Change8

v2.10.0

Breaking Changes
📦 caddy

Summary

Caddy 2.10 introduces major privacy enhancements with Encrypted ClientHello (ECH) support and default PQC key exchange, alongside a new global DNS configuration option and updates to wildcard certificate usage.

⚠️ Breaking Changes

  • The experimental `auto_https prefer_wildcard` option has been removed. Wildcards are now used by default if present in the configuration, which can be overridden with `tls force_automate` in the Caddyfile.

Migration Steps

  1. If you rely on DNS provider modules, be aware that they must be updated to the new libdns 1.0 APIs; check that the modules you compile in are compatible.
  2. If you were using the removed `auto_https prefer_wildcard` option, you must now rely on the default wildcard behavior, or use `tls force_automate` on a site to opt it out of the wildcard and obtain its own certificate.
  3. To enable ECH, you must specify the `ech` global option and ensure a DNS provider module is compiled into your Caddy binary and configured (e.g., using the `dns` global option).
  4. If building Caddy from source, ensure you include necessary DNS modules using tools like xcaddy (e.g., `$ xcaddy build --with github.com/caddy-dns/cloudflare`).
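The following Caddyfile ties the steps above together. It is an added example, not configuration from the Caddy project or its release notes; it assumes the Cloudflare DNS module from the xcaddy command above is compiled in, that the API token is supplied through a `CLOUDFLARE_API_TOKEN` environment variable, and that `ech.example.com` is a placeholder for the public name you want to appear in the unencrypted outer ClientHello.

```caddyfile
# Added example (not from the Caddy release notes). Assumes the
# github.com/caddy-dns/cloudflare module is compiled in and that
# CLOUDFLARE_API_TOKEN holds a token with DNS edit rights.
{
	# Global DNS provider: used for ACME DNS challenges and for publishing
	# the ECH configuration, so it no longer has to be repeated per site.
	dns cloudflare {env.CLOUDFLARE_API_TOKEN}

	# Enable ECH. The argument is the public name sent in the clear;
	# ech.example.com is a placeholder, not a real deployment value.
	ech ech.example.com
}

# Because a wildcard site is present, subdomains of example.com are
# covered by the wildcard certificate by default; no prefer_wildcard
# option is needed (or accepted) any more.
*.example.com {
	respond "served under the wildcard certificate"
}

# This host opts out of the wildcard and gets its own certificate,
# e.g. because you want its name to appear on a separate certificate.
api.example.com {
	tls force_automate
	reverse_proxy localhost:8080
}
```

Note that ECH only hides the server name if the names you want to protect share the outer public name, which is why the wildcard certificate default matters: one certificate for `*.example.com` means individual subdomains are not exposed through per-name certificates in Certificate Transparency logs. If the `dns` global option is missing, ECH configuration cannot be published and the `ech` option will not take effect.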

✨ New Features

  • Support for Encrypted ClientHello (ECH) to encrypt the domain name in the TLS ClientHello.
  • Support for post-quantum (PQC) key exchange, defaulting to the `x25519mlkem768` cryptographic group.
  • Introduction of experimental ACME profiles for more flexible certificate property selection.
  • The reverse proxy now sets a `Via` header instead of a duplicate `Server` header.
  • A new global DNS provider option (`dns` global option in Caddyfile or `dns` parameter in `tls` app config) allows specifying a default DNS module to avoid repetition.
  • Wildcards are now utilized by default for subdomains instead of obtaining individual certificates, motivated by ECH privacy benefits.
  • Fully automated ECH configuration generation, rotation, publication, and serving, requiring a compiled-in DNS module.

🔧 Affected Symbols

  • libdns 1.0 APIs
  • auto_https prefer_wildcard
  • tls force_automate
  • dns global option
  • tls app configuration (JSON config)