We released nghttp2 v1.6.0.
This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible. Other than that we have minor polish up in libnghttp2 code base, and some new features to asio library, and h2load.
We tightened up the error condition when we received frame which is not allowed in that state. We now make it connection error if we are sure that peer really violates the protocol.
Previously, the default remote SETTINGS_MAX_CONCURRENT_STREAMS
value
was unlimited as per RFC 7540. But this was problematic, and this
could lead to many REFUSED_STREAM
, or ENHANCE_YOUR_CALM
error. To
avoid this situation, and make it more friendly to peer, we assume
that the default remote SETTINGS_MAX_CONCURRENT_STREAMS
is 100.
When we get this SETTINGS value from peer, we will update it. The
application can change this initial value using
nghttp2_option_set_peer_max_concurrent_streams()
API.
Previously, stream object for pushed stream was not created when
nghttp2_submit_push_promise()
returned. It was created after
nghttp2_before_frame_send_callback
was called. So application had
to wait for its invocation when it wanted to use stream object. Now
stream object is created right after successful
nghttp2_submit_push_promise()
call.
We added new API, nghttp2_session_create_idle_stream()
. This
function creates idle stream without telling it the remote endpoint.
Previously, if we wanted to build libnghttp2 only, we had to give
--disable-app
, --disable-examples
, --disable-hpack-tools
, and
--disable-python-bindings
options to configure script. We added
--lib-only
configure option as a short hand for these options.
The previous package build failed without OpenSSL 1.0.2. This was fixed in this release by the patch contributed by Sunpoet Po-Chuan Hsieh.
Andreas Pohl added several new server APIs.
nghttp2::asio_http2::server::http2::get_io_services()
returns all
underlying io_service objects.
nghttp2::asio_http2::server::request::remote_endpoint()
returns the
remote endpoint address.
We added configurable connect, and read timeout for asio client API.
See nghttp2::asio_http2::client::session::connect_timeout()
, and
nghttp2::asio_http2::client::session::read_timeout()
API. This
involved backend incompatible change, and the application must be
recompiled to use new asio library (this applies to asio library only,
and libnghttp2 is fully backward compatible to 1.0.0).
Similarly, we added configurable TLS handshake, and read timeout for
asio server API. See
nghttp2::asio_http2::server::http2::tls_handshake_timeout()
, and
nghttp2::asio_http2::server::http2::read_timeout()
API.
h2load now shows min, max, mean and sd (standard deviation) of request per second value calculated per connection. This is useful to see how performance differs between connections.