Up to [cvs.NetBSD.org] / pkgsrc / www / nghttp2
Keyword substitution: kv
Default branch: MAIN
nghttp2: update to 1.65.0.
lib
- RFC 7540 Priorities implementation has been removed. Here is the summary of the behavioral changes in the public API functions:
  - nghttp2_session_change_stream_priority: This function is noop. It always returns 0.
  - nghttp2_session_create_idle_stream: This function is noop. It always returns 0.
  - nghttp2_submit_request: pri_spec is ignored.
  - nghttp2_submit_request2: pri_spec is ignored.
  - nghttp2_submit_headers: pri_spec is ignored.
  - nghttp2_submit_priority: This function is noop. It always returns
  - nghttp2_stream_get_parent: This function always returns NULL.
  - nghttp2_stream_get_next_sibling: This function always returns NULL.
  - nghttp2_stream_get_previous_sibling: This function always returns NULL.
  - nghttp2_stream_get_first_child: This function always returns NULL.
  - nghttp2_stream_get_weight: This function always returns NGHTTP2_DEFAULT_WEIGHT.
  - nghttp2_stream_get_sum_dependency_weight: This function always returns 0.
- nghttp2_option_set_server_fallback_rfc7540_priorities and nghttp2_option_set_no_closed_streams have also been deprecated, and have no effect.
- QNX build support has been added.
cmake
- Disable src tests if BUILD_TESTING is OFF.
src
- url-parser has been replaced with urlparse.
h2load
- Account for bytes on closing connections.
nghttp
- nghttp now does not create the initial dependency tree.
- --no-dep and --no-rfc7540-pri options have been deprecated.
- nghttp now always sends NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES HTTP/2 setting.
- --extpri option has been added to set priority for a given URI.
nghttpd
- This change deprecates --no-rfc7540-pri option. SETTINGS_NO_RFC7540_PRIORITIES HTTP/2 setting is now always sent.
nghttp2 nghttp2-tools: updated to 1.64.0 1.64.0 lib The internal :authority and host field value validation now treats @ as invalid. nghttp2_check_authority still treats it as a valid character. cmake This release fixes c-ares v1.34.0 version detection failure. h2load This release fixes race condition on h1 connection close. It also fixes UDP datagram send/recv metric.
nghttp2 nghttp2-tools: updated to 1.63.0 nghttp2 v1.63.0 Bump libbpf to v1.4.2 build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 nghttpx: Fix batch UDP QUIC packet dropped on GRO read CMakeLists.txt: allow to compile the C only lib without CXX compiler build(deps): bump github.com/quic-go/quic-go from 0.43.1 to 0.44.0 Fix compiler versions in readme build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 build(deps): bump github.com/quic-go/quic-go from 0.44.0 to 0.45.0 Bump ngtcp2 and its dependencies build(deps): bump docker/build-push-action from 5 to 6 Add wolfSSL support Append --shallow-submodules to git clone --recursive Always append options to extra options build(deps): bump github.com/quic-go/quic-go from 0.45.0 to 0.45.1 Disable dependency tracking Fix Dockerfile.android build failure Fix UDP_GRO struct cmsghdr data type GHA: Suppress warnings Fix levenshtein initialization build(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 Undefine NGHTTP2_NO_SSIZE_T if BUILDING_NGHTTP2 is defined Bump clang format Suppress old compiler error build(deps): bump github.com/quic-go/quic-go from 0.45.1 to 0.45.2 build(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 build(deps): bump github.com/quic-go/quic-go from 0.45.2 to 0.46.0 Bump ngtcp2 and its dependencies Bump libbpf to v1.4.5 Update go levenshtein: Use size_t
nghttp2: updated to 1.62.1 nghttp2 v1.62.1 nghttpx: Fix batch UDP QUIC packet dropped on GRO read
nghttp2 nghttp2-tools: updated to 1.62.0 nghttp2 v1.62.0 nghttpx: Fix QUIC stateless reset stack buffer overflow Require c-ares >= 1.16.0 for ares_getaddrinfo Require C++20 compiler ci: Bump macos to 13 Adopt std::to_array and remove make_array nghttpx: Define APIEndpoints separately build(deps): bump golang.org/x/net from 0.22.0 to 0.24.0 nghttpx: Do not send error/status body when method is HEAD nghttpx: Fix alignment issues in BlockAllocator nghttpx: Simplify parameter declaration for ipc_fd functions CMakListsts: Add Build Test info on summary nghttpx: Add extent to ipc_fd explicitly src: Add util::format_hex overload functions taking std::span Make make_byte_ref return std::span Make util::decode_hex return std::span Rewrite util::parse_uint Let base64::decode return std::span Refactor StringRef Stringref refactor c str and str Add StringRef literal operator and remove StringRef::from_lit Make StringRef(const std::string&) implicit Add http2::make_field family functions Bump munit Remove std::string conversion operator from StringRef Optimize StringRef comparisons against c-string Pack more quic pkt nghttpx: Dynamic GSO failover Refactor ImmutableString nghttpx: Refactor QUIC data path nghttpx: Fix inherited TCP port comparison make_websocket_accept_token: Lesser conversions Add http3::make_field family functions Remove unnecessary namespace qualifications Refactor http utils Refactor streq Remove util::streq and let StringRef operator== deal with it Update the link for the Prefix.pdf document. Rewrite util:shuffle build(deps): bump github.com/quic-go/quic-go from 0.42.0 to 0.43.0 nghttpd: Use nghttp2_ssize build(deps): bump github.com/quic-go/quic-go from 0.43.0 to 0.43.1 Bump ngtcp2 Bump llhttp to v9.2.1 Introduce typed nghttp2_min and nghttp2_max Add macos 14 Add dedicated distcheck buildtool parameter
nghttp2: updated to 1.61.0 Nghttp2 v1.61.0 Security Advisory CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage
nghttp2: updated to 1.60.0
Nghttp2 v1.60.0
lib
- RFC 7540 priorities (aka stream dependencies) APIs have been deprecated. They work just like before, but in the future release after the end of 2024, the functionality is removed, and the deprecated APIs start behaving differently. See the API documentation for details. RFC 7540 priorities have been deprecated by RFC 9113. Consider migrating to RFC 9218 extensible prioritization scheme.
- The APIs that use ssize_t, including structs and callback functions, have been deprecated. New APIs that use nghttp2_ssize are introduced as a replacement. The usage of ssize_t is problematic for several reasons. Some platforms do not define ssize_t. The minimum value of ssize_t that POSIX requires is -1 which makes nghttp2 error code out of range. nghttp2_ssize is an alias of ptrdiff_t that is in C standard and covers our error code range. New code should use new nghttp2_ssize APIs. The existing applications should consider migrating to new APIs. The deprecated ssize_t APIs continue to work for backward compatibility.
Here is the summary of the deprecated APIs and their replacements:
Callback functions:
- nghttp2_data_source_read_callback => nghttp2_data_source_read_callback2
- nghttp2_data_source_read_length_callback => nghttp2_data_source_read_length_callback2
- nghttp2_pack_extension_callback => nghttp2_pack_extension_callback2
- nghttp2_recv_callback => nghttp2_recv_callback2
- nghttp2_select_padding_callback => nghttp2_select_padding_callback2
- nghttp2_send_callback => nghttp2_send_callback2
Structs:
- nghttp2_data_provider => nghttp2_data_provider2
Functions:
- nghttp2_hd_deflate_hd => nghttp2_hd_deflate_hd2
- nghttp2_hd_deflate_hd_vec => nghttp2_hd_deflate_hd_vec2
- nghttp2_hd_inflate_hd2 => nghttp2_hd_inflate_hd3
- nghttp2_pack_settings_payload => nghttp2_pack_settings_payload2
- nghttp2_session_callbacks_set_data_source_read_length_callback => nghttp2_session_callbacks_set_data_source_read_length_callback2
- nghttp2_session_callbacks_set_pack_extension_callback => nghttp2_session_callbacks_set_pack_extension_callback2
- nghttp2_session_callbacks_set_recv_callback => nghttp2_session_callbacks_set_recv_callback2
- nghttp2_session_callbacks_set_select_padding_callback => nghttp2_session_callbacks_set_select_padding_callback2
- nghttp2_session_callbacks_set_send_callback => nghttp2_session_callbacks_set_send_callback2
- nghttp2_session_mem_recv => nghttp2_session_mem_recv2
- nghttp2_session_mem_send => nghttp2_session_mem_send2
- nghttp2_submit_data => nghttp2_submit_data2
- nghttp2_submit_request => nghttp2_submit_request2
- nghttp2_submit_response => nghttp2_submit_response2
For those applications that do not want to see ssize_t in nghttp2.h header file at all, define NGHTTP2_NO_SSIZE_T macro before including nghttp2.h. It hides all ssize_t APIs.
nghttp2*: update to 1.59.0 lib This release adds API to get and parse RFC 9218 priority. nghttp2_select_next_protocol() has been deprecated. Use nghttp2_select_alpn() instead. build The following dependencies have been updated: ngtcp2 libbpf h2load h2load now considers all h2 HEADERS when counting bytes and recording TTFB. This release fixes the bug that TTFB is not recorded if h3 stream has no data. h2load now ignores 1xx status code. IPv6 address is now enclosed by square brackets when set in :authority header field. nghttpx This release adds SSL_CTX_set_recv_max_early_data() call which OpenSSL requires. __FILE_NAME__ macro is preferred if available. nghttpx now propagates stream priority from backend to frontend. This release fixes the bug that nghttpx sends QUIC RESET_STREAM when it receives RESET_STREAM from client. src This release drops old OpenSSL (< 1.1.1) support. Now bundled applications can be built with aws-lc.
nghttp2 nghttp2-tools: updated to 1.58.0 Nghttp2 v1.58.0 build This release speeds up warning option detection with cmake. The following dependencies have been updated: ngtcp2 nghttp3 third-party neverbleed has been updated. nghttpx This release introduces stricter transfer-encoding checks. integration Enable http3 test with cmake.
nghttp2 nghttp2-tools: updated to 1.57.0 Nghttp2 v1.57.0 Security Advisory CVE-2023-44487: HTTP/2 Rapid Reset For more information, read the security advisory. lib This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset. It has reasonable amount of default budgets for incoming RST_STREAM frames. Application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and check RST_STREAM frame. nghttpx This release fixes the bug that --single-process does not work. It also fixes the bug that TLS connection is not rate limited.
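One way to build the application-side RST_STREAM rate limit that the 1.57.0 notes above mention, as an added example that is not nghttp2 or pkgsrc code: a token bucket that an nghttp2_on_frame_recv_callback could consult for every received frame. The rst_limiter type, its functions, the simulation helper and the burst/rate values are hypothetical and constructed for illustration; nghttp2 itself is not linked.

```c
#include <stdint.h>
#include <stdio.h>

/* HTTP/2 frame type codes (RFC 9113, section 6). */
enum { FRAME_HEADERS = 0x01, FRAME_RST_STREAM = 0x03 };

/* Hypothetical per-connection token bucket; not nghttp2's internal type. */
typedef struct {
  uint64_t burst;  /* bucket capacity: resets tolerated in one burst */
  uint64_t rate;   /* tokens added back per second */
  uint64_t tokens; /* tokens currently available */
  uint64_t last_s; /* time of the last refill, in whole seconds */
} rst_limiter;

void rst_limiter_init(rst_limiter *rl, uint64_t burst, uint64_t rate,
                      uint64_t now_s) {
  rl->burst = burst;
  rl->rate = rate;
  rl->tokens = burst; /* a new connection starts with a full budget */
  rl->last_s = now_s;
}

/* Add rate tokens per elapsed second, saturating at burst without overflow. */
static void rst_limiter_refill(rst_limiter *rl, uint64_t now_s) {
  if (now_s <= rl->last_s) {
    return; /* clock did not advance, or stepped backwards */
  }
  uint64_t elapsed = now_s - rl->last_s;
  uint64_t room = rl->burst - rl->tokens;
  if (rl->rate != 0 && elapsed > room / rl->rate) {
    rl->tokens = rl->burst;
  } else {
    rl->tokens += elapsed * rl->rate;
  }
  rl->last_s = now_s;
}

/* Call once per received frame. Returns 0 to keep the connection and -1 when
 * the RST_STREAM budget is exhausted. In a real on_frame_recv callback the
 * -1 case would map to a nonzero return, which nghttp2 treats as fatal. */
int rst_limiter_on_frame(rst_limiter *rl, uint8_t frame_type, uint64_t now_s) {
  if (frame_type != FRAME_RST_STREAM) {
    return 0; /* only stream resets are charged against the budget */
  }
  rst_limiter_refill(rl, now_s);
  if (rl->tokens == 0) {
    return -1;
  }
  rl->tokens--;
  return 0;
}

typedef struct {
  uint64_t accepted;    /* RST_STREAM frames processed before any cut-off */
  int dropped;          /* 1 if the limiter asked to close the connection */
  uint64_t drop_second; /* second in which the cut-off happened */
} sim_result;

/* Constructed traffic: a peer opens a stream and resets it immediately,
 * resets_per_s times per second, for the given number of seconds. */
sim_result simulate_client(uint64_t burst, uint64_t rate,
                           uint64_t resets_per_s, uint64_t seconds) {
  rst_limiter rl;
  sim_result r = {0, 0, 0};
  rst_limiter_init(&rl, burst, rate, 0);
  for (uint64_t s = 0; s < seconds; s++) {
    for (uint64_t i = 0; i < resets_per_s; i++) {
      (void)rst_limiter_on_frame(&rl, FRAME_HEADERS, s);
      if (rst_limiter_on_frame(&rl, FRAME_RST_STREAM, s) != 0) {
        r.dropped = 1;
        r.drop_second = s;
        return r;
      }
      r.accepted++;
    }
  }
  return r;
}

int main(void) {
  /* Constructed budgets: burst of 100 resets, refilled at 10 per second. */
  const uint64_t rates[] = {5, 20, 500};
  for (size_t i = 0; i < sizeof(rates) / sizeof(rates[0]); i++) {
    sim_result r = simulate_client(100, 10, rates[i], 60);
    printf("%llu resets/s: accepted=%llu dropped=%d at second %llu\n",
           (unsigned long long)rates[i], (unsigned long long)r.accepted,
           r.dropped, (unsigned long long)r.drop_second);
  }
  return 0;
}
```

A peer that stays under the refill rate never loses the connection, while a sustained reset rate above it is cut off once the burst allowance is spent.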
nghttp2 nghttp2-tools: updated to 1.56.0 Nghttp2 v1.56.0 third-party llhttp has been updated. nghttpx Rework is done in functions that send ECN bits. --frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2. nghttpx, h2load Fix issue that CMSG_DATA does not necessarily return an aligned pointer.
nghttp2 nghttp2-tools: updated to 1.55.1
Nghttp2 v1.55.1
Security Advisory
- CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec
For more information, read the security advisory. This CVE was filed by envoyproxy/envoy project, and has already been made public, and we did not take usual security procedure. See below why.
lib
This release fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945 issued by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
PoC described in CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error. nghttp2 defines 2 fatal error codes:
- NGHTTP2_ERR_NOMEM
- NGHTTP2_ERR_CALLBACK_FAILURE
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
nghttp2, nghttp2-tools: updated to 1.55.0 Nghttp2 v1.55.0 build The following dependencies have been updated: ngtcp2 nghttp3 BoringSSL This release fixes build error without libev. third-party llhttp has been updated. Cross-compiling mruby is now supported. nghttpx UDP_GRO is enabled for QUIC socket. The initial QUIC packet number is now randomized. h2load UDP_GRO is enabled for QUIC socket.
nghttp2 nghttp2-tools: updated to 1.54.0 nghttp2 v1.54.0 nghttpx: Consistent error handling and use of high-level API h2load: Fix http3 upload stall h2load: Use std::chrono::steady_clock for quic timestamp Avoid ev_now Remove unused macro bswap64 Bump ngtcp2 and nghttp3 Bump libbpf to v1.2.0 Avoid copies
nghttp2: Move fetch-ocsp-response script to nghttp2-tools. Used only by the tools, not by the library. This drops the Python dependency on the library, which is needed by curl -- should help mitigate the ouroboros of curling pythons here.
nghttp2: updated to 1.53.0 Nghttp2 v1.53.0 lib libnghttp2 uses ngtcp2/sfparse to parse Structured Field Values. build The following dependencies have been updated: ngtcp2 nghttp3 OpenSSL(quictls) BoringSSL third-party Bumped mruby to 3.2.0. nghttpx nghttpx now sends NEW_TOKEN on path change. This release fixes numeric hostname verification in peer certificate. When quitting, nghttpx now waits for all worker processes to stop. Previously, we just exit the event loop when the last process exits. But because of the bug, it does not work as intended. nghttpx logs a correct PID on fork. nghttpx now waits for new worker process to be ready before sending graceful shutdown event to the existing worker processes to avoid down time during configuration reload. Fixes the bug that causes 400 response after HTTP upgrade failure.
nghttp2: updated to 1.52.0 Nghttp2 v1.52.0 doc sphinx_rtd_theme has been removed from the repository and archive. build The following dependencies have been updated: ngtcp2 nghttp3 OpenSSL(quictls) BoringSSL libbpf CMake build now checks core and extra components to find libevent. python The deprecated Python bindings have been removed. libnghttp2_asio The deprecated libnghttp2_asio has been removed. third-party llhttp and neverbleed have been updated. nghttpx This release fixes the bug that stalls TLS connection. integration This release adds more http3 integration tests.
nghttp2 nghttp2-tools: updated to 1.51.0 nghttp2 v1.51.0 lib: add casts to silence implicit conversion warnings (GH-1822) doc: Update Ubuntu packages based on Ubuntu 22.04 (GH-1812) doc: Update android build documentation (GH-1806) build: Bump NDK and others to the latest (GH-1804) build: Bump OpenSSL versions (GH-1828) build: Bump libbpf to v1.0.1 (GH-1830) build: Bump ngtcp2 (GH-1819, GH-1831) build: Disable python bindings by default because it has been deprecated (GH-1811, GH-1826, GH-1829) build: Dockerfile android improvements (GH-1805) build: Update dependency versions for Dockerfile.android (GH-1802) third-party: Bump llhttp (GH-1827) src: Fix test failure on Linux if tz database is not available (GH-1813) nghttpx: Fix affinity-cookie-stickiness parameter handling (GH-1818) integration: Add http3 integration test (GH-1832)
nghttp2: updated to 1.50.0 v1.50.0 lib This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value. nghttpx nghttpx now respects backend-address-family option when dynamically resolving backend host with dns parameter in backend option.
nghttp2: updated to 1.49.0 Nghttp2 v1.49.0 lib This release adds nghttp2_check_header_value_rfc9113 which complains about leading and trailing white spaces. The library now uses this function instead of nghttp2_check_header_value when checking HTTP header fields. asio libnghttp2_asio has been moved to its own repository and got new maintainer. libnghttp2_asio related code in nghttp2 repository will not get any updates and be removed at the end of 2022. python Python bindings have been deprecated, and will not get any updates and be removed at the end of 2022 due to the maintenance issues. nghttpx Randomizing backend server selection has been added again. The broken PROXY-protocol when TLS is used has been fixed. nghttpx now removes trailing white spaces from HTTP header fields to align with RFC 9113.
nghttp2: updated to 1.48.0 v1.48.0 lib This release adds RFC9218 Extensible Prioritization Scheme for HTTP. It is enabled by submitting NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES via nghttp2_submit_settings(). See Stream priorities section of Programmers’ Guide. It fixes the stream stall bug when the initial window size is decreased. build Now applications can be built with Libressl 3.5. If --enable-lib-only configure option is used, no application libraries are checked. src The default TLS cipher suites are updated. ktls support has been added to nghttp, nghttpd, nghttpx, and h2load if they are built with OpenSSL >= 3.0.0. nghttpd This release fixes the bug that stalls TLS read operation. nghttpx nghttpx by default disables RFC 7540 tree based HTTP/2 priorities and uses RFC 9218 priorities instead. It has a fallback mechanism to RFC 7540 if client does not send SETTINGS_NO_RFC7540_PRIORITIES. affinity-cookie-stickiness backend parameter has been added. The session affinity feature which had been broken for quite some time has been fixed.
nghttp2: updated to 1.47.0 Nghttp2 v1.47.0 lib This release fixes the incorrect HPACK decoder table size update, which led to incorrectly requiring Dynamic Table Size Update from an encoder when it is not needed. build cmake build now disables libbpf by default. h2load Now maximum allowed maximum frame size is configurable with --max-frame-size. nghttpx --require-http-scheme option is added. It requires http or https scheme in HTTP request. It also requires that https scheme must be used for an encrypted connection. Otherwise, http scheme must be used. This option is recommended for a server deployment which directly faces clients and the services it provides only require http or https scheme. BBR2 congestion control algorithm is added to QUIC connection. libbpf is now bumped to v0.7.0 and turn on all strict features. The qlog file extension is changed to .sqlog. The bug that causes h3 stream ends prematurely has been fixed. The issue that a forwarded h3 GET request to HTTP/1.1 hop always has chunked transfer-encoding: chunked has been fixed. QUIC connection now sends and receives ECN bits. HTTP/3 trailer fields support has been added.
nghttp2: use BLAKE2s
nghttp2: updated to 1.46.0 Nghttp2 v1.46.0 build A workaround is added to avoid the broken version check in AX_PYTHON_DEVEL macro. It adds the missing cmake files to EXTRA_DIST. nghttpx HTTP/3 feature is now available with BoringSSL. SCT data is now available with BoringSSL. New QUIC and HTTP/3 related options were added: --frontend-quic-initial-rtt, --quic-server-id, and --rlimit-memlock. --frontend-quic-connection-id-encryption-key has been removed, and the new option --frontend-quic-secret-file has been added which specifies initial keying materials to generate QUIC secrets and keys for connection ID and tokens. It also supports the rotation of keying materials. HTTP/3 ALPN h3-29 is now supported. --worker-process-grace-shutdown-period option was added to set the maximum grace period to wait for a worker process to terminate gracefully. --max-worker-processes option was added to limit the number of the lingering worker processes. h2load HTTP/3 feature is now available with BoringSSL.
www: Remove SHA1 hashes for distfiles
nghttp2: updated to 1.45.1 Nghttp2 v1.45.1 build This release fixes packaging issues which lack some configuration files in tar archives. Nghttp2 v1.45.0 lib Stricter checks for :method: and :path pseudo header fields are introduced. build nghttp2 applications can be compiled with OpenSSL v3.0.0. Fix warning about systemd when cmake is used. Added build options to enable HTTP/3 and eBPF. nghttpx The experimental HTTP/3 support has been added. “dnf” (= “do not forward”) parameter is added to backend option. h2load The experimental HTTP/3 support has been added. SSLKEYLOGFILE environment variable support has been added.
nghttp2: updated to 1.44.0 1.44.0: nghttpx The bug which prevents a backend which is excluded from a load balancing group temporarily from being restored. The word master is replaced with main. The nghttpx master process is now called main process. --no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively. Remove trailing white space after $method log variable. h2load --rps option has been added. The time unit (e.g., ms) is now allowed in -D option.
nghttp2: accept lower python3. Upstream has only intended to reject python 2.x.
nghttp2: updated to 1.43.0 v1.43.0: doc Documentations are now built with Sphinx 3.3.0 or later. python The python binding now requires Python 3. All python scripts for nghttp2 development are translated to Python 3 compatible. nghttpx This release fixes a potential memory issue that a memory pool gets cleared while it is still in use. ECDSA certificate is now chosen when compatible signature algorithm is available. This release adds a workaround to include ‘:’ in backend pattern.
nghttp2 nghttp2-tools: updated to 1.42.0 Nghttp2 v1.42.0 This release includes security advisory. lib The UBSAN errors are now fixed. nghttp2_map is now backed by tree for storing collisions. doc Some clarifications are made for nghttp2_session_send function. build The missing cmake/FindSystemd.cmake has been added to the tar distribution.
nghttp2: updated to 1.14.0 Nghttp2 v1.41.0 Security Advisory CVE-2020-11080: Denial of service: Overly large SETTINGS frames For more information, read the security advisory. lib This release implements nghttp2_option_set_max_settings API which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves SETTINGS flood check earlier to make it more effective. The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is default), after window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, even after window size is increased by nghttp2_session_set_local_window_size, no more data can be received. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. It is only triggered when new data arrives but since window is filled up, no more data can be received, thus dead lock happens. build With cmake build, the hard-coded static lib suffix is now optional. nghttpx proxyprotocol v2 has been implemented. The bug in getting certificate serial number with mruby script has been fixed. h2load New option, --connect-to, is added.
nghttp2: updated to 1.40.0 nghttp2 v1.40.0 lib: Add nghttp2_check_authority as public API (GH-1413) lib: Fix the bug that stream is closed with wrong error code (GH-1408) lib: Faster huffman encoding and decoding (GH-1405) build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394) build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393) build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377) third-party: Update neverbleed to fix memory leak nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392) nghttpx: Reconnect h1 backend if it lost connection before sending headers nghttpx: Returns 408 if backend timed out before sending headers nghttpx: Fix request stall (GH-1378)
nghttp2: updated to 1.39.2 nghttp2 v1.39.2 This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. Fix CVE-2019-9511 and CVE-2019-9513 Add nghttp2_option_set_max_outbound_ack API function nghttpx: Fix request stall
nghttp2: updated to 1.39.1 v1.39.1: nghttpx This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend. v1.39.0: lib libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. third-party mruby has been upgraded to 2.0.1. asio libnghttp2-asio now supports boost-1.70. src http-parser has been replaced with llhttp. nghttpx nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. This release fixes the bug that the log level does not change to the default value on configuration reload if log-level option is missing in new configuration.
nghttp2: updated to 1.38.0 lib This release fixes the bug that on_header callback is still called after stream is closed. third-party http-parser is upgraded to v2.9.1. nghttpx This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry. It also fixes the bug that HTTP/1.1 chunked request stalls. Now nghttpx does not log authorization request header field value with -LINFO. Now nghttpx can be built with modern LibreSSL.
nghttp2: updated to 1.37.0 v1.37.0: build CMake build explicitly sets install location when building shared library. nghttpx This release fixes possible backend stall when header and request body are sent in their own packets. The backend option gets weight parameter to influence backend selection. This release fixes compile error with BoringSSL.
nghttp2: updated to 1.36.0 nghttp2 v1.36.0. build CMake build disables shared library if ENABLE_SHARED_LIB is OFF. third-party http-parser has been upgraded to v2.9.0. mruby has been upgraded to v2.0.0. nghttpx nghttpx now pools h1 backend connection per address and uses it when the round robin index points to the address. nghttpx now randomizes backend address round robin order per thread. The bug that long certificate serial numbers cannot be handled has been fixed. h2load An option to write per-request logs has been added. asio The API to get the current server port has been added.
nghttp2: updated to 1.35.1 Nghttp2 v1.35.1 nghttpx This release fixes the broken trailing slash handling when routing a request. nghttpx allows a pattern which ends “/” to match the request path which just lacks the trailing “/”. Previously, this special handling did not work if certain patterns were registered.
nghttp2: updated to 1.35.0 Nghttp2 v1.35.0 lib Use __has_declspec_attribute in order to check that dllexport/dllimport can be used. build libevent detection with cmake has been improved. src C++14 language features are now required. nghttpx mruby send_info non-final response is now written early. Fix assertion failure on mruby send_info with HTTP/1.1 frontend. h2load HTTP/1.1 non-final response is now handled correctly. Clarify that time for connect includes TLS handshake.
nghttp2: updated to 1.34.0 Nghttp2 v1.34.0 lib libnghttp2 now supports extended CONNECT method and :protocol pseudo header field defined in RFC 8441. To enable this functionality on server side, send NGHTTP2_SETTINGS_ENABLE_CONNECT_PROTOCOL using nghttp2_submit_settings(). nghttpx nghttpx now supports “Bootstrapping WebSockets with HTTP/2” defined in RFC 8441 for both frontend and backend HTTP/2 connections. read-timeout and write-timeout parameters have been added to --backend option to specify read/write timeouts per pattern which override values set by --backend-read-timeout and --backend-write-timeout options. This release fixes stability issues in neverbleed with OpenSSL 1.1.1. mruby has been updated to version 1.4.1. env.tls_handshake_finished has been added to mruby scripting to know whether TLS handshake has been completed or not. This might be useful to decide that 0-RTT data should be processed or not. --tls13-ciphers and --tls-client-ciphers options have been added to configure TLSv1.3 ciphers. nghttpx now adds Early-Data header field to the request header field when request is included in 0-RTT packet, and TLS handshake has not been completed yet. Early-Data header field is defined in RFC 8470. nghttpx now supports TLSv1.3 0-RTT data. By default, it accepts 0-RTT data, but postpones the request until TLS handshake completes. The new option --tls-no-postpone-early-data makes nghttpx not to postpone request and adds Early-Data header field to backend request. It is important to make sure that all backends must recognize Early-Data header field to mitigate replay attack. To enable 0-RTT data and most of the TLSv1.3 features, OpenSSL 1.1.1 is required.
www/nghttp2: Update to 1.33.0.
- lib: Tweak nghttp2_session_set_stream_user_data
- lib: Fix handling of SETTINGS_MAX_CONCURRENT_STREAMS.
- lib: Implement ORIGIN frame
- asio: support definition of local endpoint for cleartext client session
- integration: Remove remaining SPDY code from the integration tests.
- nghttpx: Fix worker process crash with neverbleed write error
- nghttpx: Support per-backend mruby script
- nghttpx: Fix stream reset if data from client is arrived before dconn is attached
nghttp2: updated to 1.32.1 Nghttp2 v1.32.1: nghttp2_session_set_stream_user_data now works for a stream which is not created yet, but the request which creates the stream is queued.
www/nghttp2: Update to 1.32.0.
- lib: Ignore all input after calling session_terminate_session
- lib: Fix treatment of padding
- lib: Don't allow 101 HTTP status code because HTTP/2 removes HTTP Upgrade
- build: add ENABLE_STATIC_LIB option to build static lib
- third-party: Upgrade neverbleed to the latest master
- asio: Support client side SNI
- src: Compile with libressl 2.7.2
- src: Allow building without NPN
- h2load: -r and --duration are mutually exclusive
nghttp2: updated to 1.31.0 nghttp2 v1.31.0: lib: Add nghttp2_session_set_user_data() public API function src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro nghttpx: Close listening socket on graceful shutdown nghttpx: Add an option to accept expired client certificate nghttpx: Add mruby tls_client_not_before, and tls_client_not_after nghttpx: Fix potential memory leak
nghttp2: updated to 1.30.0 1.30.0: lib: This release fixes the bug so that PING frame can be sent after GOAWAY. nghttpx: This release fixes the bug that set_header method in mruby script wrongly overwrites other header fields. upgrade-scheme parameter has been added to backend option to workaround the issue that a backend server requires that HTTP/2 :scheme pseudo header field value should be https. This release fixes the bug that ALPN validation does not occur if client does not send TLS ALPN extension. To be more compliant with RFC 8297, nghttpx now remembers which resource is pushed per a single request.
nghttp2: updated to 1.29.0
nghttp2 v1.29.0:
lib
* NGHTTP2_REFUSED_STREAM is now used as an error code passed to nghttp2_on_stream_close_callback for streams which are closed by GOAWAY to indicate that they are safely retried.
build
* SPDY related code was completely removed.
nghttpx
* The commit which breaks load balancing among HTTP/2 backend in some situations has been reverted.
* The default value of --api-max-request-body option has been increased to 32MiB.
* The time to load the large number of backend options has been greatly improved.
* The crash with --backend-http-proxy-uri option has been fixed.
nghttp2: updated to 1.28.0 nghttp2 v1.28.0 lib: Add nghttp2_error_callback2 build: Add deprecation warning when spdylay support is enabled Switch to clang-format-5.0 examples: Make client and server work with libevent-2.1.8 third-party: Update neverbleed integration: Fix issues reported by the go vet tool. nghttpx: Fix affinity retry nghttpx: Fix stalled backend connection on retry nghttpx: Cookie based session affinity nghttpx: Expose additional TLS related variables to mruby and accesslog
nghttp2: updated to 1.27.0 nghttp2 v1.27.0 build: Fixed accidental compiler flags concatenation for MSVC build: Reduce libxml2 version requirement to 2.6.26 asio: Support for Windows / MinGW h2load: Print out h2 header fields with --verbose option nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only
nghttp2: update to 1.26.0
nghttp2 v1.26.0
* docs: Fix some typos in the nghttpx how-to
* build: Update Dockerfile.android
* build: Refactoring include directories for build as CMake subdirectory (add_subdirectory(nghttp2))
* nghttpx: Fix OCSP related error when building with BoringSSL
* h2load: Fix bug that timing script stalls with -m1
* h2load: Reservoir sampling
* h2load: Add timing-based load-testing in h2load
nghttp2 v1.25.0 lib: add nghttp2_rcbuf_is_static() nghttpx: Fix bug that forwarded for is not affected by proxy protocol nghttpx: Update mruby to 1.3.0
nghttp2 v1.24.0: Documentation We have received several patches to fix grammar and typos. The broken out-of-tree build has been also fixed. nghttp We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase. nghttpx The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
Changes 1.23.1: This release fixes the bug which makes nghttpx crash in OCSP response verification with certain kind of OCSP response.
Changes 1.23.0:
libnghttp2
Previously, if libnghttp2 received an invalid header field, it was just ignored, and was treated as if it had never happened. This release changes this behaviour, and now libnghttp2 treats an incoming invalid header field as error, and resets the stream with PROTOCOL_ERROR. nghttp2_on_invalid_frame_callback is now called if validation of altsvc header field fails.
nghttpx
nghttpx now verifies the OCSP response received from a program specified by --fetch-ocsp-response-file. The validation can be turned off by using --no-verify-ocsp option. In this validation, it makes sure that the OCSP response is targeted to the expected certificate. This is important because we pass the file path to the external program (see --fetch-ocsp-response-file), and if the file is replaced because of renewal, and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this, and avoids sending the wrong OCSP response.
Changes 1.22.0: lib: Add missing free call on error in inflight_settings_new() asio: Support specifying stream priority via session::submit() nghttpx: Clarify --conf option behaviour nghttpx: Add $tls_sni access log variable nghttpx: Rename ssl_* log variables as tls_* nghttpx: Fix path matching bug nghttpx: SNI based backend server selection nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3 nghttpx: Add options for X-Forwarded-Proto header field nghttpx: Add --single-process option nghttpx: Use 502 as server error code nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl nghttp: Verify server certificate and show warning if it fails integration: Use nip.io instead of xip.io
Changes 1.21.1: The bug which causes libnghttp2_asio client to crash has been fixed. The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.
Nghttp2 v1.21.0

libnghttp2
----------
The bug that nghttp2_session_want_write may return 0 if there is pending frames after GOAWAY frame is submitted has been fixed.

build
-----
_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.

libnghttp2_asio
---------------
The asio client now sends PING frame when it gets idle for 30 seconds.

src
---
Mozilla’s “Modern compatibility” ciphers are used by default.

nghttpx
-------
The bug that -v option does not print out version number has been fixed. The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied. nghttpx now escapes certain characters in access log. nghttpx now enables backend pattern matching with --http2-proxy option as well.
Changes 1.20.0: New API, nghttp2_option_set_no_closed_streams, has been added. By default, libnghttp2 retains closed streams as suggested by RFC 7540, Section 5.3.4. If this option is used, libnghttp2 discards closed streams from memory in order to save memory usage.
Changes 1.19.0: We fixed a memory leak bug which only occurs in server side session. Client side sessions are not affected. This bug was detected by LLVM libFuzzer with HTTP/2 corpus that h2o project uses. Due to the bad code path which nullifies next pointers of linked list in a certain condition, nghttp2_stream object is not going to be freed. We highly encourage upgrading the existing installation to this latest version.
Changes 1.18.1: This release fixes several bugs in nghttpx proxy server. Since v1.18.0 release, dynamic DNS feature has been added to nghttpx. This release fixes these DNS related bugs. User reported that nghttpx exited with assertion error in libev code when DNS was enabled. After investigating it, it turned out that this bug had existed well before DNS was added, but enabling DNS helped to trigger the bug.
Changes 1.18.0: lib: Accept and ignore content-length: 0 in 204 response for now build: Use pkg-config to detect libxml2 build: Require c-ares to compile applications under src build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte) examples: Delete tiny-nghttpd nghttpx: Retry h1 backend request if first write fails (GH-757) nghttpx: Keep reading after backend write failed (GH-756) nghttpx: Add frontend-keep-alive-timeout option (GH-755) nghttpx: New error log format (GH-749) nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742) nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731) nghttpx: Lookup backend host name dynamically (GH-721) nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735) nghttpx: Wait for child process to exit
Changes 1.17.0:
libnghttp2
* In this release, libnghttp2 by default disallows content-length header field in 1xx, 204, or 200 to a CONNECT request as described in RFC 7230.
libnghttp2_asio
* Previously, server-side on_close callback was not called when connection was closed while streams were still alive. Now on_close callback is called for active streams on connection close.
build
* Remo E provided a patch to include MSVC version resource in cmake Windows build.
nghttpx
* We fixed the bug that sometimes made nghttpx crash if --backend-http-proxy-uri was used.
* We fixed the bug that one HTTP header field from HTTP/1.1 backend was split into multiple fields in some situations.
* We fixed the bug that zero-length POST was not forwarded to HTTP/1.1 backend, causing dead lock.
* We removed optional reason phrase from SPDY response header fields. This is OK since reason phrase is optional.
* To align the changes made in libnghttp2 that disallows content-length in 1xx, 204, or 200 to a CONNECT request, we did the same thing to HTTP/1.1 backend. We also disallow transfer-encoding in those status codes as well.
* dalf provided a patch to fix compile failure with BoringSSL.
nghttpd, nghttpx, and libnghttp2_asio
* We fixed the bug that mandatory SP after status code was missing in HTTP/1.1 status line.
Changes 1.16.1: We fixed the bug that nghttp2 HPACK decoder may decode wrong integer because of undefined behaviour. We fixed the bug in nghttpx that may make nghttpx crash if final response after non-final response from origin server is forwarded to HTTP/1.1 client.
Changes 1.16.0:

libnghttp2
----------
Previously, if libnghttp2 is built with DEBUGBUILD macro defined, it prints out debug messages into stderr. In this release, Anders Bakken added nghttp2_set_debug_vprintf_callback() function to set a callback which can customize how debug message is processed. The parameters passed to the callback are suitable for use with vfprintf(3) function.

libnghttp2_asio
---------------
We fixed the bug which causes crash if nghttp2::asio_http2::server::response::end() is called from outside nghttp2 callback (e.g., asynchronous timer callback).

nghttpx
-------
We have added --backend-connect-timeout option to specify how long nghttpx waits until backend TCP connection is established.

The new option --ecdh-curves lets you specify the list of named curve for use in TLS.

We have added TLS signed_certificate_timestamp extension support. signed_certificate_timestamp extension is defined in RFC 6962. The new option --tls-sct-dir is used to specify the directory which contains *.sct files. These files are read in start up, and sent to client in TLS handshake. The format of *.sct files is the same as the one that nginx and Apache mod_ssl_ct use. For additional certificates specified by --subcert option, we extended the syntax of the option, and now it can take sct-dir parameter which takes the directory that should contain *.sct files for the certificate.

h2load
------
We have added --header-table-size and --encoder-header-table-size options to specify HPACK header table size for both direction.
Changes 1.15.0: lib: Add nghttp2_option_set_max_deflate_dynamic_table_size() API function (GH-684) lib: Allow NGHTTP2_ERR_PAUSE from nghttp2_data_source_read_callback (GH-671) lib: Add nghttp2_session_get_hd_deflate_dynamic_table_size() and nghttp2_session_get_hd_inflate_dynamic_table_size() API functions to get current HPACK dynamic table size (GH-664) lib: Add nghttp2_session_get_local_settings() API function (GH-664) lib: Add nghttp2_session_get_local_window_size() and nghttp2_session_get_stream_local_window_size() API functions (GH-664) build: Add -lsocket -lnsl to APPLDFLAGS for solaris build (GH-674) neverbleed: Update neverbleed to support ECDSA certificate doc: Mention --enable-lib-only configure option in README integration: Fix test failure with go1.7.1 src: Fix compile error with openssl 1.1.0 nghttpx: Improve performance with HTTP/1.1 backend when request body is involved nghttpx: Use std::atomic_* overloads for std::shared_ptr if available nghttpx: Migrate backend stream to another h2 session on graceful shutdown nghttpx: Add option to specify HPACK encoder/decoder dynamic table size nghttpx: Log client address nghttpx: Add tls_sni to mruby Nghttpx::Env class nghttpx: Add --frontend-http2-window-size option, and its family functions nghttpx: Add experimental TCP optimization for h2 frontend nghttpx: Workaround for std::make_shared bug in Xcode7, 7.1, and 7.2 (GH-670) nghttpx: Fix bug that bytes are doubly counted to rate limit for TLS connections nghttpx: Add --no-server-rewrite option not to rewrite server header field (GH-667) nghttpx: Retry if backend h1 connection cannot be established due to timeout nghttpx: Reset stream if invalid header field is received in h2 nghttpx: Add --server-name option to change server response header field (GH-667) nghttpd: Add --encoder-header-table-size option nghttp: Add --encoder-header-table-size option python: Support ALPN, require Python 3.5
Changes 1.14.1: In this release, we fixed the bug which causes GOAWAY race with new incoming stream on server side. The bug has been reported in GH-681. This is a regression introduced in 16c4611. We were happy with that commit since nghttp2 server passed all strict mode h2spec tests. However, it turned out that it could not handle some cases well, and one of them is GOAWAY race on server side. We reverted part of that commit to fix this issue. This bug only affects nghttp2 server side session. The client side nghttp2 session is not affected by this bug.
Changes 1.12.0: This release adds 2 new API functions to libnghttp2. It also adds HTTP/1.1 POST support to h2load. nghttpx gets new features, and performance improvements.
nghttp2 v1.10.0: This release adds ALTSVC frame support in libnghttp2. nghttp gets new option to exercise expect/continue dance with server. nghttpx gets several new features, robust load balancing, and bug fixes.
Changes 1.9.2: This release fixes several stability issues of nghttpx.
Changes 1.8.0: This release adds new library APIs to send and receive non-critical HTTP/2 extension frames. It also adds new features to nghttpx and nghttpd, and polishes many rough edges.
Changes 1.7.0: Reset (RST_STREAM) stream if flow control window gets overflow Validate :authority, host, and :scheme value more strictly Check request/response submission error based side of session Strict outgoing idle stream detection Return error from nghttp2_submit_{headers,request} when self dependency is made Add -ldl to APPLDFLAGS for static openssl linking asio: Stop acceptor on server::http2::stop asio: Rename http2::get_io_services() as http2::io_services() h2load: Support UNIX domain socket h2load: Improve readability of traffic numbers h2load: Remove "auto" for -m option h2load: Show progress in rate mode h2load: Perform sampling for request and connection timings to reduce memory consumption nghttpd: Add --no-content-length option to omit content-length in response nghttpx: Interleave pushed streams with the associated stream if pushed streams are javascript and CSS resources nghttpx: The initial value of request/response buffer is increased to 128K nghttpx: Fix bug that --listener-disable-timeout option is not used nghttpx: Don't emit :authority if request does not contain authority information nghttpx: Add clarification of quotes in configuration file nghttpx: Don't allow certain characters in host and :scheme header field nghttpx: Add RFC 7239 Forwarded header field support nghttpx: Fix crash when running on IPv6 only (Patch from Vernon Tang) nghttpx: Take into account of trailers when applying max_header_fields nghttpx: Don't apply max_header_fields and header_field_buffer limit to response nghttpx: Strict validation for header fields given in configuration nghttpx: header value should not be lower-cased (Patch from ayanamist)
Changes 1.6.0: This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend upgrading the older installation to this latest version as soon as possible. Other than that we have minor polish up in libnghttp2 code base, and some new features to asio library, and h2load.
Changes 1.4.0: This release includes a number of fixes for libnghttp2. We briefly explain notable bug fixes here. Previously, libnghttp2 ignored CONTINUATION frames if preceding HEADERS frame contained padding. The appearance of CONTINUATION is rare these days, but padding is used in some services already, and we may see CONTINUATION somewhere too. The second and third bugs are SETTINGS and HPACK dynamic table size related bugs. The second bug is that previously libnghttp2 did not shrink to minimum size of requested dynamic table size contained in SETTINGS frame sent from local endpoint if it contains several SETTINGS_HEADER_TABLE_SIZE. Now it is corrected, and libnghttp2 shrinks to the minimum size. The third bug is that due to the ambiguous text in RFC 7540 and 7541, we interpreted that if receiver received SETTINGS containing SETTINGS_HEADER_TABLE_SIZE, it always has to send dynamic table size update in the next compressed header block. But it turns out that it is not the intention of the specification author. The intended behaviour is the receiver is required to send dynamic table size update only when it really changed maximum dynamic table size. Depending on the SETTINGS_HEADER_TABLE_SIZE and the current maximum dynamic table size, the table size may not change.
Changes 1.3.4:
* Make traditional init script fail if new config file is broken
* nghttpx-logrotate: Don't use killall since we have multiple processes
* nghttpx: Fix improper signal handling
Import nghttp2-1.0.1 as www/nghttp2. nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C.