We released nghttp2 v1.0.4.

This release fixes assertion failure in stream_update_dep_on_detach_item function, as reported in GH-264.

We released nghttp2 v1.0.3.

This release fixes the bug that PRIORITY frame including dependency to itself for idle stream resulted in fatal error from nghttp2_session_mem_recv or nghttp2_session_recv in server-side session. Now it is treated gracefully, and GOAWAY of type PROTOCOL_ERROR is issued.

We optimized priority tree handling to Firefox style dependency tree, and it dramatically speeds up the processing. The worst case, linearly linked dependency tree, is also much improved.

Now LibreSSL can be used to build nghttp2 applications. ocsp-fetch-response script also supports LibreSSL too.

We fixed the bug in nghttpx that x-forwarded-proto header field did not reflect the frontend scheme if used with HTTP/2 backend.

We released nghttp2 v1.0.2.

This release fixes the bug which causes connection window exhaustion if automatic flow-control is disabled (nghttp2_option_set_no_auto_window_update()) and certain race condition is met. When this happened, remote peer could not send any more DATA because there was no connection window left.

For Windows build, we now define NGHTTP2_EXTERN to __declspec(dllimport) when using nghttp2 library.

We translated fetch-ocsp-response script into Python, and it is now under script directory.

We got several patches to enhance Python API from Fabian Wiesel.

We fixed the bug in libevent-client that included broken :path in request if request URI did not contain path part.

For nghttpx, we added --add-request-header option to add arbitrary header fields to backend server. We also enabled generic HTTP Upgrade in HTTP/1.1 frontend (HTTP/2 disallows this, so it is not available). This means nghttpx now can proxy WebSocket connection between client and backend server.

We released nghttp2 v1.0.1.

This release fixes compilation error with MSVC eailer than 2013.

Previously, we used golang spdy package from golang.org/x/net/spdy for integration tests, but now it is removed from their repository. We pushed its copy to our github account and make integration tests work again. We will drop SPDY support when Chrome drops SPDY, until then we use that repository.

Previously, nghttpx did not allow HTTP Upgrade from POST request, or even it just erroneously terminated connection, due to the bug in http-parser. Now http-parser has been updated, and we fixed our code to allow HTTP Upgrade from POST request, if response header has not been sent to the client.

We fixed another nghttpx bug. Previously, nghttpx sent PUSH_PROMISE after associated response HEADERS. Now it is corrected, and PUSH_PROMISE is sent before associated response HEADERS.

Previously, nghttpd did not close connection after settings timeout and GOAWAY was sent. Now it is corrected, and nghttpd closes connection after GOAWAY is sent in this particular situation.

Previously, h2load erroneously dropped connection, saying there is no viable protocol negotiated, if it is built with ALPN support (OpenSSL >= 1.0.2), and server supports NPN-only, and it sends NPN protocol list correctly. Now it is corrected, and h2load works with NPN-only servers.

We finally released nghttp2 v1.0.0! Hooray!

This release is based on v0.7.15, and does not introduce any feature, but changed existing API in backward incompatible way. We hope these changes will improve usability of our API. Please read this article to upgrade from older release.

Now that HTTP/2 and HPACK RFCs are published, v1.0.0 uses h2 and h2c as primary protocol identifiers. For TLS connections, all bundled applications still accept h2-14 and h2-16. h2-14 and h2-16 will be removed in the future release. On the other hand, HTTP Upgrade now only accepts h2c only, and h2c-14 is not acceptable anymore.

We released nghttp2 v0.7.15.

This release fixes access violation in libnghttp2. This bug was found and patched by Etienne Cimon. We also fixed the bug that inflatehd crashed with malformed input.

We received another crash report for nghttpx. After investigation, we found the offending commit, 585af938287d329333d9c755698fb25aa6471dab. Reverting that commit has fixed the crash. This bug has existed since v0.7.6 release.

While working with libcurl development to implement multiplexed uploading, we added --echo-upload option to nghttpd. This feature, if enabled, sends back request body to the client if request method is POST or PUT. This will help debugging uploading feature for client side development.

Unless there is critical bug, this is the last release for 0.7 series. The development continues to 1.x series!

We released nghttp2 v0.7.14.

This release fixes global-buffer-overflow bug in HPACK compression code introduced in nghttp2 v0.7.12. We strongly recommend to upgrade the old installation to this latest release.

Previously, the example code in nghttp2_select_next_protocol documentation had a wrong code which could lead to segmentation fault, due to incorrect return value if no protocol was selected. Now it is corrected.

Previously, when header decompression failed for incoming PUSH_PROMISE, RST_STREAM was sent to the associated stream, instead of the promised stream. Now it is corrected, and RST_STREAM is sent to the promised stream.

Zhuoyun Wei kindly offered systemd and upstart configuration file for nghttpx proxy. Zhuoyun Wei also offered a patch to improve logrotate configuration file for nghttpx.

We updated sphinx_rtd_theme to the latest, which includes even nicer UI.

h2load now shows 2 new metrics: time to connect and TTFB (time to first byte). Thank you to ericcarlschwartz for bringing this awesome feature.

nghttpd now has -m option to specify its SETTINGS_MAX_CONCURRENT_STREAMS limit.

nghttpx now logs absolute URI in access log if it is configured as HTTP/2 or client proxy. It also gets --header-field-buffer and --max-header-fields options to specify maximum header field buffer size it can be received. Previously, it was hardcoded as 32KiB.

We fixed the bug in nghttp that it aborted with assertion error if very large value was given to -t option.

We released nghttp2 v0.7.13.

This release fixes the bug that promised stream was reset if NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE was returned from nghttp2_on_header_callback for PUSH_PROMISE. Instead, associated stream was reset.

nghttp2_on_begin_headers_callback now accepts NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE as return code just like nghttp2_on_header_callback.

h2load now effectively disables flow control by setting large window size. Previously h2load used default flow control window as described in HTTP/2 and SPDY specification. The window size is 64KiB, which is a bit small, and cannot utilize full server performance when response size is not too small. Basically, we do this kind of benchmarking test to measure server’s throughput, and optimal performance. Smaller window certainly degrades performance even in local testing because server is so fast that it has to wait for WINDOW_UPDATE from h2load. To make default behaviour suitable for peak performance test, we decided to disable flow control in h2load by setting large enough window size. Most users used h2load without -w or -W options, so they were implicitly throttled by flow control and the result was affected by that negatively. Now flow control is disabled by default, the result may improve depending on the implementations.

libnghttp2_asio server’s listen_and_serve function now takes asynchronous parameter, and if it is true, the function returns immediately and caller can gracefully shutdown server. This patch was contributed from Xiaoguang Sun.

We released nghttp2 v0.7.12.

This release fixes the bug that nghttp2_session_set_next_stream_id() accepts invalid stream ID as paremter. It also fixes the installation issue where libnghttp2_asio header files are installed even if build configuration disables it.

We did some optimization in HPACK code, and it is a bit faster than the previous version. We also made compressor encode “authorization” and “cookie” header fields with small values with never indexing representation automatically.

For documentation, previously some hyperlinks in man pages of bundled application pointed to wrong direction. Now they are corrected.

For libnghttp2_asio client library, error_cb is now called when error occurred in libnghttp2 code or async read/write code.

Previously nghttp uses its own dependency priority scheme by default and switches to Firefox style one if --idle-dep option is used. Now we rewrite --idle-dep feature, and now we closely mimics Firefox’s behaviour (not entirely the same, of course), and now it is the default priority scheme for nghttp. So we removed --idle-dep option.

With -s option, nghttp shows some statistics of request/response times. Now stream ID is included there.

nghttp also gets --no-push option to disable server push (for HTTP/2 expert, this sends SETTINGS_ENABLE_PUSH with 0 value).

We released nghttp2 v0.7.11.

This release fixes waitpid race condition in ocsp response update in nghttpx.