3.3.33 Apfelkuchen

What's Changed

• feat(api): add GET /v1/stats/users/active-ips endpoint by @amirotin in #588
• Support running TeleMT as a background system service by @vkrivopalov in #515
• feat(server): configurable TCP listen_backlog by @sintanial in #596
• Apply [timeouts] tg_connect to upstream DC TCP connect attempts by @sintanial in #595

New Contributors

• @vkrivopalov made their first contribution in #515

Full Changelog: 3.3.32...3.3.33

3.3.32 Lebkuchen

What's Changed

• Update CONFIG_PARAMS, QUICK_START_GUIDE and FAQ by @Dimasssss in #584
• Bounded Hybrid Loop + Watch + Family ArcSwap Snapshots + Health in Parallel + ArcSwap Writers + Registry Split + Endpoint on ArcSwap + New Backpressure Model + ME Decomposition by @axkurcom in #586

Full Changelog: 3.3.31...3.3.32

3.3.31 Spielecke

What's Changed

• Update release profile settings for better optimization by @vladon in #574
• TLS Validator: Unknown SNI as WARN in Log by @axkurcom in #579

Full Changelog: 3.3.30...3.3.31

3.3.30 Wiederankommen

3.3.30

Security & Validation

• TLS Validator now enforces SNI from tls_domain(s) with low-cost drop for invalid

---

TLS Fetcher Redesign

The TLS Fetcher has been fully rearchitected into a modular engine with explicit contracts, improved compatibility, and deterministic behavior.

1. Engine-based architecture

• Introduced a structured execution model:

  • FetchContext (target, SNI, transport policy, budget)
  • FetchAttempt
  • FetchOutcome

• Responsibilities are clearly separated into components:

  • TransportConnector
  • ClientHelloProfile
  • ProbeExecutor
  • MetadataExtractor

• The existing fetch_real_tls(...) API is preserved as a thin wrapper over the new engine for backward compatibility

2. Adaptive profile strategy (compatibility-first)

• Implemented a fixed profile cascade:

  • modern_chrome_like → modern_firefox_like → compat_tls12 → legacy_minimal

• Added per-target profile cache:

  • Key: (host, port, SNI, transport kind, proxy protocol)
  • TTL-based

• On handshake failures (early EOF, alert handshake_failure, no ServerHello):

  • Automatically fallback to the next profile within the same budget

• The last successful (“winner”) profile is cached and prioritized for subsequent fetches

3. Unified transport pipeline

• Introduced a single transport selection layer:

  • unix_sock | upstream(scope) | direct

• Explicit routing policy:

  • strict_route = true → no fallback to direct
  • strict_route = false → controlled fallback allowed

• Unified handling for:

  • PROXY protocol preface
  • Timeouts across both raw and rustls-based paths

4. TLS fingerprint realism

• Profile-driven TLS handshake templates:

  • Extension ordering
  • Cipher suites
  • Signature algorithms
  • Supported groups
  • TLS versions
  • ALPN sets
  • Padding policy

• Introduced:

  • Controlled GREASE (configurable)
  • Bounded randomization (configurable)

• Added deterministic mode for reproducible testing and debugging

5. Diagnostics and observability

• Normalized error taxonomy:

  • FetchErrorKind::{connect, route, early_eof, tls_alert, parse, timeout}

• Metrics:

  • tls_fetch_attempts_total{profile,outcome}
  • tls_fetch_early_eof_total{profile,route}
  • tls_fetch_success_total{profile}

• Structured logging per attempt:

  • target, SNI, profile, route, proxy_protocol, outcome, latency

---

Control Plane / Upstream

• Upstream-driven getProxyConfig / getProxySecret via UpstreamManager

---

Performance

• Per-user quotas migrated to atomic model
  • Removed locking from hot path
  • Improved throughput under load

---

Δ 3.3.29

• PROXY header is trusted from any source unless proxy_protocol_trusted_cidrs is set

What's Changed

• DOCS: VPS doube hop manual Ru\En by @avbor in #544
• Security Refactor by @axkurcom in #520
• Update CONFIG_PARAMS.en.md and FAQ by @Dimasssss in #545
• Cross-mode Quota Locks, Masking Prefetch & Tiny-Frame Debt Protection by @DavidOsipov in #538
• DOCS: Update VPS_DOUBLE_HOP.*.md - AmneziaWG 2.0 by @avbor in #568
• New TLS-Fetcher + TLS SNI Validator + Upstream-driver getProxySecret/Config + Workflow Tunings + Redesign Quotas on Atomics + Tests Swap by @axkurcom in #569

New Contributors

• @avbor made their first contribution in #544

Full Changelog: 3.3.29...3.3.30

3.3.29 Pioniergeist

What's Changed

• PR-SEC-1 (WIP): Первый PR с узкой пачкой исправлений безопасности и маскировки. Упор сделан на /src/proxy by @DavidOsipov in #447
• PR-SEC-1: Доп. харденинг и маскинг by @DavidOsipov in #454
• [WIP] Enhance metrics configuration, add health monitoring tests, security hardening, perf optimizations & loads of tests by @DavidOsipov in #463
• Fix typo in systemd service metadata by @dzhus in #507
• Add Shadowsocks upstream support by @hunmar in #430
• docs: fix typo in ru QUICK_START by @M1h4n1k in #514
• Усиление обхода DPI (Shape/Timing Hardening), защита от тайминг-атак и масштабное покрытие тестами by @DavidOsipov in #517
• Усиление обхода DPI (Shape/Timing Hardening), защита от тайминг-атак и масштабное покрытие тестами by @DavidOsipov in #529
• Small brittle test fix by @DavidOsipov in #531

New Contributors

• @dzhus made their first contribution in #507
• @hunmar made their first contribution in #430
• @M1h4n1k made their first contribution in #514

Full Changelog: 3.3.28...3.3.29

toolchains

Toolchains for Telemt Workflows

3.3.28 Fensterscheibe

What's Changed

• ME Draining on Dual-Stack + TLS Fetcher Upstream Selection by @axkurcom in #508
• Update Cargo.toml by @axkurcom in #509

Full Changelog: 3.3.27...3.3.28

3.3.27 Blindstopfen

What's Changed

• Update README.md by @axkurcom in #506
• Teardown Monitoring in API and Metrics by @axkurcom in #505

Full Changelog: 3.3.26...3.3.27

3.3.26 Belohnung

What's Changed

• Update README.md by @axkurcom in #502
• ME Writers Anti-stuck + Quarantine fixes + ME Writers Advanced Cleanup + Authoritative Teardown + Orphan Watchdog + Force-Close Safery Policy by @axkurcom in #504

Full Changelog: 3.3.25...3.3.26

3.3.25 Wankelmut

What's Changed

• Update install.sh by @Dimasssss in #494
• fix(docker): expose port 9091 and allow external API access by @temandroid in #492
• Instadrain + Hard-remove for long draining-state by @axkurcom in #497
• Update Cargo.toml by @axkurcom in #498

Full Changelog: 3.3.24...3.3.25