We have released nghttp2 v1.23.0.
libnghttp2
Previously, if libnghttp2 received an invalid header field, it was simply ignored and treated as if it had never arrived. This release changes that behaviour: libnghttp2 now treats an incoming invalid header field as an error and resets the stream with PROTOCOL_ERROR.
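To make concrete what "invalid header field" and "reset the stream with PROTOCOL_ERROR" mean in practice, here is an added example, not libnghttp2 code: a small validator that classifies HTTP/2 header fields using the RFC 7540 section 8.1.2 rules (lowercase token names, no connection-specific fields, pseudo-headers first and only the defined ones) plus the usual ban on NUL/CR/LF in values, and reports the consequence for the stream. The exact set of checks libnghttp2 applies may differ; the header blocks at the bottom are constructed sample input, not captured traffic.

```python
"""Classify HTTP/2 header fields the way a server that rejects invalid
fields would, and state the consequence: accept the block, or reset the
stream with PROTOCOL_ERROR (error code 0x1, RFC 7540 section 7).

Added example, not libnghttp2 code. The checks are the RFC 7540
section 8.1.2 rules; libnghttp2's exact checks may differ.
"""

PROTOCOL_ERROR = 0x1

# RFC 7230 tchar: the characters allowed in a field name.
_TCHAR = set("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
_REQUEST_PSEUDO = {":method", ":scheme", ":authority", ":path"}
_RESPONSE_PSEUDO = {":status"}
# RFC 7540 8.1.2.2: connection-specific fields must not appear in HTTP/2.
_CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                        "transfer-encoding", "upgrade"}


def invalid_reason(name, value, is_request=True):
    """Return None if (name, value) is a valid HTTP/2 field, else why not."""
    if not name:
        return "empty field name"
    if name.startswith(":"):
        allowed = _REQUEST_PSEUDO if is_request else _RESPONSE_PSEUDO
        if name not in allowed:
            return "undefined pseudo-header %r" % name
    else:
        if any(c not in _TCHAR for c in name):
            return "field name %r contains a non-token character" % name
        if name != name.lower():
            return "field name %r is not lowercase" % name
        if name in _CONNECTION_SPECIFIC:
            return "connection-specific field %r" % name
        if name == "te" and value != "trailers":
            return "te may only carry 'trailers'"
    if any(c in "\x00\r\n" for c in value):
        return "field value contains NUL, CR or LF"
    return None


def process_header_block(fields, is_request=True):
    """Validate a header block in order.

    Returns ("accept", None, None, None), or
    ("rst_stream", PROTOCOL_ERROR, offending_name, reason) for the first
    invalid field: the stream is reset instead of the field being dropped.
    """
    seen_regular = False
    for name, value in fields:
        reason = invalid_reason(name, value, is_request)
        if reason is None and name.startswith(":") and seen_regular:
            reason = "pseudo-header %r after a regular field" % name
        if reason is not None:
            return ("rst_stream", PROTOCOL_ERROR, name, reason)
        if not name.startswith(":"):
            seen_regular = True
    return ("accept", None, None, None)


# Constructed sample header blocks (not captured traffic).
GOOD_REQUEST = [(":method", "GET"), (":scheme", "https"),
                (":authority", "example.com"), (":path", "/"),
                ("user-agent", "example/1.0")]
BAD_REQUEST = [(":method", "GET"), (":scheme", "https"),
               (":authority", "example.com"), (":path", "/"),
               ("Connection", "keep-alive")]  # uppercase, and connection-specific

if __name__ == "__main__":
    print(process_header_block(GOOD_REQUEST))
    print(process_header_block(BAD_REQUEST))
```

Note that the whole header block is rejected on the first offending field; a peer that relied on the old behaviour (the field being silently dropped) will now see a RST_STREAM instead of a response.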
nghttp2_on_invalid_frame_callback is now called if validation of an altsvc header field fails.
nghttpx
nghttpx now verifies the OCSP response received from the program specified by --fetch-ocsp-response-file. The validation can be turned off with the --no-verify-ocsp option. The validation makes sure that the OCSP response is targeted to the expected certificate. This matters because nghttpx passes the certificate file path to the external program (see --fetch-ocsp-response-file): if the file is replaced because of renewal and nghttpx has not reloaded its configuration, the certificate nghttpx has loaded and the one in the file differ. Verifying the OCSP response detects this and avoids sending a wrong OCSP response.
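The mismatch described above can be checked by comparing the CertID in the OCSP response (issuer name hash, issuer key hash and serial number, RFC 6960 section 4.1.1) against the certificate the server actually has loaded. The following is an added example, not nghttpx code; it uses the third-party cryptography package (assumed installed) to build a throwaway CA, a "loaded" leaf, a "renewed" leaf that differs only in serial number, and an OCSP response for the renewed leaf, then runs the check against both leaves. Signature and chain validation of the response are a separate step and are not shown.

```python
"""Check that an OCSP response is for the certificate the server serves.

Added example, not nghttpx code. Scenario: the certificate file was renewed
on disk, the external fetcher produced a response for the new certificate,
but the running server still has the old one loaded. Uses the
'cryptography' package (assumed installed). Only the CertID comparison is
shown; verifying the responder's signature is a separate step.
"""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def expected_cert_id(cert, issuer, algo):
    """CertID fields for `cert` as issued by `issuer`, using hash `algo`."""
    name_hash = hashlib.new(algo.name, issuer.subject.public_bytes()).digest()
    # issuerKeyHash covers the raw subjectPublicKey bits; for an EC key that
    # is the uncompressed point.
    spk = issuer.public_key().public_bytes(
        serialization.Encoding.X962,
        serialization.PublicFormat.UncompressedPoint)
    key_hash = hashlib.new(algo.name, spk).digest()
    return name_hash, key_hash, cert.serial_number


def ocsp_response_targets(resp_der, cert, issuer):
    """True if the DER OCSP response is a successful response for exactly `cert`."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    name_hash, key_hash, serial = expected_cert_id(cert, issuer, resp.hash_algorithm)
    return (resp.issuer_name_hash == name_hash
            and resp.issuer_key_hash == key_hash
            and resp.serial_number == serial)


def _make_cert(subject, key, issuer_name, issuer_key, serial, is_ca):
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                           critical=True)
            .sign(issuer_key, hashes.SHA256()))


def _make_ocsp_response(cert, issuer, issuer_key):
    """Good OCSP response for `cert`, signed directly by the issuer CA."""
    now = datetime.datetime.now(UTC)
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD,
                             this_update=now,
                             next_update=now + datetime.timedelta(days=7),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer))
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(
        serialization.Encoding.DER)


def build_scenario():
    """Constructed test PKI: CA, loaded leaf, renewed leaf, response for renewed leaf."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca = _make_cert(ca_name, ca_key, ca_name, ca_key, 1, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.com")])
    loaded = _make_cert(leaf_name, leaf_key, ca_name, ca_key, 1000, False)
    renewed = _make_cert(leaf_name, leaf_key, ca_name, ca_key, 1001, False)
    return ca, loaded, renewed, _make_ocsp_response(renewed, ca, ca_key)


if __name__ == "__main__":
    ca, loaded, renewed, resp = build_scenario()
    print("targets loaded cert: ", ocsp_response_targets(resp, loaded, ca))
    print("targets renewed cert:", ocsp_response_targets(resp, renewed, ca))
```

The renewed leaf reuses the old key pair, which is common in practice, so the issuer hashes are identical and only the serial number exposes the mismatch; a check that compared issuer hashes alone would staple the wrong response.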
The feature to select a certificate based on client’s supported group (curve) didn’t work as expected, but now it is fixed.
The certificate selection with SNI was broken, but now it is fixed.
The --ocsp-startup option is added to postpone accepting incoming connections until the initial OCSP requests have finished.
When selecting a backend based on the request path, a wildcard can now be used. For example, if the pattern is /foo/bar*, it matches every request path that has /foo/bar as a prefix and is strictly longer than that; * must match at least one character.
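The matching rule above, as an added example that is not nghttpx code, with the "strictly longer" edge case included. Two further choices are assumptions of this example, not something the text states: a pattern without a trailing * must match the path exactly, and when several patterns match, the one with the longest literal prefix wins. The routing table is constructed for the example.

```python
"""Path-based backend selection with a trailing '*' wildcard.

Added example, not nghttpx code. A pattern ending in '*' matches every
path that has the text before the '*' as a prefix and is strictly longer
than it (the '*' must consume at least one character). Assumptions of this
example: a pattern without '*' matches exactly, and the longest literal
prefix wins when several patterns match.
"""


def path_matches(pattern, path):
    """Return True if `path` matches `pattern` under the rule above."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        # '*' must match at least one character, so equality is not enough.
        return path.startswith(prefix) and len(path) > len(prefix)
    return path == pattern  # assumption: non-wildcard patterns match exactly


def select_backend(routes, path):
    """Pick the backend for `path` from {pattern: backend}; None if nothing matches."""
    best, best_len = None, -1
    for pattern, backend in routes.items():
        if path_matches(pattern, path):
            literal = pattern[:-1] if pattern.endswith("*") else pattern
            if len(literal) > best_len:  # assumption: longest literal prefix wins
                best, best_len = backend, len(literal)
    return best


# Constructed routing table for the example.
ROUTES = {
    "/foo/bar*": "backend-wildcard",
    "/foo/bar": "backend-exact",
    "/*": "backend-catchall",
}

if __name__ == "__main__":
    for p in ("/foo/bar", "/foo/barbaz", "/foo/ba", "/"):
        print(p, "->", select_backend(ROUTES, p))
```

Because * must consume at least one character, /* does not match the bare path /, and /foo/bar* does not match /foo/bar itself; an exact pattern is needed for those.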
nghttp
The -y option is added to suppress the peer verification failure warning.