HTTP/2 C library and tools

Nghttp2 v1.47.0

We have released nghttp2 v1.47.0.


This release fixes an incorrect HPACK decoder table size update, which led the decoder to incorrectly require a Dynamic Table Size Update from an encoder when it was not needed.


cmake build now disables libbpf by default.


The maximum allowed maximum frame size is now configurable with --max-frame-size.


The --require-http-scheme option is added. It requires the http or https scheme in an HTTP request. It also requires that the https scheme is used for an encrypted connection; otherwise, the http scheme must be used. This option is recommended for a server deployment which directly faces clients and whose services only require the http or https scheme.

BBR2 congestion control algorithm is added to QUIC connection.

libbpf is now bumped to v0.7.0, and all strict features are turned on.

The qlog file extension is changed to .sqlog.

The bug that caused an h3 stream to end prematurely has been fixed.

The issue that a forwarded h3 GET request to an HTTP/1.1 hop always has transfer-encoding: chunked has been fixed.

QUIC connection now sends and receives ECN bits.

HTTP/3 trailer fields support has been added.

Nghttp2 v1.46.0

We have released nghttp2 v1.46.0.


A workaround is added to avoid the broken version check in AX_PYTHON_DEVEL macro.

It adds the missing cmake files to EXTRA_DIST.


HTTP/3 feature is now available with BoringSSL.

SCT data is now available with BoringSSL.

New QUIC and HTTP/3 related options were added: --frontend-quic-initial-rtt, --quic-server-id, and --rlimit-memlock.

--frontend-quic-connection-id-encryption-key has been removed, and the new option --frontend-quic-secret-file has been added which specifies initial keying materials to generate QUIC secrets and keys for connection ID and tokens. It also supports the rotation of keying materials.

HTTP/3 ALPN h3-29 is now supported.

--worker-process-grace-shutdown-period option was added to set the maximum grace period to wait for a worker process to terminate gracefully.

--max-worker-processes option was added to limit the number of the lingering worker processes.


HTTP/3 feature is now available with BoringSSL.

Nghttp2 v1.45.1

We have released nghttp2 v1.45.1.


This release fixes packaging issues which lack some configuration files in tar archives.

Nghttp2 v1.45.0

We have released nghttp2 v1.45.0.


Stricter checks for the :method and :path pseudo header fields are introduced.


nghttp2 applications can be compiled with OpenSSL v3.0.0.

Fix warning about systemd when cmake is used.

Added build options to enable HTTP/3 and eBPF.


The experimental HTTP/3 support has been added.

“dnf” (= “do not forward”) parameter is added to backend option.


The experimental HTTP/3 support has been added.

SSLKEYLOGFILE environment variable support has been added.

Nghttp2 v1.44.0

We have released nghttp2 v1.44.0.


More --with-* configure options have been added:

  • --with-jansson
  • --with-zlib
  • --with-libevent-openssl
  • --with-libcares
  • --with-openssl
  • --with-libev
  • --with-cunit

The following precious variables have been added:



Bump llhttp to v6.0.2.


The bug which prevented a backend that was temporarily excluded from a load balancing group from being restored has been fixed.

The word master is replaced with main. The nghttpx master process is now called the main process.

--no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively.

Remove trailing white space after $method log variable.


--rps option has been added.

The time unit (e.g., ms) is now allowed in -D option.

Nghttp2 v1.43.0

We have released nghttp2 v1.43.0.

This release has no changes in libnghttp2.


Documentation is now built with Sphinx 3.3.0 or later.


The python binding now requires Python 3.

All Python scripts for nghttp2 development have been converted to be Python 3 compatible.


This release fixes a potential memory issue in which a memory pool gets cleared while it is still in use.

An ECDSA certificate is now chosen when a compatible signature algorithm is available.

This release adds a workaround to include ‘:’ in backend pattern.

Nghttp2 v1.42.0

We have released nghttp2 v1.42.0.


The UBSAN errors are now fixed.

nghttp2_map is now backed by a tree for storing collisions.


Some clarifications are made for nghttp2_session_send function.


The missing cmake/FindSystemd.cmake has been added to the tar distribution.


Bump llhttp to 2.2.0 and mruby to 2.1.2.


This release fixes the bug that nghttpx cannot deal with the case when h2 backend is retired before it is initialized.

New access logging variables are added: $method, $path, $path_without_query, and $protocol_version.

The bug that makes nghttpx stall when TLS follows after proxy protocol was fixed.

The bug in logging negative integer is fixed.

Nghttp2 v1.41.0

We have released nghttp2 v1.41.0.

This release includes a security advisory.

Security Advisory

CVE-2020-11080: Denial of service: Overly large SETTINGS frames

For more information, read the security advisory.


This release implements nghttp2_option_set_max_settings API which sets the maximum number of SETTINGS entries in one SETTINGS frame to mitigate the security issue. It also moves SETTINGS flood check earlier to make it more effective.
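The kind of limit that nghttp2_option_set_max_settings configures, shown as an added, self-contained example; it is not nghttp2's own code. The names check_settings and make_settings and the cap of 32 are assumptions chosen for illustration, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HDRLEN = 9, TYPE_SETTINGS = 0x04, FLAG_ACK = 0x01, ENTRY_LEN = 6 };
enum verdict { V_OK, V_TRUNCATED, V_NOT_SETTINGS, V_BAD_STREAM,
               V_BAD_LENGTH, V_TOO_MANY };

/* Validate one HTTP/2 SETTINGS frame (RFC 7540, section 6.5) held in buf. */
enum verdict check_settings(const uint8_t *buf, size_t len,
                            size_t max_entries, size_t *nentries) {
  *nentries = 0;
  if (len < HDRLEN) return V_TRUNCATED;
  size_t payload = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
  if (buf[3] != TYPE_SETTINGS) return V_NOT_SETTINGS;
  /* 31-bit stream identifier; SETTINGS is only valid on stream 0. */
  uint32_t sid = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16) |
                 ((uint32_t)buf[7] << 8) | buf[8];
  if (sid != 0) return V_BAD_STREAM;
  /* Entries are 6 bytes (16-bit id, 32-bit value); an ACK carries none. */
  if (payload % ENTRY_LEN != 0) return V_BAD_LENGTH;
  if ((buf[4] & FLAG_ACK) && payload != 0) return V_BAD_LENGTH;
  *nentries = payload / ENTRY_LEN;
  /* The count follows from the header alone: reject before reading entries. */
  if (*nentries > max_entries) return V_TOO_MANY;
  if (len - HDRLEN < payload) return V_TRUNCATED;
  return V_OK;
}

/* Constructed sample: n entries of SETTINGS_MAX_CONCURRENT_STREAMS (0x3) = 100. */
size_t make_settings(uint8_t *out, size_t n, uint8_t flags) {
  size_t payload = n * ENTRY_LEN;
  memset(out, 0, HDRLEN + payload);
  out[0] = (uint8_t)(payload >> 16); out[1] = (uint8_t)(payload >> 8);
  out[2] = (uint8_t)payload; out[3] = TYPE_SETTINGS; out[4] = flags;
  for (size_t i = 0; i < n; i++) {
    out[HDRLEN + i * ENTRY_LEN + 1] = 0x03;
    out[HDRLEN + i * ENTRY_LEN + 5] = 100;
  }
  return HDRLEN + payload;
}

int main(void) {
  static uint8_t f[HDRLEN + 40 * ENTRY_LEN];
  size_t n, len = make_settings(f, 40, 0);
  printf("40 entries, cap 32 -> verdict %d\n", check_settings(f, len, 32, &n));
  return 0;
}
```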

The bug which stalls receiving stream data is fixed. Previously, if automatic window update is enabled (which is the default), after the window size is set to 0 by nghttp2_session_set_local_window_size, once the receiving window is exhausted, no more data can be received, even after the window size is increased by nghttp2_session_set_local_window_size. This is because nghttp2_session_set_local_window_size does not submit WINDOW_UPDATE. WINDOW_UPDATE is only triggered when new data arrives, but since the window is filled up, no more data can be received, and thus a deadlock happens.


With cmake build, the hard-coded static lib suffix is now optional.


proxyprotocol v2 has been implemented.

The bug in getting certificate serial number with mruby script has been fixed.


New option, --connect-to, is added.

Nghttp2 v1.40.0

We have released nghttp2 v1.40.0.


New API function nghttp2_check_authority has been added.

This release fixes the bug that nghttp2_on_stream_close_callback is called with the wrong error code.

HPACK huffman encoding and decoding get faster.


With cmake build, filename collision is now avoided.

New flag ENABLE_STATIC_CRT is added for Windows cmake build.

Support building nghttpx with systemd has been added to cmake.


neverbleed memory leak has been fixed.


This release fixes the bug that mruby script is incorrectly shared between backends with different configurations.

Now nghttpx reconnects to h1 backend if it lost connection before sending header fields.

nghttpx returns 408 if backend timed out before sending header fields.

The bug that makes nghttpx stall when backend connection is reused and buffer is full has been fixed.

Nghttp2 v1.39.2

We have released nghttp2 v1.39.2.

This release addresses the following security issues.

Security Advisory

  • CVE-2019-9511: Data Dribble
  • CVE-2019-9513: Resource Loop


The details of advisories are described here.

libnghttp2 itself is not affected by vulnerabilities reported above.

nghttpx and nghttpd are subject to Denial of Service by consuming CPU time with CVE-2019-9511 and CVE-2019-9513.

Affected Versions

  • Affected versions: nghttp2 version < 1.39.2
  • Not affected versions: nghttp2 >= 1.39.2

The Solution

Upgrade to nghttp2 v1.39.2.

For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.