RFC 7540 priorities (aka stream dependencies) APIs have been deprecated. They work just like before, but in the future release after the end of 2024 the functionality is removed and the deprecated APIs start behaving differently. See the API documentation for details. RFC 7540 priorities have been deprecated by RFC 9113. Consider migrating to the RFC 9218 extensible prioritization scheme.
The APIs that use ssize_t, including structs and callback functions, have been deprecated. New APIs that use nghttp2_ssize are introduced as a replacement. The usage of ssize_t is problematic for several reasons. Some platforms do not define ssize_t. The minimum value of ssize_t that POSIX requires is -1, which puts nghttp2 error codes outside the guaranteed range. nghttp2_ssize is an alias of ptrdiff_t, which is in the C standard and covers our error code range. New code should use the new nghttp2_ssize APIs. Existing applications should consider migrating to the new APIs. The deprecated ssize_t APIs continue to work for backward compatibility.
Here is the summary of the deprecated APIs and their replacements:
Callback functions:
nghttp2_data_source_read_callback => nghttp2_data_source_read_callback2
nghttp2_data_source_read_length_callback => nghttp2_data_source_read_length_callback2
nghttp2_pack_extension_callback => nghttp2_pack_extension_callback2
nghttp2_recv_callback => nghttp2_recv_callback2
nghttp2_select_padding_callback => nghttp2_select_padding_callback2
nghttp2_send_callback => nghttp2_send_callback2
Structs:
nghttp2_data_provider => nghttp2_data_provider2
Functions:
nghttp2_hd_deflate_hd => nghttp2_hd_deflate_hd2
nghttp2_hd_deflate_hd_vec => nghttp2_hd_deflate_hd_vec2
nghttp2_hd_inflate_hd2 => nghttp2_hd_inflate_hd3
nghttp2_pack_settings_payload => nghttp2_pack_settings_payload2
nghttp2_session_callbacks_set_data_source_read_length_callback => nghttp2_session_callbacks_set_data_source_read_length_callback2
nghttp2_session_callbacks_set_pack_extension_callback => nghttp2_session_callbacks_set_pack_extension_callback2
nghttp2_session_callbacks_set_recv_callback => nghttp2_session_callbacks_set_recv_callback2
nghttp2_session_callbacks_set_select_padding_callback => nghttp2_session_callbacks_set_select_padding_callback2
nghttp2_session_callbacks_set_send_callback => nghttp2_session_callbacks_set_send_callback2
nghttp2_session_mem_recv => nghttp2_session_mem_recv2
nghttp2_session_mem_send => nghttp2_session_mem_send2
nghttp2_submit_data => nghttp2_submit_data2
nghttp2_submit_request => nghttp2_submit_request2
nghttp2_submit_response => nghttp2_submit_response2
For those applications that do not want to see ssize_t in the nghttp2.h header file at all, define the NGHTTP2_NO_SSIZE_T macro before including nghttp2.h. It hides all ssize_t APIs.
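As an added example (not code from the nghttp2 project), here is a send callback written against the nghttp2_send_callback2 signature, with a constructed in-memory buffer standing in for a socket; the nghttp2 types and the NGHTTP2_ERR_WOULDBLOCK value are declared locally as stand-ins mirroring the upstream header so the file builds without libnghttp2.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the parts of nghttp2.h used here (assumption: they mirror
 * the upstream header; a real build includes <nghttp2/nghttp2.h> instead). */
typedef ptrdiff_t nghttp2_ssize;               /* alias of ptrdiff_t */
typedef struct nghttp2_session nghttp2_session;
#define NGHTTP2_ERR_WOULDBLOCK (-504)           /* far below the -1 floor POSIX gives ssize_t */

/* Constructed stand-in for a socket: a fixed-size output buffer. */
typedef struct {
  uint8_t buf[64];
  size_t len;
} mem_sink;

/* nghttp2_send_callback2 shape: return the number of bytes actually written
 * (a short write is fine), or a negative nghttp2 error code. */
static nghttp2_ssize send_cb2(nghttp2_session *session, const uint8_t *data,
                              size_t length, int flags, void *user_data) {
  mem_sink *s = user_data;
  size_t room = sizeof(s->buf) - s->len;
  (void)session;
  (void)flags;
  if (room == 0) {
    /* Nothing fits: ask nghttp2 to keep the data and call again later. */
    return NGHTTP2_ERR_WOULDBLOCK;
  }
  if (length > room) {
    length = room;
  }
  memcpy(s->buf + s->len, data, length);
  s->len += length;
  return (nghttp2_ssize)length;
}

#ifndef NGHTTP2_NO_SSIZE_T
#include <sys/types.h>
/* Deprecated nghttp2_send_callback shape, kept only for code that still
 * registers the old callback; it forwards to the nghttp2_ssize version. */
static ssize_t send_cb(nghttp2_session *session, const uint8_t *data,
                       size_t length, int flags, void *user_data) {
  return (ssize_t)send_cb2(session, data, length, flags, user_data);
}
#endif
```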
cmake build and install trees are now fixed.
The following dependencies have been updated:
CUnit has been replaced with ngtcp2/munit. munit is pulled via git submodule.
The flags to build applications with libbrotli have been added.
llhttp has been updated.
mruby is updated to v3.3.0.
--sni option has been added.
The certificate compression support with boringssl (or aws-lc) and libbrotli has been added.
This release adds an API to get and parse RFC 9218 priority.
nghttp2_select_next_protocol() has been deprecated. Use nghttp2_select_alpn() instead.
The following dependencies have been updated:
h2load now considers all h2 HEADERS when counting bytes and recording TTFB.
This release fixes the bug that TTFB is not recorded if an h3 stream has no data.
h2load now ignores 1xx status code.
An IPv6 address is now enclosed in square brackets when set in the :authority header field.
This release adds the SSL_CTX_set_recv_max_early_data() call which OpenSSL requires.
The __FILE_NAME__ macro is preferred if available.
nghttpx now propagates stream priority from backend to frontend.
This release fixes the bug that nghttpx sends QUIC RESET_STREAM when it receives RESET_STREAM from a client.
This release drops old OpenSSL (< 1.1.1) support.
Now bundled applications can be built with aws-lc.
This release fixes build issues with cygwin and mingw.
This release speeds up warning option detection with cmake.
The following dependencies have been updated:
neverbleed has been updated.
This release introduces stricter transfer-encoding checks.
Enable http3 test with cmake.
This release includes security advisory.
CVE-2023-44487: HTTP/2 Rapid Reset
For more information, read the security advisory.
This release has a fix to mitigate CVE-2023-44487: HTTP/2 Rapid Reset.
It has a reasonable default budget for incoming RST_STREAM frames. An application can tune the rate limit by using nghttp2_option_set_stream_reset_rate_limit. It can also implement its own rate limit by implementing nghttp2_on_frame_recv_callback and checking RST_STREAM frames.
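As an added example (not the project's own code) of the second option above: a token-bucket budget for RST_STREAM frames enforced from an nghttp2_on_frame_recv_callback. The nghttp2 types, NGHTTP2_RST_STREAM and NGHTTP2_ERR_CALLBACK_FAILURE are declared locally as stand-ins mirroring the upstream header so it builds without libnghttp2, and the clock is supplied by the caller through user_data.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the pieces of nghttp2.h this example touches (assumption:
 * they mirror the upstream header; a real build includes <nghttp2/nghttp2.h>). */
typedef struct nghttp2_session nghttp2_session;
typedef struct { uint8_t type; int32_t stream_id; } nghttp2_frame_hd;
typedef struct { nghttp2_frame_hd hd; } nghttp2_frame;
#define NGHTTP2_RST_STREAM 0x03
#define NGHTTP2_ERR_CALLBACK_FAILURE (-902)

/* Token bucket: at most `burst` RST_STREAM frames at once, refilled at
 * `rate` per second (the same burst/rate shape as the library's own option). */
typedef struct {
  uint64_t burst, rate, tokens, last_sec;
} rst_limiter;

static void rst_limiter_init(rst_limiter *l, uint64_t burst, uint64_t rate,
                             uint64_t now_sec) {
  l->burst = burst; l->rate = rate; l->tokens = burst; l->last_sec = now_sec;
}

/* Returns 1 if one more RST_STREAM may be accepted now, 0 if over budget. */
static int rst_limiter_allow(rst_limiter *l, uint64_t now_sec) {
  if (now_sec > l->last_sec) {
    uint64_t refill = (now_sec - l->last_sec) * l->rate;
    l->tokens = refill >= l->burst - l->tokens ? l->burst : l->tokens + refill;
    l->last_sec = now_sec;
  }
  if (l->tokens == 0) return 0;
  l->tokens--;
  return 1;
}

/* Per-connection user_data; now_sec is a constructed clock fed by the caller
 * so the behaviour is deterministic (a real server would read a monotonic clock). */
typedef struct { rst_limiter lim; uint64_t now_sec; } conn_ctx;

/* nghttp2_on_frame_recv_callback shape: 0 to continue, a fatal error code to
 * make nghttp2 abort the session. Only RST_STREAM frames are budgeted. */
static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
                         void *user_data) {
  conn_ctx *ctx = user_data;
  (void)session;
  if (frame->hd.type != NGHTTP2_RST_STREAM) return 0;
  if (!rst_limiter_allow(&ctx->lim, ctx->now_sec)) {
    /* Over budget: tear the connection down instead of serving the flood. */
    return NGHTTP2_ERR_CALLBACK_FAILURE;
  }
  return 0;
}
```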
This release fixes the bug that --single-process does not work.
It also fixes the bug that TLS connection is not rate limited.
The following dependencies have been updated:
llhttp has been updated.
Rework is done in functions that send ECN bits.
--frontend-quic-congestion-controller=bbr2 has been renamed to --frontend-quic-congestion-controller=bbrv2.
Fix issue that CMSG_DATA does not necessarily return an aligned pointer.
This release includes security advisory.
CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec
For more information, read the security advisory.
This CVE was filed by the envoyproxy/envoy project and has already been made public, and we did not take the usual security procedure. See below for why.
This release fixes a memory leak that happens when a PUSH_PROMISE or HEADERS frame cannot be sent and nghttp2_on_stream_close_callback fails with a fatal error. For example, if a GOAWAY frame has been received, a HEADERS frame that opens a new stream cannot be sent.
This issue has already been made public via CVE-2023-35945 issued by the envoyproxy/envoy project. During the embargo period, the patch to fix this bug was accidentally submitted to the nghttp2/nghttp2 repository, and they decided to disclose the CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.
The PoC described in the CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening a new stream, and nghttp2 enters the error handling branch, in order to cause the memory leak the nghttp2_session_close_stream function must return a fatal error.
nghttp2 defines 2 fatal error codes:
NGHTTP2_ERR_NOMEM
NGHTTP2_ERR_CALLBACK_FAILURE
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless the application does some memory-heavy processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from an application-defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and the connection must be closed immediately without any further action. As the nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as a fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or another error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.
The following dependencies have been updated:
This release fixes build error without libev.
llhttp has been updated.
Cross-compiling mruby is now supported.
UDP_GRO is enabled for QUIC socket.
The initial QUIC packet number is now randomized.
UDP_GRO is enabled for QUIC socket.
The following dependencies have been updated:
This release fixes HTTP/3 upload stall bug.
libnghttp2 uses ngtcp2/sfparse to parse Structured Field Values.
The following dependencies have been updated:
Bumped mruby to 3.2.0.
nghttpx now sends NEW_TOKEN on path change.
This release fixes numeric hostname verification in peer certificate.
When quitting, nghttpx now waits for all worker processes to stop. Previously, we just exited the event loop when the last process exited, but because of a bug it did not work as intended.
nghttpx logs a correct PID on fork.
nghttpx now waits for new worker process to be ready before sending graceful shutdown event to the existing worker processes to avoid down time during configuration reload.
Fixes the bug that causes 400 response after HTTP upgrade failure.
sphinx_rtd_theme has been removed from the repository and archive.
The following dependencies have been updated:
CMake build now checks core and extra components to find libevent.
The deprecated Python bindings have been removed.
The deprecated libnghttp2_asio has been removed.
llhttp and neverbleed have been updated.
This release fixes the bug that stalls TLS connection.
This release adds more http3 integration tests.
This release adds casts to silence implicit conversion warnings for the Windows build.
Updated packages described in README based on Ubuntu 22.04.
Android documentation has been updated.
The following dependencies have been updated:
Python bindings are now disabled by default because they have been deprecated.
llhttp has been updated.
This release fixes affinity-cookie-stickiness parameter handling.
This release adds http3 integration test.
This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, which disables checking for leading and trailing white space in HTTP field values.
nghttpx now respects the backend-address-family option when dynamically resolving a backend host with the dns parameter in the backend option.
This release adds nghttp2_check_header_value_rfc9113, which flags leading and trailing white space as invalid. The library now uses this function instead of nghttp2_check_header_value when checking HTTP header fields.
libnghttp2_asio has been moved to its own repository and got a new maintainer. libnghttp2_asio related code in the nghttp2 repository will not get any updates and will be removed at the end of 2022.
Python bindings have been deprecated; they will not get any updates and will be removed at the end of 2022 due to maintenance issues.
Randomizing backend server selection has been added again.
The broken PROXY-protocol when TLS is used has been fixed.
nghttpx now removes trailing white spaces from HTTP header fields to align with RFC 9113.
This release adds the RFC 9218 Extensible Prioritization Scheme for HTTP. It is enabled by submitting NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES via nghttp2_submit_settings(). See the Stream priorities section of the Programmers' Guide.
It fixes the stream stall bug when the initial window size is decreased.
Now applications can be built with Libressl 3.5.
If the --enable-lib-only configure option is used, no application libraries are checked.
The default TLS cipher suites are updated.
ktls support has been added to nghttp, nghttpd, nghttpx, and h2load if they are built with OpenSSL >= 3.0.0.
This release fixes the bug that stalls TLS read operation.
nghttpx by default disables RFC 7540 tree-based HTTP/2 priorities and uses RFC 9218 priorities instead. It has a fallback mechanism to RFC 7540 if the client does not send SETTINGS_NO_RFC7540_PRIORITIES.
affinity-cookie-stickiness backend parameter has been added.
The session affinity feature which had been broken for quite some time has been fixed.
llhttp has been updated to the latest version.
mruby has been updated to 3.1.0.
neverbleed has been updated to the latest version with some amends.
This release fixes the incorrect HPACK decoder table size update, which led to incorrectly requiring a Dynamic Table Size Update from an encoder when it is not needed.
cmake build now disables libbpf by default.
The maximum allowed frame size is now configurable with --max-frame-size.
--require-http-scheme option is added. It requires the http or https scheme in HTTP requests. It also requires that the https scheme be used for an encrypted connection; otherwise, the http scheme must be used. This option is recommended for a server deployment which directly faces clients and whose services only require the http or https scheme.
BBR2 congestion control algorithm is added to QUIC connection.
libbpf is now bumped to v0.7.0 and all strict features are turned on.
The qlog file extension is changed to .sqlog.
The bug that causes an h3 stream to end prematurely has been fixed.
The issue that a forwarded h3 GET request to an HTTP/1.1 hop always has transfer-encoding: chunked has been fixed.
QUIC connection now sends and receives ECN bits.
HTTP/3 trailer fields support has been added.
A workaround is added to avoid the broken version check in the AX_PYTHON_DEVEL macro.
It adds the missing cmake files to EXTRA_DIST.
HTTP/3 feature is now available with BoringSSL.
SCT data is now available with BoringSSL.
New QUIC and HTTP/3 related options were added: --frontend-quic-initial-rtt, --quic-server-id, and --rlimit-memlock.
--frontend-quic-connection-id-encryption-key has been removed, and the new option --frontend-quic-secret-file has been added which specifies initial keying materials to generate QUIC secrets and keys for connection ID and tokens. It also supports the rotation of keying materials.
HTTP/3 ALPN h3-29 is now supported.
--worker-process-grace-shutdown-period option was added to set the maximum grace period to wait for a worker process to terminate gracefully.
--max-worker-processes option was added to limit the number of lingering worker processes.
HTTP/3 feature is now available with BoringSSL.
This release fixes packaging issues which lack some configuration files in tar archives.
Stricter checks for :method and :path pseudo header fields are introduced.
nghttp2 applications can be compiled with OpenSSL v3.0.0.
Fix warning about systemd when cmake is used.
Added build options to enable HTTP/3 and eBPF.
The experimental HTTP/3 support has been added.
“dnf” (= “do not forward”) parameter is added to the backend option.
The experimental HTTP/3 support has been added.
SSLKEYLOGFILE environment variable support has been added.
More --with-*
configure options have been added:
--with-jansson
--with-zlib
--with-libevent-openssl
--with-libcares
--with-openssl
--with-libev
--with-cunit
The following precious variables have been added:
LIBEV_CFLAGS
LIBEV_LIBS
JEMALLOC_CFLAGS
JEMALLOC_LIBS
LIBTOOL_LDFLAGS
Bump llhttp to v6.0.2.
The bug which prevented a backend temporarily excluded from a load balancing group from being restored has been fixed.
The word master is replaced with main. The nghttpx master process is now called the main process.
--no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively.
Remove trailing white space after the $method log variable.
--rps option has been added.
The time unit (e.g., ms) is now allowed in the -D option.
This release has no changes in libnghttp2.
Documentations are now built with Sphinx 3.3.0 or later.
The python binding now requires Python 3.
All python scripts for nghttp2 development have been made Python 3 compatible.
This release fixes a potential memory issue that a memory pool gets cleared while it is still in use.
An ECDSA certificate is now chosen when a compatible signature algorithm is available.
This release adds a workaround to include ‘:’ in backend pattern.