HTTP/2 C library and tools

Nghttp2 v1.39.2

We have released nghttp2 v1.39.2.

This release addresses following security issues.

Security Advisory

  • CVE-2019-9511: Data Dribble
  • CVE-2019-9513: Resource Loop


The details of advisories are described here.

libnghttp2 itself is not affected by vulnerabilities reported above.

nghttpx and nghttpd are subject to Denial of Service by consuming CPU time with CVE-2019-9511 and CVE-2019-9513.

Affected Versions

  • Affected versions: nghttp2 version < 1.39.2
  • Not affected versions: nghttp2 >= 1.39.2

The Solution

Upgrade to nghttp2 v1.39.2.

For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

Nghttp2 v1.39.1

We have released nghttp2 v1.39.1.

This release fixes critical bugs in v1.39.0.


This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.

Nghttp2 v1.39.0

We have released nghttp2 v1.39.0.


libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.


mruby has been upgraded to 2.0.1.


libnghttp2-asio now supports boost-1.70.


http-parser has been replaced with llhttp.


nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

This release fixes the bug that the log level does not change to the default value on configuration reload if log-level option is missing in new configuration.

Nghttp2 v1.38.0

We have released nghttp2 v1.38.0.


This release fixes the bug that on_header callback is still called after stream is closed.


http-parser is upgraded to v2.9.1.


This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.

It also fixes the bug that HTTP/1.1 chunked request stalls.

Now nghttpx does not log authorization request header field value with -LINFO.

Now nghttpx can be built with modern LibreSSL.

Nghttp2 v1.37.0

We have released nghttp2 v1.37.0.


CMake build explicitly sets install location when building shared library.


This release fixes possible backend stall when header and request body are sent in their own packets.

The backend option gets weight parameter to influence backend selection.

This release fixes compile error with BoringSSL.

Nghttp2 v1.36.0

We have released nghttp2 v1.36.0.


CMake build disables shared library if ENABLE_SHARED_LIB is OFF.


http-parser has been upgraded to v2.9.0.

mruby has been upgraded to v2.0.0.


nghttpx now pools h1 backend connection per address and uses it when the round robin index points to the address.

nghttpx now randomizes backend address round robin order per thread.

The bug that long certificate serial numbers cannot be handled has been fixed.


An option to write per-request logs has been added.


The API to get the current server port has been added.

Nghttp2 v1.35.1

We have released nghttp2 v1.35.1.


This release fixes the broken trailing slash handling when routing a request. nghttpx allows a pattern which ends “/” to match the request path which just lacks the trailing “/”. Previously, this special handling did not work if certain patterns were registered.

Nghttp2 v1.35.0

We have released nghttp2 v1.35.0.


Use __has_declspec_attribute in order to check that dllexport/dllimport can be used.


libevent detection with cmake has been improved.


C++14 language features are now required.


mruby send_info non-final response is now written early.

Fix assertion failure on mruby send_info with HTTP/1.1 frontend.


HTTP/1.1 non-final response is now handled correctly.

Clarify that time for connect includes TLS handshake.

Nghttp2 v1.34.0

We have released nghttp2 v1.34.0.


libnghttp2 now supports extended CONNECT method and :protocol pseudo header field defined in RFC 8441. To enable this functionality on server side, send NGHTTP2_SETTINGS_ENABLE_CONNECT_PROTOCOL using nghttp2_submit_settings().


nghttpx now supports “Bootstrapping WebSockets with HTTP/2” defined in RFC 8441 for both frontend and backend HTTP/2 connections.

read-timeout and write-timeout parameters have been added to --backend option to specify read/write timeouts per pattern which override values set by --backend-read-timeout and --backend-write-timeout options.

This release fixes stability issues in neverbleed with OpenSSL 1.1.1.

mruby has been updated to version 1.4.1.

env.tls_handshake_finished has been added to mruby scripting to know whether TLS handshake has been completed or not. This might be useful to decide that 0-RTT data should be processed or not.

--tls13-ciphers and --tls-client-ciphers options have been added to configure TLSv1.3 ciphers.

nghttpx now adds Early-Data header field to the request header field when request is included in 0-RTT packet, and TLS handshake has not been completed yet. Early-Data header field is defined in RFC 8470.

nghttpx now supports TLSv1.3 0-RTT data. By default, it accepts 0-RTT data, but postpones the request until TLS handshake completes. The new option --tls-no-postpone-early-data makes nghttpx not to postpone request and adds Early-Data header field to backend request. It is important to make sure that all backends must recognize Early-Data header field to mitigate reply attack.

To enable 0-RTT data and most of the TLSv1.3 features, OpenSSL 1.1.1 is required.

Nghttp2 v1.33.0

We have released nghttp2 v1.33.0.


RFC 8336 ORIGIN frame support has been added.

The value of SETTINGS_MAX_CONCURRENT_STREAMS is now set to unlimited if a remote peer does not explicitly include it in SETTINGS frame. Previously, it remains the initial value, 100.


Configuring local address for cleartext connection has been added.


mruby parameter has been added to backend option. mruby parameter specifies the path to mruby script file which is executed when the particular pattern is selected.

Fix bug which causes worker process to abort if neverbleed daemon process is killed before deleting SSL_CTX object.

Fix bug that stream is reset if request body is arrived before backend is selected.