nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.68.0

We have released nghttp2 v1.68.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.68.0.tar.gz.

lib

This release adds more glitch counters for the unexpected builtin extension frames.

h2load

This release changes the default QUIC window-bits to 24 to reduce the fragmentation on huge packet losses.

nghttpd

This release makes the supported groups configurable with --groups option.

nghttpx

TLSv1.0 and TLSv1.1 support has been dropped.

ML-DSA certificates are now selected over ECDSA and RSA. ML-DSA certificates are supported by OpenSSL and wolfSSL TLS backends.

Certificate selection based on client capability is extended to wolfSSL and BoringSSL.

--group option has been added. --ecdh-curves option has been deprecated, and if it is used, it is treated as if --group option is used.

Nghttp2 v1.67.1

We have released nghttp2 v1.67.1.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.67.1.tar.gz.

lib

The session_update_glitch_ratelim call has been removed from session_handle_invalid_stream2, because it makes error handling quite difficult: it might be called in nested function calls, and that might lead to an unexpected result. It seems to me that this was accidentally added.

Nghttp2 v1.67.0

We have released nghttp2 v1.67.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.67.0.tar.gz.

lib

This release adds nghttp2_rand_callback, and the internal hash map is initialized with the seed sampled from this callback.

Some stream errors are now promoted to the connection errors. This means that an event that previously just resets a single stream now closes a connection entirely. The promoted errors are mostly implementation errors.

We have some contradictory specifications around the nghttp2_on_invalid_header and nghttp2_on_invalid_header2 callbacks. nghttp2_on_invalid_header says that if it is omitted, a stream is reset. Meanwhile, nghttp2_on_invalid_header2 says that if it is omitted, an invalid field is silently ignored. In the actual implementation, if both are omitted, we treat it as a stream error. In practice, it is often required not to bail out if an invalid header is received. With this change, if both callbacks are omitted, an invalid field is silently ignored, as the documentation of nghttp2_on_invalid_header2 says.

The “glitch” counter has been introduced. Any suspicious activity, such as DATA frames sent to a stream which does not exist, is counted in the so-called “glitch” counter. If it increases faster than the configured rate, GOAWAY is sent and the connection is closed.
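A simplified model of the rate-limited glitch counter described above, added here as an example and not nghttp2's own implementation: a token bucket in which each suspicious event spends one token, and the caller sends GOAWAY once the bucket is empty. The names glitch_limiter and first_tripped_event, the burst of 4 and the refill rate of 1 token per second are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a per-connection glitch limiter (token bucket).
   Not nghttp2's code; the burst and rate values used here are assumptions. */
typedef struct {
  uint64_t burst;  /* maximum tokens the bucket holds */
  uint64_t rate;   /* tokens refilled per second */
  uint64_t tokens; /* tokens currently available */
  uint64_t last;   /* time of the last refill, in seconds */
} glitch_limiter;

/* Count one suspicious event at time `now`. Returns 0 while the budget
   lasts, -1 once it is spent (caller sends GOAWAY and closes). */
int glitch_limiter_record(glitch_limiter *gl, uint64_t now) {
  if (now > gl->last) {
    uint64_t elapsed = now - gl->last, room = gl->burst - gl->tokens;
    /* Refill, capped at burst, without overflowing elapsed * rate. */
    if (gl->rate != 0 && elapsed > room / gl->rate) gl->tokens = gl->burst;
    else gl->tokens += elapsed * gl->rate;
    gl->last = now;
  }
  if (gl->tokens == 0) return -1;
  gl->tokens--;
  return 0;
}

/* Constructed event timestamps (seconds): a flood, and two events/second. */
static const uint64_t FLOOD[] = {0, 0, 0, 0, 0, 0};
static const uint64_t STEADY[] = {0, 0, 1, 1, 2, 2, 3, 3, 4, 4};

/* Index of the event that trips the limiter, or -1 if none does. */
int first_tripped_event(const uint64_t *ts, int n, uint64_t burst,
                        uint64_t rate) {
  glitch_limiter gl = {burst, rate, burst, n > 0 ? ts[0] : 0};
  for (int i = 0; i < n; i++)
    if (glitch_limiter_record(&gl, ts[i]) != 0) return i;
  return -1;
}

int main(void) {
  printf("flood: %d, steady: %d\n", first_tripped_event(FLOOD, 6, 4, 1),
         first_tripped_event(STEADY, 10, 4, 1));
  return 0;
}
```

The flood exhausts the burst immediately, while the steady stream of two events per second is tolerated for a few seconds before its sustained rate outruns the refill.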

Nghttp2 v1.66.0

We have released nghttp2 v1.66.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.66.0.tar.gz.

lib

nghttp2_submit_rst_stream now does not add RST_STREAM frame more than once.

src

The support for the draft HTTP/2 ALPNs (e.g., h2-14, h2-16) has been removed.

doc

This release fixes build failure with rubydomain namespace.

h2load

QUIC is now enabled with OpenSSL >= 3.5.0.

nghttpx

QUIC is now enabled with OpenSSL >= 3.5.0.

The bug in the Forwarded By parameter value that appears when a frontend socket listens on a wildcard address has been fixed.

The rate limiting for incoming QUIC traffic has been implemented. --read-rate and --read-burst options are now applied to QUIC connection as well.

Each worker thread has its listening TCP sockets.

The usage counts of a weight group are preserved after replacing backends with backendconfig API if the name and weight of the groups under the pattern have not changed.

OCSP stapling feature has been removed.

TLS session cache via memcached has been removed.

nghttpd

Support for SSLKEYLOGFILE has been added.

Nghttp2 v1.65.0

We have released nghttp2 v1.65.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.65.0.tar.gz.

lib

RFC 7540 Priorities implementation has been removed. Here is the summary of the behavioral changes in the public API functions:

  • nghttp2_session_change_stream_priority: This function is noop. It always returns 0.
  • nghttp2_session_create_idle_stream: This function is noop. It always returns 0.
  • nghttp2_submit_request: pri_spec is ignored.
  • nghttp2_submit_request2: pri_spec is ignored.
  • nghttp2_submit_headers: pri_spec is ignored.
  • nghttp2_submit_priority: This function is noop. It always returns
  • nghttp2_stream_get_parent: This function always returns NULL.
  • nghttp2_stream_get_next_sibling: This function always returns NULL.
  • nghttp2_stream_get_previous_sibling: This function always returns NULL.
  • nghttp2_stream_get_first_child: This function always returns NULL.
  • nghttp2_stream_get_weight: This function always returns NGHTTP2_DEFAULT_WEIGHT.
  • nghttp2_stream_get_sum_dependency_weight: This function always returns 0.

nghttp2_option_set_server_fallback_rfc7540_priorities and nghttp2_option_set_no_closed_streams have also been deprecated, and have no effect.

QNX build support has been added.

cmake

Disable src tests if BUILD_TESTING is OFF.

src

url-parser has been replaced with urlparse.

h2load

Account for bytes on closing connections.

nghttp

nghttp now does not create the initial dependency tree. --no-dep and --no-rfc7540-pri options have been deprecated.

nghttp now always sends NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES HTTP/2 setting. --extpri option has been added to set priority for a given URI.

nghttpd

This change deprecates --no-rfc7540-pri option. SETTINGS_NO_RFC7540_PRIORITIES HTTP/2 setting is now always sent.

Nghttp2 v1.64.0

We have released nghttp2 v1.64.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.64.0.tar.gz.

lib

The internal :authority and host field value validation now treats @ as invalid. nghttp2_check_authority still treats it as a valid character.

cmake

This release fixes c-ares v1.34.0 version detection failure.

h2load

This release fixes race condition on h1 connection close.

It also fixes UDP datagram send/recv metric.

Nghttp2 v1.63.0

We have released nghttp2 v1.63.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.63.0.tar.gz.

lib

Compile error emitted by old compilers is suppressed.

nghttp2.h undefines NGHTTP2_NO_SSIZE_T if BUILDING_NGHTTP2 is defined.

src

wolfSSL support has been added.

Nghttp2 v1.62.0

We have released nghttp2 v1.62.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.62.0.tar.gz.

Nghttp2 v1.61.0

We have released nghttp2 v1.61.0.

This release includes a security advisory.

Security Advisory

CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

For more information, read the security advisory.

For other changes, refer to v1.61.0 release notes.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.61.0.tar.gz.

Nghttp2 v1.60.0

We have released nghttp2 v1.60.0.

lib

RFC 7540 priorities (aka stream dependencies) APIs have been deprecated. They work just like before, but in a future release after the end of 2024, the functionality will be removed, and the deprecated APIs will start behaving differently. See the API documentation for details. RFC 7540 priorities have been deprecated by RFC 9113. Consider migrating to the RFC 9218 extensible prioritization scheme.

The APIs that use ssize_t, including structs and callback functions, have been deprecated. New APIs that use nghttp2_ssize are introduced as a replacement. The usage of ssize_t is problematic for several reasons. Some platforms do not define ssize_t. The minimum value of ssize_t that POSIX requires is -1, which puts nghttp2 error codes out of range. nghttp2_ssize is an alias of ptrdiff_t, which is in the C standard and covers our error code range.

New code should use new nghttp2_ssize APIs. The existing applications should consider migrating to new APIs.

The deprecated ssize_t APIs continue to work for backward compatibility.

Here is the summary of the deprecated APIs and their replacements:

Callback functions:

  • nghttp2_data_source_read_callback => nghttp2_data_source_read_callback2
  • nghttp2_data_source_read_length_callback => nghttp2_data_source_read_length_callback2
  • nghttp2_pack_extension_callback => nghttp2_pack_extension_callback2
  • nghttp2_recv_callback => nghttp2_recv_callback2
  • nghttp2_select_padding_callback => nghttp2_select_padding_callback2
  • nghttp2_send_callback => nghttp2_send_callback2

Structs:

  • nghttp2_data_provider => nghttp2_data_provider2

Functions:

  • nghttp2_hd_deflate_hd => nghttp2_hd_deflate_hd2
  • nghttp2_hd_deflate_hd_vec => nghttp2_hd_deflate_hd_vec2
  • nghttp2_hd_inflate_hd2 => nghttp2_hd_inflate_hd3
  • nghttp2_pack_settings_payload => nghttp2_pack_settings_payload2
  • nghttp2_session_callbacks_set_data_source_read_length_callback => nghttp2_session_callbacks_set_data_source_read_length_callback2
  • nghttp2_session_callbacks_set_pack_extension_callback => nghttp2_session_callbacks_set_pack_extension_callback2
  • nghttp2_session_callbacks_set_recv_callback => nghttp2_session_callbacks_set_recv_callback2
  • nghttp2_session_callbacks_set_select_padding_callback => nghttp2_session_callbacks_set_select_padding_callback2
  • nghttp2_session_callbacks_set_send_callback => nghttp2_session_callbacks_set_send_callback2
  • nghttp2_session_mem_recv => nghttp2_session_mem_recv2
  • nghttp2_session_mem_send => nghttp2_session_mem_send2
  • nghttp2_submit_data => nghttp2_submit_data2
  • nghttp2_submit_request => nghttp2_submit_request2
  • nghttp2_submit_response => nghttp2_submit_response2

For those applications that do not want to see ssize_t in nghttp2.h header file at all, define NGHTTP2_NO_SSIZE_T macro before including nghttp2.h. It hides all ssize_t APIs.

build

cmake build and install trees are now fixed.

The following dependencies have been updated:

  • ngtcp2
  • nghttp3

CUnit has been replaced with ngtcp2/munit. munit is pulled via git submodule.

The flags to build applications with libbrotli have been added.

third-party

llhttp has been updated.

mruby is updated to v3.3.0.

h2load

--sni option has been added.

src

The certificate compression support with boringssl (or aws-lc) and libbrotli has been added.