We have released nghttp2 v1.23.0.
Previously, if libnghttp2 received an invalid header field, it is just ignored, and is treated like it was never happened. This release changes this behaviour, and now libnghttp2 treats an incoming invalid header field as error, and resets the stream with PROTOCOL_ERROR.
nghttp2_on_invalid_frame_callback is now called if validation of
altsvc header field fails.
nghttpx now verifies that OCSP response received from a program
--fetch-ocsp-response-file. The validation can be
turned off by using
--no-verify-ocsp option. In this validation, it
makes sure that the OCSP response is targeted to the expected
certificate. This is important because we pass the file path to the
external program (see
--fetch-ocsp-response-file), and if the file
is replaced because of renewal, and nghttpx has not reloaded its
configuration, the certificate nghttpx has loaded and the one included
in the file differ. Verifying the OCSP response detects this, and
avoids to send wrong OCSP response.
The feature to select a certificate based on client’s supported group (curve) didn’t work as expected, but now it is fixed.
The certificate selection with SNI was broken, but now it is fixed.
--ocsp-startup option is added to postpone accepting incoming
connections until the initial OCSP requests have finished.
When selecting backend based on a request path, now wildcard can be
used. For example, if pattern is
/foo/bar*, all request paths which
/foo/bar as prefix, and strictly longer than that match.
must match at least one character.
-y option is added to suppress peer verification failure warning.