We released nghttp2 v1.4.0.
This release includes number of fixes for libnghttp2. We briefly
explain notable bug fixes here. Previously, libnghttp2 ignored
CONTINUATION frames if preceding HEADERS frame contained padding. The
appearance of CONTINUATION is rare these days, but padding is used in
some services already, and we may see CONTINUATION somewhere too. The
second and third bugs are SETTINGS and HPACK dynamic table size
related bugs. The second bug is that previously libnghttp2 did not
shrink to minimum size of requested dynamic table size contained in
SETTINGS frame sent from local endpoint if it contains several
SETTINGS_HEADER_TABLE_SIZE. Now it is corrected, and libnghttp2
shrinks to the minimum size. The third bug is that due to the
ambiguous text in RFC 7540 and 7541, we interpreted that if receiver
received SETTINGS containing
SETTINGS_HEADER_TABLE_SIZE, it always
has to send dynamic table size update in the next compressed header
block. But it turns out that
it is not the intention of the specification author.
The intended behaviour is the receiver is required to send dynamic
table size update only when it really changed maximum dynamic table
size. Depending on the
SETTINGS_HEADER_TABLE_SIZE and the current
maximum dynamic table size, the table size may not change. The
original bug report is
To protect from suspicious peer, if libnghttp2 detected peer is
flooding local endpoint with excessive SETTINGS and PING,
nghttp2_session_recv() now return
fatal error code
Application now can return
nghttp2_send_data_callback to indicate that application wants to
immediately without processing next outgoing frames.
libnghttp2 now hides all internal private symbols using
-fvisibility=hidden, if compiler supports it. This should not
affect current applications since they should use public APIs only.
It will increase performance, but the downside is that now static
library is required to run unit tests. To offer the same
functionality of python HPACK binding, deflatehd and inflatehd
applications which previously used internal private functions, we
added the following functions to public API:
nghttp2_hd_deflate_get_max_dynamic_table_size() and their
nghttp2_hd_inflater counterparts. These are used to get header
table entry using 1-based index, and current and maximum dynamic table
configuration summary now prints out more detailed information, including CFLAGS and LIBS for each detected third party library.
Applications under src directory can be now compiled with BoringSSL. Building programs under examples, including libevent-client and libevent-server, with BoringSSL is a bit tricky, since you have to build libevent with BoringSSL first. We haven’t verified that works.
nghttpx has new options, and some bug fixes. The bug that PUT method
is replaced with POST in HTTP/1 frontend was fixed. Lucas Pardue
added TLS dynamic record size behaviour command line options.
--tls-dyn-rec-warmup-threshold option sets the number of bytes
before switching to full TLS record size.
--tls-dyn-rec-idle-timeout option specifies the idle time duration.
When it is passed, TLS record size is back to 1300 bytes. Peeyush
--fastopen option to enable
RFC 7413 (TCP Fast Open) for
listening connections. We also added
neverbleed support to nghttpx.
It is disabled by default, and is enabled by
configure option. mruby scripting API has changed along with the
option name (now unified
--mruby-file option), see the
for details. We changed default timeouts for read sockets to 1
minutes. Previous timeout is a bit too long.
h2load also gets new features. Lucas Pardue added option
--rate-period for user-definable rate period. Previously, it was
fixed to 1 second, but now user can specify any value, from subseconds
period to more than 1 second. Previously, if HTTP/1 is used, h2load
did not reconnect to the server if server closed connection gracefully
with “Connection: close”. Apache web server does this actively after
processing several number of requests. If that happened, h2load
marked all remaining requests assigned to that connection failure.
Now it is corrected, and h2load connects to the server again, and
continues to load testing. We also enabled SSL/TLS session resumption
in h2load client.
We simplified h2load rate mode in this release. In this change, we
-C option. Instead,
-c option is used to specify the
number of connections to be made, and it is now required argument if
more than 1 client are required (this is usually the case). The
number of requests made per connection is calculated simply by
In h2load, we changed the handling of
-n option when
--timing-script-file is used. If
-n is used with
--timing-script, it specifies the number of requests each client
will make rather than the total number of requests h2load will perform
across clients. This handling applies to rate mode as well.
nghttp now allows multiple
-c option occurrences, and takes min and
last value, and sends both of them in SETTINGS to simulate multiple
dynamic table size changes.