Commit graph

66 commits

Author SHA1 Message Date
ryoon
2831546220 *: Recursive revbump from textproc/icu-68.1 2020-11-05 09:07:25 +00:00
adam
921b065d5b nghttp2: updated to 1.14.0
Nghttp2 v1.41.0

Security Advisory

CVE-2020-11080: Denial of service: Overly large SETTINGS frames

For more information, read the security advisory.

lib

This release implements nghttp2_option_set_max_settings API which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves SETTINGS flood check earlier to make it more effective.

The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is the default), after the window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, even after the window size is increased by nghttp2_session_set_local_window_size, no more data can be received. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. It is only triggered when new data arrives, but since the window is filled up, no more data can be received, thus a deadlock happens.

build

With cmake build, the hard-coded static lib suffix is now optional.

nghttpx

proxyprotocol v2 has been implemented.

The bug in getting certificate serial number with mruby script has been fixed.

h2load

New option, --connect-to, is added.
2020-06-02 19:12:55 +00:00
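The per-frame entry cap that nghttp2_option_set_max_settings introduces, shown as an added stand-alone C check written for this page (not libnghttp2's own code): it validates an HTTP/2 SETTINGS frame from its 9-byte header and rejects a frame whose entry count exceeds the cap before any entry is parsed. EXAMPLE_MAX_SETTINGS (32, a value chosen for this example), build_settings_frame and demo_verdict are this example's own names; the sample frames are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>

/* HTTP/2 frame header (RFC 7540 4.1): 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id. */
#define H2_FRAME_HDR_LEN     9
#define H2_TYPE_SETTINGS     0x4
#define H2_FLAG_ACK          0x1
#define H2_SETTINGS_ENTRY    6    /* 16-bit identifier + 32-bit value */
#define EXAMPLE_MAX_SETTINGS 32   /* cap chosen for this example, not libnghttp2's default */

enum settings_verdict {
    SETTINGS_OK = 0,
    SETTINGS_NOT_SETTINGS,      /* some other frame type */
    SETTINGS_FRAME_SIZE_ERROR,  /* RFC 7540 6.5: length not a multiple of 6, or ACK with payload */
    SETTINGS_PROTOCOL_ERROR,    /* RFC 7540 6.5: SETTINGS on a non-zero stream */
    SETTINGS_TOO_MANY_ENTRIES   /* over the per-frame entry cap: the CVE-2020-11080 mitigation */
};

/* Validate one SETTINGS frame from its header. On SETTINGS_OK, *nentries holds the entry count. */
enum settings_verdict check_settings_frame(const uint8_t *buf, size_t len,
                                           size_t max_settings, size_t *nentries)
{
    if (len < H2_FRAME_HDR_LEN) return SETTINGS_FRAME_SIZE_ERROR;
    uint32_t payload_len = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t type = buf[3], flags = buf[4];
    uint32_t stream_id = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                          ((uint32_t)buf[7] << 8) | buf[8]) & 0x7fffffffu;
    if (type != H2_TYPE_SETTINGS) return SETTINGS_NOT_SETTINGS;
    if (stream_id != 0) return SETTINGS_PROTOCOL_ERROR;
    if (flags & H2_FLAG_ACK) {
        if (payload_len != 0) return SETTINGS_FRAME_SIZE_ERROR;
        *nentries = 0;
        return SETTINGS_OK;
    }
    if (payload_len % H2_SETTINGS_ENTRY != 0) return SETTINGS_FRAME_SIZE_ERROR;
    size_t n = payload_len / H2_SETTINGS_ENTRY;
    /* Decided from the 9-byte header alone, before any entry is parsed or buffered, so an
       oversized frame is dropped at near-zero cost instead of being processed entry by entry. */
    if (n > max_settings) return SETTINGS_TOO_MANY_ENTRIES;
    if (len < H2_FRAME_HDR_LEN + payload_len) return SETTINGS_FRAME_SIZE_ERROR; /* truncated */
    *nentries = n;
    return SETTINGS_OK;
}

/* Constructed sample frame: n copies of SETTINGS_MAX_CONCURRENT_STREAMS (0x3) = 100. */
size_t build_settings_frame(uint8_t *out, size_t cap, size_t n)
{
    size_t payload = n * H2_SETTINGS_ENTRY, total = H2_FRAME_HDR_LEN + payload;
    if (total > cap || payload > 0xffffff) return 0;
    out[0] = (uint8_t)(payload >> 16); out[1] = (uint8_t)(payload >> 8); out[2] = (uint8_t)payload;
    out[3] = H2_TYPE_SETTINGS; out[4] = 0;                 /* no ACK flag */
    out[5] = out[6] = out[7] = out[8] = 0;                 /* stream 0 */
    for (size_t i = 0; i < n; i++) {
        uint8_t *e = out + H2_FRAME_HDR_LEN + i * H2_SETTINGS_ENTRY;
        e[0] = 0; e[1] = 0x3; e[2] = 0; e[3] = 0; e[4] = 0; e[5] = 100;
    }
    return total;
}

/* Build a sample frame with n entries and run it through the check with the example cap. */
enum settings_verdict demo_verdict(size_t n)
{
    uint8_t buf[H2_FRAME_HDR_LEN + 64 * H2_SETTINGS_ENTRY];   /* fits at most 64 entries */
    size_t len = build_settings_frame(buf, sizeof buf, n), entries = 0;
    return len ? check_settings_frame(buf, len, EXAMPLE_MAX_SETTINGS, &entries) : SETTINGS_FRAME_SIZE_ERROR;
}
```

A frame at or under the cap is accepted; one over it is refused on the header alone, which is what makes the check cheap against a flood of large SETTINGS frames.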
adam
6bd0c30da6 Revbump for icu 2020-06-02 08:22:31 +00:00
adam
7d4b705c63 revbump after boost update 2020-05-06 14:04:05 +00:00
adam
593aa8493a nghttp2: add Makefile.common 2020-03-30 14:00:09 +00:00
adam
cdeb5a892a Added www/nghttp2-tools (to avoid circular dependency) 2020-03-30 13:54:29 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
ryoon
eedd1e806f *: Recursive revbump from devel/boost-libs 2020-01-12 20:19:52 +00:00
adam
32f5c8b6b4 nghttp2: updated to 1.40.0
nghttp2 v1.40.0
lib: Add nghttp2_check_authority as public API (GH-1413)
lib: Fix the bug that stream is closed with wrong error code (GH-1408)
lib: Faster huffman encoding and decoding (GH-1405)
build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
third-party: Update neverbleed to fix memory leak
nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
nghttpx: Reconnect h1 backend if it lost connection before sending headers
nghttpx: Returns 408 if backend timed out before sending headers
nghttpx: Fix request stall (GH-1378)
2019-11-20 16:38:22 +00:00
ryoon
edacf2bbcb Recursive revbump from boost-1.71.0 2019-08-22 12:22:48 +00:00
adam
a3dbd4b34d nghttp2: updated to 1.39.2
nghttp2 v1.39.2

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

Fix CVE-2019-9511 and CVE-2019-9513
Add nghttp2_option_set_max_outbound_ack API function
nghttpx: Fix request stall
2019-08-14 07:43:33 +00:00
ryoon
57d0806c39 Recursive revbump from boost-1.70.0 2019-07-01 04:07:44 +00:00
adam
20c9f9582a nghttp2: updated to 1.39.1
v1.39.1:

nghttpx
This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.

v1.39.0:

lib
libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.

third-party
mruby has been upgraded to 2.0.1.

asio
libnghttp2-asio now supports boost-1.70.

src
http-parser has been replaced with llhttp.

nghttpx
nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

This release fixes the bug that the log level does not change to the default value on configuration reload if log-level option is missing in new configuration.
2019-06-13 09:28:52 +00:00
maya
f34a8c24a3 PKGREVISION bump for anything using python without a PYPKGPREFIX.
This is a semi-manual PKGREVISION bump.
2019-04-25 07:32:34 +00:00
adam
a1528dc1c4 nghttp2: updated to 1.38.0
lib
This release fixes the bug that on_header callback is still called after stream is closed.

third-party
http-parser is upgraded to v2.9.1.

nghttpx
This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.
It also fixes the bug that HTTP/1.1 chunked request stalls.
Now nghttpx does not log authorization request header field value with -LINFO.
Now nghttpx can be built with modern LibreSSL.
2019-04-18 07:19:06 +00:00
adam
fad1ff85d6 nghttp2: updated to 1.37.0
v1.37.0:
build
CMake build explicitly sets install location when building shared library.

nghttpx
This release fixes possible backend stall when header and request body are sent in their own packets.
The backend option gets weight parameter to influence backend selection.
This release fixes compile error with BoringSSL.
2019-03-13 17:45:08 +00:00
adam
4e27cc7275 nghttp2: updated to 1.36.0
nghttp2 v1.36.0.

build
CMake build disables shared library if ENABLE_SHARED_LIB is OFF.

third-party
http-parser has been upgraded to v2.9.0.
mruby has been upgraded to v2.0.0.

nghttpx
nghttpx now pools h1 backend connection per address and uses it when the round robin index points to the address.
nghttpx now randomizes backend address round robin order per thread.
The bug that long certificate serial numbers cannot be handled has been fixed.

h2load
An option to write per-request logs has been added.

asio
The API to get the current server port has been added.
2019-01-19 15:21:04 +00:00
gdt
9f3dce8469 nghttp2: Rototill USE_LANGUAGES and make granular per option
Back out the previous build fix.

The base package does not even need C++, so drop from USE_LANGUAGES,
and remove GCC_REQD.  Builds on netbsd-7/amd64 with gcc 4.8.

Both options build C++ code.  Add c++14 to USE_LANGUAGES and 6 to
GCC_REQD, following upstream documentation.
2019-01-14 17:22:18 +00:00
gdt
0d20b3e40b nghttp2: Add GCC_REQ for c++14
While the package without options does not actually use C++14,
configure looks for it, and fails to find the C++ version of the C
preprocessor, at least on netbsd-7 with gcc 4.8.5.

(Perhaps the cpp searching could be fixed, and the USE_LANGUAGES pushed
into options that need it, but that seems more complicated than is
useful, given that one more or less needs to have a C++14 compiler
anyway.)
2019-01-04 14:52:43 +00:00
adam
5b12b7b592 revbump for boost 1.69.0 2018-12-13 19:51:31 +00:00
adam
64318a89a0 nghttp2: updated to 1.35.1
Nghttp2 v1.35.1

nghttpx

This release fixes the broken trailing slash handling when routing a request. nghttpx allows a pattern which ends “/” to match the request path which just lacks the trailing “/”. Previously, this special handling did not work if certain patterns were registered.
2018-12-09 17:05:51 +00:00
adam
bb9c6b35a6 nghttp2: updated to 1.35.0
Nghttp2 v1.35.0

lib
Use __has_declspec_attribute in order to check that dllexport/dllimport can be used.

build
libevent detection with cmake has been improved.

src
C++14 language features are now required.

nghttpx
mruby send_info non-final response is now written early.
Fix assertion failure on mruby send_info with HTTP/1.1 frontend.

h2load
HTTP/1.1 non-final response is now handled correctly.
Clarify that time for connect includes TLS handshake.
2018-11-23 09:22:40 +00:00
adam
c6e70f86df nghttp2: updated to 1.34.0
Nghttp2 v1.34.0

lib

libnghttp2 now supports extended CONNECT method and :protocol pseudo header field defined in RFC 8441. To enable this functionality on server side, send NGHTTP2_SETTINGS_ENABLE_CONNECT_PROTOCOL using nghttp2_submit_settings().

nghttpx

nghttpx now supports “Bootstrapping WebSockets with HTTP/2” defined in RFC 8441 for both frontend and backend HTTP/2 connections.

read-timeout and write-timeout parameters have been added to --backend option to specify read/write timeouts per pattern which override values set by --backend-read-timeout and --backend-write-timeout options.

This release fixes stability issues in neverbleed with OpenSSL 1.1.1.

mruby has been updated to version 1.4.1.

env.tls_handshake_finished has been added to mruby scripting to know whether TLS handshake has been completed or not. This might be useful to decide that 0-RTT data should be processed or not.

--tls13-ciphers and --tls-client-ciphers options have been added to configure TLSv1.3 ciphers.

nghttpx now adds Early-Data header field to the request header field when request is included in 0-RTT packet, and TLS handshake has not been completed yet. Early-Data header field is defined in RFC 8470.

nghttpx now supports TLSv1.3 0-RTT data. By default, it accepts 0-RTT data, but postpones the request until the TLS handshake completes. The new option --tls-no-postpone-early-data makes nghttpx not postpone the request and adds the Early-Data header field to the backend request. It is important to make sure that all backends recognize the Early-Data header field to mitigate replay attacks.

To enable 0-RTT data and most of the TLSv1.3 features, OpenSSL 1.1.1 is required.
2018-10-04 13:07:35 +00:00
fhajny
a4cea8c5d0 www/nghttp2: Update to 1.33.0.
- lib: Tweak nghttp2_session_set_stream_user_data
- lib: Fix handling of SETTINGS_MAX_CONCURRENT_STREAMS.
- lib: Implement ORIGIN frame
- asio: support definition of local endpoint for cleartext client
  session
- integration: Remove remaining SPDY code from the integration tests.
- nghttpx: Fix worker process crash with neverbleed write error
- nghttpx: Support per-backend mruby script
- nghttpx: Fix stream reset if data from client is arrived before dconn
  is attached
2018-09-03 16:39:45 +00:00
adam
b5f574c53a nghttp2: updated to 1.32.1
Nghttp2 v1.32.1:
nghttp2_session_set_stream_user_data now works for a stream which is not created yet, but the request which creates the stream is queued.
2018-08-28 06:37:18 +00:00
adam
9d06c0a472 revbump after boost-libs update 2018-08-16 18:54:26 +00:00
fhajny
89d27bdc28 www/nghttp2: Update to 1.32.0.
- lib: Ignore all input after calling session_terminate_session
- lib: Fix treatment of padding
- lib: Don't allow 101 HTTP status code because HTTP/2 removes
  HTTP Upgrade
- build: add ENABLE_STATIC_LIB option to build static lib
- third-party: Upgrade neverbleed to the latest master
- asio: Support client side SNI
- src: Compile with libressl 2.7.2
- src: Allow building without NPN
- h2load: -r and --duration are mutually exclusive
2018-06-14 10:51:21 +00:00
adam
35aa3efc12 revbump for boost-libs update 2018-04-29 21:31:17 +00:00
adam
660e98bbf3 nghttp2: updated to 1.31.0
nghttp2 v1.31.0:
lib: Add nghttp2_session_set_user_data() public API function
src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro
nghttpx: Close listening socket on graceful shutdown
nghttpx: Add an option to accept expired client certificate
nghttpx: Add mruby tls_client_not_before, and tls_client_not_after
nghttpx: Fix potential memory leak
2018-02-28 08:44:20 +00:00
adam
41a5a11ba9 nghttp2: updated to 1.30.0
1.30.0:
lib:
This release fixes the bug so that PING frame can be sent after GOAWAY.

nghttpx:
This release fixes the bug that set_header method in mruby script wrongly overwrites other header fields.

upgrade-scheme parameter has been added to backend option to work around the issue that a backend server requires that HTTP/2 :scheme pseudo header field value should be https.

This release fixes the bug that ALPN validation does not occur if client does not send TLS ALPN extension.

To be more compliant with RFC 8297, nghttpx now remembers which resource is pushed per single request.
2018-02-13 09:09:45 +00:00
adam
983847f667 Revbump after boost update 2018-01-01 21:18:06 +00:00
adam
a8f99e9ed3 nghttp2: updated to 1.29.0
nghttp2 v1.29.0:
lib
* NGHTTP2_REFUSED_STREAM is now used as an error code passed to nghttp2_on_stream_close_callback for streams which are closed by GOAWAY to indicate that they are safely retried.

build
* SPDY related code was completely removed.

nghttpx
* The commit which breaks load balancing among HTTP/2 backend in some situations has been reverted.
* The default value of --api-max-request-body option has been increased to 32MiB.
* The time to load the large number of backend options has been greatly improved.
* The crash with --backend-http-proxy-uri option has been fixed.
2017-12-21 08:18:38 +00:00
adam
5a37e01608 nghttp2: updated to 1.28.0
nghttp2 v1.28.0
lib: Add nghttp2_error_callback2
build: Add deprecation warning when spdylay support is enabled
Switch to clang-format-5.0
examples: Make client and server work with libevent-2.1.8
third-party: Update neverbleed
integration: Fix issues reported by the go vet tool.
nghttpx: Fix affinity retry
nghttpx: Fix stalled backend connection on retry
nghttpx: Cookie based session affinity
nghttpx: Expose additional TLS related variables to mruby and accesslog
2017-11-26 16:43:30 +00:00
adam
d10beed58a nghttp2: updated to 1.27.0
nghttp2 v1.27.0
build: Fixed accidental compiler flags concatenation for MSVC
build: Reduce libxml2 version requirement to 2.6.26
asio: Support for Windows / MinGW
h2load: Print out h2 header fields with --verbose option
nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only
2017-10-26 06:57:37 +00:00
adam
58748300b7 nghttp2: update to 1.26.0
nghttp2 v1.26.0
* docs: Fix some typos in the nghttpx how-to
* build: Update Dockerfile.android
* build: Refactoring include directories for build as CMake subdirectory (add_subdirectory(nghttp2))
* nghttpx: Fix OCSP related error when building with BoringSSL
* h2load: Fix bug that timing script stalls with -m1
* h2load: Reservoir sampling
* h2load: Add timing-based load-testing in h2load
2017-09-26 07:05:05 +00:00
adam
62d3f1ac1b Revbump for boost update 2017-08-24 20:02:56 +00:00
adam
32853bbdbb nghttp2 v1.25.0
lib: add nghttp2_rcbuf_is_static()
nghttpx: Fix bug that forwarded for is not affected by proxy protocol
nghttpx: Update mruby to 1.3.0
2017-08-21 08:16:58 +00:00
adam
c20d81cb45 nghttp2 v1.24.0:
Documentation
We have received several patches to fix grammar and typos.
The broken out-of-tree build has been also fixed.

nghttp
We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.

nghttpx
The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
2017-07-03 12:11:38 +00:00
adam
b3a69b6167 Changes 1.23.1:
This release fixes the bug which makes nghttpx crash in OCSP response verification with a certain kind of OCSP response.
2017-05-31 10:24:48 +00:00
adam
2e58006234 Changes 1.23.0:
libnghttp2

Previously, if libnghttp2 received an invalid header field, it was just ignored and treated as if it had never happened. This release changes this behaviour: now libnghttp2 treats an incoming invalid header field as an error and resets the stream with PROTOCOL_ERROR.

nghttp2_on_invalid_frame_callback is now called if validation of altsvc header field fails.

nghttpx

nghttpx now verifies the OCSP response received from a program specified by --fetch-ocsp-response-file. The validation can be turned off with the --no-verify-ocsp option. In this validation, it makes sure that the OCSP response is targeted at the expected certificate. This is important because we pass the file path to the external program (see --fetch-ocsp-response-file), and if the file is replaced because of renewal while nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this and avoids sending a wrong OCSP response.
2017-05-26 19:47:18 +00:00
ryoon
76884737ca Recursive revbump from boost update 2017-04-30 01:21:19 +00:00
adam
a616634c1a Changes 1.22.0:
lib: Add missing free call on error in inflight_settings_new()
asio: Support specifying stream priority via session::submit()
nghttpx: Clarify --conf option behaviour
nghttpx: Add $tls_sni access log variable
nghttpx: Rename ssl_* log variables as tls_*
nghttpx: Fix path matching bug
nghttpx: SNI based backend server selection
nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3
nghttpx: Add options for X-Forwarded-Proto header field
nghttpx: Add --single-process option
nghttpx: Use 502 as server error code
nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl
nghttp: Verify server certificate and show warning if it fails
integration: Use nip.io instead of xip.io
2017-04-29 06:01:55 +00:00
adam
ba081b0fba Changes 1.21.1:
The bug which causes libnghttp2_asio client to crash has been fixed.
The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.
2017-04-09 15:24:02 +00:00
adam
2271bb2805 Nghttp2 v1.21.0
libnghttp2
----------
The bug that nghttp2_session_want_write may return 0 if there are pending frames after GOAWAY frame is submitted has been fixed.

build
-----
_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.

libnghttp2_asio
---------------
The asio client now sends PING frame when it gets idle for 30 seconds.

src
---
Mozilla’s “Modern compatibility” ciphers are used by default.

nghttpx
-------
The bug that -v option does not print out version number has been fixed.

The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied.

nghttpx now escapes certain characters in access log.

nghttpx now enables backend pattern matching with --http2-proxy option as well.
2017-03-30 16:20:50 +00:00
adam
21a9831394 Changes 1.20.0:
New API, nghttp2_option_set_no_closed_streams, has been added. By default, libnghttp2 retains closed streams as suggested by RFC 7540, Section 5.3.4. If this option is used, libnghttp2 discards closed streams from memory in order to save memory usage.
2017-02-27 05:21:09 +00:00
adam
c94b0ed369 Changes 1.19.0:
We fixed a memory leak bug which only occurs in server-side sessions. Client-side sessions are not affected. This bug was detected by LLVM libFuzzer with the HTTP/2 corpus that the h2o project uses. Due to a bad code path which nullifies next pointers of a linked list in a certain condition, the nghttp2_stream object is not freed. We highly encourage upgrading existing installations to this latest version.
2017-01-26 20:44:27 +00:00
adam
5f814a707a Changes 1.18.1:
This release fixes several bugs in nghttpx proxy server. Since v1.18.0 release, dynamic DNS feature has been added to nghttpx. This release fixes these DNS related bugs. A user reported that nghttpx exited with assertion error in libev code when DNS was enabled. After investigating it, it turned out that this bug had existed well before DNS was added, but enabling DNS helped to trigger the bug.
2017-01-07 20:04:22 +00:00
adam
3e223a58fa Changes 1.18.0:
lib: Accept and ignore content-length: 0 in 204 response for now
build: Use pkg-config to detect libxml2
build: Require c-ares to compile applications under src
build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte)
examples: Delete tiny-nghttpd
nghttpx: Retry h1 backend request if first write fails (GH-757)
nghttpx: Keep reading after backend write failed (GH-756)
nghttpx: Add frontend-keep-alive-timeout option (GH-755)
nghttpx: New error log format (GH-749)
nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742)
nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731)
nghttpx: Lookup backend host name dynamically (GH-721)
nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735)
nghttpx: Wait for child process to exit
2017-01-02 09:51:18 +00:00
adam
76632718ac Revbump after boost update 2017-01-01 16:05:55 +00:00
adam
35293024ec Changes 1.17.0:
libnghttp2
* In this release, libnghttp2 by default disallows content-length header field in 1xx, 204, or 200 to a CONNECT request as described in RFC 7230.

libnghttp2_asio
* Previously, server-side on_close callback was not called when connection was closed while streams were still alive. Now on_close callback is called for active streams on connection close.

build
* Remo E provided a patch to include MSVC version resource in cmake Windows build.

nghttpx
* We fixed the bug that sometimes made nghttpx crash if --backend-http-proxy-uri was used.
* We fixed the bug that one HTTP header field from an HTTP/1.1 backend was split into multiple fields in some situations.
* We fixed the bug that a zero-length POST was not forwarded to the HTTP/1.1 backend, causing a deadlock.
* We removed the optional reason phrase from SPDY response header fields. This is OK since the reason phrase is optional.
* To align the changes made in libnghttp2 that disallows content-length in 1xx, 204, or 200 to a CONNECT request, we did the same thing to HTTP/1.1 backend. We also disallow transfer-encoding in those status codes as well.
* dalf provided a patch to fix compile failure with BoringSSL.

nghttpd, nghttpx, and libnghttp2_asio
* We fixed the bug that mandatory SP after status code was missing in HTTP/1.1 status line.
2016-11-28 08:53:58 +00:00