nghttp2.org

HTTP/2 C library and tools

Nghttp2 v1.6.0

We released nghttp2 v1.6.0.

This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible. Other than that we have minor polish up in libnghttp2 code base, and some new features to asio library, and h2load.

We tightened up the error condition when we received frame which is not allowed in that state. We now make it connection error if we are sure that peer really violates the protocol.

Previously, the default remote SETTINGS_MAX_CONCURRENT_STREAMS value was unlimited as per RFC 7540. But this was problematic, and this could lead to many REFUSED_STREAM, or ENHANCE_YOUR_CALM error. To avoid this situation, and make it more friendly to peer, we assume that the default remote SETTINGS_MAX_CONCURRENT_STREAMS is 100. When we get this SETTINGS value from peer, we will update it. The application can change this initial value using nghttp2_option_set_peer_max_concurrent_streams() API.

Previously, stream object for pushed stream was not created when nghttp2_submit_push_promise() returned. It was created after nghttp2_before_frame_send_callback was called. So application had to wait for its invocation when it wanted to use stream object. Now stream object is created right after successful nghttp2_submit_push_promise() call.

We added new API, nghttp2_session_create_idle_stream(). This function creates idle stream without telling it the remote endpoint.

Previously, if we wanted to build libnghttp2 only, we had to give --disable-app, --disable-examples, --disable-hpack-tools, and --disable-python-bindings options to configure script. We added --lib-only configure option as a short hand for these options.

The previous package build failed without OpenSSL 1.0.2. This was fixed in this release by the patch contributed by Sunpoet Po-Chuan Hsieh.

Andreas Pohl added several new server APIs. nghttp2::asio_http2::server::http2::get_io_services() returns all underlying io_service objects. nghttp2::asio_http2::server::request::remote_endpoint() returns the remote endpoint address.

We added configurable connect, and read timeout for asio client API. See nghttp2::asio_http2::client::session::connect_timeout(), and nghttp2::asio_http2::client::session::read_timeout() API. This involved backend incompatible change, and the application must be recompiled to use new asio library (this applies to asio library only, and libnghttp2 is fully backward compatible to 1.0.0).

Similarly, we added configurable TLS handshake, and read timeout for asio server API. See nghttp2::asio_http2::server::http2::tls_handshake_timeout(), and nghttp2::asio_http2::server::http2::read_timeout() API.

h2load now shows min, max, mean and sd (standard deviation) of request per second value calculated per connection. This is useful to see how performance differs between connections.