Update manual pages

README.rst: fix typo

AUTHORS

@@ -25,6 +25,7 @@ Angus Gratton
 Ant Bryan
 Benedikt Christoph Wolters
 Benedikt Christoph Wolters
+Benjamin Peterson
 Bernard Spil
 Bernard Spil
 Brian Card
@@ -67,6 +68,7 @@ Remo E
 Reza Tavakoli
 Ross Smith II
 Scott Mitchell
+Simone Basso
 Soham Sinha
 Stefan Eissing
 Stephen Ludin

CMakeLists.txt

@@ -24,7 +24,7 @@
 
 cmake_minimum_required(VERSION 3.0)
 # XXX using 1.8.90 instead of 1.9.0-DEV
-project(nghttp2 VERSION 1.23.0)
+project(nghttp2 VERSION 1.24.0)
 
 # See versioning rule:
 #  http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html

README.rst

@@ -157,7 +157,7 @@ minimizes the risk of private key leakage when serious bug like
 Heartbleed is exploited.  The neverbleed is disabled by default.  To
 enable it, use ``--with-neverbleed`` configure option.
 
-In ordre to compile the source code, gcc >= 4.8.3 or clang >= 3.4 is
+In order to compile the source code, gcc >= 4.8.3 or clang >= 3.4 is
 required.
 
 .. note::

configure.ac

@@ -25,7 +25,7 @@ dnl Do not change user variables!
 dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
 
 AC_PREREQ(2.61)
-AC_INIT([nghttp2], [1.23.0], [t-tujikawa@users.sourceforge.net])
+AC_INIT([nghttp2], [1.24.0], [t-tujikawa@users.sourceforge.net])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])

doc/Makefile.am

@@ -267,7 +267,7 @@ apiref.rst: \
 $(APIDOCS): apiref.rst
 
 clean-local:
-	[ $(srcdir) = $(builddir) ] || for i in $(RST_FILES); do [ -e $(builddir)/$$i ] && rm -f $(builddir)/$$i; done
+	if [ $(srcdir) != $(builddir) ]; then for i in $(RST_FILES); do rm -f $(builddir)/$$i; done fi
 	-rm -f apiref.rst
 	-rm -f $(APIDOCS)
 	-rm -rf $(BUILDDIR)/*

doc/h2load.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "H2LOAD" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "H2LOAD" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .

doc/nghttp.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTP" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTP" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .

doc/nghttpd.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPD" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTPD" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .

doc/nghttpx.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPX" "1" "May 26, 2017" "1.23.0" "nghttp2"
+.TH "NGHTTPX" "1" "Jul 02, 2017" "1.24.0" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .
@@ -604,11 +604,14 @@ enabled for backend connections.
 .INDENT 0.0
 .TP
 .B \-\-cacert=<PATH>
-Set path to trusted CA  certificate file used in backend
-TLS connections.   The file must  be in PEM  format.  It
-can  contain  multiple   certificates.   If  the  linked
-OpenSSL is configured to  load system wide certificates,
-they are loaded at startup regardless of this option.
+Set path to trusted CA  certificate file.  It is used in
+backend  TLS connections  to verify  peer\(aqs certificate.
+It is also used to  verify OCSP response from the script
+set by \fI\%\-\-fetch\-ocsp\-response\-file\fP\&.  The  file must be in
+PEM format.   It can contain multiple  certificates.  If
+the  linked OpenSSL  is configured  to load  system wide
+certificates, they  are loaded at startup  regardless of
+this option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -691,10 +694,14 @@ done in  case\-insensitive manner.  The  versions between
 \fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
-message "unknown protocol".  The available versions are:
+message "unknown protocol".  If a protocol version lower
+than TLSv1.2 is specified, make sure that the compatible
+ciphers are  included in \fI\%\-\-ciphers\fP option.   The default
+cipher  list  only   includes  ciphers  compatible  with
+TLSv1.2 or above.  The available versions are:
 TLSv1.2, TLSv1.1, and TLSv1.0
 .sp
-Default: \fBTLSv1.1\fP
+Default: \fBTLSv1.2\fP
 .UNINDENT
 .INDENT 0.0
 .TP

doc/nghttpx.1.rst

@@ -558,11 +558,14 @@ SSL/TLS
 
 .. option:: --cacert=<PATH>
 
-    Set path to trusted CA  certificate file used in backend
-    TLS connections.   The file must  be in PEM  format.  It
-    can  contain  multiple   certificates.   If  the  linked
-    OpenSSL is configured to  load system wide certificates,
-    they are loaded at startup regardless of this option.
+    Set path to trusted CA  certificate file.  It is used in
+    backend  TLS connections  to verify  peer's certificate.
+    It is also used to  verify OCSP response from the script
+    set by :option:`--fetch-ocsp-response-file`\.  The  file must be in
+    PEM format.   It can contain multiple  certificates.  If
+    the  linked OpenSSL  is configured  to load  system wide
+    certificates, they  are loaded at startup  regardless of
+    this option.
 
 .. option:: --private-key-passwd-file=<PATH>
 
@@ -636,10 +639,14 @@ SSL/TLS
     :option:`--tls-min-proto-version` and  :option:`\--tls-max-proto-version` are
     enabled.  If the protocol list advertised by client does
     not  overlap  this range,  you  will  receive the  error
-    message "unknown protocol".  The available versions are:
+    message "unknown protocol".  If a protocol version lower
+    than TLSv1.2 is specified, make sure that the compatible
+    ciphers are  included in :option:`--ciphers` option.   The default
+    cipher  list  only   includes  ciphers  compatible  with
+    TLSv1.2 or above.  The available versions are:
     TLSv1.2, TLSv1.1, and TLSv1.0
 
-    Default: ``TLSv1.1``
+    Default: ``TLSv1.2``
 
 .. option:: --tls-max-proto-version=<VER>
 

doc/sources/nghttpx-howto.rst

@@ -297,13 +297,31 @@ When you write this option in command-line, you should enclose
 argument with single or double quotes, since the character ``;`` has a
 special meaning in shell.
 
-To route, request to request path whose prefix is ``/foo`` to backend
-server ``[::1]:8080``, you can write like so:
+To route, request to request path ``/foo`` to backend server
+``[::1]:8080``, you can write like so:
 
 .. code-block:: text
 
    backend=::1,8080;/foo
 
+If the last character of path pattern is ``/``, all request paths
+which start with that pattern match:
+
+.. code-block:: text
+
+   backend=::1,8080;/bar/
+
+The request path ``/bar/buzz`` matches the ``/bar/``.
+
+You can use ``*`` at the end of the path pattern to make it wildcard
+pattern.  ``*`` must match at least one character:
+
+.. code-block:: text
+
+   backend=::1,8080;/sample*
+
+The request path ``/sample1/foo`` matches the ``/sample*`` pattern.
+
 Of course, you can specify both host and request path at the same
 time:
 

lib/includes/nghttp2/nghttp2.h

@@ -3809,9 +3809,8 @@ nghttp2_submit_response(nghttp2_session *session, int32_t stream_id,
  * Submits trailer fields HEADERS against the stream |stream_id|.
  *
  * The |nva| is an array of name/value pair :type:`nghttp2_nv` with
- * |nvlen| elements.  The application is responsible not to include
- * pseudo-header fields (header field whose name starts with ":") in
- * |nva|.
+ * |nvlen| elements.  The application must not include pseudo-header
+ * fields (headers whose names starts with ":") in |nva|.
  *
  * This function creates copies of all name/value pairs in |nva|.  It
  * also lower-cases all names in |nva|.  The order of elements in

src/nghttp.cc

@@ -404,17 +404,10 @@ int htp_msg_begincb(http_parser *htp) {
 }
 } // namespace
 
-namespace {
-int htp_statuscb(http_parser *htp, const char *at, size_t length) {
-  auto client = static_cast<HttpClient *>(htp->data);
-  client->upgrade_response_status_code = htp->status_code;
-  return 0;
-}
-} // namespace
-
 namespace {
 int htp_msg_completecb(http_parser *htp) {
   auto client = static_cast<HttpClient *>(htp->data);
+  client->upgrade_response_status_code = htp->status_code;
   client->upgrade_response_complete = true;
   return 0;
 }
@@ -424,7 +417,7 @@ namespace {
 constexpr http_parser_settings htp_hooks = {
     htp_msg_begincb,   // http_cb      on_message_begin;
     nullptr,           // http_data_cb on_url;
-    htp_statuscb,      // http_data_cb on_status;
+    nullptr,           // http_data_cb on_status;
     nullptr,           // http_data_cb on_header_field;
     nullptr,           // http_data_cb on_header_value;
     nullptr,           // http_cb      on_headers_complete;

src/shrpx.cc

@@ -1392,7 +1392,7 @@ constexpr auto DEFAULT_NPN_LIST = StringRef::from_lit("h2,h2-16,h2-14,"
 } // namespace
 
 namespace {
-constexpr auto DEFAULT_TLS_MIN_PROTO_VERSION = StringRef::from_lit("TLSv1.1");
+constexpr auto DEFAULT_TLS_MIN_PROTO_VERSION = StringRef::from_lit("TLSv1.2");
 #ifdef TLS1_3_VERSION
 constexpr auto DEFAULT_TLS_MAX_PROTO_VERSION = StringRef::from_lit("TLSv1.3");
 #else  // !TLS1_3_VERSION
@@ -2071,11 +2071,14 @@ SSL/TLS:
               Don't  verify backend  server's  certificate  if TLS  is
               enabled for backend connections.
   --cacert=<PATH>
-              Set path to trusted CA  certificate file used in backend
-              TLS connections.   The file must  be in PEM  format.  It
-              can  contain  multiple   certificates.   If  the  linked
-              OpenSSL is configured to  load system wide certificates,
-              they are loaded at startup regardless of this option.
+              Set path to trusted CA  certificate file.  It is used in
+              backend  TLS connections  to verify  peer's certificate.
+              It is also used to  verify OCSP response from the script
+              set by --fetch-ocsp-response-file.  The  file must be in
+              PEM format.   It can contain multiple  certificates.  If
+              the  linked OpenSSL  is configured  to load  system wide
+              certificates, they  are loaded at startup  regardless of
+              this option.
   --private-key-passwd-file=<PATH>
               Path  to file  that contains  password for  the server's
               private key.   If none is  given and the private  key is
@@ -2131,7 +2134,11 @@ SSL/TLS:
               --tls-min-proto-version and  --tls-max-proto-version are
               enabled.  If the protocol list advertised by client does
               not  overlap  this range,  you  will  receive the  error
-              message "unknown protocol".  The available versions are:
+              message "unknown protocol".  If a protocol version lower
+              than TLSv1.2 is specified, make sure that the compatible
+              ciphers are  included in --ciphers option.   The default
+              cipher  list  only   includes  ciphers  compatible  with
+              TLSv1.2 or above.  The available versions are:
               )"
 #ifdef TLS1_3_VERSION
                              "TLSv1.3, "

src/shrpx_http2_downstream_connection.cc

@@ -201,9 +201,7 @@ ssize_t http2_data_read_callback(nghttp2_session *session, int32_t stream_id,
     if (!trailers.empty()) {
       std::vector<nghttp2_nv> nva;
       nva.reserve(trailers.size());
-      // We cannot use nocopy version, since nva may be touched after
-      // Downstream object is deleted.
-      http2::copy_headers_to_nva(nva, trailers, http2::HDOP_STRIP_ALL);
+      http2::copy_headers_to_nva_nocopy(nva, trailers, http2::HDOP_STRIP_ALL);
       if (!nva.empty()) {
         rv = nghttp2_submit_trailer(session, stream_id, nva.data(), nva.size());
         if (rv != 0) {

src/shrpx_tls.cc

@@ -829,6 +829,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
   }
 
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+
+  if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
+    LOG(WARN) << "Could not load system trusted ca certificates: "
+              << ERR_error_string(ERR_get_error(), nullptr);
+  }
+
+  if (!tlsconf.cacert.empty()) {
+    if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
+                                      nullptr) != 1) {
+      LOG(FATAL) << "Could not load trusted ca certificates from "
+                 << tlsconf.cacert << ": "
+                 << ERR_error_string(ERR_get_error(), nullptr);
+      DIE();
+    }
+  }
+
   if (!tlsconf.private_key_passwd.empty()) {
     SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
     SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@@ -1844,9 +1860,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
   }
   auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
 
+  auto store = SSL_CTX_get_cert_store(ssl_ctx);
+
   ERR_clear_error();
 
-  rv = OCSP_basic_verify(bs, chain_certs, nullptr, OCSP_TRUSTOTHER);
+  rv = OCSP_basic_verify(bs, chain_certs, store, 0);
 
   if (rv != 1) {
     LOG(ERROR) << "OCSP_basic_verify failed: "