HTTP/2 C library and tools

Nghttp2 v1.27.0

We have released nghttp2 v1.27.0.


LazyHamster fixed accidental compiler flags concatenation for MSVC.

Mike Lothian sent us a patch to reduce libxml2 version requirement to 2.6.26.


Daniel Evers added libnghttp2_asio support for Windows / MinGW.


HTTP/2 header fields are now printed with --verbose option.


An HTTP non-final response is now sent to HTTP/1.1 or HTTP/2 client only.

Nghttp2 v1.26.0

We have released nghttp2 v1.26.0.


Soham Sinha added timing-based load-testing in h2load. This new method performs load-testing in terms of a given duration instead of a pre-defined number of requests. The new option --duration specifies how long the load-testing takes. For example, --duration=10 makes h2load perform load-testing against a server for 10 seconds. You can also specify a “warming-up” period with --warm-up-time. If --duration is used, -n option is ignored.

Nghttp2 v1.25.0

We have released nghttp2 v1.25.0.


Anna Henningsen added nghttp2_rcbuf_is_static() API function which checks whether the underlying buffer is statically allocated or not to save extra allocation.


mruby has been updated to v1.3.0.

The bug that forwarded header field was not affected by proxy protocol was fixed.

Nghttp2 v1.24.0

We have released nghttp2 v1.24.0.


We have received several patches to fix grammer and typos.

The broken out-of-tree build has been also fixed.


We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.


The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.

Nghttp2 v1.23.1

We have released nghttp2 v1.23.1.

This release fixes the bug which makes nghttpx crash in OCSP response verification with certain kind of OCSP response.

Nghttp2 v1.23.0

We have released nghttp2 v1.23.0.


Previously, if libnghttp2 received an invalid header field, it is just ignored, and is treated like it was never happened. This release changes this behaviour, and now libnghttp2 treats an incoming invalid header field as error, and resets the stream with PROTOCOL_ERROR.

nghttp2_on_invalid_frame_callback is now called if validation of altsvc header field fails.


nghttpx now verifies that OCSP response received from a program specified by --fetch-ocsp-response-file. The validation can be turned off by using --no-verify-ocsp option. In this validation, it makes sure that the OCSP response is targeted to the expected certificate. This is important because we pass the file path to the external program (see --fetch-ocsp-response-file), and if the file is replaced because of renewal, and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this, and avoids to send wrong OCSP response.

The feature to select a certificate based on client’s supported group (curve) didn’t work as expected, but now it is fixed.

The certificate selection with SNI was broken, but now it is fixed.

--ocsp-startup option is added to postpone accepting incoming connections until the initial OCSP requests have finished.

When selecting backend based on a request path, now wildcard can be used. For example, if pattern is /foo/bar*, all request paths which have /foo/bar as prefix, and strictly longer than that match. * must match at least one character.


-y option is added to suppress peer verification failure warning.

Nghttp2 v1.22.0

We have released nghttp2 v1.22.0.


lstefani fixed the bug which results in memory leak because of missing free call on error in inflight_settings_new().


Matt Way added the functionality to specify a stream priority via session::submit().


Use of is replaced with


nghttp now shows a warning if certificate verification fails.


${tls_sni} access log variable has been added.

All ${ssl_*} access log variables have been renamed as ${tls_*}. The old names still work for backward compatibility.

SNI based backend server selection has been added. To enable this feature, use sni-fwd parameter in frontend option. The requests received in that frontend address are forwarded based on server name sent via TLS SNI extension rather than HTTP Host header field.

signed_certificate_timestamp extension has been enabled with TLSv1.3.

Historically, nghttpx always stripped incoming X-Forwarded-Proto header field, and set its own one. In this release, 2 new options have been added to tweak this behaviour. --no-strip-incoming-x-forwarded-proto option prevents nghttpx from stripping the header field from a client. --no-add-x-forwarded-proto option prevents nghttpx from adding X-Forwarded-Proto value.

--single-process option has been added which make nghttpx run in a single process. Note that if neverlbeed is enabled, nghttpx still spawns the new process for it.

SSL_CTX_set_early_data_enabled is enabled for BoringSSL.

Nghttp2 v1.21.1

We have released nghttp2 v1.21.1.

The bug which causes libnghttp2_asio client to crash has been fixed.

The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.

Nghttp2 v1.21.0

We have released nghttp2 v1.21.0.


The bug that nghttp2_session_want_write may return 0 if there is pending frames after GOAWAY frame is submitted has been fixed.


_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.


The asio client now sends PING frame when it gets idle for 30 seconds.


Mozilla’s “Modern compatibility” ciphers are used by default.


The bug that -v option does not print out version number has been fixed.

The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied.

nghttpx now escapes certain characters in access log.

nghttpx now enables backend pattern matching with --http2-proxy option as well.

TLSv1.3 Endpoint Is Now Online

In order to contribute to the development of the TLSv1.3 protocol, we have enabled TLSv1.3 support in nghttpx, and made it publicly available at It is currently draft-19.

nghttpx uses OpenSSL as an underlying TLS backend. OpenSSL community has done a great job, and been developing TLSv1.3 support (they are still WIP), and it is available in OpenSSL master branch. So just building nghttpx with this bleeding edge version of OpenSSL could enable TLSv1.3 support. But we have taken one step further, and implemented 0-RTT early data support using new SSL_read_early_data API.

For those of you to build OpenSSL from their git repository, in order to enable TLSv1.3 support, pass enable-tls1_3 option to Configure script.

In order to enable 0-RTT support in nghttpx, check out nghttpx: Enable TLSv1.3 0-RTT early data support. Please note that this branch may be rebased time to time.

To send 0-RTT early data with openssl s_client, first save a session, like so:

$ openssl s_client -connect -sess_out session.dat

The session is saved in session.dat file. We use this file to resume the session. 0-RTT early data should be stored in file. We have the following file for this example:

$ cat http.txt
GET / HTTP/1.1

$ # Don't forget to the trailing empty line to terminate HTTP request!

Then run the following command to resume session, and send 0-RTT early data:

$ openssl s_client -connect -sess_out session.dat -sess_in session.dat -early_data http.txt

If 0-RTT early data is sent, and accepted by the server, you will see the HTTP response header fields and body sent from the server.