HTTP/2 C library and tools

Nghttp2 v1.31.0

We have released nghttp2 v1.31.0.


nghttp2_session_set_user_data() is added to set new user data to nghttp2_session.


The option --verify-client-tolerate-expired has been added, which makes nghttpx accept expired client certificates.

tls_client_not_before and tls_client_not_after are now available to mruby scripting. They return the NotBefore and NotAfter of the client certificate, respectively.

Nghttp2 v1.30.0

We have released nghttp2 v1.30.0.


This release fixes the bug so that a PING frame can be sent after GOAWAY.


This release fixes the bug that the set_header method in mruby script wrongly overwrites other header fields.

The upgrade-scheme parameter has been added to the backend option to work around the issue that a backend server requires the HTTP/2 :scheme pseudo header field value to be https.

This release fixes the bug that ALPN validation does not occur if the client does not send the TLS ALPN extension.

To be more compliant with RFC 8297, nghttpx now remembers which resources are pushed for a single request.

Nghttp2 v1.29.0

We have released nghttp2 v1.29.0.


NGHTTP2_REFUSED_STREAM is now used as the error code passed to nghttp2_on_stream_close_callback for streams which are closed by GOAWAY, to indicate that they can be safely retried.


SPDY related code was completely removed.


The commit which breaks load balancing among HTTP/2 backends in some situations has been reverted.

The default value of the --api-max-request-body option has been increased to 32MiB.

The time to load a large number of backend options has been greatly improved.

The crash with --backend-http-proxy-uri option has been fixed.

Nghttp2 v1.28.0

We have released nghttp2 v1.28.0.


nghttp2_error_callback2 callback function has been added. It is an extended version of the existing nghttp2_error_callback. The new callback takes a new parameter which indicates the error code. nghttp2_error_callback is now deprecated.


This release officially deprecates spdylay support. The next release, v1.29.0, will remove all SPDY related code.


Cookie based session affinity has been implemented. To use it, specify affinity=cookie in the backend option. The affinity-cookie-name parameter must also be specified to give the name of the cookie. affinity-cookie-path and affinity-cookie-secure control the path and secure attributes of the cookie, respectively.

The bug that a backend connection might be stalled on retry has been fixed.

The existing TLS related variables available to the access log are now exposed to the mruby Env object. This release also adds new TLS related variables: $tls_client_fingerprint_sha256, $tls_client_fingerprint_sha1, $tls_client_subject_name, $tls_client_issuer_name, and $tls_client_serial. They are available to both mruby and the access log.

Nghttp2 v1.27.0

We have released nghttp2 v1.27.0.


LazyHamster fixed accidental compiler flags concatenation for MSVC.

Mike Lothian sent us a patch to reduce libxml2 version requirement to 2.6.26.


Daniel Evers added libnghttp2_asio support for Windows / MinGW.


HTTP/2 header fields are now printed with --verbose option.


An HTTP non-final response is now sent to HTTP/1.1 or HTTP/2 client only.

Nghttp2 v1.26.0

We have released nghttp2 v1.26.0.


Soham Sinha added timing-based load-testing in h2load. This new method performs load-testing in terms of a given duration instead of a pre-defined number of requests. The new option --duration specifies how long the load-testing takes. For example, --duration=10 makes h2load perform load-testing against a server for 10 seconds. You can also specify a “warming-up” period with --warm-up-time. If --duration is used, -n option is ignored.

Nghttp2 v1.25.0

We have released nghttp2 v1.25.0.


Anna Henningsen added nghttp2_rcbuf_is_static() API function which checks whether the underlying buffer is statically allocated or not to save extra allocation.


mruby has been updated to v1.3.0.

The bug that the forwarded header field was not affected by proxy protocol has been fixed.

Nghttp2 v1.24.0

We have released nghttp2 v1.24.0.


We have received several patches to fix grammar and typos.

The broken out-of-tree build has also been fixed.


We fixed the bug that HTTP Upgrade fails if the HTTP response does not have a reason-phrase.


The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.

Nghttp2 v1.23.1

We have released nghttp2 v1.23.1.

This release fixes the bug which makes nghttpx crash in OCSP response verification with a certain kind of OCSP response.

Nghttp2 v1.23.0

We have released nghttp2 v1.23.0.


Previously, if libnghttp2 received an invalid header field, it was just ignored and treated as if it had never been received. This release changes this behaviour: libnghttp2 now treats an incoming invalid header field as an error, and resets the stream with PROTOCOL_ERROR.

nghttp2_on_invalid_frame_callback is now called if validation of the altsvc header field fails.


nghttpx now verifies the OCSP response received from the program specified by --fetch-ocsp-response-file. The validation can be turned off by using the --no-verify-ocsp option. This validation makes sure that the OCSP response is targeted to the expected certificate. This is important because we pass the file path to the external program (see --fetch-ocsp-response-file), and if the file is replaced because of renewal and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one included in the file differ. Verifying the OCSP response detects this, and avoids sending a wrong OCSP response.

The feature to select a certificate based on client’s supported group (curve) didn’t work as expected, but now it is fixed.

The certificate selection with SNI was broken, but now it is fixed.

The --ocsp-startup option has been added to postpone accepting incoming connections until the initial OCSP requests have finished.

When selecting a backend based on a request path, a wildcard can now be used. For example, if the pattern is /foo/bar*, it matches all request paths which have /foo/bar as a prefix and are strictly longer than that. * must match at least one character.
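The wildcard rule above, as an added example in C (not nghttpx's own code): it shows that a pattern such as /foo/bar* does not cover the bare path /foo/bar, which matters when a wildcard pattern is relied on to route or restrict a whole subtree. The function names are hypothetical, and treating non-wildcard patterns as exact matches is a simplifying assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if path matches pattern, 0 otherwise.
 * A pattern ending in '*' matches any path that has the text before
 * the '*' as a prefix AND is strictly longer than that prefix.
 * Assumption of this example: other patterns are exact matches. */
int path_pattern_match(const char *pattern, const char *path) {
    size_t plen = strlen(pattern);
    size_t len = strlen(path);

    if (plen == 0 || pattern[plen - 1] != '*') {
        return strcmp(pattern, path) == 0;
    }
    size_t prefix_len = plen - 1;
    /* '*' must consume at least one character. */
    if (len <= prefix_len) {
        return 0;
    }
    return memcmp(pattern, path, prefix_len) == 0;
}

/* Audit helper: stores the indices of paths that no pattern matches
 * in uncovered[] (caller provides room for npaths entries) and
 * returns how many there are. */
size_t find_uncovered(const char *const *patterns, size_t npat,
                      const char *const *paths, size_t npaths,
                      size_t *uncovered) {
    size_t n = 0;
    for (size_t i = 0; i < npaths; i++) {
        int hit = 0;
        for (size_t j = 0; j < npat && !hit; j++) {
            hit = path_pattern_match(patterns[j], paths[i]);
        }
        if (!hit) {
            uncovered[n++] = i;
        }
    }
    return n;
}

int main(void) {
    /* Constructed sample input. */
    const char *patterns[] = {"/foo/bar*"};
    const char *paths[] = {"/foo/bar", "/foo/bar/", "/foo/barbaz", "/foo/ba"};
    size_t miss[4];
    size_t n = find_uncovered(patterns, 1, paths, 4, miss);
    for (size_t i = 0; i < n; i++) {
        printf("no pattern matches: %s\n", paths[miss[i]]);
    }
    return 0;
}
```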


The -y option has been added to suppress the peer verification failure warning.