HTTP/2 C library and tools

Nghttp2 v0.6.4

We released bug fix release of nghttp2 v0.6.4. It still implements h2-14 and HPACK-09.

This release fixes the application (nghttpd, nghttpx and h2load) crash with libc++ when threading is enabled. This crash was caused because of heap-use-after-free of std::mutex object. Interestingly, libstdc++ did not exhibit this issue and clang address sanitizer also did not report anything. Hopefully, this release fixes the reported crash in Mac OS X (since it is likely to use libc++), and Mac OS X users finally get multi-threaded nghttp2 applications. So try building nghttp2 without –disable-threads and run one of applications and see they do not crash.

Nghttp2 v0.6.3

We happily announce yet another release of nghttp2 v0.6.3. It still implements h2-14 and HPACK-09.

This release addresses portability/compatibility issues reported by package maintainer and users. One of the problem was caused by use of std::future. Some platform lacks std::future, which causes compile error on application under src directoy. In this release, we check that whether std::future is available or not and if not, define NOTHREADS and exclude multi threading code entirely from applications.

Surprisingly, nghttp2 did not check first SETTINGS (a part of conneciton preface) strictly. From this release, nghttp2 library code checks whether SETTINGS is received as a first frame and if other frame type is received, treats it as PROTOCOL_ERROR.

The library code itself was optimized a bit more and improved its efficiency.

Nghttp2 v0.6.2

We happily announce immediate availability of nghttp2 v0.6.2. It still implements h2-14 and HPACK-09. This release fixes memory leaks. We added nghttp2_option_set_recv_client_preface() function. Previously, nghttp2 library only handles HTTP/2 frames and does not recognize first 24 bytes of client connection preface. This design choice is done due to the fact that server may want to detect the application protocol based on first few bytes on clear text communication. But for simple servers which only speak HTTP/2, it is easier for developers if nghttp2 library takes care of client connection preface as well. If this option is enabled, nghttp2 library checks first 24 bytes client connection preface. If it is not a valid one, nghttp2_session_recv() and nghttp2_session_mem_recv() will return new error code NGHTTP2_ERR_BAD_PREFACE, which is fatal error. By default, the option is turned off for backward compatibility.

The other thing worth mentioning is that now nghttp2_stream_resume_deferred_data() does not fail if data is deferred by flow control.

Previously processing incoming connection level WINDOW_UPDATE frame is quite expensive, but it is fixed and now 2x faster than v0.6.1.

We introduced the experimental libnghttp2_asio C++ library. It is built on top of libnghttp2 and intended to provide higher level APIs to build HTTP/2 client/server easily. Currently, only server APIs are provided. It depends on Boost::Asio and Boost::Thread libraries. For example, the rather useless simple HTTP/2 server which returns “hello, world” for any HTTP request is as follows:

#include <nghttp2/asio_http2.h>

using namespace nghttp2::asio_http2;
using namespace nghttp2::asio_http2::server;

int main(int argc, char **argv)
  http2 server;

    ("", 3000,
     [](std::shared_ptr<request> req, std::shared_ptr<response> res)
       res->end("hello, world");

For more details, consult library documentation.

We added examples/tiny-nghttpd server, which is stripped faster version of nghttpd. Its purpose is measure performance bottleneck in libnghttp2 code, avoding any overhead in external I/O library. Currently it requires epoll, so it can be built only on linux.

Host Lucid Erlang HTTP/2 Server now hosts Lucid HTTP/2 server written in Erlang. The access endpoint is Currently it returns simple html content including request headers. It only speaks h2-14.

Since Erlang SSL module does not support AEAD cipher suites, Firefox nightly refuses to connect to this server. To workaround this, open about:config in Firefox and set network.http.spdy.enforce-tls-profile to false.

Nghttp2 v0.6.1

We just released nghttp2 v0.6.1. This release fixes compile error in bundled application code on OSX. No library code has been changed since v0.6.0.

Nghttp2 v0.6.0

Finally, we released nghttp2 v0.6.0! It implements h2-14 and header compression HPACK 09.

In this release, we decided to hide the details of nghttp2_session_callbacks struct. The reason of this decision is to avoid so name bump each time we add new callback. Actually, we added 2 new callbacks in this release. We expect more to come, so it is a good time to make API open for extension.

We successfully performed interop testing with Firefox, Jetty and Twitter.

If you are shrpx users from spdylay project, this is a good time to migrate to nghttpx, which supports SPDY proxy as well.

Anyway, the every release for OSS project is happy time. Have fun!

Update to H2-14

Today We updated nghttp2 to support latest HTTP/2 draft, h2-14. The source code is available on github. This server is advertize h2-14 now.

Here is a quick summary of the changes since h2-13:

  • Frame length field was expanded to 24 bits.
  • The pseudo headers (aka, colon (:) headers) handling is tightened up. Now unexpected pseudo headers are subject to stream error.
  • WINDOW_UPDATE with 0 window-size is now treated as error.
  • END_SEGMENT flag was removed.
  • 1xx status codes, except for 101, are now supported.
  • Removed 0x00 concatenation rule.
  • HPACK: reference set was removed.
  • HPACK: static header table is now in front of dynamic header table.
  • HPACK: No copy when static header table entry is referenced.

Nghttp2 v0.5.1 Released

We happily announce the immediate availability of nghttp2 v0.5.1. The supported HTTP/2 protocol remains to h2-13.

This release fixes HPACK integer decoding bug, which occurs when encoded integer byte sequence crosses frame boundary or packet.

Nghttp2 v0.5.0 Released

We happily announce the immediate availability of nghttp2 v0.5.0. The supported HTTP/2 protocol is now h2-13.

The changes since h2-12 were described in the previous post. We still supports ALTSVC frame in this release, but it may be removed in the future release since it is now in the separate document. The BLOCKED frame was completely removed from the source code.

Update to H2-13

nghttp2 was updated to HTTP/2 draft-13 and HPACK draft-08.

The major changes are:

  • Simplified padding (Pad High field was removed)
  • No padding for CONTINUATION frame.
  • ALTSVC and BLOCKED frame was moved to extension. The current nghttp2 source code contains ALTSVC and BLOCKED as extension based on draft-12. But their specification may change and they may be dropped from nghttp2 public API until their specifications are settled.
  • Per-frame compression was removed.
  • Huffman code table and static header table were updated.

The https endpoint for now requires TLSv1.2 and DHE or EDCHE with GCM cipher suite for HTTP/2 connection. If HTTP/2 was negotiated and these requirements are not met, connection error will be issued with the error code INADEQUATE_SECURITY.