We have released nghttp2 v1.35.1.

nghttpx

This release fixes the broken trailing slash handling when routing a request. nghttpx allows a pattern which ends “/” to match the request path which just lacks the trailing “/”. Previously, this special handling did not work if certain patterns were registered.

We have released nghttp2 v1.35.0.

lib

Use __has_declspec_attribute in order to check that dllexport/dllimport can be used.

build

libevent detection with cmake has been improved.

src

C++14 language features are now required.

nghttpx

mruby send_info non-final response is now written early.

Fix assertion failure on mruby send_info with HTTP/1.1 frontend.

h2load

HTTP/1.1 non-final response is now handled correctly.

Clarify that time for connect includes TLS handshake.

We have released nghttp2 v1.34.0.

lib

libnghttp2 now supports extended CONNECT method and :protocol pseudo header field defined in RFC 8441. To enable this functionality on server side, send NGHTTP2_SETTINGS_ENABLE_CONNECT_PROTOCOL using nghttp2_submit_settings().

nghttpx

nghttpx now supports “Bootstrapping WebSockets with HTTP/2” defined in RFC 8441 for both frontend and backend HTTP/2 connections.

read-timeout and write-timeout parameters have been added to --backend option to specify read/write timeouts per pattern which override values set by --backend-read-timeout and --backend-write-timeout options.

This release fixes stability issues in neverbleed with OpenSSL 1.1.1.

mruby has been updated to version 1.4.1.

env.tls_handshake_finished has been added to mruby scripting to know whether TLS handshake has been completed or not. This might be useful to decide that 0-RTT data should be processed or not.

--tls13-ciphers and --tls-client-ciphers options have been added to configure TLSv1.3 ciphers.

nghttpx now adds Early-Data header field to the request header field when request is included in 0-RTT packet, and TLS handshake has not been completed yet. Early-Data header field is defined in RFC 8470.

nghttpx now supports TLSv1.3 0-RTT data. By default, it accepts 0-RTT data, but postpones the request until TLS handshake completes. The new option --tls-no-postpone-early-data makes nghttpx not to postpone request and adds Early-Data header field to backend request. It is important to make sure that all backends must recognize Early-Data header field to mitigate reply attack.

To enable 0-RTT data and most of the TLSv1.3 features, OpenSSL 1.1.1 is required.

We have released nghttp2 v1.33.0.

lib

RFC 8336 ORIGIN frame support has been added.

The value of SETTINGS_MAX_CONCURRENT_STREAMS is now set to unlimited if a remote peer does not explicitly include it in SETTINGS frame. Previously, it remains the initial value, 100.

asio

Configuring local address for cleartext connection has been added.

nghttpx

mruby parameter has been added to backend option. mruby parameter specifies the path to mruby script file which is executed when the particular pattern is selected.

Fix bug which causes worker process to abort if neverbleed daemon process is killed before deleting SSL_CTX object.

Fix bug that stream is reset if request body is arrived before backend is selected.

We have released nghttp2 v1.32.1.

lib

nghttp2_session_set_stream_user_data now works for a stream which is not created yet, but the request which creates the stream is queued.

We have released nghttp2 v1.32.0.

lib

The incorrect validation of padding against frame boundary has been fixed.

Now once nghttp2_session went terminal state, it ignores all inputs.

The incoming HTTP status code 101 is now disallowed.

build

ENABLE_STATIC_LIB option is added to cmake build in order to build static library.

third-party

neverbleed has been updated to compile with LibreSSL 2.7.

asio

Now client sends TLS SNI extension.

src

The nghttp2 applications can now compile with LibreSSL 2.7 and without TLS NPN extension support.

h2load

h2load now exits early with the error if --rate and --duration are used at the same time.

We have released nghttp2 v1.31.1.

This release addresses following security issue.

Security Advisory

CVE-2018-1000168: Denial of service due to NULL pointer dereference.

Vulnerability

If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault.

ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accept is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability.

ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838.

Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame.

Affected Versions

• Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
• Not affected versions: nghttp2 >= 1.31.1

The Solution

Upgrade to nghttp2 v1.31.1.

If the upgrade cannot be possible:

For client, disable ALTSVC, removing the call to nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)

For server, because it is never expected to receive ALTSVC, just remove nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Time Line

It was first reported to the nghttp2 team April 4 2018.

nghttp2 v1.31.1 was released on April 12 2018.

Credits

Reported by Jordan Zebor at F5 Networks, and James M Snell from Node.js project. Fixed by the nghttp2 team.

Thank you for all who involved.

This security advisory format is inspired from curl/libcurl project.

We have released nghttp2 v1.31.0.

lib

nghttp2_session_set_user_data() is added to set new user data to nghttp2_session.

nghttpx

The option --verify-client-tolerate-expired has been added, which makes nghttpx accept expired client certificate.

tls_client_not_before, and tls_client_not_after are now available to mruby scripting. They return NotBefore, and NotAfter of client certificate respectively.

We have released nghttp2 v1.30.0.

lib

This release fixes the bug so that PING frame can be sent after GOAWAY.

nghttpx

This release fixes the bug that set_header method in mruby script wrongly overwrites other header fields.

upgrade-scheme parameter has been added to backend option to workaround the issue that a backend server requires that HTTP/2 :scheme pseudo header field value should be https.

This release fixes the bug that ALPN validation does not occur if client does not send TLS ALPN extension.

To more compliant to RFC 8297, nghttpx now remembers which resource is pushed per a single request.

We have released nghttp2 v1.29.0.

lib

NGHTTP2_REFUSED_STREAM is now used as an error code passed to nghttp2_on_stream_close_callback for streams which are closed by GOAWAY to indicate that they are safely retried.

build

SPDY related code was completely removed.

nghttpx

The commit which breaks load balancing among HTTP/2 backend in some situations has been reverted.

The default value of --api-max-request-body option has been increased to 32MiB.

The time to load the large number of backend options has been greatly improved.

The crash with --backend-http-proxy-uri option has been fixed.