nghttp2

• lib: fix ubsan errors (Patch from Asra Ali) (GH-1468)
• lib: Don't send RST_STREAM to idle stream (GH-1477)
• lib: nghttp2_map backed by nghttp2_ksl
• doc: Update sphinx_rtd_theme
• doc: nghttp2_session_send is also affected by max concurrent streams (Patch from Tomas Krizek) (GH-1489)
• doc: clarify flow control behaviour for nghttp2_session_send() (Patch from Tomas Krizek) (GH-1488)
• build: Add missing cmake/FindSystemd.cmake to dist (GH-1526)
• third-party: Bump llhttp to 2.2.0
• third-party: Bump mruby to 2.1.2
• nghttpx: Deal with the case when h2 backend is retired before it is initialized
• nghttpx: Add accesslog variables to record request path without query (GH-1511)
• nghttpx: Fix stall when TLS follows after proxy protocol
• nghttpx: Fix logging integer

• Fix CVE-2020-11080
• lib: Implement max settings option (Patch from James M Snell)
• lib: Earlier check for settings flood (Patch from James M Snell)
• lib: Fix receiving stream data stall (GH-1444)
• build: cmake: Make hard-coded static lib suffix optional (Patch from Viktor Szakats) (GH-1418)
• third-party: Bump llhttp to 2.0.4 (GH-1442)
• nghttpx: Add PROXY-protocol v2 support (GH-1452)
• nghttpx: Fix get_x509_serial for long serial numbers (Patch from Jacky Tian) (GH-1455)
• h2load: Allow port in --connect-to
• h2load: add --connect-to option (Patch from Lucas Pardue) (GH-1426)

• lib: Add nghttp2_check_authority as public API (GH-1413)
• lib: Fix the bug that stream is closed with wrong error code (GH-1408)
• lib: Faster huffman encoding and decoding (GH-1405)
• build: Avoid filename collision of static and dynamic lib (Patch from William A Rowe Jr) (GH-1394)
• build: Add new flag ENABLE_STATIC_CRT for Windows (Patch from William A Rowe Jr) (GH-1393)
• build: cmake: Support building nghttpx with systemd (Patch from Andrew Penkrat) (GH-1377)
• third-party: Update neverbleed to fix memory leak
• nghttpx: Fix bug that mruby is incorrectly shared between backends (GH-1392)
• nghttpx: Reconnect h1 backend if it lost connection before sending headers
• nghttpx: Returns 408 if backend timed out before sending headers
• nghttpx: Fix request stall (GH-1378)

This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
frames cause Denial of Service by consuming CPU time. Check out
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

• Fix CVE-2019-9511 and CVE-2019-9513
• Add nghttp2_option_set_max_outbound_ack API function
• nghttpx: Fix request stall

• nghttpx: Fix bug that log-level is not set with cmd-line or configuration file
• nghttpx: Fix FPE with default backend

• lib: Ignore content-length in 200 response to CONNECT request (GH-1347)
• third-party: Upgrade mruby to 2.0.1 (GH-1337)
• asio: support boost-1.70 (Patch from Adam Gołębiowski) (GH-1335)
• src: Replace http-parser with llhttp (GH-1340)
• nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT (GH-1347)
• nghttpx: Fix unchanged log level on configuration reload (GH-1356)

• lib: Fix bug that on_header callback is still called after stream is closed (GH-1331)
• third-party: Update http-parser to v2.9.1
• nghttpx: Fix bug that altered authority and path affect backend selection (GH-1334)
• nghttpx: Fix bug that chunked request stalls (GH-1333)
• nghttpx: Don't log authorization request header field value with -LINFO (GH-1332)
• nghttpx: Fix for compilation against modern LibreSSL (Patch from Jeff 'Raid' Baitis) (GH-1270)

• lib: Take into account larger frame size for prioritization
• lib: Reuse name when indexing header by referencing dynamic table
• build: Explicitly set install location when building shared libs (Patch from Don) (GH-1303)
• nghttpx: Fix backend stall if header and request body are sent in 2 packets
• nghttpx: Backend address selection with weight (GH-1297)
• nghttpx: Fix compilation with boringssl (Patch from Simon Frankenberger) (GH-1295)

• build: Disable shared library if ENABLE_SHARED_LIB is OFF (Patch from Brendan Heinonen) (GH-1285)
• third-party: Use http-parser to v2.9.0 (GH-1294)
• third-party: Update mruby to 2.0.0
• nghttpx: Pool h1 backend connection per address (GH-1292)
• nghttpx: Randomize backend address round robin order per thread (GH-1291)
• nghttpx: Fix getting long serial numbers for openssl < 1.1 (Patch from Josh Braegger) (GH-1287)
• h2load: add an option to write per-request logs (Patch from dawg) (GH-1256)
• asio: added access to the number of the current server port (Patch from Pedro Santos) (GH-1257)

• nghttpx: Fix broken trailing slash handling (GH-1276)

• build: cmake: Fix libevent version detection (Patch from Jan Kundrát) (GH-1238)
• lib: Use __has_declspec_attribute for shared builds (Patch from Don) (GH-1222)
• src: Require C++14 language feature
• nghttpx: Write mruby send_info early
• nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend
• h2load: Handle HTTP/1 non-final response (GH-1259)
• h2load: Clarify that time for connect includes TLS handshake

• lib: Implement RFC 8441 :protocol support (GH-1181)
• nghttpx: Add read/write-timeout parameters to backend option (GH-1235)
• nghttpx: Fix mruby parameter validation in backend option
• nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2 (GH-1234)
• nghttpx: Update neverbleed to fix OpenSSL 1.1.1 issues
• nghttpx: Update mruby 1.4.1
• nghttpx: Add mruby env.tls_handshake_finished
• nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
• nghttpx: Add RFC 8470 Early-Data header field support
• nghttpx: Add RFC 8446 TLSv1.3 0-RTT early data support (GH-846)

• lib: Tweak nghttp2_session_set_stream_user_data (GH-1211)
• lib: Fix handling of SETTINGS_MAX_CONCURRENT_STREAMS. (Patch from Piotr Sikora) (GH-1184)
• lib: Implement ORIGIN frame (GH-1177)
• asio: support definition of local endpoint for cleartext client session (Patch from Alexandros Konstantinakis-Karmis) (GH-1204, GH-1212, GH-1217)
• integration: Remove remaining SPDY code from the integration tests. (Patch from Piotr Sikora) (GH-1183)
• nghttpx: Fix worker process crash with neverbleed write error
• nghttpx: Support per-backend mruby script (GH-1215)
• nghttpx: Fix stream reset if data from client is arrived before dconn is attached (GH-1214)

• lib: Tweak nghttp2_session_set_stream_user_data

• lib: Ignore all input after calling session_terminate_session
• lib: Fix treatment of padding
• lib: Don't allow 101 HTTP status code because HTTP/2 removes HTTP Upgrade
• build: add ENABLE_STATIC_LIB option to build static lib (Patch from Viktor Szakats) (GH-1146)
• third-party: Upgrade neverbleed to the latest master
• asio: Support client side SNI (GH-1172)
• src: Compile with libressl 2.7.2 (GH-1162)
• src: Allow building without NPN (Patch from Bernard Spil) (GH-1152)
• h2load: -r and --duration are mutually exclusive (GH-1171)

• lib: Fix CVE-2018-1000168. See https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/

• lib: Add nghttp2_session_set_user_data() public API function (GH-1137)
• src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro (GH-1128)
• nghttpx: Close listening socket on graceful shutdown
• nghttpx: Add an option to accept expired client certificate (GH-1126)
• nghttpx: Add mruby tls_client_not_before, and tls_client_not_after (GH-1123)
• nghttpx: Fix potential memory leak

• lib: Allow PING frame to be sent after GOAWAY (GH-1103)
• nghttpx: Fix bug that h1 backend idle timeout expires sooner
• nghttpx: Stop overwrite of first header on mruby call to env.req.set_header(..) (Patch from Dylan Plecki) (GH-1119)
• nghttpx: Add upgrade-scheme parameter to backend option (GH-1099)
• nghttpx: Fix missing ALPN validation (--npn-list) (GH-1094)
• nghttpx: Remember which resource is pushed for RFC 8297 (GH-1101)

• lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY (GH-1077)
• build: Remove SPDY (GH-821)
• build: Fix CMAKE_MODULE_PATH (Patch from Dmitriy Vetutnev) (GH-1084)
• nghttpx: Revert "nghttpx: Use an existing h2 backend connection as much as possible" (GH-1086)
• nghttpx: Write API request body in temporary file (GH-1083)
• nghttpx: Increase api-max-request-body (GH-1082)
• nghttpx: Faster configuration loading with lots of backends (GH-1081)
• nghttpx: Fix crash with --backend-http-proxy-uri option (GH-1079)

• lib: Add nghttp2_error_callback2 (GH-1062)
• build: Add deprecation warning when spdylay support is enabled
• Switch to clang-format-5.0
• examples: Make client and server work with libevent-2.1.8 (GH-1039)
• third-party: Update neverbleed
• integration: Fix issues reported by the go vet tool. (Patch from Piotr Sikora) (GH-1047)
• nghttpx: Fix affinity retry
• nghttpx: Fix stalled backend connection on retry
• nghttpx: Cookie based session affinity (GH-1024, GH-1066)
• nghttpx: Expose additional TLS related variables to mruby and accesslog (GH-1031, GH-1038, GH-1057)