lib
This release adds an API to get and parse RFC 9218 (Extensible Prioritization Scheme) priorities.
nghttp2_select_next_protocol() has been deprecated. Use nghttp2_select_alpn() instead.
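As an added illustration of the parsing side (example code written for this page, not libnghttp2's implementation; the names extpri and extpri_parse are hypothetical): an RFC 9218 Priority field value is an RFC 8941 Structured Field dictionary in which the key u carries an integer urgency 0..7 (default 3) and the key i is a boolean incremental flag (default false). Members with other keys, with parameters, or with the wrong type or range are skipped, and a value that is not a well-formed dictionary is rejected as a whole. The same field shape is what the RFC 9218 scheme enabled through SETTINGS_NO_RFC7540_PRIORITIES (v1.48.0 below) operates on.

```c
#include <stddef.h>
#include <string.h>

/* Parsed RFC 9218 priority: urgency 0..7 (default 3) and the incremental flag
   (default false).  Hypothetical names; libnghttp2's own types differ. */
typedef struct {
  int urgency;
  int incremental;
} extpri;

#define EXTPRI_DEFAULT_URGENCY 3

static int is_lcalpha(unsigned char c) { return c >= 'a' && c <= 'z'; }
static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }
static int is_key_char(unsigned char c) {
  return is_lcalpha(c) || is_digit(c) || c == '_' || c == '-' || c == '.' || c == '*';
}
static const char *skip_ows(const char *p, const char *end) {
  while (p < end && (*p == ' ' || *p == '\t')) ++p;
  return p;
}

/* Skip one RFC 8941 bare item (string, byte sequence, boolean, number, token)
   or inner list without interpreting it.  Returns NULL on malformed input. */
static const char *skip_item(const char *p, const char *end) {
  if (p >= end) return NULL;
  if (*p == '"') {                         /* sf-string: may contain ',' and escapes */
    for (++p; p < end && *p != '"'; ++p) {
      if (*p == '\\' && ++p >= end) return NULL;
    }
    return p < end ? p + 1 : NULL;
  }
  if (*p == ':' || *p == '(') {            /* sf-binary or inner-list */
    char close = *p == ':' ? ':' : ')';
    for (++p; p < end && *p != close; ++p) {}
    return p < end ? p + 1 : NULL;
  }
  if (*p == '?')                           /* sf-boolean */
    return p + 1 < end && (p[1] == '0' || p[1] == '1') ? p + 2 : NULL;
  while (p < end && *p != ',' && *p != ';' && *p != ' ' && *p != '\t') ++p;
  return p;                                /* sf-integer, sf-decimal, sf-token */
}

/* Parse a Priority field value into *pri.  `u=<0..7>` sets urgency; `i`,
   `i=?1` or `i=?0` sets incremental.  Members with other keys, parameters, or
   a wrong type/range are skipped.  Returns 0 on success, or -1 (leaving *pri
   untouched) if the value is not a well-formed dictionary. */
int extpri_parse(extpri *pri, const char *value, size_t len) {
  extpri out = *pri;
  const char *end = value + len, *p = skip_ows(value, end);
  while (p < end) {
    const char *key = p;
    if (!(is_lcalpha((unsigned char)*p) || *p == '*')) return -1;
    while (p < end && is_key_char((unsigned char)*p)) ++p;
    int is_u = p - key == 1 && key[0] == 'u';
    int is_i = p - key == 1 && key[0] == 'i';
    if (p < end && *p == '=') {
      ++p;
      if (p < end && *p == '?') {                           /* boolean */
        if (p + 1 >= end || (p[1] != '0' && p[1] != '1')) return -1;
        if (is_i) out.incremental = p[1] == '1';
        p += 2;
      } else if (p < end && is_digit((unsigned char)*p)) {  /* non-negative integer */
        unsigned long long v = 0;
        int digits = 0;
        while (p < end && is_digit((unsigned char)*p) && digits < 15) {
          v = v * 10 + (unsigned)(*p++ - '0');
          ++digits;
        }
        if (p < end && *p == '.') p = skip_item(p + 1, end); /* decimal: wrong type */
        else if (is_u && v <= 7) out.urgency = (int)v;
      } else {
        p = skip_item(p, end);          /* negative number, string, token, list, ... */
      }
      if (p == NULL) return -1;
    } else if (is_i) {
      out.incremental = 1;              /* a bare key is boolean true */
    }
    while (p < end && *p == ';') {      /* parameters: ";" *SP key ["=" bare-item] */
      p = skip_ows(p + 1, end);
      while (p < end && is_key_char((unsigned char)*p)) ++p;
      if (p < end && *p == '=' && (p = skip_item(p + 1, end)) == NULL) return -1;
    }
    p = skip_ows(p, end);
    if (p >= end) break;
    if (*p != ',') return -1;
    p = skip_ows(p + 1, end);
    if (p >= end) return -1;            /* trailing comma */
  }
  *pri = out;
  return 0;
}

/* Parse from the RFC 9218 defaults; returns the urgency, or -1 if malformed. */
int priority_urgency(const char *value) {
  extpri pri = {EXTPRI_DEFAULT_URGENCY, 0};
  return extpri_parse(&pri, value, strlen(value)) == 0 ? pri.urgency : -1;
}

/* Same, for the incremental flag (0 or 1, or -1 if malformed). */
int priority_incremental(const char *value) {
  extpri pri = {EXTPRI_DEFAULT_URGENCY, 0};
  return extpri_parse(&pri, value, strlen(value)) == 0 ? pri.incremental : -1;
}
```

Feeding a client's PRIORITY_UPDATE payload or a server's Priority response header through extpri_parse starting from the stream's current values gives the "merge" behaviour RFC 9218 describes: only the members actually present (and valid) change the stream's priority.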
build
The following dependencies have been updated:
ngtcp2
libbpf
h2load
h2load now considers all h2 HEADERS frames when counting bytes and recording TTFB.
This release fixes the bug that TTFB is not recorded if an h3 stream has no data.
h2load now ignores 1xx status codes.
An IPv6 address is now enclosed in square brackets when set in the :authority header field.
nghttpx
This release adds the SSL_CTX_set_recv_max_early_data() call that OpenSSL requires (it sets the amount of early data the server is willing to accept).
The __FILE_NAME__ macro is preferred if available.
nghttpx now propagates stream priority from backend to frontend.
This release fixes the bug that nghttpx sends a QUIC RESET_STREAM when it receives a RESET_STREAM from a client.
src
This release drops support for old OpenSSL (< 1.1.1).
The bundled applications can now be built with aws-lc.
Nghttp2 v1.58.0
build
This release speeds up warning option detection with cmake.
The following dependencies have been updated:
ngtcp2
nghttp3
third-party
neverbleed has been updated.
nghttpx
This release introduces stricter transfer-encoding checks.
integration
The HTTP/3 integration tests are now enabled in the cmake build.
Nghttp2 v1.57.0
Security Advisory
CVE-2023-44487: HTTP/2 Rapid Reset
For more information, read the security advisory.
lib
This release has a fix to mitigate CVE-2023-44487, HTTP/2 Rapid Reset. It sets a reasonable default budget for incoming RST_STREAM frames. An application can tune the rate limit with nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and checking RST_STREAM frames there.
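For reference, the shape of such a budget, as an added example written for this page rather than libnghttp2's own code: a token bucket that starts full at burst, refills at rate tokens per second, and rejects a RST_STREAM once empty. nghttp2_option_set_stream_reset_rate_limit takes the same two numbers (a burst and a per-second rate); the 1000/33 values used in the self-check are the defaults as I remember them from this release and should be confirmed against nghttp2.h. What the real library does once the budget is exceeded (it fails the connection) is only represented here by the return value of reset_ratelim_drain; the type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define NSEC_PER_SEC 1000000000ULL

/* Token bucket guarding incoming RST_STREAM frames: `val` tokens are available
   now, `rate` tokens are added per second, and the bucket never exceeds `burst`.
   Hypothetical names; not libnghttp2's internal type. */
typedef struct {
  uint64_t val, burst, rate, tstamp_ns;
} reset_ratelim;

void reset_ratelim_init(reset_ratelim *rl, uint64_t burst, uint64_t rate, uint64_t now_ns) {
  rl->val = burst;
  rl->burst = burst;
  rl->rate = rate;
  rl->tstamp_ns = now_ns;
}

/* Refill for the time elapsed since the last refill.  The timestamp only advances
   by the time the granted tokens account for, so with many calls per second the
   sub-token remainders accumulate instead of being thrown away. */
static void reset_ratelim_update(reset_ratelim *rl, uint64_t now_ns) {
  if (rl->rate == 0 || now_ns <= rl->tstamp_ns) return;
  uint64_t gain = rl->rate * (now_ns - rl->tstamp_ns) / NSEC_PER_SEC;
  if (gain == 0) return;
  rl->val = rl->val + gain > rl->burst ? rl->burst : rl->val + gain;
  rl->tstamp_ns += gain * NSEC_PER_SEC / rl->rate;
}

/* Call once per RST_STREAM received.  Returns 1 if the frame is within budget and
   0 if the peer has exceeded it; a server treats the latter as a flood and should
   fail the connection rather than keep tearing down streams for this peer. */
int reset_ratelim_drain(reset_ratelim *rl, uint64_t now_ns) {
  reset_ratelim_update(rl, now_ns);
  if (rl->val == 0) return 0;
  --rl->val;
  return 1;
}

/* Feed `n` RST_STREAMs arriving at `now_ns`; return how many were within budget
   before the first rejection. */
size_t feed_resets(reset_ratelim *rl, size_t n, uint64_t now_ns) {
  size_t ok = 0;
  while (ok < n && reset_ratelim_drain(rl, now_ns)) ++ok;
  return ok;
}

/* Rapid Reset as the limiter sees it: a client opens and resets streams as fast
   as it can.  Only `burst` of the resets get through at t = 0. */
size_t rapid_reset_accepted(uint64_t burst, uint64_t rate) {
  reset_ratelim rl;
  reset_ratelim_init(&rl, burst, rate, 0);
  return feed_resets(&rl, (size_t)burst * 2 + 1, 0);
}

/* After the burst is exhausted at t = 0, how many resets fit into `steps`
   consecutive slices of `step_ns`?  Returns the total: a client that spaces its
   cancellations gets `rate` per second, a flood gets nothing more. */
size_t accepted_over(uint64_t burst, uint64_t rate, uint64_t step_ns, int steps) {
  reset_ratelim rl;
  size_t total = 0;
  reset_ratelim_init(&rl, burst, rate, 0);
  feed_resets(&rl, (size_t)burst + 1, 0);
  for (int i = 1; i <= steps; ++i) {
    total += feed_resets(&rl, (size_t)burst + 1, step_ns * (uint64_t)i);
  }
  return total;
}
```

An application that wants to count resets differently (per stream age, or only for streams that never received a response) would do the equivalent bookkeeping in nghttp2_on_frame_recv_callback when frame->hd.type is NGHTTP2_RST_STREAM and return NGHTTP2_ERR_CALLBACK_FAILURE to drop the connection.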
nghttpx
This release fixes the bug that --single-process does not work. It also fixes the bug that TLS connections are not rate limited.
Nghttp2 v1.56.0
third-party
llhttp has been updated.
nghttpx
The functions that send ECN bits have been reworked.
--frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2.
nghttpx, h2load
Fix the issue that CMSG_DATA does not necessarily return an aligned pointer.
Nghttp2 v1.55.1
Security Advisory
CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec
For more information, read the security advisory.
This CVE was filed by the envoyproxy/envoy project and has already been made public, so we did not follow the usual security procedure. See below for why.
lib
This release fixes a memory leak that happens when a PUSH_PROMISE or HEADERS frame cannot be sent and nghttp2_on_stream_close_callback fails with a fatal error. For example, if a GOAWAY frame has been received, a HEADERS frame that opens a new stream cannot be sent.
This issue has already been made public via CVE-2023-35945 issued by the envoyproxy/envoy project. During the embargo period, the patch to fix this bug was accidentally submitted to the nghttp2/nghttp2 repository, and they decided to disclose the CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
The PoC described in the CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening a new stream, and nghttp2 enters the error handling branch, in order to cause the memory leak, the nghttp2_session_close_stream function must return a fatal error. nghttp2 defines 2 fatal error codes:
NGHTTP2_ERR_NOMEM
NGHTTP2_ERR_CALLBACK_FAILURE
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process runs short of memory with this simple PoC scenario unless the application does some memory-heavy processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from an application-defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates that something fatal happened inside the callback and the connection must be closed immediately without any further action. As the nghttp2_on_stream_close_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as a fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE were returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or another error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
Nghttp2 v1.55.0
build
The following dependencies have been updated:
ngtcp2
nghttp3
BoringSSL
This release fixes a build error without libev.
third-party
llhttp has been updated.
Cross-compiling mruby is now supported.
nghttpx
UDP_GRO is enabled for the QUIC socket.
The initial QUIC packet number is now randomized.
h2load
UDP_GRO is enabled for the QUIC socket.
nghttp2 v1.54.0
nghttpx: Consistent error handling and use of high-level API
h2load: Fix http3 upload stall
h2load: Use std::chrono::steady_clock for quic timestamp
Avoid ev_now
Remove unused macro bswap64
Bump ngtcp2 and nghttp3
Bump libbpf to v1.2.0
Avoid copies
Used only by the tools, not by the library.
This drops the Python dependency on the library, which is needed by curl -- should help mitigate the ouroboros of curling pythons here.
Nghttp2 v1.53.0
lib
libnghttp2 uses ngtcp2/sfparse to parse Structured Field Values.
build
The following dependencies have been updated:
ngtcp2
nghttp3
OpenSSL(quictls)
BoringSSL
third-party
Bumped mruby to 3.2.0.
nghttpx
nghttpx now sends NEW_TOKEN on path change.
This release fixes numeric hostname verification in peer certificate.
When quitting, nghttpx now waits for all worker processes to stop. Previously, we just exited the event loop when the last process exited, but because of a bug it did not work as intended.
nghttpx now logs the correct PID on fork.
nghttpx now waits for the new worker process to be ready before sending the graceful shutdown event to the existing worker processes, to avoid downtime during configuration reload.
This release fixes the bug that causes a 400 response after an HTTP upgrade failure.
Nghttp2 v1.52.0
doc
sphinx_rtd_theme has been removed from the repository and archive.
build
The following dependencies have been updated:
ngtcp2
nghttp3
OpenSSL(quictls)
BoringSSL
libbpf
The CMake build now checks the core and extra components to find libevent.
python
The deprecated Python bindings have been removed.
libnghttp2_asio
The deprecated libnghttp2_asio has been removed.
third-party
llhttp and neverbleed have been updated.
nghttpx
This release fixes a bug that stalls a TLS connection.
integration
This release adds more http3 integration tests.
v1.50.0
lib
This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, which disables the check for leading and trailing white space in HTTP field values.
nghttpx
nghttpx now respects the backend-address-family option when dynamically resolving a backend host with the dns parameter of the backend option.
Nghttp2 v1.49.0
lib
This release adds nghttp2_check_header_value_rfc9113, which rejects leading and trailing white space. The library now uses this function instead of nghttp2_check_header_value when checking HTTP header fields.
asio
libnghttp2_asio has been moved to its own repository and has a new maintainer. The libnghttp2_asio code in the nghttp2 repository will not get any updates and will be removed at the end of 2022.
python
The Python bindings have been deprecated. They will not get any updates and will be removed at the end of 2022 due to maintenance issues.
nghttpx
Randomized backend server selection has been added again.
The PROXY protocol, which was broken when TLS is used, has been fixed.
nghttpx now removes trailing white space from HTTP header field values to align with RFC 9113.
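To make concrete what the v1.49.0 and v1.50.0 library changes (nghttp2_check_header_value_rfc9113 and the option that switches the leading/trailing rule off) and the nghttpx trimming above amount to, here is an added example written for this page; it is not libnghttp2's code and its byte table is this example's reading of RFC 9110 field-value syntax, not the library's table. The function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Byte rule of the classic check: HTAB, SP, VCHAR (0x21-0x7E) and obs-text
   (0x80-0xFF) are allowed; NUL, CR, LF, other controls and DEL are not. */
static int is_field_value_byte(unsigned char c) {
  return c == '\t' || (c >= 0x20 && c != 0x7f);
}

/* The pre-RFC 9113 check: every byte must be a field-value byte.  This is the
   behaviour an application gets back with the no_rfc9113 option. */
int check_header_value(const unsigned char *value, size_t len) {
  for (size_t i = 0; i < len; ++i) {
    if (!is_field_value_byte(value[i])) return 0;
  }
  return 1;
}

/* RFC 9113 section 8.2.1 adds: the value must not start or end with SP or
   HTAB.  An empty value is valid under both rules. */
int check_header_value_rfc9113(const unsigned char *value, size_t len) {
  if (len > 0 && (value[0] == ' ' || value[0] == '\t' ||
                  value[len - 1] == ' ' || value[len - 1] == '\t')) {
    return 0;
  }
  return check_header_value(value, len);
}

/* What a forwarding proxy can do instead of rejecting: drop trailing SP/HTAB
   and return the new length, so a value from a lenient HTTP/1 client satisfies
   the stricter rule on the HTTP/2 hop. */
size_t trim_trailing_ws(const unsigned char *value, size_t len) {
  while (len > 0 && (value[len - 1] == ' ' || value[len - 1] == '\t')) --len;
  return len;
}

/* NUL-terminated conveniences for quick checks. */
int check_str_rfc9113(const char *s) {
  return check_header_value_rfc9113((const unsigned char *)s, strlen(s));
}
int check_str_legacy(const char *s) {
  return check_header_value((const unsigned char *)s, strlen(s));
}
size_t trimmed_len(const char *s) {
  return trim_trailing_ws((const unsigned char *)s, strlen(s));
}
```

The security point of the stricter rule is consistency between hops: a value such as "x " that one implementation keeps and another trims can lead two parsers to disagree about a field, which is the raw material for request smuggling and cache poisoning; rejecting it at the HTTP/2 layer, or trimming it before forwarding as nghttpx does, removes the ambiguity.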
v1.48.0
lib
This release adds the RFC 9218 Extensible Prioritization Scheme for HTTP. It is enabled by submitting NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES via nghttp2_submit_settings(). See the Stream priorities section of the Programmers' Guide.
It fixes the stream stall bug that occurs when the initial window size is decreased.
build
Applications can now be built with LibreSSL 3.5.
If the --enable-lib-only configure option is used, the libraries needed only by the applications are not checked for.
src
The default TLS cipher suites are updated.
kTLS support has been added to nghttp, nghttpd, nghttpx, and h2load if they are built with OpenSSL >= 3.0.0.
nghttpd
This release fixes a bug that stalls TLS read operations.
nghttpx
nghttpx by default disables RFC 7540 tree-based HTTP/2 priorities and uses RFC 9218 priorities instead. It falls back to RFC 7540 if the client does not send SETTINGS_NO_RFC7540_PRIORITIES.
The affinity-cookie-stickiness backend parameter has been added.
The session affinity feature which had been broken for quite some time has been fixed.
Nghttp2 v1.47.0
lib
This release fixes an incorrect HPACK decoder table size update, which led to incorrectly requiring a Dynamic Table Size Update from an encoder when it is not needed.
build
cmake build now disables libbpf by default.
h2load
The maximum frame size that h2load is willing to receive (SETTINGS_MAX_FRAME_SIZE) is now configurable with --max-frame-size.
nghttpx
The --require-http-scheme option has been added. It requires that the scheme of an HTTP request is either http or https, and additionally that the https scheme is used on an encrypted connection and the http scheme otherwise. This option is recommended for a server deployment that directly faces clients and whose services only require the http or https scheme.
The BBR2 congestion control algorithm has been added for QUIC connections.
libbpf has been bumped to v0.7.0 and all strict features are turned on.
The qlog file extension is changed to .sqlog.
The bug that causes an h3 stream to end prematurely has been fixed.
The issue that a forwarded h3 GET request to an HTTP/1.1 hop always has transfer-encoding: chunked has been fixed.
QUIC connection now sends and receives ECN bits.
HTTP/3 trailer fields support has been added.
Nghttp2 v1.46.0
build
A workaround has been added to avoid the broken version check in the AX_PYTHON_DEVEL macro.
The missing cmake files have been added to EXTRA_DIST.
nghttpx
The HTTP/3 feature is now available with BoringSSL.
SCT data is now available with BoringSSL.
New QUIC and HTTP/3 related options were added: --frontend-quic-initial-rtt, --quic-server-id, and --rlimit-memlock.
--frontend-quic-connection-id-encryption-key has been removed, and the new option --frontend-quic-secret-file has been added. It specifies the initial keying materials used to generate the QUIC secrets and keys for connection IDs and tokens. It also supports rotation of the keying materials.
The HTTP/3 ALPN h3-29 is now supported.
--worker-process-grace-shutdown-period option was added to set the maximum grace period to wait for a worker process to terminate gracefully.
--max-worker-processes option was added to limit the number of the lingering worker processes.
h2load
The HTTP/3 feature is now available with BoringSSL.
Nghttp2 v1.45.1
build
This release fixes packaging issues: some configuration files were missing from the tar archives.
Nghttp2 v1.45.0
lib
Stricter checks for the :method and :path pseudo header fields have been introduced.
build
nghttp2 applications can be compiled with OpenSSL v3.0.0.
Fix a warning about systemd when cmake is used.
Added build options to enable HTTP/3 and eBPF.
nghttpx
The experimental HTTP/3 support has been added.
The “dnf” (“do not forward”) parameter has been added to the backend option.
h2load
The experimental HTTP/3 support has been added.
SSLKEYLOGFILE environment variable support has been added.
1.44.0:
nghttpx
The bug which prevented a backend that is temporarily excluded from a load balancing group from being restored has been fixed.
The word “master” has been replaced with “main”. The nghttpx master process is now called the main process.
--no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively.
Remove the trailing white space after the $method log variable.
h2load
The --rps option has been added.
A time unit (e.g., ms) is now allowed in the -D option.
v1.43.0:
doc
Documentation is now built with Sphinx 3.3.0 or later.
python
The Python binding now requires Python 3.
All Python scripts for nghttp2 development have been converted to Python 3.
nghttpx
This release fixes a potential memory issue where a memory pool is cleared while it is still in use.
An ECDSA certificate is now chosen when a compatible signature algorithm is available.
This release adds a workaround to allow ':' in a backend pattern.
Nghttp2 v1.42.0
This release includes a security advisory.
lib
UBSAN errors are now fixed.
nghttp2_map is now backed by a tree for storing collisions.
doc
Some clarifications have been made to the nghttp2_session_send function documentation.
build
The missing cmake/FindSystemd.cmake has been added to the tar distribution.
Nghttp2 v1.41.0
Security Advisory
CVE-2020-11080: Denial of service: Overly large SETTINGS frames
For more information, read the security advisory.
lib
This release implements the nghttp2_option_set_max_settings API, which sets the maximum number of SETTINGS entries in one SETTINGS frame, to mitigate the security issue. It also moves the SETTINGS flood check earlier to make it more effective.
The bug which stalls receiving stream data is fixed. Previously, with automatic window update enabled (the default), once the window size had been set to 0 by nghttp2_session_set_local_window_size and the receiving window had been exhausted, no more data could be received even after the window size was increased again by nghttp2_session_set_local_window_size. This is because nghttp2_session_set_local_window_size did not submit a WINDOW_UPDATE; one was only triggered when new data arrived, but since the window was filled up no more data could arrive, so a deadlock occurred.
build
With the cmake build, the hard-coded static lib suffix is now optional.
nghttpx
PROXY protocol v2 has been implemented.
The bug in getting the certificate serial number from an mruby script has been fixed.
h2load
A new option, --connect-to, has been added.
nghttp2 v1.40.0
lib: Add nghttp2_check_authority as public API (GH-1413)
lib: Fix the bug that stream is closed with wrong error code (GH-1408)
lib: Faster huffman encoding and decoding (GH-1405)
build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
third-party: Update neverbleed to fix memory leak
nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
nghttpx: Reconnect h1 backend if it lost connection before sending headers
nghttpx: Return 408 if backend timed out before sending headers
nghttpx: Fix request stall (GH-1378)
nghttp2 v1.39.2
This release fixes the CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerabilities in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause a denial of service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic with the --read-rate and --read-burst options is quite effective against this kind of attack.
Fix CVE-2019-9511 and CVE-2019-9513
Add nghttp2_option_set_max_outbound_ack API function
nghttpx: Fix request stall
v1.39.1:
nghttpx
This release fixes the bug that log-level is not set from the command line or the configuration file. It also fixes an FPE with the default backend.
v1.39.0:
lib
libnghttp2 now ignores content-length in a 200 response to a CONNECT request, as per RFC 7230.
third-party
mruby has been upgraded to 2.0.1.
asio
libnghttp2-asio now supports boost-1.70.
src
http-parser has been replaced with llhttp.
nghttpx
nghttpx now ignores Content-Length and Transfer-Encoding in a 1xx or 200 response to CONNECT.
This release fixes the bug that the log level does not change to the default value on configuration reload if the log-level option is missing from the new configuration.