- lib: Ignore all input after calling session_terminate_session
- lib: Fix treatment of padding
- lib: Don't allow 101 HTTP status code because HTTP/2 removes HTTP Upgrade
- build: add ENABLE_STATIC_LIB option to build static lib
- third-party: Upgrade neverbleed to the latest master
- asio: Support client side SNI
- src: Compile with libressl 2.7.2
- src: Allow building without NPN
- h2load: -r and --duration are mutually exclusive
nghttp2 v1.31.0:
lib: Add nghttp2_session_set_user_data() public API function
src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro
nghttpx: Close listening socket on graceful shutdown
nghttpx: Add an option to accept expired client certificate
nghttpx: Add mruby tls_client_not_before, and tls_client_not_after
nghttpx: Fix potential memory leak
1.30.0:
lib:
This release fixes the bug so that PING frame can be sent after GOAWAY.
nghttpx:
This release fixes the bug that set_header method in mruby script wrongly overwrites other header fields.
upgrade-scheme parameter has been added to backend option to work around the issue that a backend server requires the HTTP/2 :scheme pseudo header field value to be https.
This release fixes the bug that ALPN validation does not occur if the client does not send the TLS ALPN extension.
To be more compliant with RFC 8297, nghttpx now remembers which resource is pushed per request.
nghttp2 v1.29.0:
lib
* NGHTTP2_REFUSED_STREAM is now used as the error code passed to nghttp2_on_stream_close_callback for streams which are closed by GOAWAY, to indicate that they can be safely retried.
build
* SPDY related code was completely removed.
nghttpx
* The commit which broke load balancing among HTTP/2 backends in some situations has been reverted.
* The default value of --api-max-request-body option has been increased to 32MiB.
* The time to load a large number of backend options has been greatly improved.
* The crash with --backend-http-proxy-uri option has been fixed.
nghttp2 v1.28.0
lib: Add nghttp2_error_callback2
build: Add deprecation warning when spdylay support is enabled
Switch to clang-format-5.0
examples: Make client and server work with libevent-2.1.8
third-party: Update neverbleed
integration: Fix issues reported by the go vet tool.
nghttpx: Fix affinity retry
nghttpx: Fix stalled backend connection on retry
nghttpx: Cookie based session affinity
nghttpx: Expose additional TLS related variables to mruby and accesslog
nghttp2 v1.27.0
build: Fixed accidental compiler flags concatenation for MSVC
build: Reduce libxml2 version requirement to 2.6.26
asio: Support for Windows / MinGW
h2load: Print out h2 header fields with --verbose option
nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only
nghttp2 v1.26.0
* docs: Fix some typos in the nghttpx how-to
* build: Update Dockerfile.android
* build: Refactoring include directories for build as CMake subdirectory (add_subdirectory(nghttp2))
* nghttpx: Fix OCSP related error when building with BoringSSL
* h2load: Fix bug that timing script stalls with -m1
* h2load: Reservoir sampling
* h2load: Add timing-based load-testing in h2load
Documentation
We have received several patches to fix grammar and typos.
The broken out-of-tree build has also been fixed.
nghttp
We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.
nghttpx
The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
libnghttp2
Previously, if libnghttp2 received an invalid header field, it was simply ignored and treated as if it had never been received. This release changes this behaviour: libnghttp2 now treats an incoming invalid header field as an error and resets the stream with PROTOCOL_ERROR.
nghttp2_on_invalid_frame_callback is now called if validation of altsvc header field fails.
nghttpx
nghttpx now verifies the OCSP response received from the program specified by --fetch-ocsp-response-file. The validation can be turned off with the --no-verify-ocsp option. The validation makes sure that the OCSP response is targeted to the expected certificate. This is important because we pass the file path to the external program (see --fetch-ocsp-response-file), and if the file is replaced because of renewal and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this and avoids sending the wrong OCSP response.
lib: Add missing free call on error in inflight_settings_new()
asio: Support specifying stream priority via session::submit()
nghttpx: Clarify --conf option behaviour
nghttpx: Add $tls_sni access log variable
nghttpx: Rename ssl_* log variables as tls_*
nghttpx: Fix path matching bug
nghttpx: SNI based backend server selection
nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3
nghttpx: Add options for X-Forwarded-Proto header field
nghttpx: Add --single-process option
nghttpx: Use 502 as server error code
nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl
nghttp: Verify server certificate and show warning if it fails
integration: Use nip.io instead of xip.io
The bug which causes libnghttp2_asio client to crash has been fixed.
The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.
libnghttp2
----------
The bug that nghttp2_session_want_write may return 0 if there are pending frames after a GOAWAY frame is submitted has been fixed.
build
-----
_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.
libnghttp2_asio
---------------
The asio client now sends PING frame when it gets idle for 30 seconds.
src
---
Mozilla’s “Modern compatibility” ciphers are used by default.
nghttpx
-------
The bug that -v option does not print out version number has been fixed.
The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied.
nghttpx now escapes certain characters in access log.
nghttpx now enables backend pattern matching with --http2-proxy option as well.
New API, nghttp2_option_set_no_closed_streams, has been added. By default, libnghttp2 retains closed streams as suggested by RFC 7540, Section 5.3.4. If this option is used, libnghttp2 discards closed streams from memory in order to save memory usage.
We fixed a memory leak bug which only occurs in server side sessions. Client side sessions are not affected. This bug was detected by LLVM libFuzzer with the HTTP/2 corpus that the h2o project uses. Due to a bad code path which nullifies the next pointers of a linked list under a certain condition, the nghttp2_stream object is never freed. We strongly encourage upgrading existing installations to this latest version.
This release fixes several bugs in the nghttpx proxy server. Since the v1.18.0 release, a dynamic DNS feature has been added to nghttpx. This release fixes these DNS related bugs. A user reported that nghttpx exited with an assertion error in libev code when DNS was enabled. After investigating it, it turned out that this bug had existed well before DNS was added, but enabling DNS helped to trigger the bug.
lib: Accept and ignore content-length: 0 in 204 response for now
build: Use pkg-config to detect libxml2
build: Require c-ares to compile applications under src
build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte)
examples: Delete tiny-nghttpd
nghttpx: Retry h1 backend request if first write fails (GH-757)
nghttpx: Keep reading after backend write failed (GH-756)
nghttpx: Add frontend-keep-alive-timeout option (GH-755)
nghttpx: New error log format (GH-749)
nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742)
nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731)
nghttpx: Lookup backend host name dynamically (GH-721)
nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735)
nghttpx: Wait for child process to exit
libnghttp2
* In this release, libnghttp2 by default disallows content-length header field in 1xx, 204, or 200 to a CONNECT request as described in RFC 7230.
libnghttp2_asio
* Previously, server-side on_close callback was not called when connection was closed while streams were still alive. Now on_close callback is called for active streams on connection close.
build
* Remo E provided a patch to include MSVC version resource in cmake Windows build.
nghttpx
* We fixed the bug that sometimes made nghttpx crash if --backend-http-proxy-uri was used.
* We fixed the bug that a single HTTP header field from an HTTP/1.1 backend was split into multiple fields in some situations.
* We fixed the bug that a zero-length POST was not forwarded to the HTTP/1.1 backend, causing a deadlock.
* We removed optional reason phrase from SPDY response header fields. This is OK since reason phrase is optional.
* To align with the changes made in libnghttp2 that disallow content-length in 1xx, 204, or 200 to a CONNECT request, we did the same thing for the HTTP/1.1 backend. We also disallow transfer-encoding in those status codes.
* dalf provided a patch to fix compile failure with BoringSSL.
nghttpd, nghttpx, and libnghttp2_asio
* We fixed the bug that the mandatory SP after the status code was missing in the HTTP/1.1 status line.
We fixed the bug that nghttp2 HPACK decoder may decode wrong integer because of undefined behaviour.
We fixed the bug in nghttpx that may make nghttpx crash if final response after non-final response from origin server is forwarded to HTTP/1.1 client.
libnghttp2
----------
Previously, if libnghttp2 was built with the DEBUGBUILD macro defined, it printed debug messages to stderr. In this release, Anders Bakken added the nghttp2_set_debug_vprintf_callback() function to set a callback which can customize how debug messages are processed. The parameters passed to the callback are suitable for use with the vfprintf(3) function.
libnghttp2_asio
---------------
We fixed the bug which causes crash if nghttp2::asio_http2::server::response::end() is called from outside nghttp2 callback (e.g., asynchronous timer callback).
nghttpx
-------
We have added --backend-connect-timeout option to specify how long nghttpx waits until backend TCP connection is established.
The new option --ecdh-curves lets you specify the list of named curves for use in TLS.
We have added TLS signed_certificate_timestamp extension support. The signed_certificate_timestamp extension is defined in RFC 6962. The new option --tls-sct-dir is used to specify the directory which contains *.sct files. These files are read at startup and sent to the client in the TLS handshake. The format of *.sct files is the same as the one that nginx and Apache mod_ssl_ct use. For additional certificates specified by the --subcert option, we extended the syntax of the option, and it can now take an sct-dir parameter which takes the directory that should contain the *.sct files for the certificate.
h2load
------
We have added --header-table-size and --encoder-header-table-size options to specify HPACK header table size for both directions.
lib: Add nghttp2_option_set_max_deflate_dynamic_table_size() API function (GH-684)
lib: Allow NGHTTP2_ERR_PAUSE from nghttp2_data_source_read_callback (GH-671)
lib: Add nghttp2_session_get_hd_deflate_dynamic_table_size() and nghttp2_session_get_hd_inflate_dynamic_table_size() API functions to get current HPACK dynamic table size (GH-664)
lib: Add nghttp2_session_get_local_settings() API function (GH-664)
lib: Add nghttp2_session_get_local_window_size() and nghttp2_session_get_stream_local_window_size() API functions (GH-664)
build: Add -lsocket -lnsl to APPLDFLAGS for solaris build (GH-674)
neverbleed: Update neverbleed to support ECDSA certificate
doc: Mention --enable-lib-only configure option in README
integration: Fix test failure with go1.7.1
src: Fix compile error with openssl 1.1.0
nghttpx: Improve performance with HTTP/1.1 backend when request body is involved
nghttpx: Use std::atomic_* overloads for std::shared_ptr if available
nghttpx: Migrate backend stream to another h2 session on graceful shutdown
nghttpx: Add option to specify HPACK encoder/decoder dynamic table size
nghttpx: Log client address
nghttpx: Add tls_sni to mruby Nghttpx::Env class
nghttpx: Add --frontend-http2-window-size option, and its family functions
nghttpx: Add experimental TCP optimization for h2 frontend
nghttpx: Workaround for std::make_shared bug in Xcode7, 7.1, and 7.2 (GH-670)
nghttpx: Fix bug that bytes are doubly counted to rate limit for TLS connections
nghttpx: Add --no-server-rewrite option not to rewrite server header field (GH-667)
nghttpx: Retry if backend h1 connection cannot be established due to timeout
nghttpx: Reset stream if invalid header field is received in h2
nghttpx: Add --server-name option to change server response header field (GH-667)
nghttpd: Add --encoder-header-table-size option
nghttp: Add --encoder-header-table-size option
python: Support ALPN, require Python 3.5
In this release, we fixed the bug which causes GOAWAY race with new incoming stream on server side. The bug has been reported in GH-681. This is a regression introduced in 16c4611. We were happy with that commit since nghttp2 server passed all strict mode h2spec tests. However, it turned out that it could not handle some cases well, and one of them is GOAWAY race on server side. We reverted part of that commit to fix this issue. This bug only affects nghttp2 server side session. The client side nghttp2 session is not affected by this bug.
This release adds 2 new API functions to libnghttp2. It also adds HTTP/1.1 POST support to h2load. nghttpx gets new features, and performance improvements.
This release adds ALTSVC frame support in libnghttp2. nghttp gets new option to exercise expect/continue dance with server. nghttpx gets several new features, robust load balancing, and bug fixes.
This release adds new library APIs to send and receive non-critical HTTP/2 extension frames. It also adds new features to nghttpx and nghttpd, and polishes many rough edges.
Reset (RST_STREAM) stream if flow control window overflows
Validate :authority, host, and :scheme value more strictly
Check request/response submission error based on side of session
Strict outgoing idle stream detection
Return error from nghttp2_submit_{headers,request} when self dependency is made
Add -ldl to APPLDFLAGS for static openssl linking
asio: Stop acceptor on server::http2::stop
asio: Rename http2::get_io_services() as http2::io_services()
h2load: Support UNIX domain socket
h2load: Improve readability of traffic numbers
h2load: Remove "auto" for -m option
h2load: Show progress in rate mode
h2load: Perform sampling for request and connection timings to reduce memory consumption
nghttpd: Add --no-content-length option to omit content-length in response
nghttpx: Interleave pushed streams with the associated stream if pushed streams are javascript and CSS resources
nghttpx: The initial value of request/response buffer is increased to 128K
nghttpx: Fix bug that --listener-disable-timeout option is not used
nghttpx: Don't emit :authority if request does not contain authority information
nghttpx: Add clarification of quotes in configuration file
nghttpx: Don't allow certain characters in host and :scheme header field
nghttpx: Add RFC 7239 Forwarded header field support
nghttpx: Fix crash when running on IPv6 only (Patch from Vernon Tang)
nghttpx: Take into account of trailers when applying max_header_fields
nghttpx: Don't apply max_header_fields and header_field_buffer limit to response
nghttpx: Strict validation for header fields given in configuration
nghttpx: header value should not be lower-cased (Patch from ayanamist)
This release fixes a heap-use-after-free bug in the idle stream handling code. We strongly recommend upgrading older installations to this latest version as soon as possible. Other than that, we have minor polishing in the libnghttp2 code base, and some new features in the asio library and h2load.
This release includes a number of fixes for libnghttp2. We briefly explain notable bug fixes here. Previously, libnghttp2 ignored CONTINUATION frames if the preceding HEADERS frame contained padding. CONTINUATION frames are rare these days, but padding is already used in some services, and we may see CONTINUATION somewhere too. The second and third bugs are related to SETTINGS and the HPACK dynamic table size. The second bug is that libnghttp2 previously did not shrink the dynamic table to the minimum requested size when a SETTINGS frame sent from the local endpoint contained several SETTINGS_HEADER_TABLE_SIZE entries. This is now corrected, and libnghttp2 shrinks to the minimum size. The third bug stems from ambiguous text in RFC 7540 and RFC 7541: we had interpreted it to mean that a receiver of SETTINGS containing SETTINGS_HEADER_TABLE_SIZE always has to send a dynamic table size update in the next compressed header block. It turns out that this is not what the specification author intended. The intended behaviour is that the receiver is required to send a dynamic table size update only when the maximum dynamic table size really changed. Depending on SETTINGS_HEADER_TABLE_SIZE and the current maximum dynamic table size, the table size may not change.
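The two table-size behaviours described above, modelled from the side of the encoder that receives the SETTINGS frame, as an added example (not nghttp2 code). The `enc_model` struct and the `enc_*` functions are hypothetical, eviction is reduced to a byte counter, and the SETTINGS values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of an HPACK encoder's table-size state (not nghttp2 code). */
typedef struct {
  uint32_t cap;      /* encoder's own upper bound on the table size */
  uint32_t signaled; /* maximum the peer decoder currently knows about */
  uint32_t cur_max;  /* maximum in effect after the latest SETTINGS entry */
  uint32_t min_seen; /* smallest maximum since the last header block */
  uint32_t used;     /* bytes held in the dynamic table (simplified) */
} enc_model;

static uint32_t u32_min(uint32_t a, uint32_t b) { return a < b ? a : b; }

void enc_init(enc_model *e, uint32_t cap, uint32_t initial, uint32_t used) {
  e->cap = cap;
  e->signaled = e->cur_max = e->min_seen = u32_min(cap, initial);
  e->used = u32_min(used, e->cur_max);
}

/* Apply each SETTINGS_HEADER_TABLE_SIZE entry of one SETTINGS frame in order. */
void enc_apply_settings(enc_model *e, const uint32_t *vals, size_t n) {
  for (size_t i = 0; i < n; i++) {
    uint32_t eff = u32_min(vals[i], e->cap);
    e->min_seen = u32_min(e->min_seen, eff);
    e->used = u32_min(e->used, eff); /* evict down to every intermediate size */
    e->cur_max = eff;
  }
}

/* At the start of the next header block: write the dynamic table size updates
   to signal into out[0..1] and return how many there are (0, 1 or 2). */
size_t enc_pending_updates(enc_model *e, uint32_t out[2]) {
  size_t n = 0;
  if (e->min_seen < e->signaled && e->min_seen < e->cur_max)
    out[n++] = e->min_seen; /* the dip below the final size comes first */
  if (n > 0 || e->cur_max != e->signaled)
    out[n++] = e->cur_max; /* then the final size, only if anything changed */
  e->signaled = e->min_seen = e->cur_max;
  return n;
}

int main(void) {
  /* Constructed input: one SETTINGS frame carrying two table-size entries. */
  const uint32_t vals[] = {0, 4096};
  uint32_t out[2];
  enc_model e;
  enc_init(&e, 4096, 4096, 300);
  enc_apply_settings(&e, vals, 2);
  size_t n = enc_pending_updates(&e, out);
  printf("updates=%zu used=%u\n", n, (unsigned)e.used);
  return 0;
}
```

The same eviction to the smallest requested size applies to the decoder that sent the SETTINGS frame, since both tables must stay in step.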
* Make traditional init script fail if new config file is broken
* nghttpx-logrotate: Don't use killall since we have multiple processes
* nghttpx: Fix improper signal handling