We have released nghttp2 v1.67.0.

Do not download the archive files generated by GitHub. They do not work. Please download the signed and versioned tar balls, such as nghttp2-1.67.0.tar.gz.

lib

This release adds nghttp2_rand_callback, and the internal hash map is initialized with the seed sampled from this callback.

Some stream errors are now promoted to the connection errors. This means that an event that previously just resets a single stream now closes a connection entirely. The promoted errors are mostly implementation errors.

We have some contradictory specifications around nghttp2_on_invalid_header and nghttp2_on_invalid_header2 callbacks. nghttp2_on_invalid_header says that if it is omitted, a stream is reset. Meanwhile, nghttp2_on_invalid_header2 says that if it is omitted, invalid field is silently ignored. In actual implementation, if both omitted, we treat it as stream error. In practice, it is often required not to bail out if invalid header is received. In this change, if both callbacks are omitted, invalid field is silently ignored as the documentation of nghttp2_on_invalid_header2 says.

The “glitch” counter has been introduced. Any suspicious activity such as DATA frames to a stream which does not exist are counted to so called “glitch” counter. If it increases more than the configured rate, GOAWAY is sent and the connection is closed.