RTT spikes on moving average in SDK. Limit effect of sudden RTT spikes on moving average in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Fix mixed‑up content types in inspect response messages in SDK. Fix mixed‑up content types in inspect response messages in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Fix listener manager cleanup in SDK. Fix listener manager cleanup in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Backoff and retry on controller busy during service refresh instead of full refresh in SDK. Backoff and retry on controller busy during service refresh instead of full refresh in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Compare only relevant fields when detecting service changes in SDK. Compare only relevant fields when detecting service changes in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Prevent router‑level listener from remaining open if multi‑listener closes during establishment in SDK. Prevent router‑level listener from remaining open if multi‑listener closes during establishment in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Fuzz session refresh timers in SDK. Fuzz session refresh timers in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Fix responses from RX goroutines in SDK. Fix responses from RX goroutines in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Bugfix	Medium	Use new error codes and retry hints to correctly react to terminator errors in SDK. Use new error codes and retry hints to correctly react to terminator errors in SDK. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—

Full changelog

Release 1.6.16

What's New

Bug fixes and dependency updates

Component Updates and Bug Fixes

github.com/openziti/channel/v4: v4.2.35 -> v4.3.11
- Issue #242 - Reconnecting channel shouldn't allow changing ids
- Issue #235 - Bump allowed hello message headers size to 16k from 4k
- Issue #228 - Ensure that Underlay never return nil on MultiChannel
- Issue #226 - Allow specifying a minimum number of underlays for a channel, regardless of underlay type
- Issue #225 - Add ChannelCreated to the UnderlayHandler API to allow handlers to be initialized with the channel before binding
- Issue #224 - Update the underlay dispatcher to allow unknown underlay types to fall through to the default
- Issue #222 - Allow injecting the underlay type into messages
github.com/openziti/edge-api: v0.26.47 -> v0.27.5
- Issue #175 - ctrlChanListeners should have x-omit-empty: false attribute
- Issue #170 - Add preferredLeader flag to controllers
- Issue #167 - Add ctrlChanListeners to router types
- Issue #164 - Add permissions list to identity
github.com/openziti/foundation/v2: v2.0.77 -> v2.0.90
- Issue #472 - Add support for multi-bit set/get to AtomicBitSet
- Issue #464 - Add support for -pre in versions
github.com/openziti/identity: v1.0.116 -> v1.0.128
github.com/openziti/metrics: v1.4.3 -> v1.4.5
- Issue #58 - Add GaugeFloat64 support
github.com/openziti/sdk-golang: v1.2.4-patch1 -> v1.6.0
- Issue #895 - Limit effect sudden rtt spikes can have on rtt moving average
- Issue #902 - Inspect response message content types are mixed up
- Issue #887 - Fix listener manager cleanup
- Issue #886 - When controller is busy during service refresh, backoff and retry instead of falling back to full refresh
- Issue #885 - Only compare relevant service fields when looking for changes
- Issue #884 - Add deadline for bind establishment
- Issue #883 - Router level listener can be left open if multi-listener closes during listener establishment
- Issue #832 - Fuzz session refresh timers
- Issue #879 - Return the connId in inspect response
- Issue #878 - Fix responses from rx goroutines
- Issue #874 - Add inspect support at the context level
- Issue #871 - Make SDK better at sticking to MaxTerminator terminators
- Issue #708 - Support for Go's built-in context in Dial methods
- Issue #860 - Make the dialing identity's id and name available on dialed connections
- Issue #857 - Use new error code and retry hints to correctly react to terminator errors
- Issue #847 - Ensure the initial version check succeeds, to ensure we don't legacy sessions on ha or oidc-enabled controllers
- Issue #824 - release notes and hard errors on no TOTP handler breaks partial auth events
- Issue #818 - Full re-auth should not clear services list, as that breaks the on-change logic
- Issue #817 - goroutines can get stuck when iterating over randomized HA controller list
- Issue #736 - Migrate from github.com/mailru/easyjson
- Issue #813 - SDK doesn't stop close listener when it detects that a service being hosted gets deleted
- Issue #811 - Credentials are lost when explicitly set
- Issue #807 - Don't send close from rxer to avoid blocking
github.com/openziti/secretstream: v0.1.39 -> v0.1.49
github.com/openziti/transport/v2: v2.0.193 -> v2.0.215
- Issue #31 - ipv6 Transport Address Parsing
- Issue #149 - Archive transwarp code
github.com/openziti/ziti: v1.6.15 -> v1.6.16
- Issue #3788 - OIDC Endpoints return 400 Bad Request instead of underlying error
- Issue #3781 - [Backport-1.6] ER/T half-close logic is incorrect

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track OpenZiti

Get notified when new releases ship.

About OpenZiti

Fully-featured, zero trust, full mesh overlay network. Includes a 2FA support out of the box, clients for all major desktop/mobile OS'es.

All releases →

Related context

Related tools

Earlier breaking changes

v2.0.0 Service policy filter now requires string form; integer form removed.
v2.0.0 Legacy xgress_edge_tunnel v1 removed; use v2 with router data model.
v2.0.0 Terminator create/update/delete events removed; use entity change events instead.
v2.0.0 ziti edge create identity type parameter removed; type can be dropped.
v2.0.0 Controller managed links removed; upgrade to 1.x before jumping to 2.x.